Harden Your System
Once you are patched, cleaned up and backed up, it’s time to do a little locking down. Some of this can be done from inside your system and some of it needs to be done outside.
The easiest way to add a level of security to your system is to password-protect its user accounts, especially those that have administrator privileges. And don’t go for rinky-dink passwords, either. Use strong passwords that are long and contain letters (upper- and lower-case), numbers and symbols/punctuation. If you still have Win9x systems, you’re pretty much stuck at a maximum of 14 characters, but for Windows XP it’s much more. You might consider using a passphrase rather than a password (That’s the way, uh-huh, uh-huh, I like it, uh-huh, uh-huh). Notice that it’s long and has upper-case letters, lower-case letters, spaces and punctuation? This is not something that’s going to be brute-force hacked for a loooong time. Of course, you’ll have to type it in exactly like that every time you want to log on, so try to keep it reasonable and workable.
Just as a physical security measure, you should password-protect every account. But it’s more important to cover the accounts that can actually damage your system.
Inside your system, you should turn off any unneeded services by using the Services console (Start -> Run -> services.msc). A fellow named Black Viper maintained a list of services that were needed or unneeded under certain configurations. He has since taken down his website for unknown reasons. A few other sites have posted his material on their pages. If you Google for “Black Viper” you’ll be able to get that information from the sites that gave him credit for doing the original work (the less said about those who take others’ work and claim it as theirs, the better).
In any event, unless you are in a networked environment where an administrator would need to notify you of network problems, completely disable the Messenger service. It is more often used as a means of sending you advertising than for any legitimate purpose.
Your next step should be to run Microsoft’s Baseline Security Analyzer (www.microsoft.com/downloads/). Version 2.0.1 is the current version at the time I wrote this. The analyzer will point out security problems on your system. Keep in mind that Microsoft DOES NOT know more about what you want to do on your system than you do. So take its results as advice, not as requirements. Some of its results are common-sense (like requiring complex passwords for all accounts with administrator privileges) and some of its suggestions are downright stupid (like requiring you to install the Genuine Windows scanner as a security update). But it will at least give you a good idea of where you might have security problems and give you some “best practices” advice.
If you have the money and patience, consider adding a hardware firewall to your home network. A hardware firewall is a bit different from the firewall that came with your security suite. It sits between you and the internet and can block network traffic in both directions and it can work in conjunction with the software firewalls on your systems. The nice thing about a hardware firewall is that the only thing it does is monitor and filter your network traffic. It’s never going to stop what it’s doing for a fast game of Freecell.
In an ideal world, you configure the firewall to block traffic on all ports except the ones that you are actually using (port 25 for SMTP email, port 80 for web browsing, port 110 for POP3 email, port 119 for newsgroups, etc.). It’s a tedious process to track down all of the ports used by all of the different applications on all of your home systems, but it will definitely help keep the bad guys off of your systems. If you are using a router that provides DHCP services, you are getting some degree of protection, but not as much as you would with a dedicated firewall.
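One way to take some of the tedium out of tracking down ports, as an added example that is not part of the original article: a Python script that reads `netstat -an` output and separates remote ports already on the allow-list above from ones that still need a decision. The `audit` function, the sample output and its addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Outbound ports the article names: SMTP, HTTP, POP3, NNTP.
ALLOWED_REMOTE_PORTS = {25, 80, 110, 119}

# Constructed sample in the layout Windows `netstat -an` prints; the
# addresses are from documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1046      203.0.113.9:110        ESTABLISHED
  TCP    192.168.1.10:1051      198.51.100.7:6667      ESTABLISHED
  TCP    192.168.1.10:1052      203.0.113.5:80         TIME_WAIT
  UDP    0.0.0.0:1900           *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

def audit(netstat_text, allowed=ALLOWED_REMOTE_PORTS):
    """Return (listening ports, allowed outbound, unlisted outbound)."""
    listening = set()
    ok, unlisted = defaultdict(set), defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        proto, _local, lport, remote, rport, state = m.groups()
        if state == "LISTENING" or (proto == "UDP" and rport == "*"):
            listening.add((proto, int(lport)))  # something is accepting traffic here
        elif state == "ESTABLISHED":
            bucket = ok if int(rport) in allowed else unlisted
            bucket[int(rport)].add(remote)  # remote port -> hosts contacted
    return (sorted(listening),
            {p: sorted(h) for p, h in ok.items()},
            {p: sorted(h) for p, h in unlisted.items()})

if __name__ == "__main__":
    listening, ok, unlisted = audit(SAMPLE_NETSTAT)
    print("listening:", listening)
    print("covered by the allow-list:", ok)
    print("needs a decision (allow or investigate):", unlisted)
```

Run it against output captured on each home system while the usual applications are open; every port in the last group is either an application to add to the firewall rules or something to investigate.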