Data Security on Windows Machines?

mcskoufis asks: "I am running my own company from home, offering various Internet related services to customers. I have rented a server which runs Linux and there are no current security or performance problems. However, because I cannot afford to have a business site with several geeks investigating into network security, I have some sensitive data on my Windows box at home which need to be safe from malicious marketers/kiddies having fun/etc. More and more marketing companies are working on very dirty tricks to gather email addresses and also turn windows (mainly) machines into mass mailing servers without the owners knowledge. With the latest worm attacks and also the sophistication of them, I feel even more and more vulnerable each day. Bearing in mind the fact that it is impossible to switch to Linux at home for a number of reasons and also that because of the business I need to be online 24/7/365 what the Slashdot community suggest as the best way to have a secure environment for my data while using Windows? Anti-virus software has proven to be not enough and firewalls create problems while performing daily business tasks on the server from home."

A few ideas

[DetrimentalFiend]

Now I don't really know how much this would help, so please correct me if I'm wrong, but maybe it'd be helpful to work in a normal user account. Most people that I know in the windows world just log in as administrator for daily work, but that seems kind of like working as root in Linux. Now, I understand that user security isn't as strong in Windows, but I wonder if you could lock it down enough that programs wouldn't install without your knowledge.

Besides that, good virus software (we've got McAffe at work and are happy with it), using the firewall capabilities of XP (if you have it), and not using Outlook (if you can) would be good ideas. If you're really paranoid, and know how to configure it well, a Cisco pix box may add a little more security too.

About your issues with firewalls disrupting daily activities on your server, you should look into VPNs. PPTP is very simple to set up, but has problems with man in the middle attacks. IPSec can be a pain to get working with windows, but it is possible. SSL tunnels probably would be the best way to go, and they're not too hard to set up.

WindowsUpdate

[cloudless.net]

http://windowsupdate.microsoft.com It doesn't make your data 100% secure, but it is the bottom line action you must take. By the way, it is a good idea to disable any services that you don't need.

Re:WindowsUpdate

[pcmills]

Black Viper is a good resource for windows services configuration.

Get a "Work" workstation

[duffbeer703]

Buy a cheap computer that is strictly for business. Don't let your wife or kids on it and don't install games or surf for pron on it.

I'd also suggest buying a smart card reader and storing all of your private keys on the card.

Firewire

[Hungus]

Keep data on a removable drive of some type. Don't send documents via email. Your machine may need to be on and connected 24/7 (which I kind of doubt that you couln't segregate some things but you don't want to and that is fine) but that doesn't mean all your data needs to be avaiable online all teh time eitehr. firewire, usb and even hotswappable ata/sata/scsi drives are pretty darned cheap these days, so use one of them after all a hacker can;t get to your data or email if its not there right?

I've done this for years.

[HotNeedleOfInquiry]

Set up a Windows server. No users, just file service. Don't let anyone use it, don't install more than a bare Windows installation. Set its network protocol to Netbeu or IPX *only*. Very important *no* TCP/IP. Don't let anyone muck with it.

Set your user machines to both TCP/IP and Netbeu or IPX, depending on which the server is set for.

Set your firewall to only allow mail, http, https and whatever else might be essential.

No guarantees, but like I said, it's worked for me for years.

What I use..

[zcat_NZ]

Internet (ADSL) firewalled by a FreeBSD server. Linux could do the same job. I also have spamassassin+amavis+clamav scanning my mail, and I keep all my files on a samba share, which is backed up to another server via a cron job.

The only two windows machines on my network are actually my kids games machines (Windows, because there's very little good educational software for Linux yet!)

I've replaced Outlook and Internet Explorer with FireFox and ThunderBird. I've also got open-office installed. Original files, drivers, and games CD's are all on the Samba server. Anything they type up or scan in gets saved on the Samba server. If anything weird happens to the Windows boxes, I simply nuke-and-pave.

I haven't had any problems with Viruses or anything yet, but the kids don't tend to download stuff or share their email addresses too widely.

Not foolproof, but low-maintanence and works

[DaveJay]

Here's what I do to keep my wife's Windows laptop (with sensitive film production information on it) from being hijacked:

1. Up-to-date anti-virus and zonealarm firewall on the laptop;

2. Mozilla and Thunderbird for web browsing and email;

3. A Mitel SME (formerely e-smith) Linux box between the laptop and the internet -- the firewall is very unobtrusive, but effective -- and the distro itself is low-maintenance;

4. No wireless;

5. Important but not commonly updated information backed up on CD-R and removed from the machine (you can't get information off the machine if it isn't there).

Please Re-examine

[ratboy666]

"Bearing in mind the fact that it is impossible to switch to Linux at home for a number of reasons and also that because of the business I need to be online 24/7/365 what the Slashdot community suggest"

So you need Windows. Which is ok -- put Linux on another box, and secure it. I just bought a Compaq with 128MB of memory, 20GB or so hard drive, 400Mhz processor for 100$ CDN (80$ US or so). Used.

Something like that would make a good firewall for you.

Alternately, home routers also have reasonably firewalling. My SMC Barricade (gasp, yet, I know that a REAL geek wouldn't use one) offers the ability to drop in-bound traffic, and only allow certain ports through. This can provide you 80% of what you need (it does for me). Staying on top of patches can bring you the rest of the way. Just don't enable the "DMZ" feature!

As you mentioned, you have external hosting -- which means that you don't have to allow incoming HTTP, or SMTP. If you don't need to administer externally (and since you use Windows, you *probably* don't), you don't need port 22. So, close off ALL inbound connections. Just leaves you with FTP as an issue -- some router boxes will accomodate, or you can learn to love the PASV command (and, AFAIK, MS browser FTP does that automagically).

If you AREN'T using a small home router, GET ONE. They are even cheaper (I have seen brand new units selling here for $20 CDN, approx. $15 US).

Don't forget a good backup plan, just in case you get rooted (or other disaster strikes).

Still, buying a cheap box or two is reasonable. One for a "real" firewall, and another for SAMBA, and other internal services (DNS).

Ratboy

Freeware windows security 101

[cgenman]

"firewalls create problems while performing daily business tasks on the server from home"

Not a well-configured software one. It's not as safe as a hardware firewall, but it is a heck of a lot safer than running around with your pants down, not knowing when your machine is connecting and what it is sending. It makes it difficult to connect *to* the machine, but your home winbox shouldn't be a remote server anyway.

Grab ZoneAlarm NOW, and put up with a few extra dialog boxes until it is trained.

Furthermore, good Antivirus software will detect many trojans. Get AVG if you have alredy abandoned your AV of choice.

This must sound like free windows security 101 by now, but get AdAware and / or Spybot, and schedule a regular download / check for once every week.

For encrypting sensitive or old data, you can either use windows built-in encryption (which uses your user password, enable this now if your machine is fast enough) and / or pick up a (non-free) copy of Dekart Private Disk, AKA The Bat! Private Disk, a simple encrypted virtual disk creator. Anything you really don't want people to see should go here... Just remember to shut it down when you're done.

Furthermore, don't use I.E. and don't use Outlook. What many people refer to as "computer" viruses or "windows" exploits are really just I.E. exploits or Outlook viruses. Firebird, I mean, Thun... Firefox is a powerful little internet surfer, which while not as flexible as my beloved Opera (ducks), does render pages faster, is more beginner friendly, and is free. Thunderbird is a good mail replacement, though pegasus mail, Opera's built in e-mail client, and the non-free The Bat! are all good choices. If you want the most security possible, try Secure Bat. At 140 dollars per copy, it isn't cheap, but it does encrypt all of your personal files and utilizes hardware token authentication to ensure that you really are who you say you are.

Finally, don't forget to regularly back up your disks to something not normally connected to the computer. For simplicity's sake, I'd attach an external USB drive and run Polder Backup once a week, removing the drive when done. For a more automated approach, get a PC controllable X10 unit, and have it turn on and off the external USB drive, so that backups can be completely automatic.

Re:This is constantly misunderstood

[bloo9298]

The NT derivatives' mechanisms are more sophisticated. The current implementations of those mechanisms have obviously had bugs and are very often misconfigured (yeah, having a buggy portmapper exposed to the world really would be a good idea) or used badly (IIS not taking advantage of process-level protection for performance reasons). As you point out this has caused huge problems and badly damaged Windows' reputation (quite deservedly). However, it looks to me like Windows' security could be fixed more easily over a few generations than UNIX's could.

Sorry, no MCSE, but I have been a UNIX systems programmer for 16 years and have spent some time looking at the NT kernel and using the Win32 security and crypto APIs. If you want to form your own opinion, try reading Keith Brown's book "Programming Windows Security".