Data Security on Windows Machines?
mcskoufis asks: "I am running my own company from home, offering various Internet related services to customers. I have rented a server which runs Linux and there are no current security or performance problems. However, because I cannot afford to have a business site with several geeks investigating into network security, I have some sensitive data on my Windows box at home which need to be safe from malicious marketers/kiddies having fun/etc.
More and more marketing companies are working on very dirty tricks to gather email addresses and also turn windows (mainly) machines into mass mailing servers without the owners' knowledge.
With the latest worm attacks and also the sophistication of them, I feel even more and more vulnerable each day. Bearing in mind the fact that it is impossible to switch to Linux at home for a number of reasons and also that because of the business I need to be online 24/7/365, what does the Slashdot community suggest as the best way to have a secure environment for my data while using Windows? Anti-virus software has proven to be not enough and firewalls create problems while performing daily business tasks on the server from home."
Now I don't really know how much this would help, so please correct me if I'm wrong, but maybe it'd be helpful to work in a normal user account. Most people that I know in the windows world just log in as administrator for daily work, but that seems kind of like working as root in Linux. Now, I understand that user security isn't as strong in Windows, but I wonder if you could lock it down enough that programs wouldn't install without your knowledge.
Besides that, good virus software (we've got McAfee at work and are happy with it), using the firewall capabilities of XP (if you have it), and not using Outlook (if you can) would be good ideas. If you're really paranoid, and know how to configure it well, a Cisco PIX box may add a little more security too.
About your issues with firewalls disrupting daily activities on your server, you should look into VPNs. PPTP is very simple to set up, but has problems with man in the middle attacks. IPSec can be a pain to get working with windows, but it is possible. SSL tunnels probably would be the best way to go, and they're not too hard to set up.
http://windowsupdate.microsoft.com It doesn't make your data 100% secure, but it is the bottom line action you must take. By the way, it is a good idea to disable any services that you don't need.
and security is increased with Windows...
firewalls create problems while performing daily business tasks
AFAIK, there's no way around sacrificing convenience for security (or the other way).
If you really need some of that "convenient" business network traffic, you can try to set up a VPN so your Windows box remains behind a secure firewall.
"Provided by the management for your protection."
"firewalls create problems while performing daily business tasks on the server from home"
Depending on your level of knowledge and the type of traffic you're sending to-from work, any linux based solution should be able to facilitate your needs. Mind you, more complex problems may require more complex solutions.
Bye!
Buy a cheap computer that is strictly for business. Don't let your wife or kids on it and don't install games or surf for pron on it.
I'd also suggest buying a smart card reader and storing all of your private keys on the card.
Conformity is the jailer of freedom and enemy of growth. -JFK
Keep data on a removable drive of some type. Don't send documents via email. Your machine may need to be on and connected 24/7 (which I kind of doubt that you couldn't segregate some things but you don't want to and that is fine) but that doesn't mean all your data needs to be available online all the time either. Firewire, USB and even hotswappable ATA/SATA/SCSI drives are pretty darned cheap these days, so use one of them; after all, a hacker can't get to your data or email if it's not there, right?
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
Set up a Windows server. No users, just file service. Don't let anyone use it, don't install more than a bare Windows installation. Set its network protocol to NetBEUI or IPX *only*. Very important *no* TCP/IP. Don't let anyone muck with it.
Set your user machines to both TCP/IP and NetBEUI or IPX, depending on which the server is set for.
Set your firewall to only allow mail, http, https and whatever else might be essential.
No guarantees, but like I said, it's worked for me for years.
"Eve of Destruction", it's not just for old hippies anymore...
Spybot Search and destroy is a great program for ridding yourself of/ preventing the install of spyware. That, combined with a (hardware) firewall and up-to-date antivirus software should do the trick
no?
Viruses aren't the issue: the Microsoft software that came with your machine has all the vulnerabilities the hackers need.
Of course, you haven't told us what's so valuable about your data. Will your business immediately fold if it leaks out? Are you worried about having your customer list stolen? Do you have customer credit card numbers on your machine? Medical data? Bank records of your customers? In most cases dealing with bank/medical customer data there are already federal standards you have to meet.
Could you encrypt the particular files that are sensitive, so that by the time a cracker decrypted them, they were useless? This wouldn't work for a database that was accessed constantly without code editing, but for most applications, it would work well. WinPT was the first application I found, but there must be many of them.
Simon's Rock College
If you really want it to be secure, de-network it. No ethernet, no modem, no wifi. Use another machine for network connectivity and put the data you want to take over (that is known to be clean) on a floppy or cd-r.
Then get some good locks and a security system. Nothing trumps physical security.
-molo
Using your sig line to advertise for friends is lame.
Internet (ADSL) firewalled by a FreeBSD server. Linux could do the same job. I also have spamassassin+amavis+clamav scanning my mail, and I keep all my files on a samba share, which is backed up to another server via a cron job.
The only two windows machines on my network are actually my kids games machines (Windows, because there's very little good educational software for Linux yet!)
I've replaced Outlook and Internet Explorer with FireFox and ThunderBird. I've also got open-office installed. Original files, drivers, and games CD's are all on the Samba server. Anything they type up or scan in gets saved on the Samba server. If anything weird happens to the Windows boxes, I simply nuke-and-pave.
I haven't had any problems with Viruses or anything yet, but the kids don't tend to download stuff or share their email addresses too widely.
Here's what I do to keep my wife's Windows laptop (with sensitive film production information on it) from being hijacked:
1. Up-to-date anti-virus and zonealarm firewall on the laptop;
2. Mozilla and Thunderbird for web browsing and email;
3. A Mitel SME (formerly e-smith) Linux box between the laptop and the internet -- the firewall is very unobtrusive, but effective -- and the distro itself is low-maintenance;
4. No wireless;
5. Important but not commonly updated information backed up on CD-R and removed from the machine (you can't get information off the machine if it isn't there).
Oh ye of little faith...
Switch now before it's too late
http://www.newsforge.com/business/03/08/13/1258
Why not set up a really secure firewall? Say a PF OpenBSD one. Disable ssh and everything else you can live without if the machine is at your house. I don't see how that could interfere with any business needs?
Of course a firewall like that will not protect you from your own stupidity (if that is a factor, ie opening emailed viruses etc) or certain windows flaws, but as far as a firewall can go in security enhancement, you can't go wrong with a properly set up PF wall.
Firewalls don't create problems... they solve them. You need to have a firewall if you're connected to the Internet. Period. Whatever problem you're having simply needs to be solved. Cars don't technically need locks... they can "create problems" if you lock your keys in the car. But would you buy a car without locks?
As far as anti-virus: keep your machines patched and don't open spam. In concert with a firewall, you should be fine.
Firewall, NTFS with encryption, and a large hand gun.
You have a lot of open ended questions. But I'll take a shot. Your machine needs to be on 24/7 but does your sensitive data? If you only need that data when you are on the machine, spend 100 bucks and get a removable hard drive. As far as firewalls go, are you doing any tuning? If the defaults are too restrictive change them, having only one port firewalled is better than having none. As far as worms go, try and avoid the programs that help them propagate, namely outlook and IE, I use webmail and surprise surprise, I've never had a worm/virus hit my machine. Use mozilla. You can't switch to linux, can you switch to a Mac? Need more info next time.
-G
"Immolation is the sincerest form of flattery."
Windows (well, at least since NT SP6a and assuming you are running NTFS) has better user rights management than Linux. With Linux, you only have 3 possible rights to a file or directory (read, write, execute). You also only have three places to apply these rights (owner, group, world). Windows has astronomically more options, and more flexible - and granular - user rights.
The fact that most admins are clueless morons does nothing to take away from the relative strength of the windows os over the unix os. It is easily possible to make a Windows box extremely hardened. Does the system account (or any user other than admin) need write access to %SYSTEM%? Or anything besides temp and log directories? No? Well then.
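The question the comment above asks (who besides admin can write to the system directory) can be checked by reading the folder ACLs. The following is an added example, not part of the original comment; it assumes the comment's %SYSTEM% means %SystemRoot% and its System32 subfolder, and the function name and the default list of expected SIDs are choices made for this example.

```powershell
# Added example: list "allow" ACL entries that grant write-type rights on the
# Windows directory to principals outside an expected set. Read-only.
function Find-UnexpectedWriteAccess {
    param(
        # Assumption: %SYSTEM% in the comment is read as these two folders.
        [string[]]$Path = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32')),
        # Well-known SIDs, so the check does not depend on localized names.
        # Remove S-1-5-18 to apply the comment's stricter "not even SYSTEM" test.
        [string[]]$ExpectedSid = @(
            'S-1-5-32-544',  # BUILTIN\Administrators
            'S-1-5-18',      # NT AUTHORITY\SYSTEM
            'S-1-3-0',       # CREATOR OWNER (placeholder for whoever creates a child)
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
        )
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    # Only bits that change content or permissions. Modify and FullControl are
    # not used as masks because they also contain read bits.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # System folders often carry raw generic rights that the enum cannot name:
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $genericMask = 0x50000000
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        # Ask for SIDs directly: explicit and inherited entries.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $rights = [int]$ace.FileSystemRights
            if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }

            $sid = $ace.IdentityReference.Value
            if ($ExpectedSid -contains $sid) { continue }

            # Resolve a display name when possible; orphaned SIDs do not resolve.
            try   { $name = $ace.IdentityReference.Translate($ntType).Value }
            catch { $name = '(unresolved)' }

            [pscustomobject]@{
                Path        = $p
                Account     = $name
                Sid         = $sid
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                # True when the entry applies to children only, not the folder itself
                InheritOnly = (([int]$ace.PropagationFlags) -band $inheritOnly) -ne 0
            }
        }
    }
}

# No output means no write-capable entry outside the expected set.
Find-UnexpectedWriteAccess | Format-Table -AutoSize
```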
"Bearing in mind the fact that it is impossible to switch to Linux at home for a number of reasons and also that because of the business I need to be online 24/7/365 what the Slashdot community suggest"
So you need Windows. Which is ok -- put Linux on another box, and secure it. I just bought a Compaq with 128MB of memory, 20GB or so hard drive, 400MHz processor for 100$ CDN (80$ US or so). Used.
Something like that would make a good firewall for you.
Alternately, home routers also have reasonable firewalling. My SMC Barricade (gasp, yes, I know that a REAL geek wouldn't use one) offers the ability to drop in-bound traffic, and only allow certain ports through. This can provide you 80% of what you need (it does for me). Staying on top of patches can bring you the rest of the way. Just don't enable the "DMZ" feature!
As you mentioned, you have external hosting -- which means that you don't have to allow incoming HTTP, or SMTP. If you don't need to administer externally (and since you use Windows, you *probably* don't), you don't need port 22. So, close off ALL inbound connections. Just leaves you with FTP as an issue -- some router boxes will accommodate, or you can learn to love the PASV command (and, AFAIK, MS browser FTP does that automagically).
If you AREN'T using a small home router, GET ONE. They are even cheaper (I have seen brand new units selling here for $20 CDN, approx. $15 US).
Don't forget a good backup plan, just in case you get rooted (or other disaster strikes).
Still, buying a cheap box or two is reasonable. One for a "real" firewall, and another for SAMBA, and other internal services (DNS).
Ratboy
Just another "Cubible(sic) Joe"
Personally, I have an old P3-500 box running Mandrake 9.2 (only 'cos that's the distro I'm familiar with) that's hooked up to my ADSL connection.
Firewall services are provided by Shorewall, and I use a combination of fetchmail, qmail, qmail-scanner, spamassassin, clamav, maildrop and courier-imap to clean my incoming mail.
On my Windows XP boxes, I use Norton AntiVirus 2004, and Spybot - Search and Destroy.
All in all, I find this reaches a decent balance between functionality and security, and I've never had a single instance of an intrusion into my home network.
Life is like a sewer; what you get out of it depends on what you put into it...
A few things:
1. Add a firewall if you don't have one. IPCop on an old Pentium will work (and be less hassle hardware-wise than the 386 or 486 it could also run on), which you can probably get for free by asking around.
2. Encrypt the data on your hard-drive. DriveCrypt looks pretty good for that and can encrypt the entire drive as well as specific directories.
3. PGP/GPG-sign your email. Thunderbird does this with a simple plugin (takes about 15 minutes to set up). The commercial PGP works with Outlook if that's what you use and won't change.
4. Get rid of Outlook and Outlook Express. These two email programs are major security holes. There is little that Thunderbird can't do for email, and for scheduling use something like the old Lotus Approach or Microsoft Schedule+.
5. Use DVD-RAM for data backups to give you the reliability you need when you have to cover your back.
Damien
I would recommend to simply
-use a non-administrator account on the PC for regular work
-maintain Windows updates
-use strong passwords
-turn off all unnecessary services
-configure only required networking
-don't leave access "holes" like telnet, FTP, VNC, Remote Desktop, etc.
-don't use dynamic IP services
-don't put the PC in a DMZ
-don't use the work PC for ANYTHING other than work-related stuff
-maintain firewalls as needed either through a router, ZoneAlarm, or both
Continually be vigilant and aware of things--don't become complacent. Proactive measures are always better than having to be reactive.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
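Several items in the list above (non-administrator account, unnecessary services, access "holes", firewall) can be checked from a prompt. The following is an added example, not part of the original comment; it assumes a current Windows release with Windows PowerShell 5.1 or later, and the function name and the default port numbers for the listed services are assumptions of this example.

```powershell
# Added example: read-only checks for four items in the list above.
# Nothing on the system is changed.
function Get-WorkstationExposure {
    # Default ports of the services the list names. A service moved to another
    # port is not flagged by number, so every listener is returned as well.
    $riskyPorts = @{ 21 = 'FTP'; 23 = 'telnet'; 3389 = 'Remote Desktop'; 5900 = 'VNC' }

    # "use a non-administrator account"
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # With UAC an administrator's everyday session is not elevated, so also
    # check direct membership of BUILTIN\Administrators (S-1-5-32-544).
    # Membership through a nested group is not detected here.
    $member = $null
    try {
        $member = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            Where-Object { $_.SID.Value -eq $id.User.Value })
    } catch {
        # Enumeration can fail (for example on orphaned SIDs); leave as unknown.
    }

    # "turn off all unnecessary services": what starts automatically and runs now
    $services = Get-CimInstance Win32_Service -Filter "StartMode='Auto' AND State='Running'" |
        Select-Object Name, DisplayName, StartName

    # "don't leave access holes": TCP listeners reachable from other hosts
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        ForEach-Object {
            $port = [int]$_.LocalPort   # cast so the hashtable lookup matches its int keys
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Address = $_.LocalAddress
                Port    = $port
                Process = if ($proc) { $proc.ProcessName } else { $null }
                Flag    = $riskyPorts[$port]   # $null unless it is one of the listed services
            }
        } | Sort-Object Port, Address

    # "maintain firewalls": is each profile on, and does it block inbound by default?
    $firewall = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction

    [pscustomobject]@{
        User                    = $id.Name
        SessionElevated         = $elevated
        DirectAdminGroupMember  = $member
        AutoStartServices       = $services
        Listeners               = $listeners
        FirewallProfiles        = $firewall
    }
}

$report = Get-WorkstationExposure
$report | Select-Object User, SessionElevated, DirectAdminGroupMember
$report.Listeners | Where-Object Flag | Format-Table -AutoSize
$report.FirewallProfiles | Format-Table -AutoSize
```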
OK, now how much are your business data worth if you lose them, both in direct losses and future lost business? How much would it cost to hire a local consultant to come in and work over your systems to lock them down? What is your time worth per hour, and how many hours would it take per year to sort through all of the cr*p you get off of
90% of the time that people go through this calculation they discover that given the potential losses and the amount of time that they would need to do it themselves, it's a lot cheaper to hire someone to take care of this for them.
Or better yet, switch to a different OS that doesn't have so many problems.
--Paul
If you want a secure WindowsXP system, you're going to have to get an expert to do it (or spend the time to learn yourself). There are a lot of steps to take, at a minimum. These are the basic mandatory steps though:
- Good router/firewall at gateway (all ports closed by default, then open what you need and no more)
- Clean WindowsXP install, all updated drivers/patches, ALL unnecessary services turned off, ALL unnecessary startup software turned off, and any unused windows components uninstalled (a good windows install can take a couple days of tweaking, done right)
- Good antivirus software, such as AVG (try not to use the big popular ones)(keep this on a rigorous update schedule)
- Good firewall software, such as kerio (it's important this is GOOD software - otherwise we all saw what can happen)(also use this to block programs - such as windows - from calling home)
- Good email and browser, such as thunderbird and opera. Do NOT under any circumstances use MS software, if even remotely avoidable (this goes for all software on the system).
- Do not install any unnecessary software, such as P2P or IM software, or any untrusted or unknown free software, ever.
- Once the initial install and setup is done for the system, never install anything on it again, unless absolutely required
- Never ever update the system again, or you're asking for it
- make sure there are no other computers on the same local network, unless they are configured similarly and 100% trusted (you can make a network within a network, if you need to)
Like I said though, it really takes an expert to do this properly. Good luck.
..some 'Security through Obscurity'?
When was the last time an OS/2 WARP Server was rooted? When was the last time OS/2 had a virus?
Then again, when was the last time OS/2 WARP Server was available for purchase?
Damn. If only I still had a copy...
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
Anti-virus software has proven to be not enough and firewalls create problems while performing daily business tasks on the server from home.
You seem to have a cheap/free/software-only firewall. Try this Router/Firewall/VPN/File and ftp server. It's basically a linux-based router with an Intel IXP422 processor. Disclosure: I work there, but aside from that, it's a pretty sick little toy.
Unlike most cheap/software-only firewalls, you can configure the firewall on many levels (initial/final/input/output/WAN/LAN/PPPoE), you can specifically block/allow AIM file sharing, Kazaa, Half-Life, smtp, etc. You can even put a box in the DMZ if you really want something naked out there. Plus it can be a File and FTP server by adding a firewire/USB hard drive. The firewall configuration capabilities alone are pretty much only matched in products that cost 2-300 more. VPN access while you're on the road, etc, ok, enough marketing spiel...check out the 'learn how' link on the page linked above. I know folks are lined up to say 'I can do that on my 486 with IPtables and...' but you can pretty much set all this up in half an hour.
You can find it $220 or so, and while that seems high compared to 'old 486' option, personally, the time it saved me was worth it. I know a fair bit about linux, but it would have burned up a bunch of my time to get all that working.
I worked for a graphics design lab (they thought they were a "branding" firm) for some time, and try as I might, they could not be convinced to purchase a firewall - as it was stuck in limbo as part of buying a new system/moving locations....
What I ended up doing was simply keeping the sensitive documents etc. on a zip disk that I kept ejected except when I was modifying a list or looking up something. The rest of the time it was ejected. Granted, you would probably want some encryption on it as well, to further protect yourself but really physically separating your data from your computer should be paramount.
I would like to echo getting decent anti-virus, running windows update, using some sort of firewall, run with less privileged accounts, etc.... all good practices as well.
My first advice is to sacrifice an old PC to a real standalone OpenBSD or Linux firewall.
If that's not possible, go to CompUSA and plunk down $50 for an internet connection-sharing NAT box. (LinkSys, NetGear, etc. usually call them modem-sharing/gateway/routers [*SHUDDER*]) If you aren't willing to invest in building and maintaining a real rule-based standalone firewall on a PC using Linux or OpenBSD, this is probably the next best thing and you can't beat the price. IT IS NOT TOTAL SECURITY - you still have to deal with internal threats (ActiveX, spyware, viruses, etc.) Be aware that the models that are based on Linux kernels may actually be hackable to serve a terminal prompt (though I don't think it's been done) but the NAT/masquerading it provides will block incoming connections and hide your internals, and for most home/so users with Cable/DSL/Wireless connections, a NAT box plus Spybot S&D and Avast AntiVirus should be sufficient.
If that's too risky, do what GNU does - keep the real (sensitive) data offline on an unnetworked box.
"Lawyers are for sucks."
- Doug McKenzie
"I need to be online 24/7/365"
;-)
Wouldn't running windows defeat the purpose?
I'm going to assume that the Windows system at home is some kind of workstation, in addition to being a data repository of some kind, and that based on your comments, you need secure, remote access to this system. I'm also assuming that you want to maintain the confidentiality, integrity, and availability of your data.
Some of my suggestions are processes. Some of them are specific technologies or products. In order of increasing complexity (and ridiculousness), do the following:
- Regularly back up your data and store the copies off-site. CD-R is cheap and readily available. Safety deposit boxes are easy to lease.
- Don't use wireless networking.
- Install a hardware firewall capable of acting as a VPN server, e.g. the Watchguard Firebox SOHO 6tc. Set it up "default deny" for traffic inbound from the Internet.
- Enable automatic critical operating system updates. If you don't trust your vendor
- Install a modern anti-virus package and schedule automatic daily updates and nightly scans.
- Install a modern anti-spyware package and schedule automatic daily updates and nightly scans.
- Set a schedule to check for updates to the software packages you regularly use, e.g. Office.
- Restrict access to web sites, e.g. by using IE's security zones feature, a JunkBuster proxy, certain firewalls that include popup blockers, etc.
- Encrypt sensitive data, e.g. with PGP, with Windows EFS; store the escrowed recovery keys on separate media in a sealed (frangible) envelope in your safety deposit box.
- Enable VPN access.
- Configure and use a one-time password system for all authentication to this system, e.g. RSA SecurID, S/Key.
- Locate the system in an EM-shielded enclosure. Light is also a form of EM.
- Install a small thermite bomb inside the computer case that will slag the hard drive if someone physically tampers with the system. The old electromagnet-in-the-door trick won't work reliably.
- Cut the power cord off the computer. Bury the computer under six feet of concrete.
OK, so maybe those last few suggestions aren't entirely practical...
I'm proud of my Northern Tibetian Heritage
With the latest worm attacks and also the sophistication of them, I feel even more and more vulnerable each day.
..and you'll be absolutely fine.
Scared? Feel the terror! FUD that Linux users spread about Windows is mostly just that if you use just a little bit of common sense.
* Get a hardware NAT router / firewall (simpler and less complicated to make a bulletproof install than a dedicated box - although don't forget to disable remote administration and set a new admin password)
* keep an eye on network traffic (is the data light on the router blinking when you're not transferring any data? you have a potential problem)
* don't install any software you don't need
* run Ad-Aware occasionally
* run Norton Antivirus occasionally
* use something other than Outlook and Explorer (Mozilla for example)
* keep your system up to date (run Windows Update once a week or so)
You are a bit vague about what you are doing, so we have to guess a little. Here is one approach:
1. Run your Linux server as you do, it seems to work.
2. Take your MS Windows offline. No network connection at all.
Do whatever you want on that computer. If it is incommunicado you are safe from long distance interlopers.
Ah, but now you are going to say you do need to get some data across between the two. Okay:
3. Get another computer, put Linux on it, set it next to your Windows box. Keep it secure*. When you need to transfer data, be careful about what you transfer, and use removable media (maybe a USB flash dongle). The Linux box can then transfer to and from the outside world.
Next I suppose you are going to say that you have to do e-mail on the MS Windows box. To that I ask: Why?
* How to secure a Linux box? Here is a short 5-step recipe:
1. Put a respectable Linux distribution on it, and don't stray from the default install without knowing what you are doing. Default installations are pretty secure these days.
2. Keep your distribution up to date.
3. Turn off services you are not using. If you run an e-mail server on that machine, switch from sendmail to postfix, it has a more secure design.
4. Use good passwords (passwords that have a significant amount of real randomness in them), and do NOT reuse those passwords elsewhere.
5. If you start using the Linux box for regular GUI-based work, be suspicious of fancy, automatic, Windows-like features. That is, worry about macros in Open Office documents, worry about e-mail programs doing anything for you automatically, worry about Javascript (it is different from Java and was not designed with security in mind).
-kb, the Kent who knows exactly one person with a very secure Windows machine: someone who never connects that computer to the internet.
"firewalls create problems while performing daily business tasks on the server from home"
Not a well-configured software one. It's not as safe as a hardware firewall, but it is a heck of a lot safer than running around with your pants down, not knowing when your machine is connecting and what it is sending. It makes it difficult to connect *to* the machine, but your home winbox shouldn't be a remote server anyway.
Grab ZoneAlarm NOW, and put up with a few extra dialog boxes until it is trained.
Furthermore, good Antivirus software will detect many trojans. Get AVG if you have already abandoned your AV of choice.
This must sound like free windows security 101 by now, but get AdAware and / or Spybot, and schedule a regular download / check for once every week.
For encrypting sensitive or old data, you can either use windows built-in encryption (which uses your user password, enable this now if your machine is fast enough) and / or pick up a (non-free) copy of Dekart Private Disk, AKA The Bat! Private Disk, a simple encrypted virtual disk creator. Anything you really don't want people to see should go here... Just remember to shut it down when you're done.
Furthermore, don't use I.E. and don't use Outlook. What many people refer to as "computer" viruses or "windows" exploits are really just I.E. exploits or Outlook viruses. Firebird, I mean, Thun... Firefox is a powerful little internet surfer, which while not as flexible as my beloved Opera (ducks), does render pages faster, is more beginner friendly, and is free. Thunderbird is a good mail replacement, though pegasus mail, Opera's built in e-mail client, and the non-free The Bat! are all good choices. If you want the most security possible, try Secure Bat. At 140 dollars per copy, it isn't cheap, but it does encrypt all of your personal files and utilizes hardware token authentication to ensure that you really are who you say you are.
Finally, don't forget to regularly back up your disks to something not normally connected to the computer. For simplicity's sake, I'd attach an external USB drive and run Polder Backup once a week, removing the drive when done. For a more automated approach, get a PC controllable X10 unit, and have it turn on and off the external USB drive, so that backups can be completely automatic.
The ______ Agenda
"I am running my own company from home, offering various Internet related services to customers."
Oh my do I feel bad for his customers. Hey I want to start a business coding from my house, Can anybody teach me C?
You might want to encrypt it. Windows has EFS built in, which some people recommend. I'm a happy customer of Jetico BestCrypt, which I highly recommend.
Encryption might be helpful against a physical break-in or computer theft. It might also aid against _some_ successful hacking, provided that you do not keep an encrypted volume mounted (thus accessible) when not necessary. This won't help if you've been rooted and keylogged, though.
Dear Slashdot,
I fly a lot in the course of my home business, but I'm too cheap to pay for air tickets, and too lazy to learn to fly a plane. Flying by flapping my arms around is making them really tired and I'm often late for meetings, so business is suffering. I've tried taping thousands of hummingbirds to my body, but they can rarely be persuaded to fly in the same direction at the same time. Since I've systematically ruled out all of the most sensible solutions to my self-created problem, I'm hoping the Slashdot community can bail me out.
Signed,
mcskoufis, MSCE
then just forget about it.
on a more serious note, have the computer behind firewall(or 2, one firewall off the computer). maybe even have the computer behind nat if that's not too much of an extra effort(this all just to make it harder, that windows might have open services by mistake).
don't use outlook, don't use ie. sure you can have proxies for both that would scan for malicious stuff and not let it go through but really would you trust that?
update frequently(maybe with windowsupdate even). however, if you'd prefer not to do that(for whatever reasons) you might want to pull out ie with XPlite(and various other stuff). if you choose not to keep it up-to-date then _please_ have it firewalled to BOTH directions, which is my last advice to securing it. Some local fw that asks you when a new program is making network connections helps a lot.
you want ease of use with blind confidence - recipe for disaster! following what's going on to both directions is the key, there's programs for windows for this but can you trust them since they are running under the same system that might be compromised anyways is another issue(and the time when Nortons utilities actually made your machine faster, not slower, is way past. they do offer kits for what you're wanting though if you should trust just them is another matter.).
I got my windows pc behind NAT and with kerio running and keeping tabs on which programs are accessing the net. there's only few ports(3 - that are seemingly randomly numbered) forwarded from the nat to it(and they're to programs I've chosen to trust to not get exploited, just like I've chosen to trust that mozilla is more secure to be used on potentially hostile sites than Ie is which I'm still keeping for the sake of using windows update).
world was created 5 seconds before this post as it is.
1. Whether you like it or not, firewall and open up what you need, that's both inbound and outbound, do NOT get a linksys router or other silly piece of hardware that believes in the concept of "trusted" interface. Be sure to have it NAT, although never get the impression that NAT is security in itself.
2. Dedicate purpose, do not use one machine to fill multiple roles, instead use different systems for different tasks and run firewalls on each that are configured for just what traffic needs to go in and out on that machine. If you MUST use a machine for multiple roles then take it off the network and transfer data as needed using removable media.
3. You may need windows, but be sure you aren't using it for anything you don't need to, anything that can be done on a secured linux or BSD system should be.
4. Use secure passwords but use passwords you can remember as well, even a shit password is better than a 200 random character password that you end up taping to your monitor. But don't use a shit password either, just come up with a decent scheme, l33t script is good for coming up with secure passwords and change them often (daily or weekly depending on the system).
5. Use both filesystem compression and encryption in windows, for files that need to be more PGP them with a strong passphrase which is also changed often.
6. Files which aren't changed often should be encrypted, moved to removable media and then locked in a safety deposit box. For medium term data that needs to be more readily available consider an offsite encrypted storage drive, make sure you connect to it through an encrypted link and make sure you do NOT keep information for accessing this on pc's or written down anywhere. For absolute emergencies keep a physical handwritten (don't type it or you've already defeated the point) copy of the information you need in a safety deposit box.
7. Make sure all data is eradicated from the pc drives on a regular basis. What I find useful is to have a machine that is dedicated to zeroing drives and keep base images. Having extra drives and hotswap ide bays helps make this convenient. Cycle drives so that in the morning you have a clean set of imaged drives for the pc's.
8. At the end of the day all files which are accessed on a VERY regular basis and aren't suitable for the above should be moved to removable media that is at least locked in a safe.
9. No wireless access, at all, ever.
10. Keep systems and software updated.
11. All email should be handled on systems which are not running windows. Seriously evaluate where email is needed and where it's not, all email should be run through a linux gateway scanner, running something like a combination of amavisd+clamav+postfix(or really most anything but sendmail).
12. Where you do have windows systems make sure they have a/v software on them, and that not all have the same a/v software, I find a combination of PC-cillin and AVG works well, this way if the machines are on the network and one is infected, obviously its a/v software didn't catch the virus, but the other might.
13. If a virus should be detected this should be a red light issue and require all systems on the physically connected network be pulled off the network immediately, all drives be put in a secure offline non-windows systems and scanned, and working files be transferred off and encrypted. The systems in question should be reimaged immediately and only then can the safely scanned data be put back on them and work resumed. (It's a bitch but necessary).
14. On the systems themselves make rigorous use of filesystem permissions, registry manipulation, anything else in your bag of tricks.
15. Bios password the systems, prevent floppy booting, etc, change these passwords regularly.
16. Physically lock the systems, installing small magnetic relays that trip a buzzer when the system is opened in addition to locks doesn't hurt either.
17. Double up security with biometric d
I suppose that Gnome.org and GNU Savannah were running windows?
Software has holes, period. There was a time not so long ago that people would laugh if the words "Unix" and "Security" were used in the same sentence. At this point, there is little difference between Windows, Linux and Commercial Unix.
Conformity is the jailer of freedom and enemy of growth. -JFK
There is always a trade off between security and convenience. If you secure your data, it will probably get in your way somewhere along the line.
The most drastic solution is to take the computer off the internet. The fact is that if it is on the internet, it could potentially be cracked.
The next possible solution is to change away from windows. Since you don't want Linux you may want to consider a Mac with OSX or a second hand SGI with IRIX. But to be honest, if you don't know what you are doing then any operating system will probably be insecure for you.
That leaves the option of making Windows more secure. If you don't know how to do this yourself, you will have to hire someone to do it or put up with the consequences. You don't have to get a permanent employee, you just need someone to look over your computers and recommend the appropriate changes. A firewall shouldn't get in your way once it is properly configured, and it is essential to have one.
A latent existence
Like, for instance, BlackIce. THEN your Windows box will be secure fer SURE!
Uhmmm... Oops.
include $sig;
1;
Reasonable security is possible, assuming the attackers do not have physical
access to the system. (If you have to protect against your family or your
landlord, you're screwed.)
First, get rid of Outlook. No, I mean it, get rid of Outlook. (This includes
Outlook Express.) 100.0% of all known email-borne viruses and worms[1] have
exploited Outlook exclusively; get rid of Outlook, and you can stop worrying
about email-borne malware.
This leaves the issue of stuff that comes in over open ports, exploiting
various services that are running on your system. It's possible to close
all those off and shut them down individually, but it's much simpler to
put your Windows system behind a NAT gateway. You can use a dedicated
Linux box for this (IP Masquerade) or there are also hardware NAT gateway
solutions available.
That right there is pretty good. There's still the occasional vulnerability
in MSIE, but that only hits you if you visit a malicious website. Of course
you still have to engage in safe practices generally (e.g., don't download
and execute stuff you don't trust, don't share floppies with unprotected
systems, et cetera), but the steps I've just outlined will stop cold over
99% of all internet-based attacks on your Windows system, especially the
automated ones like worms and viruses.
Did I mention, I've only outlined two simple steps to take? Two *very*
important simple steps: get rid of Outlook, and put your Windows system
behind a NAT gateway. There are other things that you can do, but these
two steps are each vastly more important than all other things you can do
combined, so they're the first two things you should do, before even
considering anything else. Do them, do them soon.
What to replace Outlook with? If you don't care about portability (i.e.,
a Windows-only solution will do), Pegasus Mail is excellent, but of course
you have other options too, including some that are open-source if that
scores any points with you. You will not regret getting rid of Outlook.
Well, for a few minutes you may not be so sure, while you're importing all
your mail from Outlook, setting your prefs, and learning how to use the
new system, but the next time you read on slashdot about Yet Another New
Outlook Virus infecting half of the desktop computers on the internet once
again (hmmm... when will that be? I'm betting on sometime in May, but it
could be as soon as April or possibly as late as June if the virus writers
decide to do something else over spring break...) you'll be glad you don't
have to worry about that anymore.
The reasons why Outlook, even with all the latest patches, is a huge
security risk are technical in nature, but you don't need to understand
the technical reasons: just look at the track record; fully *half* of
all internet-borne viruses in the last five years have exploited Outlook,
and 100% of the ones that spread by email have exploited Outlook.
Windows itself isn't too bad, especially if you put it behind a NAT
gateway like I'm recommending.
[1] Trojans, of course, exploit the *user's* willingness to execute the
attachment, so they don't care what mailreader you use, but you can
protect yourself from trojans by not executing any attachments unless
you're sure you know what they are.
Cut that out, or I will ship you to Norilsk in a box.
or cut the Ethernet cable.
Google for it, I used it way back in the day (on Windows NT, 4 years ago almost) it's GREAT!
Basically, it's really simple, it starts up on login, and how it works, is it'll prompt you when a program attempts to access the internet, and you say [yes/no (and remember choice)] and it will block or allow that program, really simple, fast UI, I NEVER got a virus in almost 3 years of windows.
Windows Update maybe once a month never hurts
Error 407 - No creative sig found
Simple - Buy a second computer, unplug the first from the internet, and never reconnect it.
-Lock down the registry with permissions
-Change hard drive permissions to authenticated users instead of everyone
-Do NOT use administrator all the time
-Use the run as service to run as administrator when needed
-Use Steve Gibson's Socket Lock to prevent the Berkeley sockets from being abused
-Subscribe to Microsoft's Security Bulletins
-Turn off all unnecessary services
-Use Group Policy editor to clear swap file on shut down and do not enumerate SAM for anonymous users
-Enable full security auditing
-Disable NetBIOS over TCP/IP (DNS will handle names for you)
-Unbind file and printer sharing if it's enabled
-Disable IP forwarding (Let a physical router handle the routing)
-Use double NIC cards if the server is also on a LAN
-Use N-tiering if the server is on a LAN
-Change the name of the Administrator account
-Turn off the DCOM interface so it's not listening on TCP port 135
-If you plan on using Internet Explorer, set security settings to maximum if possible
-Use a restricted user account (NOT power user)
-Use a packet sniffer and monitor to check performance and traffic
-Disable ActiveX controls and plugins if possible
-Lock the server up and administer it remotely if possible
-Set password complexity requirements and force password changes and require a different password for at least the next two password changes
-Close any mail relays you might have open
-Avoid using programs that use mail relays
-Have a regular backup plan
-Have a disaster recovery plan
-If the server cannot be secured, put a camera in the room if possible
-Clear the last user name of the last logged in user (Group policy editor)
-Use fault tolerant equipment
-Make sure the guest account is disabled (disabled by default)
-Develop a patching schedule
-Enable the recovery console option for emergency recovery [cd rom drive letter]:\i386\winnt32 /cmdcons
-Make sure that unused ports on your router are closed
-Implement ACLs if applicable
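Several items in the checklist above are backed by local security policy and can be checked mechanically. This added example (not part of the original post) parses a constructed `secedit /export` dump and returns the checklist items that fail; the sample values and the `audit` and `reg_dword` helper names are assumptions made for illustration.

```python
import configparser

# Constructed sample of `secedit /export /cfg policy.inf` output (not from the page).
SAMPLE_EXPORT = r"""
[System Access]
PasswordComplexity = 0
PasswordHistorySize = 1
NewAdministratorName = "Administrator"
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
"""

def reg_dword(value):
    """Registry entries are exported as '<type>,<data>'; type 4 is REG_DWORD."""
    kind, _, data = value.partition(",")
    return int(data) if kind.strip() == "4" else None

# (section, key, checklist item, test applied to the exported value)
CHECKS = [
    ("System Access", "PasswordComplexity",
     "password complexity required", lambda v: v == "1"),
    ("System Access", "PasswordHistorySize",
     "last two passwords cannot be reused", lambda v: int(v) >= 2),
    ("System Access", "NewAdministratorName",
     "Administrator account renamed", lambda v: v.strip('"').lower() != "administrator"),
    ("System Access", "EnableGuestAccount",
     "guest account disabled", lambda v: v == "0"),
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM",
     "no anonymous SAM enumeration", lambda v: reg_dword(v) == 1),
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown",
     "swap file cleared at shutdown", lambda v: reg_dword(v) == 1),
    ("Registry Values", r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName",
     "last user name not displayed", lambda v: reg_dword(v) == 1),
]

def audit(export_text):
    """Return the checklist items the exported policy does not satisfy."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(export_text)
    def passes(section, key, ok):
        raw = cfg.get(section, key, fallback=None)  # a missing setting counts as a failure
        return raw is not None and ok(raw.strip())
    return [item for section, key, item, ok in CHECKS if not passes(section, key, ok)]

if __name__ == "__main__":
    print("\n".join("FAIL: " + item for item in audit(SAMPLE_EXPORT)))
```

On a real machine the export is written as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`.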
patch often,
install appropriate AV software if needed,
backup,
keep sensitive data on more secure machines/areas.
I've worked with windows for a few years, even did some work under a MSCE wannabe back in the day. I've seen windows boxes 'hardened' out the wazoo, with much pain, bloodshed, tears, and the like. Windows has major flaws that can be exploited long before patches are out.
If you have critical (read: confidential and/or mission critical) data, never, ever trust a single hard drive and windows. I learned this the HARD way.
Find some slow hardware (a PII will do the trick if you don't need a ton of crypto), slap a pair of ATA100 controllers in it, hook up some new HD's, make a raid array.
Use samba under some small, controllable distro (i use gentoo), use shorewall or similar firewall together with kernel filtering to block all requests but 22 (ssh), 10000 (webmin) and samba (the number(s) escape me ATM).
Under samba, setup two shares visible to windows. pick a login name and pass different than the one your doze box uses (duh).
The first share should be your everyday stuff (RW)
The second share is the critical info that you don't write to much (RO).
On the nix box, set up a directory (chmod 0 if you can, and allow the cron user access; don't know if this is 'secure' enough) and do not share it. Set up a cron job to mirror your open directories to another place on the HD. Even if your data somehow gets hosed via samba (however unlikely that may be), it's still there buried within the server.
Granted linux has only three possible options (User,Group,World) but in a situation like this you needn't be overly complex.
Use Webmin http://www/webmin.org to admin the box when needed, it has a nice java based file manager to allow file manipulation via GUI (if you don't want to learn BASH to move your data).
Keep the system updated (emerge -u world under gentoo) and you shouldn't have many problems.
Also get a firewall at home and the office that allows VPN, set one up between your home and office nets, allowing only the two nix boxes to exchange data (file updates via NFS/VPN, dumping everything straight to your samba share and therefore your doze box). This allows you to keep a backup of your server data at home and vice versa. The first time, use a removable HD, CD or DVD to transfer most of the data if it's large, then the linux machines can do the rest real easy, no muss, no fuss. IMO it's worth learning about linux to do this stuff.
You can even stick a CD/DVD burner in said server and setup a simple shell script to burn a backup of your data every day and automatically spit the disc out (tar with permission save -> iso -> cd or dvd).
It should be noted that once the box is setup (you only need the kernel, syslogger, cron, samba mdtools (raid), shorewall, cdrtools, and webmin) it will run with no problems. If someone or some thing gains control of your windows machine, pull the net plug on your windows box, your server will remain unaffected (bonus points if you disable ICMP echos on the box)
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
Blaster got through because you had no firewall in place and obviously did not download the required CRITICAL updates from Microsoft. Visiting Windows Update every day is the first lesson to take away from this.
Secondly, I use Zonealarm and manage 8 servers on the net remotely. ZoneAlarm doesn't block based on ports, it's a program policy based firewall that blocks access to processes that are not trusted (they are not trusted until you click "allow this program to access the internet").
Go to "Program Control" make sure the program control setting is on medium (programs must ask for access), then click on the Programs tab and make sure any progs you use to access your servers (i.e. Putty SSH client, WinSCP etc) are listed as being allowed access.
It's not hard and to be honest you owe it to your customers to learn how to use your security software properly.
I am NaN
If you wish to secure Windows box, never connect it to Internet at all. Connect it to trusted Linux networked computer instead. Do not use NAT in this case! Use samba etc. for data exchange between Windows and Linux. Download all you need manually with linux then copy to windows.
How about adding Intrusion Detection Systems too?
Data Sentinel is a great HIDS (Host-Based Intrusion Detection System) for Windows systems. It'll monitor files and registry keys for changes and alert you. Very easy to use, very simple to set up, very cheap (far easier and cheaper than Tripwire or the like).
Snort is a great NIDS (Network-Based Intrusion Detection System) that is available for Windows systems. It'll monitor network traffic for anything suspicious and alert you.
I don't know who told you that MS Windows could be online 24/7/365, but they told you a porky. According to uptime statistics on Netcraft, the *BSDs and Linux systems in general have MUCH longer uptimes than MS Windows systems. Having Unix systems with uptimes of over a year is not at all unusual, having MS Windows systems with uptimes approaching a month is unusual.
1) Format C:
2) Download OpenBSD, FreeBSD or some Linux distro of the month before performing step #1.
3) Install download from previous step.
4) Profit!!! you clod.
Surf some pr0n.
This guy's business is developing and selling hosting for WEB SITES! Ha!
For crying out loud. Sob!
Then he has to ask how to secure his Windows pc.
Ha, Sob!