XP Home and Pro)
(Last updated November 25, 2006)
spam to spyware, the internet is
full of malicious content which is constantly trying to invade your
personal computer. This page is maintained by the Baldwin Street CRC
Tech Committee to inform members of good security practices.
note that being "safe" on the
internet is like being "safe" in a car - steps can be taken to reduce
risk, but there is an element of danger involved which cannot be
totally removed. Each of the following steps can be done independently
of the others, and each will reduce the risk of compromise. We naturally
recommend them all, but you can implement them on an a la carte basis
and gain some security with each section you employ.
1: Web Browsing
used for internet surfing affects the amount of malicious
spyware or adware a PC attracts. Some browsers are
inherently insecure, and allow websites to install software on a PC
without warning the user. Many malicious software programs
recognize this by checking for different browsers, and do not even try
to install if a secure browser is used.
2: Spyware Detection
good spyware blocker will both remove current spyware infestations and
inoculate a PC against new infections.
- A widely used, freely available
application is SpyBot
- After downloading, run the
install. Follow the prompts and don't change any settings.
- SpyBot will run after
installation. First, create a registry backup - this may take
a few minutes.
- Next, if you use a web browser
that SpyBot should use it download updates.
- Next, search Updates. If
found, click the button to download them.
- Next, click the button to Immunize
system. This will block thousands of known spyware apps from
- Finally, click the button to start
- On the left side of the
application, click on
the "Search and Destroy" button, then click the "Check for Problems"
- Your system will be
scanned, and a
list of problems displayed. Click the "Fix Problems" button to clear
spyware from your system.
anti-virus application monitors all current file activity to trap
viruses in open files and keep the PC hard drive free of infected files.
- The committee recommends AVG
maintains a link
to download the free version here.
- Run the AVG installer, and follow
taking all the default settings.
- AVG will start after install,
should be downloaded. There may be several updates to
download, and Windows may need to reboot between downloads, but it is
critical that all updates be downloaded.
- AVG will run when your PC starts
up, and warn
you in real time if any open file contains a virus.
local email client should be impervious to viruses embedded within
emails and should never email viruses to one's address book.
- Due to well-known security
compromises, the Tech Committee strenuously recommends
against using Outlook for email.
- All church computers use
Thunderbird, an email
client from the Mozilla Foundation.
- To use Thunderbird, download the
latest version and run the installer. Accept the
default install options.
- When Thunderbird is first started,
it will run
a wizard to configure an email box. NOTE: your
email must support POP or IMAP.
- Choose "Email Account" on the
page, and click Next.
- Enter your name as you want it
to appear in
the "From" field of emails you send. Then enter your email
address and click Next.
- Select IMAP or POP,
and enter the
name of your incoming AND outgoing email servers. Check with
your ISP if you don't know this server name. Click Next.
- Enter the username
given by your
ISP and click Next.
- Enter a name by which
account should be identified and click next.
- Verify that all
information is correct and click finish.
- To run the Thunderbird profile
on the start menu, click Run, enter "thunderbird.exe -profilemanager"
and click OK.
5: Internet Filtering
A good internet
filter will accurately block undesired internet content
and make circumvention impossible for non-administrator computer users.
- The K9 Web Protection
filter is recommended
- You may request one free licence
for K9 by
filling out the registration page, which will generate an email
containing a licence number.
the software, and after you have received your license email
- BE SURE to make note of the
password - it is needed to override the filter and deinstall it.
- K9 has different levels of
highest level is recommended.
- Web pages which are
blocked, but can be unblocked temporarily or permanently using the
- A log of all internet
activity is kept
by K9, and can only be viewed or cleared by one using the administrator
6: Disable Insecure Internet Applications
enabled applications, like Instant Messaging clients and
P2P file sharing clients, are security risks, or gateways for malicious
software. These applications should be disabled or
deinstalled if not explicitly required.
- The Windows Instant Messenger is
Windows XP by default, and fully activated. If you don't use
this IM client, click
here for instructions on deinstalling it.
- Never install applications like
are known to install or attract spyware. Furthermore, they
are often used for file sharing of a dubious ethical or legal nature.
7: User Access Security
Windows XP Home
have the ability to disable Simple File Sharing, so this
section is only for Windows XP Pro installations. On each
Windows XP Pro computer there should be one user designated as the
Administrator, with full privileges on the system. All other
users should be set as "Simple Users", with limited privileges on the
system. Simple Users cannot install or deinstall
applications, which prevents malicious software from being installed
when browsing the internet. Follow these steps to set users
to "Simple Users":
- Start the Windows Control Panel and
click on "User Accounts".
- Select an account and choose the
Account Type" option.
- Choose "Limited" and click the
- NOTE: all new software must be
installed by the
Administrator user; simple users no longer have this ability.
it will be necessary to grant a simple user access to certain areas of
the file system, as required by certain applications. For
this example, we'll use a hypothetical application named "AnyApp",
which installs into the c:\program files\anyapp directory.
Follow these steps to grant access to this directory to any simple
- Start Windows Explorer and navigate
- Right click on the
"anyapp" folder and
- Click on the "Security"
- Select the desired user, or the
for all simple users, in the "Group or User Names" box (top).
- In the "Permissions for Users" box
all boxes in the "Allow" column and click the "OK" button.
Section 8: Home Network Security
internet "broadband" access is via a cable modem or DSL
modem. While some cable/DSL modems have built in firewalling
capability, most do not, which means any computer connected to them is
"live" on the internet, and subject to hacker attacks. Here
is a network diagram of an unsafe, yet common hardware configuration:
Note that only one PC can be hooked
up to the internet via this configuration - another setback.
The proper way to secure a home network is to run a gateway router with
built in firewalling. This device is live on the internet,
but much better prepared to resist attacks than a Windows
PC. Furthermore, most gateway routers have multiple ethernet
ports, so the internet connection can be shared with more than one
PC. If wireless internet access is desired, a wireless
enabled gateway router will provide firewalling, multiple ethernet
ports and wireless access in one device. Here is a network
diagram of a safer home network configuration:
It is sometimes possible to purchase a DSL or
Cable Modem that has a firewalling router built in, thus eliminating
the need for two devices. However, such a device must be
specified when broadband is ordered, or must be purchased separately
from one's Internet Service Provider (ISP). Here are some
devices which will lead to a secure network:
Section 9: Secure a Wireless Access Point (WAP)
(cable or DSL) users have WAPs to provide wireless internet access in
the home. The advantage is easy, "anywhere" access to the
internet in one's home. The disadvantage is that most WAPs
are highly insecure by default. Follow these steps to secure
your WAP, referencing the owner's manual to implement each step for
your particular WAP model:
- Turn SSID Broadcast Off:
by turning off the SSID the WAP broadcasts you render it invisible to
the casual wireless hacker. The downside to this step can be
interoperability problems between different brands of WAPs and wireless
NICs. Furthermore, you must specify the SSID when setting up
the wireless connection in Windows, as opposed to having the NIC find
and suggest it.
- Enable WEP encryption:
a WEP encryption key is a string of characters used to encrypt all data
between the WAP and the wireless NIC. It prevents other
clients from capturing and reading that data. WEP encryption
also serves as a password of sorts for clients trying to use the
WAP. Without the key, they cannot connect.
- Implement MAC Address
Filtering: each wireless NIC has a unique Machine Address
Code (MAC) address. Setting the WAP to allow a
specified list of MAC addresses prevents unauthorized NICs from using
These security measures can be adopted
in an a la carte fashion: any combination of them will make your WAP
more secure. Sometimes locking down a WAP can cause
interoperability problems between WAPs and NICs of a different brand,
so you may have to experiment with different settings.
Furthermore, making your WAP highly secure makes it more difficult to
use, so friends and family visiting your home have a harder time
connecting to the internet.