Slashdot Mirror
Stop Christmas-Gift PCs From Feeding Worms
An Anonymous Reader writes "If you recently set up a new PC with Windows XP,
or if you had the pleasure to do a 'reinstall from scratch,' you probably found that many XP systems as they are shipped today are not patched against common issues like Blaster. Given that these worms are still going strong, it doesn't take long for a new system to be infected. In particular, if you have to connect it to the Internet to download all the patches.
Well, help is in sight. The SANS Institute released a paper entitled Windows XP: Surviving the First Day." (Read on below.) Update: 12/24 17:59 GMT by T : Thanks for reader Bill Curnow for the updated link. Update: 12/24 19:15 GMT by T : Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.
"With many screen shots, it will walk you through the procedure to enable the XP firewall and downloading the patches without getting infected while doing so. This could be the (free) stocking stuffer that may save Christmas for your folks ;-). Given that its probably to late now to start downloading your favorite Linux distro."
But if you do have the time and bandwidth, and you're stuck on Windows, a nice live-CD distro like Knoppix or Mepis means you can download patches without racing the worms, and install your patches while offline. (And if you have time to download 50MB, you have time to grab Damn Small Linux.)
Check those links, people.
Click Start > Network and Dial up connections
Right click on your internet connection, choose "Properties"
Click "Advanced"
Click the box to turn on the firewall
Voila. You are safe from Blaster.
As an added precaution, deselect "Client for Microsoft Networks" from all interfaces except any you really need it on.
Try this instead.
http://www.sans.org/rr/papers/index.php?id=1298
There's been a lot of "Slashdot posts ever anti-Windows article that exists", but this article debunks that.
I usually recommend a hardware firewall, in particular the little blue Linksys firewalls. Home users can hook up their ADSL connection, plug in the firewall, and then their PC. Then as long as they don't download email until their system is patched and anti-virus is updated, they're relatively safe from most malware.
This year I've also begun recommending anti-spyware as well. It's amazing how ubiquitous that stuff's become over the past year.
Ruby on Rails Screencast
I figure if you're reading this on slashdot you don't need screenshots to find your way around a monitor...
Obviously, this should be done before you plug the machine into any kind of internet connection.
-Go to Start and then Control Panel.
-Once in Control Panel, choose Network Connections
-Right click on your connection of choice (if there's more than one, do it for all of them) and choose Properties.
-Go to the advanced tab and check the Firewall check box.
If you want to know more about how to configure it and modify the settings, click the link below that checkbox for directions.
-
Some might argue that WinXP comes with the Best Before date already expired, but there's a lot of CDs for many OSs out there with "open security". (The main problem with standard XP is the stupid requirement to phone home to register before downloading the patches to make it safe to be on the net in the first place.)
One line blog. I hear that they're called Twitters now.
You can slipstream all the patches for XP and install from that.
Its hard and it isn't hard to keep an image up to date. If you're an OEM building systems, you basically build a base install and you then go into a special 'system builder' mode. This enables you to configure the system, load software and set everything up, all without accepting a license agreement or entering user details. If you did that, the copy of windows would be licensed to you, and you only. When its all sorted, you put the PC into its Out Of Box Experience mode. The OOBE is the first thing a new PC will do, which includes the EULA and entering serial numbers and the like. If your image has been entered into the sysprep stage, then its pretty damn hard to coax it back out again. They probably could take an image of it pre-OOBE, but the trouble is, none of these OEMs like to just whack patches on as soon as they come out. If they put on a patch which conflicts with something and they've not tested it, they could be in for a lot of trouble. Its a liability thing on their part mainly. Maybe a better option would be enabling the firewall and the like. I know the OEM we buy PCs from at work are funny about patches and things. We had to ask if upgrading the BIOS on some Intel boards to the latest would bugger up warranties and the like. Thankfully they agreed. It is a catch-22, but it saves headaches for OEMs in some respects, but creates them in others.
It took me five tries to get the PDF, so here is a mirror if anyone needs it.
xpsurvivalguide.pdf
No kidding, I just setup some computers for my brothers who just started college. I got a windows messenger (not the IM one) popup before I even had a chance to click on the windows update icon. That was 30 seconds after I logged in, at most 3 minutes since I turned the thing on.
Once I got the patches, virus protector, and ad-aware installed, everything was fine, but still, there was a reason I wanted to do a clean install.
When installing any operating system, you need to be protected before you open your machine to the depravatoins of the internet.
Although Windows users incur a higher risk due to the ubiquity of the product. all operating systems are vulnerable to oen degree or another.
Personally, I am unable to install Windows and download the updates without being infected with at least one virus. When I need to install Windows, the first thing I do is to disconnect the machine from the internet. After the install, I set up my internet connection, enable the Windows firewall, and reboot. Then I download the minimim number of updates needed to install the current version of the Norton antivirus/firewall product. Then I disable the Windows firewall and install Norton.
The first widespread Linux virus will do damage to the OS' reputation beyond any reasomable limits. Consumer Linux distributions should disable all servers and activate a simple firewall by default. Give the user the option to turn it , not on.
-- Slashdot: When Public Access TV Says "No"
There needs to be a new moderation added. Call it "Tired" as in this joke is old and isn't really that funny. Kind of like how the French always surrender and that Bush is a moron.
(Not agreeing or disagreeing with the comments including the fact that MS has always been security unconscious but that the jokes are no longer funny)
Plus setting any unpatched box Windows or Linux on the Internet with no Firewall in between is stupid
I'm glad to hear that the user on linux.com is happy with her copy of Mandrake, but I can't help but think that a Mac would be much, much better so long as a given person can afford it (remember, you don't need a dual G5, just an eMac or iBook).
The reason would be the support network for when you do need support. Not everyone is or can afford to drop by, and saying "go check Ars Technica" isn't really helpful. IF they ever need professional support, it would be better to have actual phone and store support for the product.
Not to mention that you can actually expect to find common peripherals which will work out of the box, or at least have company-supported drivers that you can install.
Not everyone can justify the cost when you can get a new Linux box for half the price, but I wouldn't want someone spending extra on tech support (or downtime) just to save some money on the initial purchase.
you won't get any spyware or data-mining cookies sneaked onto your computer
What, you're saying that not a single Linux web browser supports cookies? A "data-mining" cookie is just a cookie to track you as you browse the web - one set by an advertising site such as doubleclick. They work just as well whatever OS you're running.
6. Use your new shiny computer as you're pleased
Well, y'see, it pleases me to run games like Dungeon Siege, Postal 2, Warcraft 3, and a whole host of others that don't have native Linux versions (don't mention Wine, please). It also pleases me to write code in C# (again, forget mono, it's not nearly there yet). Until Linux provides me the means to do these things, it'll always be my secondary OS, Windows will be my primary, and "advice" to secure my PC by wiping Windows and installing Linux will be treated with the contempt that it deserves.
However, none of those bugs/holes will expose your PC to worms such as Blaster
You are of course aware that the first internet-borne worm utilised a buffer overflow in sendmail to infect computers? Don't go getting over-confident - true, I can't think of any Linux-targetting worms at the moment, but it's been done before, and it will be done again.
It's official. Most of you are morons.
Microsoft does have patch CDs.
In North America, Office Service Packs can be obtained free of charge on CD-ROM. Order Office Service Packs on CD-ROM
They also have a free CD as part of the Security Resouce Kit (the technet website, not the book). http://microsoft.order-4.com/securitykit
I have a webpage with more home broadband security information.
is called "TCP/IP port filtering". I have encountered this experience personally, on my dorm network. When I reinstalled WinXP, I didn't even have time to download SP1 before a virus made its way onto my computer and the IS dept shut off my port. However, I've found that if I leave my network cord unpliugged (card disabled, etc) until I have setup my TCP/IP filtering settings to allow only port 80, I can then download the necessary patches, update, and remove the filter. No problems yet!
The power of Christ compiles you.
A Random Blog