Windows 7 : Protecting Your Network from Hackers and Snoops - Active Defense

11/22/2012 3:03:38 AM
Active defense means actively resisting known methods of attack. Active defenses include these:
  • Firewalls and gateways to block dangerous or inappropriate Internet traffic as it passes between your network and the Internet at large

  • Encryption and authentication to limit access based on some sort of credentials (such as a password)

  • Efforts to keep up-to-date on security and risks, especially with respect to Windows 7

When your network is in place, your next job is to configure it to restrict access as much as possible. This task involves blocking network traffic that is known to be dangerous and configuring the network services you do expose to use the most secure protocols and authentication methods available.

Firewalls and NAT (Connection-Sharing) Devices

Using a firewall is an effective way to secure your network. From the viewpoint of design and maintenance, it is also the most efficient tool because you can focus your efforts on one critical place, the interface between your internal network and the Internet.

A firewall is a program or piece of hardware that intercepts all data that passes between two networks—for example, between your computer or LAN and the Internet. The firewall inspects each incoming and outgoing data packet and permits only certain packets to pass. Generally, a firewall is set up to permit traffic for safe protocols such as those used for email and web browsing. It blocks packets that carry file-sharing or computer administration commands.

Network Address Translation (NAT), the technology behind Internet Connection Sharing and connection-sharing routers, insulates your network from the Internet by funneling all of your LAN’s network traffic through one IP address—the Internet analog of a telephone number. Like an office’s switchboard operator, NAT lets all your computers place outgoing connections at will, but it intercepts all incoming connection attempts. If an incoming data request was anticipated, it’s forwarded to one of your computers, but all other incoming network requests are rejected or ignored. Microsoft’s Internet Connection Sharing and hardware Internet Connection Sharing routers all use a NAT scheme.

The use of either NAT or a firewall, or both, can protect your network by letting you specify exactly how much of your network’s resources you expose to the Internet.

Windows Firewall

One of Windows 7’s features is the built-in Windows Firewall software.

Windows Firewall is enabled by default on every network adapter and dial-up connection, including any that connects directly to the Internet. Its purpose is to block unsolicited incoming connections, so it prevents computers on the Internet from reaching your shared files, Remote Desktop, Remote Administration, and other “sensitive” services.

Windows Firewall by default blocks all attempts by other computers to reach your computer, except in response to communications that you initiate yourself. For example, if you try to view a web page, your computer starts the process by connecting to a web server out on the Internet. Windows Firewall keeps track of the connections you open, so it knows that the returning data is in response to your request and allows the reply to return to your computer. However, someone “out there” who tries to view your shared files will be rebuffed. Any unsolicited, incoming connection will simply be ignored.

This type of network haughtiness is generally a good thing, except that it would also prevent you from sharing your computer with people that you do want to share with. For example, it would block file and printer sharing, Remote Assistance, and other desirable services. So, Windows Firewall can make exceptions that permit incoming connections from other computers on a case-by-case basis. By that, I mean that it can differentiate connections based on the software involved (discerned by the connection’s port number or by the program that is listening), and by the remote computer’s network address, which lets Windows know whether the request comes from a computer on your own network or from a computer “out there” on the Internet. A third criterion is the “public” or “private” label attached to the network adapter through which the request comes. Windows Vista introduced these network-location labels, but it applied a single firewall profile to every connection at once; starting with Windows 7, the profile is applied per adapter, so a computer attached to a trusted LAN and to a public wireless network at the same time uses the right rules on each. This is a huge improvement over Windows XP and Vista.

Here’s why: When you’re at home, the other computers on your network share a common network address scheme (just as most telephone numbers in a neighborhood start with the same area code and prefix digits). Those computers can be trusted to share your files and printers. However, if you take your computer to a hotel or coffee shop, the computers on your local network should not be trusted, even though they will share the same network addressing scheme. With Windows XP, you had to reconfigure Windows Firewall every time you moved your computer from one network to another, so that you didn’t inadvertently expose your shared files to unknown people.


Windows Firewall has the advantage that it can permit incoming connections for programs such as Remote Assistance. On the other hand, it’s part of the very operating system it’s trying to protect, and if either Windows 7 or Windows Firewall gets compromised, your computer’s a goner. In particular, malware that already runs with administrative rights on the machine can simply switch the firewall off or add its own exceptions, which is something no attacker can do to a separate box.

If I had the choice between using Windows Firewall, or an external firewall device—such as a commercial firewall server or a connection-sharing router with filter rules—I’d use the external firewall. But Windows Firewall is definitely better than no firewall at all.

As you may know, when you connect your computer to a network for the first time, Windows 7 asks you whether the network is private or public. As you might guess, a public network is one where you don’t trust the other connected computers. This would be an appropriate choice in a coffee shop or hotel, or for a connection from your computer directly to a DSL or cable modem. A private network is one where you trust the other computers that are directly attached. This network might connect to the Internet through a router, but you can still consider it private, because your local trusted computers can be distinguished by sharing a common network address.

Windows Firewall is enabled by default when you install Windows 7. You can turn it on or off for each network location by clicking Turn Windows Firewall On or Off in the Windows Firewall window, and you can tell it which incoming requests to permit through Allow a Program or Feature Through Windows Firewall. If you have a web server installed on your computer, for example, you need to tell Windows Firewall to permit incoming HTTP connections. For rules that depend on a port number or on the remote computer’s address rather than on a program, use the Advanced Settings task, which opens Windows Firewall with Advanced Security.

Packet Filtering

If you use a hardware Internet Connection Sharing router (also called a residential gateway) or a full-fledged network router for your Internet service, you can instruct it to block data that carries services you don’t want exposed to the Internet. This is called packet filtering. You can set this up in addition to NAT, to provide extra protection.

Filtering works like this: Each Internet data packet contains identifying numbers that indicate the protocol type (such as TCP or UDP) and the IP address for the source and destination computers. Some protocols also have an additional number called a port, which identifies the program that is to receive the packet. The WWW service, for example, expects TCP protocol packets addressed to port 80. A domain name server listens for UDP packets on port 53 (and for TCP packets on port 53, which are used for zone transfers and oversized replies).

A packet that arrives at the firewall from either side is examined; then it is either passed on or discarded, according to a set of rules that lists the protocols and ports permitted or prohibited for each direction. A prohibited packet can be dropped silently, or the router can reject the packet with an error message returned to the sender indicating that the requested network service is unavailable. If possible, specify the silent treatment. (Why tell hackers that a desired service is present, even if it’s unavailable to them?) Some routers can also make a log entry or send an alert indicating that an unwanted connection was attempted.

Table 1 lists some relevant protocols and ports. If your router lets you block incoming requests separately from outgoing requests, you should block incoming requests for all the services listed, unless you are sure you want to enable access to them. If you have a basic gateway router that doesn’t provide separate incoming and outgoing filters, you probably want to filter only those services that I’ve marked with an asterisk (*).

Table 1. Services That You Might Want to Block

Protocol     Port         Associated Service
TCP          20–21        FTP—File Transfer Protocol.
TCP          22           SSH—Secure Shell protocol, an encrypted replacement for Telnet.
TCP *        23           Telnet—Clear-text passwords are sent by this remote terminal service, which also is used to configure routers.
TCP          53           DNS—Domain name service. Block TCP-mode “zone” transfers, which reveal machine names.
TCP+UDP      67           BOOTP—Bootstrap protocol (similar to DHCP). Unnecessary.
TCP+UDP      69           TFTP—Trivial File Transfer Protocol. No security.
TCP          110          POP3—Post Office Protocol.
TCP+UDP *    137–139      NetBIOS—Microsoft file sharing uses these ports (137 and 138 are UDP, 139 is TCP).
UDP *        161–162      SNMP—Simple Network Management Protocol. Reveals too much information and can be used to reconfigure the router.
TCP *        445          SMB—Windows file sharing can use port 445 as well as ports 137–139.
TCP          515          LPD—UNIX printer-sharing protocol supported by Windows.
UDP, TCP     1900, 5000   Universal Plug and Play—Can be used to reconfigure routers.

If you use a hardware router to connect to the Internet, I can’t show you the specifics for your device, but I can give you a couple of examples. My Linksys cable/DSL–sharing router is configured through a web browser, and there’s a page for setting up filters, as shown in Figure 1. In this figure, I’ve blocked the ports for Microsoft file-sharing services.

Figure 1. Configuring packet filters in a typical Internet Connection Sharing router.

If you use routed DSL Internet service, your ISP might have provided a router manufactured by Flowpoint, Netopia, or another manufacturer.

These are complex devices, and your ISP will help you set up yours. Insist that your ISP install filters for ports 137, 138, 139, and 445, at the very least.
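If your router can’t filter, or you want the same protection on the computer itself, the Windows Firewall settings described earlier and the Table 1 port list can be applied from the command line. The following is an added example, not code from the original article: it uses netsh advfirewall, which is the command-line interface to Windows Firewall with Advanced Security on Windows 7 (the NetSecurity PowerShell cmdlets did not exist until Windows 8). The rule names and the choice of TCP 80 as the one permitted service are assumptions for illustration. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Hardens Windows Firewall on
# Windows 7 with netsh advfirewall and applies the Table 1 services as explicit
# inbound block rules on the Public profile. Rule names are illustrative.

# 1. Firewall on for every profile, with the default policy the text describes:
#    block unsolicited inbound traffic, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Log dropped packets so probes from "out there" leave a record. The log is
#    written to %systemroot%\system32\LogFiles\Firewall\pfirewall.log (4 MB cap).
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 4096

# 3. One permitted service (assumption: a local web server on TCP 80), allowed
#    only on the Private profile and only from the local subnet. When the same
#    adapter is labeled Public, port 80 stays closed.
netsh advfirewall firewall add rule name="Allow HTTP from LAN (private only)" `
    dir=in action=allow protocol=TCP localport=80 `
    profile=private remoteip=localsubnet

# 4. Table 1 as explicit block rules on the Public profile. In Windows Firewall a
#    block rule wins over any allow rule, so these hold even if someone later
#    switches on the "File and Printer Sharing" exception for all profiles.
$blockList = @(
    @{ Name = 'Telnet';    Proto = 'TCP'; Ports = '23' },
    @{ Name = 'NetBIOS';   Proto = 'UDP'; Ports = '137-138' },
    @{ Name = 'NetBIOS';   Proto = 'TCP'; Ports = '139' },
    @{ Name = 'SNMP';      Proto = 'UDP'; Ports = '161-162' },
    @{ Name = 'SMB';       Proto = 'TCP'; Ports = '445' },
    @{ Name = 'UPnP SSDP'; Proto = 'UDP'; Ports = '1900' }
)
foreach ($svc in $blockList) {
    $ruleName = "Block inbound $($svc.Name) $($svc.Proto)/$($svc.Ports) (public)"
    netsh advfirewall firewall add rule name="$ruleName" `
        dir=in action=block "protocol=$($svc.Proto)" "localport=$($svc.Ports)" profile=public
}

# 5. Verify: the rules this script created, and the per-profile state and policy.
netsh advfirewall firewall show rule name=all |
    Select-String '^Rule Name:' |
    Where-Object { $_ -match 'Block inbound|Allow HTTP' }
netsh advfirewall show allprofiles
```

Two points worth knowing about this layout. First, the Public profile already leaves the file-sharing exceptions off by default; the explicit block rules exist so that a later change to those exceptions cannot quietly expose SMB on a hotel network. Second, scoping the HTTP rule with remoteip=localsubnet means a port forward on the router still does not reach the web server from the Internet; remove that scope only if you really intend to serve the public.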

Using NAT or Internet Connection Sharing

By either name, Network Address Translation (NAT) has two big security benefits. First, it can be used to hide an entire network behind one IP address. Then, while it transparently passes connections from you out to the Internet, it rejects all incoming connection attempts except those that you explicitly direct to waiting servers inside your LAN. Packet filtering isn’t absolutely necessary with NAT, although it can’t hurt to add it. One caveat: NAT protects you only as long as nothing opens a hole through it. A router with Universal Plug and Play enabled will forward an inbound port on request from any program on your LAN, malware included, so disable UPnP on the router unless you need it, and look at the router’s port-forwarding table now and then to confirm that only the forwards you set up are present.


Microsoft’s Internet Connection Sharing (ICS) blocks incoming access to other computers on the LAN, but unless Windows Firewall is also enabled, it does not protect the computer that is sharing the Internet connection. If you use ICS, you must enable Windows Firewall on the same connection, or you must use a third-party software firewall application.

If you have built a network with another type of router or connection-sharing device, you must follow the manufacturer’s instructions or get help from your ISP to set it up.

Add-On Firewall Products for Windows

Commercial products called personal firewalls are designed for use on PCs. These products (Norton Internet Security 2009, for instance) range in price from free to about $60. Now that Windows includes an integral firewall, add-on products might no longer be necessary, and I don’t think that it’s worth paying for a software firewall program for Windows. Windows Firewall is good enough, it’s free, and it’s built in. It’s far more important that you keep Windows and all of your add-on applications up-to-date, and run antivirus and antispyware software. Note that on Windows 7, Windows Defender handles spyware only; for antivirus protection you need Microsoft Security Essentials or a third-party product.

Secure Your Router

If you use a router for your Internet connection and rely on it to provide network protection, you must make it require a secure password. If your router doesn’t require a password, anyone can connect to it across the Internet and delete the filters you’ve set up. (As configured by the manufacturers and ISPs, most connection-sharing routers do not require a password, although they typically won’t accept configuration commands from the Internet, but only from your own network. Check that for yourself: the option is usually called remote management or remote administration, and it should be off.)

To lock down your router, you have to follow procedures for your specific router. You’ll want to do the following:

  • Change the router’s administrative password to a combination of letters, numbers, and punctuation. Be sure to write it down somewhere, and keep it in a secure place. (I usually write the password on a sticky label and attach it to the bottom of the router.) That is acceptable only because anyone who can touch the router can already reset it to factory defaults; don’t keep a copy anywhere that leaves the building.

  • Change the SNMP read-only and read-write community names (which are, in effect, passwords) to a long random string of characters; or better yet, follow the next recommendation.

  • Prohibit write access via SNMP or disable SNMP entirely.

  • Change all Telnet login passwords, whether administrative or informational, and if the router offers SSH or HTTPS management, use that and disable Telnet, which sends those passwords in clear text.

If you don’t want to attempt to lock down your router, your ISP should do it for you. If your ISP supplied your router and you change the password yourself, be sure to give the new password to your ISP.

Configure Passwords and File Sharing

Windows 7 supports password-protected and passwordless file sharing. Before I explain this, I need to give you some background. In the original Windows NT workgroup network security model, when you attempted to use a network resource shared by another computer, Windows would see if your username and password matched an account on that remote computer. One of four things would happen:

  • If the username and password exactly matched an account defined on the remote computer, you got that user’s privileges on the remote machine for reading and writing files.

  • If the username matched but the password didn’t, you were prompted to enter the correct password.

  • If the username didn’t match any account defined on the remote computer, you got the privileges accorded to the Guest account, if the Guest account was enabled.

  • If the Guest account was disabled—and it usually was—you were denied access.

The problem with this system is that it required you to create user accounts on each computer you wanted to reach over the network. Multiply, say, 5 users times 5 computers, and you had 25 user accounts to configure. What a pain! (People pay big bucks for a Windows Server–based domain network to eliminate this very hassle.) Because it was so much trouble, people usually enabled the Guest account.

Windows 7 has a new feature called the HomeGroup that provides a way around the headaches of managing lots of user accounts and passwords. When you make a Windows 7 computer a member of a homegroup, it uses a built-in user account named HomeGroupUser$ when it accesses shared resources on other computers in the group. The member computers all have this same account name set up, with the same password (which is derived from the homegroup’s password in some way), so that all member computers can use any shared resource. When you share a library, folder, or printer with the homegroup, Windows gives the user account HomeGroupUser$ permission to read, or to read and write the files in that folder. It’s a simple, convenient scheme, but only Windows 7 computers can take advantage of it.


On Windows 7, another way to avoid password headaches is to entirely disable the use of passwords for network resources. If you disable Password Protected Sharing, the contents of the Public folder and all other shared folders are accessible to everyone on the network, even if they don’t have a user account and password on your computer, and regardless of the operating system they’re using. This is ideal if you want to share everything in your Public folder and do not need to set sharing permissions for individuals.

When you disable Password Protected Sharing, you get what was called Simple File Sharing on Windows XP, but with a twist: On XP, when Simple File Sharing was in effect, every network user accessed shared resources using the Guest account, no matter what username and password they supplied. On Windows 7, if the remote user’s username matches an account on the Windows 7 computer and the account has a password set, they’ll be able to access the shared resources using that account’s privileges. The Guest account is used only when the remote user’s account doesn’t match one on the Windows 7 computer, or if the matching account has no password.

If your computer is a member of a Windows domain network, you cannot disable Password Protected Sharing.

From a security perspective, only the folders you have explicitly shared are accessible when Password Protected Sharing is disabled, and although anybody with access to the network can reach them, the damage an intruder can do is limited to stealing or modifying the files in those folders, which you know to be public.

If you do disable Password Protected Sharing, it’s crucial that you have a firewall in place. Otherwise, anyone on the Internet who can reach your computer will have the same rights in your shared folders as an anonymous user on your own network. (That’s one of the reasons for Windows Firewall, and why Windows is so adamant about either installing Windows Firewall or disabling file sharing.)

By default, Windows 7 has Password Protected Sharing enabled, which limits access to the Public folder and all other shared folders to users with a user account and password on your computer.

If you want to make the Public folder accessible to everyone on your network without having to create for each person an account on every computer, you have four choices:

  • If you are on a home or small office network and you have only (or mostly) Windows 7 computers, you can enable the HomeGroup networking feature.

  • You can set up accounts for every user on your computer, so that everyone will access the shared folder using their own account. You’ll need to be sure that everyone uses the same username and password on every computer.

  • You can create a special user account, for example, named “share,” and give people you trust the password to this account. Everyone can use this same username and password to access the shared folder on your computer.

  • You can disable Password Protected Sharing. To do this, click Start, Control Panel, Network and Internet, Network and Sharing Center, Homegroup and Sharing Options, Advanced Sharing Options. Under Password Protected Sharing, click Turn Off Password Protected Sharing, and click Apply.

Set Up Restrictive Access Controls

Possibly the most important and difficult step you can take is to limit access to shared files, folders, and printers. You can use the guidelines shown in Table 2 to help organize a security review of every machine on your network.

Table 2. Restricting Access Controls

Access Point     Controls
File Sharing     Don’t share your computers’ entire hard drives. Share only folders that need to be shared, and, if possible, choose only folders within your Documents folder (for simplicity). Use Password Protected Sharing.
Passwords        Set up all accounts to require passwords. You can configure your computers to require long passwords if you want to enforce good internal security.
Partitions       If you install IIS and want to make a website or FTP site available to the Internet, set up a separate NTFS partition on your hard drive just for website files.
Access Control   Don’t disable User Account Control. In fact, even with UAC in place, it’s best not to use Administrator or any other Computer Administrator account for your day-to-day work. Instead, create a Standard user account for yourself, and type in an Administrator password when you’re prompted to.
FTP              If you install a public FTP server, do not let FTP share a FAT-formatted drive or partition. In addition, you must prevent anonymous FTP users from writing to your hard drive.
SMTP             If you operate an email server, consider storing incoming mail in a separate partition, to avoid getting overrun with too much mail. Also, you must prohibit “relaying” from outside SMTP servers to outside domains, lest your server be used as a spam relay site.
HTTP (Web)       Don’t enable both Script/Execute permission and Write permission on the same folder. Enabling both permissions would permit outside users to install and run arbitrary programs on your computer. You should manually install any needed scripts or CGI programs. (The FrontPage extensions can publish scripts to protected directories, but they perform strong user authentication before doing so.)
SNMP             This network-monitoring option is a useful tool for large networks, but it also poses a security risk. If installed, it could be used to modify your computer’s network settings and, at the very least, will happily reveal the names of all the user accounts on your computer. Don’t install SNMP unless you need it, and if you do, change the “community name” from public to something confidential and difficult to guess. Block SNMP traffic through your Internet connection with filtering.
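The sharing choices listed earlier and the File Sharing and Passwords rows of Table 2 can be checked on each machine in a few lines. The following is an added example, not part of the original article: it reads share definitions, share permissions and local accounts through WMI classes that ship with Windows 7, so it works in the PowerShell 2.0 that Windows 7 includes, and prints a finding for each deviation from the guidelines. It changes nothing. The wording of the findings is mine, and treating an enabled Guest account as the sign that Password Protected Sharing has been turned off is my assumption about how that switch is implemented.

```powershell
# Added example (not from the original article): a read-only audit of a
# Windows 7 computer against the sharing guidelines in the text. Uses only WMI
# classes that ship with Windows 7, so it runs under PowerShell 2.0.
# Assumption: an enabled Guest account is taken as the sign that Password
# Protected Sharing is off.

# Standard share-permission access masks (Win32 values).
$FullControl = 2032127   # 0x1F01FF, "Full Control" in the sharing UI
$Change      = 1245631   # 0x1301BF, "Change" in the sharing UI

$findings = @()

# 1. Guest account. When Password Protected Sharing is off, Windows maps
#    network users who have no matching local account to Guest.
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=TRUE AND Name='Guest'"
if ($guest -and -not $guest.Disabled) {
    $findings += "Guest account is enabled; unknown network users get Guest access."
}

# 2. Enabled local accounts that do not require a password at all.
foreach ($acct in (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=TRUE AND Disabled=FALSE")) {
    if (-not $acct.PasswordRequired) {
        $findings += "Account '$($acct.Name)' does not require a password."
    }
}

# 3. User-created disk shares (Type 0). The hidden administrative shares
#    (C$, ADMIN$, IPC$) carry a different Type and are not examined here.
foreach ($share in (Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 })) {
    # Whole-drive shares: a path such as C:\ or D:
    if ($share.Path -match '^[A-Za-z]:\\?$') {
        $findings += "Share '$($share.Name)' exposes the entire drive $($share.Path)."
    }
    # Share permissions: flag write access granted to Everyone, Guest or anonymous users.
    $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
    if ($sec) {
        $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
        foreach ($ace in $dacl) {
            $isAllow  = ($ace.AceType -eq 0)                                   # 0 = access allowed, 1 = denied
            $writable = (($ace.AccessMask -band $Change) -eq $Change)
            $broad    = ($ace.Trustee.Name -match '^(Everyone|Guest|Guests|ANONYMOUS LOGON)$')
            if ($isAllow -and $writable -and $broad) {
                $level = if (($ace.AccessMask -band $FullControl) -eq $FullControl) { 'Full Control' } else { 'Change' }
                $findings += "Share '$($share.Name)' grants $($ace.Trustee.Name) $level access."
            }
        }
    }
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

Run it in a normal (non-elevated) PowerShell session on each computer; reading these WMI classes does not need administrative rights. A share that shows up with Everyone at Change or Full Control is exactly the case the text warns about when Password Protected Sharing is off: with the Guest account enabled, that permission applies to every machine that can reach port 445, which is why the firewall and router filters from the earlier sections matter as much as the share settings themselves.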