Wednesday, February 23, 2005

WINDOWS :: How To Secure Your Windows Box By Thinking Like A Linux Nerd

Oh my God. The sky is falling. Again.
Word among the pasty-faced representatives of the seedy underbelly of the Internet has it that there's a wonderful new exploit ready to make the rounds, for those of us running Windows XP, ANY version.
This little monster hides itself on your system, and could do any number of things, depending on which mutation of the original you have the misfortune to pick up. What it does isn't half as bad as the fact that even if you notice something amiss on your system, you're unlikely to ever find it and whack it dead. This new exploit lets a bug using it hide as part of the "kernel", the very heart of Windows itself. Hiding this way, you will never see its process in Task Manager (Ctrl-Alt-Del), and the anti-virus and anti-spyware tools running on that same machine are looking at a picture the rootkit has already edited for them, because for all intents and purposes, once it's on your box, it's PART OF WINDOWS. The one thing it needs to get there is the right to load a driver into the kernel, and on XP only an Administrator has that right. Keep that detail in mind; it's the whole point of what follows.
Sounds scary, right? Sounds like more doomsaying by Microsoft-bashing weirdos, right? Well, it is, and it is. This time, they're right. Want to defend against it before it has its way with your hard drive? Start thinking like a Linux nerd. That's right, you heard me.
Now don't freak out just yet. I didn't say you had to start actually *running* Linux, just think like the users do. How to do that? Stop using your machine as an Administrator.
"But wait," the voice in the back proclaims proudly, "I'm not running as Administrator, I'm running as Stinky Wizzleteats."
Here's the thing: if you can do whatever you please in Windows without it ever once griping about permissions, you ARE using the system as an Administrator, and that's dangerous. One of the reasons a Linux box is so hard to hose is that, used properly, the average user is logged in as just that: a user. A regular Linux user doesn't have permission to install things at random or move files anywhere he or she pleases. It's an inconvenience, but consider this: if the user himself can't install arbitrary software or load a kernel driver, then a web page being viewed by that same user can't either, because the browser runs with the user's rights and no more. (Short of a separate privilege-escalation bug, which is a far rarer thing than the everyday drive-by download.) This concept is the crux of what will save the common Windows installation from getting hosed hard when the user least expects it.
Most Windows XP users are playing around on their machine using the login that was set up for them when they bought the machine from the store, or the account created during a fresh Windows install. Those accounts are Administrator accounts, giving the user, and any web page he views, full install/remove capabilities. Up until now, that's been an acceptable risk to most people.
Now, however, it's the difference between keeping your machine yours and surrendering it to something you can neither see nor remove.

The consequences of continuing to use our Windows XP machines the way we've grown accustomed to are horrendous, but the rewards for changing that a little bit are many. Here's what you need to change, and how to deal with it from here on out:

1) Using the machine as you usually do, open the Control Panel, then open User Accounts.

2) Create an account with a unique name that you will recognize as being an admin account. (You can't reuse Admin or Administrator: the built-in Administrator account already exists, and unless you installed Windows yourself you probably don't know its password.)

3) Give the new account Administrator privileges (in User Accounts that's the "Computer administrator" type; under the hood it's membership in the local Administrators group).

4) Create a password for the new account. Make it long rather than clever. A short string with shifted numbers in it, so that "2124" becomes "@!@$", looks strange, but password crackers try exactly that kind of substitution as a matter of course, and four characters of anything fall in seconds. Several unrelated words with a digit or symbol mixed in, well past ten characters, is what actually defeats a dictionary or brute-force run. Going to fifteen characters or more has a bonus: XP then no longer stores the weak old LAN Manager hash of your password alongside the real one.

5) Now, logout of your current account and login to the new Admin account.

6) Go back to User Accounts, and change your old account's type to Limited, which is to say a plain member of the Users group instead of Administrators.

7) Now logout of the Admin account and go back to the regular old account.
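The same seven steps can be done from a cmd.exe window with XP's built-in "net" commands, which is handy when you have several boxes to fix and want to be sure the order is right. The batch file below is an added example and not part of the original post; the account names "stinky" (the everyday account, the one that is an Administrator today) and "boxadmin" (the new admin account) are assumptions, so change them to taste. Run it from the everyday account while it is still an Administrator, because once step 6 has happened it no longer can.

```batch
@echo off
rem Added example, not code from the original post. Assumed names:
rem   OLDUSER  = the everyday account that is currently an Administrator
rem   NEWADMIN = the new account that will hold the admin rights from now on
rem Run from a cmd.exe window while OLDUSER is still an Administrator.
setlocal
set OLDUSER=stinky
set NEWADMIN=boxadmin

rem Steps 2 and 4: create the admin account. The asterisk makes "net user"
rem prompt for the password twice, so it never sits in the command history.
net user %NEWADMIN% * /add /comment:"Local admin, used for installs only"
if errorlevel 1 goto :fail

rem Step 3: "Administrator privileges" is just membership in the local
rem Administrators group.
net localgroup Administrators %NEWADMIN% /add
if errorlevel 1 goto :fail

rem Safety check before demoting anything: confirm the new account really is
rem in Administrators. If it is not, step 6 would leave the box with no usable
rem admin at all, which is worse than where we started.
net localgroup Administrators | find /i "%NEWADMIN%" >nul
if errorlevel 1 (
    echo %NEWADMIN% is not in Administrators, refusing to demote %OLDUSER%.
    goto :fail
)

rem Step 6: demote the everyday account. Take it out of Administrators and
rem make sure it is in Users (the "already a member" error is harmless).
net localgroup Administrators %OLDUSER% /delete
if errorlevel 1 goto :fail
net localgroup Users %OLDUSER% /add

rem Show the result: look at the "Local Group Memberships" line for each.
net user %OLDUSER%
net user %NEWADMIN%

rem Step 7: group changes only land in a fresh logon token, so the everyday
rem account keeps its old rights until it logs off and back on.
echo Done. Log off and log back on as %OLDUSER% for the change to take effect.
goto :eof

:fail
echo Something failed. Nothing has been demoted; check the messages above.
exit /b 1
```

After logging back on as the everyday account, a quick check that it worked is `echo probe > "%SystemRoot%\probe.txt"`, which should now answer "Access is denied." For a one-off install you don't have to switch sessions at all: `runas /user:%COMPUTERNAME%\boxadmin cmd.exe` opens a command window running as the admin account, and anything you start from it inherits those rights.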

This procedure will force you to click the icon for your account when you first start the machine, and if you set one, enter a password. Working this way will be a little frustrating at first, since you won't be able to install new programs without first jumping over to the Admin account, but thanks to Windows XP fast user switching, it's pretty painless to do. (For a single installer you can also right-click it, pick "Run as...", and give the admin account's name and password, though not every installer behaves when launched that way.) You will also run across instances where you are forbidden from moving files into critical areas, like the Windows and Program Files directories and the root of C:\. On most XP installs you will still have full access to secondary drives and partitions, since a freshly formatted NTFS volume lets everyone write to it.

"Why in God's name did I ever do this," you're asking now, "this is such a pain in the butt to use!"
Well, yes, admittedly, it takes a little more effort to do a few things that you used to do without a second thought. However, the shortcomings are extremely few, and the benefits this usage model offers far outweigh the minor inconveniences. Even if you're still madly in love with Internet Explorer and won't listen to anyone tell you how crappy it is, you will now be able to surf mostly worry-free.
Bear in mind, this method won't stop all the spyware and adware and viruses from getting onto your system; anything content to run as you still can. So be sure to keep protecting yourself with the programs you've always used to eliminate them. (You DO use those programs, right?)
But now, the truly nasty ones, the ones that bury themselves in the kernel or rewrite important Windows files, will be unable to do their thing. What runs as you can still trash what belongs to you, so keep a copy of My Documents somewhere else. You rule, you lucky sop you.

//Edit//: Okay, you know what, I tried this method out for a couple of weeks, and it just got to be too much of a pain in the ass. I won't blame you if you go back to the old method of using Windows. The problem appears to be that for about 3/4 of the important functions that you will likely be attempting to use every day, Windows forces you to switch users over to the Administrator account, instead of simply asking you to log in using the Admin password, like Linux/Unix normally does. Since Windows DOESN'T do this, trying to secure your system by using it like a Unix box introduces more frustration than you may be willing to deal with.


