NIST Issues Windows XP Security Guide
routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particularly Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."
Step one: Isolate from network.
...install VMWare, run XP from inside the sandbox :D
And unfortunately IE is integrated into Windows. Even if you use Mozilla, problems are still potentially exploitable, sadly.
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Does this get filed the same as "90% of all statistics are made up"?
Hmmm.
Easy broken down into 9 littler chapters for those MCSE's still out there.
And the answer is simple- hook it up to a Linux-based NAT router! If no server ports are exposed to the WAN, no worms can find the new box.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Only 147 pages of reading to secure your Windows XP?!? And they say Linux requires an in-depth knowledge of the OS...
There are some areas around the registry and memory dump settings that could be useful (how many actually send MS their abend dumps?), shutting remote access, and pointing out the usage and benefits of a firewall. When it comes to internet downloads/emails, though, the standard "Don't open unknown emails/attachments" still abounds. Rather lengthy - could do w/o the graphs and standard defs.
Hopefully SP2 will fix many of these problems.
Wow, changing all those settings really bumps up the Total Cost of Ownership (TCO) of Windows!
Windows XP *IS* Windows 3.11. We perceive the thought form at the root of each and merely hypostatize a different product because we believe in the illusion of time.
90% of all statistics are made up
Where did you hear that? I thought it was only 60%.
The shareholder is always right.
Yes, you and I have a clue and use something else for mail and web, but most home users are not savy enough to switch away from the vulnerable products, and worms and viruses will continue to spread through these channels for some time to come.
-paul
Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
Or any NAT router or a decent hardware based firewall etc. And I'd rather it be some proprietary OS like Cisco IOS so I don't have to worry about securing my OS to secure my OS.
The point is to download the Windoze updates *before* even running Outhouse or IE. And of course, following all the rest of the advice in the above document in setup, before doing ANYTHING on the web.
I'm also strongly of the opinion that home users that don't take precautions in this day and age deserve to have their boxen 0wn3d. And then have their ISP shut them down and isolate those boxen.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Step two: FDISK!
Audioscrobbler
You mean like Cisco's Linksys routers- which are linux based? Still, yes, certainly a hardware (Flash Rom) based solution helps quite a bit, and is less troublesome to set up.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Quick way to get the post-SP1 pre-SP2 updates:
AutoPatcher
This is a good thing if you need to reinstall Windows soon before SP2 comes out.
Even after SP2 comes out and it shrinks in size, the features it allows you to change are great.
Forget about NAT and start running proxies for anything you need. Worms will keep working as long as they can get out. Proxies can help with not allowign the stupid stuff in and running all sorts of malware scanning but it's very important to stop the spread as well. NAT is good for things you cany proxy like games.
No sir I dont like it.
This is not a troll.
It should be patently obvious that if Windows XP requires that much effort to use securely, it means that the software itself is insecure by nature, and you probably shouldn't be using it.
As a famous computer once said: "The only winning move is not to play."
Tired of FB/Google censorship? Visit UNCENSORED!
I've only kept my XP box around for games, movies, and entertainment. If I have to do something that needs to be secure I either use mac osx or linux. I try to avoid the IE browser except when reading webcomics or news and I do online banking far away from IE but I'm not worried about that cause I'm pretty sure my money is still federally insured under a plan that I forgot its name. I like XP for games and that is about it so far besides movies. I just hope SP2 doesn't ruin compatibility to some of my old favorites like Fallout 2
- "Microsoft ripped off/ruined XXXXXXX!"
- "Windows sUx0rZ! Use Linux instead."
- "Blah, blah, Bill Gates ate my balls, blah."
- "They must have used IE! LOL!"
- "Blahblah, William Henry Gates, blah, hexidecimal, blah 666, blah."
Amusing, all of them, but couldn't we just bundle all the posts that do nothing but bash MS with some over-used catchphrase into a scripted category? Automatically, every time a story regarding Microsoft or Bill Gates comes out, a script will automatically generate the above comments in a seperate thread, and if someone can think of an original bash to say, they can just add it to the list. With time and effort, the script will grow to a good....10 or 20 insults.-The Libra
"Please be patient--The future will begin momentarily."
I just briefly read thru that document. It is an excellent read. Lots of the things they mention are fairly well known, but to have it all grouped together in a comprehensive document is a real godsend. Reminds me A LOT of bastille linux .
There is a huge advantage to have predefined profiles you can apply. I imagine myself using these security profiles to harden family member's PCs. I usually have neither the time nor the inclination to lock down my mother's computer.... so having some defaults and a quick checklist will save me a TON of time in the long run.
It's also nice to be able to send someone a link and tell them "Do this stuff" rather than walk them thru all the things they need to do to be safe. As I am sure most Slashdot readers have experienced, the unending number of tech calls from friends and family gets old after a little while. I think this document will help restore the free time that Uncle Bill has taken from me.
Don't download zips from the internet and open them on your winxp machine.
Whatever man, I spelled it write!
You're in IT? Notify the upper-management about the best tools available then implement those tools. If you can't make a reasonable argument why Windows is a hazard than get another career and move over for someone that can. It is POSSIBLE.
IT departments are the problem and Windows will be the dominant OS for decades to come until more IT "men" grow some balls.
HA! Just ask the boss for money and he gives it to you? Thats rich. So, if windows allows an email client to arbitrarily execute code in an email, its the IT depts fault? If Windows IIS allows you to run code by simply sending a malformed URL, its the IT depts fault? So, the solution is buy yet more software, that will not know about these exploits until they are exposed anyway, so is useless for unknown (but will be discovered) vulnerabilities?
And MS is the good guy and the IT guys are the bad guys, because all they have to do is go spend a bunch of money to secure an operating system they already paid alot of money for? And if the company is dependent on software that will only run on Windows for a year or two, its the IT depts fault if the boss won't change to Linux?
I gotta admit, I did enjoy the "grow some balls", coming from an AC. You sound more like a pissed off 20 year old who just finished a program at Devry and can't believe someone won't hire him for $80k.
Tequila: It's not just for breakfast anymore!
"Fifty percent of those problems are IE problems."
And, in an earth shattering coincidence, it's also the main app that actually goes out to the net and pulls data down. Other browsers need be very wary of this issue as well. Just ask the Mac users out there that thought they were downloading Word 04.
but I'm not supposed to download unknown zip files on my Windows machine.
There are already a lot of people who can do this. Well, without the first blank, that is.
I love C++
Load Linux. :)
This is not the sig line you are looking for... -- Old Jedi Sig Line Trick
I had heard it as "A survey once showed that 50% of all statistics are wrong 90% of the time." :-D
Phibz
Great free tool to deploy security updates if you complement it with a few VBScripts to check the status of the GPO and to force deployement...
Too bad version 2 which will support Office, IIS and SQL patches keeps getting delayed..
effectively securing Windows XP systems
That's the great thing about Slashdot -- timely reviews of only the very best science-fiction literature.
-- I could tell right away that she was impressed with my HUGE Slashdot Karma.
And 75% of the people who are told that that believe it.
http://www.microsoft.com/security/protect/cd/order .asp
See? Wasn't that easy?
~hylas
Especially the one quoted in the article: "I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta."
Strike Three! You're OUT!
I thought that was 92.3% of all statistics are made up? :)
You hate your job? There's a support group for that. It's called "everybody" and they meet at the bar. -Drew Carey.
Blaming the comsumer for the actions of some poorly designed, incompetently manufactured product instead of blaming the product's creator isn't really all that smart in a capitalist system. However, within that same system, once a monopoly has been allowed to run unchecked and now swamps the planet to 90%+ penetration with the aformentioned engineering abomination, it gets very difficult to do anything about it.
Don't blame me, I don't use it, and neither does my Mom or my niece and nephew.
The heat from below can burn your eyes out
Glad to know that my taxpayer dollars not only go to subsidize their schooling and subsidize their certification programs but also to generate a nice neat HOWTO manual for them to do their jobs.
No wonder there's so many pencils stuck in the ceiling.
+++ATHZ 99:5:80
Speak truth to power.
"But somehow people put up with this, and somehow (at least according to MS) Windows has a lower TCO."
We put up with it so we don't have to go search Google for obscure things like the setting up of dual monitors.
"Derp de derp."
... before it's too old for the front page. Probably a good idea to read before heading straight to the zip file.
guidance_WinXP.html
Longhorn is going to be released before SP2 is release..which is supposed to clean up a lot of these loose ends.
Going along the lines of the earlier slashdot story0 6/12172 43&mode=thread&tid=146&tid=188&tid=192&tid=99)
(http://slashdot.org/article.pl?sid=04/07/
I wish my college prof threw out the books for class and asked us to use stuff like this, it has everything the books had in it, and it covers it so much better.
99% of Windows 3.11 machines have never been connected to the Internet, so I don't think we'd know if there were any security holes.
Maybe most or half, but certainly not 99%. We had a box setup as a router using a modem in the 28.8 days, for around 8 people, all running Windows 3.11, well before 95 came out. And we are not in the tech industry.
Then again, my first internet account was a shell account I accessed from a DOS dialup terminal. Lots of people had internet access with 3.1 and 3.11. I still have the same Usenet account I had pre 95, and still using Forte Agent, which came out for win16 (still support 1.9x in both 32 and 16 bit vers!), as did Mosaic, Netscape, PircH, plus lots of utilities, Trumpet Winsock, Archie, Veronica, Finger (those USED to work, you know), WS_FTP, mIRC, all for 16 bit windows. Plus all the unix utilities I could want from the shell account. Back then, we used our Mosaic browser to Gopher, and we liked it!
But Windows 3.11 has tons of internet capability, still, due to 3rd parties porting unix utils. Windows updates were via ftp then. In a huge directory that had the msg "dont do a ls here, there are too many files". ALL their patches and updates in a SINGLE ftp directory. They weren't too smart back then, internet wise.
You may be right in one way: There may not have been any internet specific holes, but Win 3.11 by itself did not support the Internet. It was all add on software, Free for the most part. No browser (later, IE was released for 3.11), no TCP/IP stack. Even FTP was a port of BSDs, and still has acknowledgements to Berkeley, to this day. If you can get the NIC drivers, you can still surf just fine with 3.11.
Tequila: It's not just for breakfast anymore!
...speaking of - short joke: A baby seal walks into a club.
Ba-dam tisch....curtain
Quidquid latine dictum sit, altum sonatur.
147. Search Google for "apache 2.0 win32?. Download. Install. Copy and paste custom stuff into httpd.conf. Restart Apache service.
148. GHOST MACHINE. Never have to reinstall again.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
I happen to work at NIST and I'm on the Gaithersburg, MD campus right now. Perhaps reading this article can be considering reading slashdot and working at the same time?
Cyde Weys Musings - Scrutinizing the inscrutable
Did anyone actually read the documented guide, even for a little bit? :\
I tell you, if a sysadmin should resort to that, he must REALLY suck, because all of what is explained in there is so f*cking obvious.
I mean, c'mon.
- Agilo
Dunno. I've done just fine with a years old Linksys router. No AV, no anti-spyware software, and pretty much no configuration on the boxes themselves. Oh, and using Outlook and IE.
How have I gone literally YEARS without a virus, worm, or peice of spyware? Quite simple.
1. I don't steal other peoples work. This has two implications. I don't install file sharing software which is most always loaded with spyware. The other is that I don't download software of dubious origin.
2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto run scripts in years now.
3. I limit the items that I do download to execute to those that are well known and from sites that I trust. I DO NOT go and download every screen saver I can find on the internet like a LOT of other idiots do. You'd be surprised at the amount of shit that creeps in through the installs of these whores.
4. When the little popup says that updates are availible I install them. That simple. For software that I use which is not included in the windows update I check the sites regularly (if they are software that is susceptable to this sort of thing).
No cost, save the router. All common sense and situational awareness when I surf. The people who have computers loaded with spyware lack this. And Linux/OSX/FreeBSD are NOT going to save them from themselves.
HA! Just ask the boss for money and he gives it to you?
Linux is free.
So, if windows allows an email client to arbitrarily execute code in an email, its the IT depts fault? If Windows IIS allows you to run code by simply sending a malformed URL, its the IT depts fault?
YES! You were stupid enough to accept running Windoze and other M$ trash. You should have demanded an M$-free workplace or walked out.
because all they have to do is go spend a bunch of money to secure an operating system they already paid alot of money for?
Again. Linux is free, has a much lower TCO, and requires fewer admins.
and I thought the gentoo handbook was a long read.
what about konqueror integration in KDE?
I'll have you know that I have lovely 'balls', so whenever you're done your MBA (the only thing I can attribute your cluelessness to), perhaps get a mitt and get in the game. You're obviously not seeing a broad enough spectrum of the business world.
You've at least got the CHOICE of whether or not to use KDE. I personally use GNOME, but that's only because I'm using Fedora, because I'm too lazy to install Debian at work...or rather I've got better things to do. Erm, where was I?
Oh right, also, KDE is open source, so you could potentially disable konqueror if you *really* wanted to, so it seems that your point is invalid...
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
Since NSA already has a guide for Securing WinXP...which part of the government is authoritative on recommendations?
u ID =scg10.3.1.1
Here is the link to the page for NSA's Windows XP security Guide (And others)
http://www.nsa.gov/snac/downloads_winxp.cfm?Men
Might want to delete mshtml.dll and possibly browseui.dll and shdocvw.dll and that should get rid of a majority of IE security holes. I won't vouch for how many applications you totally nuke by doing that though.
BTW I found the list by running the dependancy walker on iexplore.exe and checking html/browser specific looking things in the list.
"You can now flame me, I am full of love,"
I found my own little list of "potentially insecure" apps by opening my windows directory lol.
l s.shtml and http://www.sysinternals.com/ntw2k/freeware/handle. shtml and http://www.sysinternals.com/ntw2k/source/filemon.s html among other products.
Seriously, just go ahead and delete whatever you want. If something breaks, you needed it. Just go to a recovery console and get it back if you have to. If not, cool, your system is likely better without it.
This rule of thumb does not hold true for your firewall or antivirus software...
BTW, Sysinternals (http://www.sysinternals.com) has some really great free products that could really help in determining what files and dlls you actually need. Checkout http://www.sysinternals.com/ntw2k/freeware/listdl
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
It is ITs responsibility to be aware of security issues and make appropriate recommendations to those responsible for purchasing based on risk assessment to the company's infrastructure. Any less makes people wonder why you collect a paycheck.
This comment does not necessarily represent the views and opinions of the author.
but that is a far cry from "its IT's fault!", when you have budgets, TONS of bugs to patch (and test and test and test..), and a short staff. It would be much easier if MS had STARTED with the security settings in SP2 to begin with.
Tequila: It's not just for breakfast anymore!
Absolutely agreed that the Windoze monopoly is an overpriced and poorly designed product- but incompetently manufactured? Depends what you mean by manufactured- but in a capitalist system, anything you can slap a 95% markup on is a success regardless of whether it actually works as advertised or not.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
From that site:
The Microsoft Windows Security Update CD includes Microsoft critical updates released through October 2003 and information to help you protect your PC. In addition, you will also receive free antivirus and firewall trial software!
2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto run scripts in years now. (...) The other is that I don't download software of dubious origin.
Last I checked, IE ran executable code automagically due to a buffer overflow late last year, not sure if there are any such bugs this year.
Anyway, I realize what you're trying to say but it is still a poor situation. It's like saying "Yeah, I drive a crappy and hazardous car with poor brakes, but I'm a good driver and drive defensively so I don't get into any accidents anyway."
And regardless of how obvious it may seem to you, it is not common sense. It's your computer knowledge. Don't confuse common sense with logic. It is logical to you because you know how a computer works. It is not logical to a person that doesn't know what's ihside that beige box, and has no idea what an OS is or does. And that really have no idea what is nor should be happening when they open a file.
People have no clue what makes up a "dubious" origin. Hell, RealPlayer counts as dubious in my book (once a villain, always a villain), while an OSS project who has no corporate backing, not knowing any of the coders, is usually less dubious. How do you know which are reputable companies? Knowledge, which implies that it is not common sense.
Kjella
Live today, because you never know what tomorrow brings
No matter where you are on the totem pole, it has to start somewhere.
You must be new to the industry. While I share your sentiments completely, they're unfortunately fairly unrealistic.
Don't let your fingers get so sticky from the donuts that it gets hard to type,
Ah, the classic assumption that all IT folks are big sweaty nerds. Further verifying that you're new to the industry, or not a part of the industry at all. You don't seem to have been around long enough to a) be jaded or b) figure out how things REALLY work, and for that, I can't fault you. Your ideas on change are understandable, but the ease with which you think they can be carried out are off the mark.
Right:
.....uh, uh, but it fulfills the prophesy
Boss: Why should I spend $x million?
You: Several well-documented studies show that we are at risk for significantly more grins smugly
Boss: Does our application platform with multiple terabytes of data run on it.
You:
"And the answer is simple- hook it up to a Linux-based NAT router!"
Why not just do the web-browsing on the linux machine? It would be easier, nicer, and more secure than using it to protect what we can only call "the virus-bait"
in effectively securing Windows XP systems
Anyone else first read this as "ineffectively securing..." ?
192.168.1.10 :) Have fun with that!
Last I checked, IE ran executable code automagically due to a buffer overflow late last year, not sure if there are any such bugs this year.
I patch. Sooner or later I guess my luck could run out, but I expect Firefox (even though it, the most popular open source browser, cannot properly render the most popular open source advocacy site) to start stealing marketshare. When this happens MS will either get off its ass and fix/improve IE or I'll end up switching to Firefox for the added features. Firefox was not quite a "better mousetrap" the last time I checked (0.9.1), but it was getting damn close, and when that happens I switch.
People have no clue what makes up a "dubious" origin. Hell, RealPlayer counts as dubious in my book (once a villain, always a villain), while an OSS project who has no corporate backing, not knowing any of the coders, is usually less dubious. How do you know which are reputable companies? Knowledge, which implies that it is not common sense.
When I said "dubious" what I really meant to say was "l33t zer0 day juarez". Simply not screwing around with warez/mp3z/etcz limits your exposure to malware in a big way.
When it comes to downloading other things it still seems like common sense to me. When the website looks like jeffk authored and the software is claiming to help you grow your penis by 2 inches I usually take a pass. When the download is from a company website and there are some reviews to be found I feel fairly safe.
Oh hell, maybe I *am* just a smart guy with lots of technical knowledge. But then again, I use windows so THAT can't be possible.
Don't forget to read the EULA. In it you'll find out you aren't allowed to install an IMAP server, SMTP server, or apache server for non-local connections. It's right there on page 1.
Developers: We can use your help.
Given that Win 3.11 didn't support the internet out-of-the-box, 1% still sounds reasonable to me.
Sure IT is responsible for configuring secure systems and applying updates, but most people would agree that MS hasn't exactly made an IT workers life easy. I'm not saying that the job should be "easy" as in they sit around all day, but applying patches shouldn't consume a large chunk of your time nor should it require more IT employees to actually accomplish the repeated patching.
I'm not opposed to running a mixed environment (select the proper tool for the job) but MS tends to make a large target that is easy to hit.
A commercial and easily pirated product is not being "antagonistic" if it requires a product key. The fact that Windows does this is more of a commentary on the ethics of too many people than it is on the obtuseness of MS. If Torvalds had decided to sell Linux, odds are it would need a product key, too. One approach is no more or less correct than the other.
You wouldn't install a 4-year old Linux. You'd install a current distribution that incorporates all the security patches that have been issued in the last 4 years. And you would still need to install all the patches issued after that distribution hit the streets. It's a simple equation. All that whining about security updates when installing XP from an original CD was deliberate posturing.
Re: drivers -- Yes, a CD pressed today can contain new drivers than a CD pressed yesterday, or last year, or 4 years ago. Whining that an original XP CD doesn't have drivers for hardware manufactured after the CD was made is childish.
The piece was simply an exercise in willful FUD and dilettantism.
-- Slashdot: When Public Access TV Says "No"
Looks like those NIST folks forgot all about the DISA STIGs
After all that, I'd:
1. defrag the disk
2. download the pagefile defragger from Sysinternals, and
3. defrag the pagefile and system files.
Competition Good, Monopoly Bad.
Hey! I went to DeVry you insensetive clod!
:)
(And it's even a "University" now
For any part that says "disable unused services", don't forget to check out XP Service Config Guide by Black Viper.
[o]_O
Amen brother. And new patches should not re-break old ones. Or change random settings without telling you. (BTW: Last one isn't Microsoft exclusive, but I've had far more personal experience with exploding MS patches than any other OS.)
Who did what now?
Info here.
Got time? Spend some of it coding or testing
Geez, what planet are you on?
Check back after you actually been on someone's payroll for a day or two. (Although that may take some time if you follow your own advice and demand an MS-free workplace.)
Trust me on this: The corporate world doesn't care that Linux is "free".
-- Slashdot: When Public Access TV Says "No"
I'd advise knowing slightly more than that, I actually think a fair number of "IE" security holes are actually in the mshtml.dll. Unfortunately a great many others are in wierd random dlls like webdav and stuff.
"You can now flame me, I am full of love,"
Aren't government agencies usually the worst offenders as far as network security is concerned? Aren't they usually given D and F ratings by the Office of Management and Budget (OMB) year after year? Yet here is a government agency cranking out advice on securing Win XP. It makes more sense to get rid of the offending OS if it really is that bad rather than trying to fix the unfixable. I can't beleive all the time and money that is spent on firewalls, antivirus software and patching on what shouldn't be a major problem in the first place. I don't understand why Microsoft Software is so popular if it really is this crappy. Even if it came "free" with the computer (I can assure you it didn't), MS would still be charging too much for such a low quality POS by any other standard. By all rights, all MS OSes should have some sort of warning during installation that says that the OS was designed for easy installation of viruses, worms, trojans, and malware that you should retract your hard drive for safety.
Yeah, sure, I can talk smart; I don't use MS products so what do I know.
There are lies, damn lies, and then statistics.
Professional Politicians are not the solution, they ARE the problem.
My mom still uses a Calender Creator made in 1987 for DOS 3 or 5. I'm not sure which. She's managed to carry it all the way over to her Windows 2000 Professional machine. She uses Windows 2000 because that's what they use at her workplace.
The computer decisions of my aunt & uncle and my grandparents were heavily influenced based upon what my mom used... Windows.
Actually, it was more of a rolldown effect. My aunt saw what my mom could do with her IBM Compatible PC and bought one in the 90s. Last year, when my aunt bought her new Windows PC, Grandmother saw what my aunt could do with it and bought one similar to it.
Which also means that I had no influence whatsoever in what they bought... Oddly enough, they don't call me for tech support very often. I suppose that's because they still haven't caught the Internet bug... they're content with using an email only service.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
An amusing story was of a secretary who decided to clean her keyboard only to discover that her PC was behaving oddly. I had seen her cleaning the keyboard earlier and asked whether she had left the PC switched on. "It's not that" she said "I switched the computer off - like this" and switched the monitor off. I naturally explained to her in my most sarcastic, condescending tone that switching the monitor off does not disable the keyboard or switch off the PC.
Getting back to the point, firewalls, anti-virus, ad-aware and the like are all to prevent or undo malicious programming - the less experienced the user the more protection required.
A friend of mine is a serious user who thinks Windows is a poor creature indeed (with a grudging exception for Win 3.11). My argument is that it helped bring computer useage to the masses (I owe my whole career to MS Word upon which I built a business with some labour- (correct spelling in the UK!) saving macros in 1996).
If my friend had his way command prompts and UNIX would be the norm but he fails to see that this would not have caught on en masse and we would be trapped in the 70s or 80s. 'Wargames' would still be 'fresh'. Britney would not have been airbrushed and you could see that she looks like a bag of spanners... Flame me on these points if you wish but we will have to agree to differ.
For full protection stick an M&M in the ethernet port (peanut butter my preference although sadly unavailable here in the UK), remove the DVD/CD drives, diable USB and wi-fi and turn the floppy disk connector upside down (if you didn't do it when you built the PC) which also provides for a constantly lit LED which is pleasing.
Email me if think of any additions to the above list. Don't expect a reply mind you, I'm just digging out my abacus - sans ZoneAlarm...