
10 Steps To A More Secure Windows 2000/XP/Vista System
As in the world at large, Microsoft Windows is the predominant computer operating
system at Penn. In recent years, as computer security has become more and more
of a concern, Microsoft has placed more and more emphasis on making their Windows
operating system as secure as possible as they have developed and marketed the
2000 and XP versions. For those who are operating and administering large, Windows-based
servers with many users, there are many complex, security-related settings to
consider, and no two servers are likely to have exactly the same security needs
and parameters.
However, for the average, single-user desktop Windows 2000, XP or Vista system, the
security issues are somewhat less complex, and there are a number of basic things
that can be done to make a personal, Windows-based computer reasonably secure.
The following 10 suggestions are all relatively simple, but effective steps
that can be implemented by the average computer owner, although in a couple
of them it is suggested that getting help from your local support provider might
be a good idea.
Please note: the following suggestions are applicable
mainly to Windows 2000, XP and Vista systems, although some systems running Windows
NT (3.5 or 4.0) may be able to make use of them. Earlier versions (Windows 3.11,
95, 98 and ME) have essentially no security, and no way of making them secure.
If you are running one of these older versions, it is recommended that you upgrade
to, at the very least, Windows XP Home (XP Professional is preferable). Vista is still relatively new and has not yet acquired as large a user base. Most newly-purchased Windows systems now come with Vista pre-installed, however.
1. Keep your original Windows CD-ROM media in a safe, secure place, and make
regular backups of your personal data.
If your Windows system becomes inoperable due to a hardware crash, or if an
intruder has gained unauthorized access to your system via a trojan, back door,
virus or other malicious software, your only method of recovery will be to reformat
your hard drive (or a new one if necessary) and reinstall Windows from the original
CD-ROM media. Even if your system came with Windows pre-installed, at least
one CD-ROM with the system software should have been included. If you have lost
the CD-ROM, or it has become damaged and unusable, your only recourse will be
to purchase a new copy of Windows.
You will also need to have a recent backup of your personal data to restore.
Most Windows applications will save to your My Documents folder by default,
so at the very least you should be in the habit of backing that folder up on
a regular basis. If you do not, you risk losing all your hard work in the event
of a system crash or security compromise.
2. Make sure your Administrator account has a strong password.
The Administrator account is your system's "superuser" account, and
a person logged on to this account will have complete control over the computer.
For anyone attempting to "crack" your system, gaining Administrator privileges
or equivalent is the ultimate goal, and having a weak password (or no password
at all) on this account is an open invitation to having your computer compromised.
This is of special concern with systems running Windows 2000, because unlike
Windows XP, Windows 2000 will allow installation of the operating system to
be completed without assigning a password to the Administrator account, which
creates an open door into the system.
Make sure you choose a strong password for the account. Penn's basic suggested
rules for choosing passwords are:
- Choose one that is at least 6 characters long, but fewer than 16. Longer
is generally better, though, and 8 characters is often suggested.
- The password should be a mixture of UPPERCASE (A-Z), lowercase (a-z), numeric
(0-9) and special (e.g., @$&*, etc.) characters.
- The password should not be based on common dictionary words or phrases.
Even substituting digits for words can be insufficient to keep the password
from falling prey to a "dictionary" cracking attack. For example, "time2go"
would be easily cracked.
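The rules above can be applied mechanically. The following checker is an added example, not part of the original page: it reports which rule a password breaks, and its dictionary test undoes digit-for-word substitutions before splitting the password into words, which is why "time2go" fails. The word list and substitution table are small constructed samples; a real check would load a full dictionary.

```python
from functools import lru_cache

# Constructed sample word list (assumption); a real check loads a full dictionary.
WORDS = {"time", "to", "two", "too", "go", "pass", "word",
         "for", "four", "one", "ate", "let", "me", "in"}
# Every prefix of every word, used to abandon dead-end spellings early.
PREFIXES = {w[:i] for w in WORDS for i in range(len(w) + 1)}
# Digits typed in place of a word or a look-alike letter (assumed mapping).
SUBS = {"0": ["o"], "1": ["one", "l", "i"], "2": ["to", "two", "too"],
        "3": ["e"], "4": ["for", "four", "a"], "5": ["s"], "8": ["ate"]}


def is_dictionary_based(password):
    """True if the password is nothing but dictionary words once case,
    special characters and digit substitutions are undone."""
    chars = [c for c in password.lower() if c.isalnum()]

    @lru_cache(maxsize=None)
    def walk(i, partial):
        # partial is the unfinished word being spelled out so far.
        if i == len(chars):
            return partial == ""
        for piece in SUBS.get(chars[i], [chars[i]]):
            cand = partial + piece
            if cand in WORDS and walk(i + 1, ""):
                return True   # a word ends here, start the next one
            if cand in PREFIXES and walk(i + 1, cand):
                return True   # keep extending the current word
        return False

    return bool(chars) and walk(0, "")


def check_password(password):
    """Return the list of rules from the page that the password breaks."""
    problems = []
    if not 6 <= len(password) < 16:   # at least 6, fewer than 16
        problems.append("length")
    classes = {"uppercase": str.isupper, "lowercase": str.islower,
               "digit": str.isdigit, "special": lambda c: not c.isalnum()}
    for name, test in classes.items():
        if not any(test(c) for c in password):
            problems.append("no " + name)
    if is_dictionary_based(password):
        problems.append("dictionary")
    return problems
```

Note that "Time2Go!" satisfies the length and character-mix rules and is still flagged, because the dictionary rule is independent of the other two.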
Windows XP also permits use of "passphrases", which are essentially the same thing as passwords, but can be much longer and can include spaces and punctuation. Though they take a few more seconds to type in, passphrases tend to be exponentially more secure than passwords, especially if you mix upper/lower case, digits and special characters as recommended with passwords. Many people also find that passphrases are actually easier to remember than passwords.
For more suggestions on choosing passwords, see http://www.upenn.edu/computing/e-mail/pswd_guide.html
To set or reset the password on your Administrator account, you will need to
be logged in as the Administrator, or from an account that has been given Administrator
privileges (make sure this account also has a strong password!):
- Click on the Start button on the Task Bar
- Click on Control Panel in the right Start Menu column
- Double-click on the Administrative Tools icon
- Double-click on the Computer Management icon
- In the tree at left, double-click on Local Users and Groups, then
under that, double-click on Users
- Locate the Administrator account in the pane on the right, and click
on it with the right mouse button
- Choose Set Password from the Right-Button Menu, and confirm that
you want to change the password
- Enter the new password twice, and click OK to finish
3. Disable the Guest account
On installation, Windows sets up a permanent account called "Guest",
which cannot be deleted (although the name can be changed, which some security
experts recommend). This account is of little real use, though, so it is a generally
recommended security practice to disable access to it. Here's how:
- Click on the Start button on the Task Bar
- Click on Control Panel in the right Start Menu column
- Double-click on the Administrative Tools icon
- Double-click on the Computer Management icon
- In the tree at left, double-click on Local Users and Groups, then
under that, double-click on Users
- Locate the Guest account in the pane on the right, and click on it
with the right mouse button
- Choose Properties from the Right-Button Menu, then click the check
box that says "Account is Disabled"
- Click OK to confirm your choice
4. Install and use anti-virus software
Among the most common ways for security problems to enter your computer is
by way of viruses, usually propagated via e-mail. To protect against this, it
is vitally important not only to have anti-virus software installed and operating
on your system, but also to keep its virus signature files updated on a regular
basis, weekly at the very least. Most makers of anti-virus software have mechanisms
that will allow you to update easily over the web.
Penn has a site license for Symantec Anti-Virus, and it is available to
most Penn users at no charge by either obtaining a PennConnect CD from
the Computing Resource Center,
or via download from http://www.upenn.edu/computing/product/
(PennKey authentication required).
5. Install and use a personal firewall
When properly installed and configured, a personal firewall program can make
your system nearly invisible to people who probe and scan the Internet, searching
for unprotected or poorly protected systems, yet still allow you to do normal
things like surf the web, read e-mail, etc. There are a number of personal
firewalls available for Windows machines, and some are even free for personal,
non-business use. And, Windows XP (but not 2000) comes with a built-in firewall
that has many (but not all) of the capabilities of commercial versions.
Though the default configuration settings are usually adequate and functional,
firewall configuration can be tricky, so this is something that you should ask
your local support provider for help with, but using a personal firewall can
provide much valuable protection against attacks.
6. Utilize Microsoft's Windows Update service regularly to keep current with
patches and service packs.
When security vulnerabilities in the various versions of Microsoft Windows
operating system software are discovered, Microsoft develops "patches" to fix
the problems and distributes them via a free, web-based service. At various
intervals, they will combine the patches into a "service pack" designed to bring
a system up to current security level in one fell swoop. The ability to access,
download and install these system updates is included with Windows 2000, XP and Vista as part of the Windows Update service, which can be set to run manually,
automatically, or interactively.
It is strongly recommended that any computer system, regardless of which operating
system is in use, be continually maintained with the most recent security and
system patches for maximum security. The Windows Update service can usually
be found on the Start menu, in the top section of the left-hand column.
Clicking on its icon will take you to Microsoft's Update website (www.windowsupdate.com), which will
scan your system to see which updates are required and/or recommended. The website
will provide instructions on downloading and installing. In many cases, final
installation will require rebooting the system. To set your system for automatic
updates:
- Click on the Start button on the Task Bar
- Click on Control Panel in the right Start Menu column
- Double-click on the System icon to get the System Properties
box
- Select the Automatic Updates tab
- Click the check box for "Keep my computer up to date..."
- In the Settings box, choose the option that suits you best
- Click OK and close the System Properties box to finish
7. Unless you really want to share your files with other people across the
Internet, disable file sharing on all hard drives on your system.
Windows makes it easy for you to set up file sharing, so that other users can
access your files over the network. However, if you're not careful in setting
this up, you may find that you've granted full access to parts of your system
that you didn't intend, and that may contain sensitive personal information
(correspondence, account numbers, etc.) that an unauthorized person may use
to commit identity theft. Or conversely, an unauthorized person might use your
system to store illegal or offensive files, or simply take up your drive space for free.
In general, if you don't really need or want to share your system with other
people, it's best to turn off file sharing entirely. The ways of doing this
will vary slightly between Windows 2000, Windows XP and Vista, and you may want to
ask your local support provider for help, but you can start by:
- Click on the Start button on the Task Bar
- Click on My Computer in the right-hand column
- For each of your hard drives shown (if you have more than one), use the
right mouse button to open the Sharing and Security box in the Properties
menu
- If you need file sharing, set the options as securely as possible, including
passwords. Otherwise, make sure file sharing is turned off.
In recent years a number of very popular Windows-based Peer-to-Peer ("P2P") filesharing applications have appeared that can be downloaded at little or no cost and installed to turn a personal desktop or laptop computer into a "file-swapping" server that can be accessed by anyone on the Internet. The most popular use of these P2P applications, by far, is to download and exchange music and other media files, and these files are often copyrighted material that has been illegally duplicated and distributed.
Making copyrighted material illegally available over PennNet violates the Digital Millennium Copyright Act and is also a violation of Penn's Acceptable Use Policy. Penn students, faculty and staff found to be infringing on copyrights may find themselves open to legal action by copyright holders as well as disciplinary action by the University.
Copyright infringement issues aside, though, there are a number of other dangers to using P2P filesharing applications:
- As with native Windows filesharing, if you incorrectly configure a P2P application, you may discover - too late - that you have granted access to much more of your computer than you intended
- Many P2P applications have been found to be notorious sources of "spyware", software that is installed on your computer - usually without your knowledge - that can track websites you visit, files you upload/download, even keystrokes (including passwords) that you type in. In many cases, these "spyware" programs also change settings in the Windows Registry (a critical part of your Windows operating system) and generally tend to make your system run slower.
- Many of these P2P applications, in order that you can obtain and install them "for free", will turn your computer into a source of annoying "pop-up" ads for every person who connects to your machine. In many cases, if you read closely the End User License Agreement, or EULA (those pages of legalese you're presented with and required to click "I Agree" before the installation is completed), you'll find that not only did you technically agree to let them do this, but pretty much anything else they want to do on your computer.
- In general, installing and using P2P applications provides a path for intruders to circumvent or pass through your personal firewall (see #5, above)
8. Make sure the file system on your hard drive(s) is using NTFS
The original file system used by Windows runs on what is called File Allocation
Tables (FAT), which has no capability to assign group and user permissions to
files and directories on an individual basis. Beginning with Windows NT, Microsoft
began using a much more secure file system called, naturally enough, NT File
System, or NTFS, which also allows for compression and encryption of files.
With the later development and release of Windows 2000 and XP, NTFS has continued
to be the recommended file system. In virtually all pre-configured Windows 2000, XP or Vista systems that are shipped these days, the hard drives are configured with
NTFS by default, or during the final installation the user will be offered the
option of NTFS or FAT. Of course, NTFS is the choice - there is no longer any
good reason to use FAT.
To check on the file system each of your hard drives is using:
- Click on the Start button on the Task Bar
- Click on My Computer in the right-hand column
- For each of your hard drives shown (if you have more than one), use the
right mouse button to open the Properties menu
- Under the General tab, look for the line that says "File System:".
If it says "NTFS" after that, you're OK. If it says "FAT",
both 2000 and XP allow for conversion from FAT to NTFS. Though this is not
a difficult operation, you may want to consult with your local support provider
before doing this.
(Note: In the General tab, there is a checkbox marked "Compress drive to
save disk space". If this drive is your main system drive, i.e., your C: drive,
it is not recommended that you compress the whole drive. This can cause problems
with your Windows system software, which resides in a directory on this drive.
You can compress individual folders and files in other places on the drive,
but do not do so in your system directory - usually C:\Windows or C:\WinNT)
9. Use a password-protected screensaver to lock your computer and prevent
physical access when you're away from it...
...even if you're only away for a few moments. Unauthorized and unprotected
physical access is a primary avenue for malicious software (trojans, back doors,
spyware, keystroke grabbers, etc.) to be introduced from a floppy disk, USB "jump drive" or CD-ROM.
Given enough time, an intruder can also reboot your system to a different operating
system (using a floppy or CD) that can bypass file protections, even if you're using
NTFS.
To set up your password-protected screensaver:
- Click on the Start button on the Task Bar
- Click on Control Panel in the right Start Menu column
- Double-click on Display to open the Display Properties box
- Under the Screen Saver tab, choose the screensaver you like best,
select the delay (in minutes) before it starts automatically, and check the
box that says "On Resume, password protect".
- Click OK to save and exit.
Once you have set this, the screen saver you chose will become active automatically
after the delay selected if no keys are pressed, or the mouse is not moved.
You can also activate it manually by pressing "(Control)+(Alt)+(Delete)"
and choosing "Lock Computer". Or, if your keyboard has a "Windows Logo" key, simply press it and "L" at the same time. Once activated, only the account password
of the user who activated it or an Administrator can unlock it.
10. Turn off "auto complete" for information entered on web forms, and never
use the "Remember my password" option.
Most web browsers, like Internet Explorer, Netscape, Mozilla Firefox and Opera, have an "auto
complete" feature that will "remember" previous responses on web input forms.
Often, this information includes personal data like name, address, Social Security
Number, and even account passwords. The browser stores the information on your
hard drive in files that could potentially be available to intruders who could
possibly use it to commit identity theft. Likewise, web sites that offer to
"remember" your password usually do this by storing it in a small file on your
drive that could be compromised.
Passwords are most secure when they are stored in just one place - in your
head.
The procedure to turn off "auto complete" will differ from browser to browser,
but for current versions of Internet Explorer it can be done through the Control
Panel:
- Click on the Start button on the Task Bar
- Click on Control Panel in the right Start Menu column
- Double-click on Internet Options
- Click on the Content tab
- In the "Personal Information" section at bottom, click on
the AutoComplete button
- Make sure the boxes next to "Forms" and "User names
and passwords on forms" are not checked. (It is generally OK to allow
auto-completion for typing web addresses)
- Click OK to save and exit.
Last updated: Friday, July 13, 2007