Let's begin with a look at protecting your PC from direct attacks: That is, when an unauthorized cracker (which I define as a hacker who has succumbed to the Dark Side of the Force) sits down at your keyboard and tries to gain access to your system. Sure, it may be unlikely that a malicious user would gain physical access to the computer in your home or office, but it's not impossible.
Crackers specialize in breaking into systems ("cracking" system security, hence the name), and at any given time, hundreds, perhaps even thousands, of crackers roam cyberspace looking for potential targets. If you're online right now, the restless and far-seeing eyes of the crackers are bound to find you eventually.
Sounds unlikely, you say? You wish. Crackers are armed with programs that automatically search through millions of IP addresses (the addresses that uniquely identify any computer or device connected to the Internet). Crackers specifically look for computers that aren't secure, and if they find one, they'll pounce on it and crack their way into the system.
Again, if all this sounds unlikely or that it would take them forever to find you, think again. Tests have shown that new and completely unprotected systems routinely get cracked within 20 minutes of connecting to the Internet!
So how do your thwart the world's crackers? I often joke that it's easy if you follow a simple four-prong plan:
- Don't connect to the Internet. Ever.
- Don't install programs on your computer. No, not even that one.
- Don't let anyone else work with, touch, glance at, talk about, or come with 20 feet of your computer.
- Burglar-proof your home or office.
The point here is that if you use your computer (and live your life) in an even remotely normal way, you open up your machine to security risks. That's a bleak assessment, for sure, but fortunately it doesn't take a lot of effort on your part to turn your computer into a maximum security area. The security techniques in this chapter (and the next half dozen chapters) will get to that goal, but first make sure you've nailed down the basics:
- Leave User Account Control turned on. Yes, I know UAC is a hassle, but it's way better in Windows 7 because it doesn't get in your face nearly as often. UAC is the best thing that's happened to Windows security in a long time, and it's a fact of life that your computer is much more secure when UAC has got your back. See "Making Sure User Account Control is Turned On," later in this chapter.
- Be paranoid. The belief that everyone's out to get you may be a sign of trouble in the real world, but it's just common sense in the computer world. Assume someone will sit down at your desk when you're not around; assume someone will try to log on to your computer when you leave for the night; assume all uninvited email attachments are viruses; assume unknown websites are malicious; assume any offer that sounds too good to be true probably is.
- Keep to yourself. We all share lots of personal info online these days, but there's sharing and then there's asking-for-trouble sharing. Don't tell anybody any of your passwords. Don't put your email address online unless it's disguised in some way (for example, by writing it as username at yourdomain dot com). Don't give out sensitive personal data such as your social security number, bank account number, or even your address and phone number (unless making a purchase with a reputable vendor). Only give your credit card data to online vendors that you trust implicitly or, even better, get a secure PayPal account and use that instead.
- Test the firewall. A firewall's not much good if it leaves your computer vulnerable to attack, so you should test the firewall to make sure it's doing its job. I show you several ways to do this, later in this chapter (see Manage Microsoft Windows Firewall).
- Take advantage of your router's firewall, too. Why have one line of defense when in all probability you can have two! If your network has a router and that router connects to the Internet, then it, too, has an IP address that crackers can scan for vulnerabilities, particularly holes that expose your network. To prevent this, most routers come with built-in hardware firewalls that provide robust security. Access your router's setup pages, locate the firewall settings (see Figure 14.1 for an example), and then make sure the firewall is turned on.
|To access the router setup pages, open a web browser, type the router address, and then press Enter. See your device documentation for the correct URL, but for most routers the address is either http://192.168.1.1 or http://192.168.0.1. In most cases, you have to log in with a username and password, so, again, see your documentation.|
- Update, update, update. Many crackers take advantage of known Windows vulnerabilities to compromise a system. To avoid this, keep your PC updated with the latest patches, fixes, and service packs, many of which are designed to plug security leaks.
- Assume the worst. Back up your data regularly, keep your receipts, keep all email correspondence, and read the fine print.
In Chapter 17, "Securing the File System," you learn a few more security tweaks, including important measures such as advanced file permissions and encryption. These two features are great, but they each have one small flaw: They rely on the assumption that after you've entered a legitimate username and password to log on to your Windows user account, only you will use your computer. This means that after you log on, you become a "trusted" user and you have full access to your files, even if they're protected by permissions and encryption.
This is certainly reasonable on the surface. After all, you wouldn't want to have to enter your account credentials every time you want to open, edit, create, or delete a document. So while you're logged on and at your desk, you get full access to your stuff.
But what happens when you leave your desk? If you remain logged on to Windows, any other person who sits down at your computer can take advantage of your trusted-user status to view and work with secure files (including copying them to a USB flash drive inserted by the snoop). This is what I mean by permissions and encryption having a flaw, and it's a potentially significant security hole in large offices where it wouldn't be hard for someone to pull up your chair while you're stuck in yet another meeting.
One way to prevent this would be to turn off your computer every time you leave your desk. That way, any would-be snoop would have to get past your login to get to your files. This, obviously, is wildly impractical and inefficient.
|I'm assuming that because you have files worthy of being protected by permissions or encryption, you haven't set up Windows to automatically log on, as I described in Chapter 4, "Customizing Startup and Shutdown."|
Is there a better solution? You bet. You can lock your system before leaving your desk. Anyone who tries to use your computer must enter your password to access the Windows desktop.
Locking your computer manually
Windows 7 gives you three ways to lock your computer before heading off:
- Select Start, Shut Down, Lock.
- If you lock your PC regularly, consider changing the Shut Down button to a Lock button.
- Press Windows Logo+L.
- Press Ctrl+Alt+Delete
- Click Lock This Computer.
Whichever method you use, you end up at the Windows logon screen, shown in Figure 14.2. Note that it says Locked under the username.
Figure 14.2 You see a screen similar to this when you lock your Windows 7 computer. (Click on image for enlarged view.)
Locking your computer automatically
The locking techniques from the previous section are easy enough to do, but the hard part is remembering to do them. If you're late for a meeting or a rendezvous, locking up your machine is probably the last thing on your mind as you dash out the door. The usual course of events in these situations is that just as you arrive at your destination, you remember that you forgot to lock your PC, and you then spend the whole time fretting about your defenseless computer.
To avoid the fretting (not to mention the possible intrusion), you can configure your computer to lock automatically after a period of inactivity. Earlier versions of Windows required a screen saver to do this, but not Windows 7. Here's how it's done:
- Right-click the desktop and then click Personalize to open the Personalization windows.
- Click Screen Saver.
- If you want to have a screensaver kick in after your PC is inactive for a while, choose one from the Screen Saver list.
- Use the Wait spin box to set the interval (in minutes) of idle time that Windows 7 waits before locking your PC.
- Activate the On Resume, Display Logon Screen check box.
- Click OK.
Protecting your Windows 7 user account with a password, though an excellent idea, is not foolproof. Hackers are an endlessly resourceful bunch, and some of the smarter ones figured out a way to defeat the user account password system. The trick is that they install a virus or Trojan horse program -- usually via an infected email message or malicious website -- that loads itself when you start your computer. This program then displays a fake version of the Windows 7 Welcome Screen. When you type your user name and password into this dialog box, the program records it and your system security is compromised.
To thwart this clever ruse, Windows 7 enables you to configure your system so that you must press Ctrl+Alt+Delete before you can log on. This key combination ensures that the authentic Welcome screen appears.
To require that users must press Ctrl+Alt+Delete before they can log on, follow these steps:
- Press Windows Logo+R to display the Run dialog box.
- Type control userpasswords2.
- then click OK. The User Accounts dialog box appears.
- Display the Advanced tab.
- Activate the Require Users to Press Ctrl+Alt+Delete check box.
- Click OK.
How to secure Microsoft Windows 7
Part 1: Protect your computer from direct attacks in Windows 7
Part 2: Confirm crucial Windows 7 security settings are enabled
Part 3: Manage Microsoft Windows Firewall
|This chapter excerpt from Microsoft Windows 7 Unleashed, by Paul McFedries, is printed with permission from Sams Publishing, Copyright 2009.
Click here to purchase the book.