SECURITY

Windows 7 : Protecting Your Network from Hackers and Snoops - Specific Configuration Steps for Windows 7

12/3/2012 6:23:10 PM
Disaster Planning: Preparation for Recovery After an Attack

Disaster planning should be a key part of your security strategy. The old saying “Hope for the best and prepare for the worst” certainly applies to network security. Murphy’s law predicts that if you don’t have a way to recover from a network or security disaster, you’ll soon need one. If you’re prepared, you can recover quickly and may even be able to learn something useful from the experience. Here are some suggestions to help you prepare for the worst:

  • Make permanent, archived “baseline” backups of exposed computers before they’re connected to the Internet and anytime system software is changed.

  • Make frequent backups once online.

  • Prepare written, thorough, and tested computer restore procedures.

  • Write and maintain documentation of your software and network configuration.

  • Prepare an incident plan.

A little planning now will go a long way toward helping you through this situation. The key is having a good backup of all critical software. Each of the points discussed in the preceding list is covered in more detail in the following sections.

Make a Baseline Backup Before You Go Online

You should make a permanent “baseline” backup of your computer before you connect with the Internet for the first time so that you know it doesn’t have any virus infections. Make this backup onto a removable disk or tape that can be kept separate from your computer, and keep this backup permanently. You can use it as a starting point for recovery if your system is compromised.

Make Frequent Backups When You’re Online

I hate to sound like a broken record on this point, but you should have a backup plan and stick to it. Make backups at some sensible interval and always after a session of extensive or significant changes (for example, after installing new software or adding users). In a business setting, you might want to have your backup program schedule a backup every day automatically. (You do have to remember to change the backup media, even if the backups are automatic.) In a business setting, backup media should be rotated offsite to prevent against loss from theft or fire.

Write and Test Server Restore Procedures

I can tell you from personal experience that the only feeling more sickening than losing your system is finding out that the backups you’ve been diligently making are unreadable. Whatever your backup scheme is, be sure it works!

This step is difficult to take, but I urge you to try to completely rebuild a system after an imaginary break-in or disk failure. Use a sacrificial computer, of course, not your main computer, and allow yourself a whole day for this exercise. Go through all the steps: Reformat hard disks, reinstall Windows or use the Complete PC Restore feature, reinstall tape software (if necessary), and restore the most recent backups. You will find this a very enlightening experience, well worth the cost in time and effort. Finding the problem with your system before you need the backups is much better than finding it afterward.

Also be sure to document the whole restoration process so that you can repeat it later. After a disaster, you’ll be under considerable stress, so you might forget a step or make a mistake. Having a clear, written, tested procedure goes a long way toward making the recovery process easier and more likely to succeed.

Write and Maintain Documentation

It’s in your own best interest to maintain a log of all software installed on your computers, along with software settings, hardware types and settings, configuration choices, network address information, and so on. (Do you vaguely remember some sort of ordeal when you installed your wireless router last year? How did you resolve that problem, anyway?)

Tip

Windows has no utilities to print the configuration settings for software and network systems. I use Alt+PrntScrn to record the configurations for each program and network component, and then paste the images into WordPad or Microsoft Word.


In businesses, this information is often part of the “oral tradition,” but a written record is an important insurance policy against loss due to memory lapses or personnel changes. Record all installation and configuration details.

Then print a copy of this documentation so you’ll be able to refer to it if your computer crashes.

Make a library of software DVDs and CD-ROMs, repair disks, startup disks, utility disks, backup disks, tapes, manuals, and notebooks that record your configurations and observations. Keep them together in one place and locked up, if possible.

Prepare an Incident Plan

A system crash, virus infection, or network intrusion is a highly stressful event. A written plan of action made now will help you keep a clear head when things go wrong. The actual event probably won’t go as you imagined, but at least you’ll have some good first steps to follow while you get your wits about you.

If you know a break-in has been successful, you must take immediate action. First, disconnect your network from the Internet. Then find out what happened.

Unless you have an exact understanding of what happened and can fix the problem, you should clean out your system entirely. This means that you should reformat your hard drive, install Windows and all applications from CDs/DVDs or pristine disks, and make a clean start. Then you can look at recent backups to see whether you have any you know aren’t compromised, restore them, and then go on.

But most of all, have a plan. The following are some steps to include in your incident plan:

  • Write down exactly how to properly shut down computers and servers.

  • Make a list of people to notify, including company officials, your computer support staff, your ISP, an incident response team, your therapist, and anyone else who will be involved in dealing with the aftermath.

  • If you had a hacker break-in, check www.first.org to see whether you are eligible for assistance from one of the many FIRST response teams around the world. The FIRST (Forum of Incident Response and Security Teams) Secretariat can tell you which agencies might best be able to help you in the event of a security incident; call 301-975-3359.

  • The CERT-CC (Computer Emergency Response Team Coordination Center) might also be able to help you, or at least get information from your break-in to help protect others. Check www.cert.org. In an emergency, call 412-268-7090.

  • You can find a great deal of general information on effective incident response planning at www.cert.org. CERT offers training seminars, libraries, security (bug) advisories, and technical tips as well.


Specific Configuration Steps for Windows 7

The following sections provide some specific instructions to tighten security on your Windows 7 computer or LAN. These instructions are for a single Windows 7 computer or a workgroup without a Windows Server. Windows Server offers more powerful and integrated security tools than are available with Windows 7 alone (and happily for you, it’s the domain administrator’s job to set it all up).

Windows 7’s Security Features

Right out of the box, Windows 7 has better security tools built in than any previous version of Windows. If you do nothing else but let these tools do their job, you’ll be better off than most people, and certainly far better off than anyone running Windows 98 or XP. These are the built-in security features:

  • User Account Control— UAC makes sure that programs don’t have the ability to change important Windows settings without your giving your approval. This helps prevent virus programs from taking over your computer and disabling your computer’s other security features.

  • Protected Mode Internet Explorer— Internet Explorer is the primary gateway for bad software to get into your computer. You don’t even have to deliberately install the bad stuff or go to shady websites to get it—hackers take over well-known, legitimate websites and modify the sites’ pages so that just viewing them pulls virus and Trojan horse software into your computer. This risk is so great that Internet Explorer was modified to run with such low privileges that these bad programs can’t do any damage.

  • Windows Firewall— Windows Firewall blocks other computers on the Internet from connecting to your computer.

  • Windows Defender— Defender is an antispyware program that scans your hard disk and monitors your Internet downloads for certain categories of malicious software. It’s not a full antivirus program, but it does help.

These features are all good at their jobs. The best bit of security advice I can give you is this: Do not disable any of them. In particular, don’t disable UAC. If you find that any of the security features cause some problems with one of your applications, fix the problem just for that application, instead of disabling the security feature outright. For example, if you have a program that doesn’t work well under UAC, use the Run As Administrator setting on that application’s shortcut to let just that program bypass UAC.

If you just follow that advice, you’ll be in pretty good shape. If you want to ratchet up your defenses another notch or two, read on.

If You Have a Standalone Windows 7 Computer

If you have a standalone system without a LAN, you need to take only a few steps to be sure you’re safe when browsing the Internet:

  • Enable Macro Virus Protection in your Microsoft Office applications.

  • Be sure that Windows Defender is turned on and up-to-date. Or, install a third-party antivirus/antispyware program.

  • When you connect to the Internet, be sure to stay connected long enough for Windows Update to download needed updates.

  • Be very wary of viruses and Trojan horses in email attachments and downloaded software. Install a virus scan program, and discard unsolicited email with attachments without opening it. If you use Outlook or Windows Mail, you can disable the preview pane that automatically displays email. Several viruses have exploited this open-without-asking feature.

    Note

    Unfortunately, the Windows Automatic Updates pop-up appears only when you are logged in using a Computer Administrator account. Unless you’ve configured Windows Automatic Updates to alllow all users to install updates, or to automatically install the updates, you need to log on as an administrator at least once every week or two to see if anything new has been downloaded.


  • Keep your system up-to-date with Windows Update, service packs, application software updates, and virus scanner updates. Check for updates every couple weeks, at the very least.

  • If you use Microsoft Office or other Microsoft applications, go to the Windows Update web page and select Microsoft Update. This will let Update automatically download updates and security fixes for Office as well as Windows.

  • Make the Security Policy changes

  • Use strong passwords on each of your accounts, including the Administrator account. For all passwords, use uppercase letters and lowercase letters and numbers and punctuation; don’t use your name or other simple words.

  • Be absolutely certain that Windows Firewall is enabled on all network and dial-up connections to the Internet.

If You Have a LAN

If your computer is connected to others through a LAN, follow the suggestions from the list in the preceding section. Make the Security Policy changes on each computer.

In addition, if you use a wireless network, you must use encryption to protect your network. Otherwise, thanks to passwordless file sharing, random people passing by could have the same access to your shared files as you do. Use WPA2 encryption if all of your computers and routers support it; otherwise, see whether you can use WPA. Use WEP only if you have devices that don’t support WPA.

Keep Up-to-Date

New bugs in major operating systems and applications software are found every week, and patches and updates are issued almost as frequently. Even Microsoft’s own public servers have been taken out by virus software.

Software manufacturers, including Microsoft, have recently become quite forthcoming with information about security risks, bugs, and the like. It wasn’t always the case; they mostly figured that if they kept the problems a secret, fewer bad guys would find out about them, so their customers would be better off (and it saved them the embarrassment of admitting the seriousness of their bugs). Information is shared so quickly among the bad guys now that it has become essential for companies to inform users of security problems as soon as a defensive strategy can be devised.

You can subscribe to the Microsoft Email Updates security bulletin service at www.microsoft.com/security. The following are some other places to check out:

www.sans.org

www.cert.org

www.first.org

www.cerias.purdue.edu/coast

www.greatcircle.com

Usenet newsgroups: comp.security.*, comp.risks

Some of these sites point you toward security-related mailing lists. You should subscribe to Microsoft Security Advisor Bulletins at least. Forewarned is forearmed.

Tightening Local Security Policy

You should set your machine’s own (local) security policy whether you have a standalone computer or are on a LAN. The Local Security Policy lets Windows enforce some commonsense security rules, such as requiring a password of a certain minimum length or requiring users to change their passwords after a certain number of days.

Note

Local Security Policy settings are not available on Windows 7 Home versions.


If your computer is part of a Windows domain-type network, your Local Security Policy settings will likely be superseded by policies set by your domain administrator, but you should set them anyway so that you’re protected if your domain administrator doesn’t specify a so-called global policy.

To configure Local Security Policy, log in as a Computer Administrator and choose Start, All Programs, Administrative Tools, Local Security Policy. (If Administrative Tools doesn’t appear on the menu, the Administrative Tools Control Panel applet can get you there. You can also customize the Start menu to display Administrative Tools.)

A familiar Explorer view then appears, with several main security policy categories in the left pane, as shown in Figure 1. I list several policy items you might want to change.

Figure 1. The Local Policy Editor lets you tighten security by restricting unsafe configuration options.

To change the settings, select the policy categories from the left pane and double-click one of the policy names listed in the right pane. A Properties dialog box will appear in which you can change the setting.

You don’t need to change all the policies; I list the important ones in the following sections.

Account Policies

Account policies can be used to enforce long, difficult, frequently changed passwords and make it hard for users to recycle the same passwords when forced to change. You should lock out accounts that fail several login attempts, locally or over the LAN. In the Local Security Policy window’s left pane, open the list under Account Policy, then select Password Policy or Account Policy to see the available settings. Table 1 shows the recommended altered Password Policy settings, and Table 32.4 shows the options at your disposal for locking out an account.

Table 1. Password Policy Settings
Password PolicyLocal Setting
Enforce password history10 passwords remembered
Maximum password age70 days
Minimum password age1 day
Minimum password length8 characters
Passwords must meet complexity requirementsEnabled
Store password using reversible encryptionDisabled

Table 32.4. Account Lockout Policy Settings
Account Lockout PolicyLocal Setting
Account lockout duration30 minutes
Account lockout threshold5 invalid logon attempts
Reset account lockout counter after30 minutes

Local Policies

You should have Windows make an entry in the Event Log whenever someone oversteps his or her bounds. Table 2 shows the recommended audit policy changes.

Table 2. Audit Policy Settings
Audit PolicyLocal Setting
Audit account logon eventsFailure
Audit account managementFailure
Audit directory service accessFailure
Audit logon eventsFailure
Audit policy changeSuccess, Failure
Audit system eventsFailure

No changes are necessary in the User Rights assignments section, but you might want to view these entries to see what sorts of permission restrictions Windows uses.

Note

If you’re interested in how Windows regulates the operation of your computer, take a look at the settings under User Rights Assignment and Security Options. You’ll probably never need to change any of these settings, but these two sections are the heart of Windows’ security controls.


Finally, go through the security options, as listed in Table 3. Security options are used to restrict what users can do with system options.

Table 3. Security Options Settings
Security OptionLocal Setting
Interactive logon: Message text for users attempting to log onYou can display a sort of “Posted: No Trespassing” warning with this entry.
Devices: Prevent users from installing printer driversDisabled by default. If you want to prevent users from installing potentially untested printer and hardware drivers, check out the options for these settings.
Audit: Shut down system immediately if unable to log security auditsA common hacker trick is to fill up audit logs with junk messages and then break in. If you want, you can have Windows shut down when the Security Event Log fills. The downside is that it makes your security system a denial-of-service risk.

When you log out and back in, the new restrictive security policies will take effect.

Other  
 
Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
VIDEO TUTORIAL
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8