Neowin Windows Security tips...thread.

By Osiris
in Microsoft (Windows)

 Share

Recommended Posts

Grand Master

Osiris

Posted
Posted

So im just wondering we seem to have threads on neowin for all sorts of things, from best defrag to definitive firewall threads, so why not have a security thread.

No doubt you could google a 100000 pages on the topic, but on neowin we have the collective experiences and knowledge of quite a number of generally tech savvy people, so why dont you just post things you do that you think are essential to the security of your windows machine. Little tweaks, system changes, policy editing changes, you do to ensure your system is secure be it physically or over the net.

I dont know many tweaks or tips, that is in essence the purpose of this thread, apart from Installing critical updates, and loading and updating Norton, my security measures until recently have ended there. So if you can expand on advice or tips beyond that, feel free to offer up some handy tips and advice youve learnt from your time with 2000 or XP...

Link to comment
https://www.neowin.net/forum/topic/155215-neowin-windows-security-tipsthread/
Share on other sites
Mentor

Bold_Fortune

Posted
Posted
So im just wondering we seem to have threads on neowin for all sorts of things, from best defrag to definitive firewall threads, so why not have a security thread.

No doubt you could google a 100000 pages on the topic, but on neowin we have the collective experiences and knowledge of quite a number of generally tech savvy people, so why dont you just post things you do that you think are essential to the security of your windows machine. Little tweaks, system changes, policy editing changes, you do to ensure your system is secure be it physically or over the net.

I dont know many tweaks or tips, that is in essence the purpose of this thread, apart from Installing critical updates, and loading and updating Norton, my security measures until recently have ended there. So if you can expand on advice or tips beyond that, feel free to offer up some handy tips and advice youve learnt from your time with 2000 or XP...

Been wishing people would take my hint on this subject for sometime now. Here's my tip.

This site...

http://www.jfitz.com/tips/ie_security_config.html

(I export this registry key to my Desktop before making adjustments: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

And then export it once more after making my adjustments.

That way I can interchange settings when certain sites need the Default Settings, and use my Adjusted Settings when browsing normally.)

And this...

Internet Properties Advance Settings Preferences

Accessibility Section:

UNCHECKED...Always expand ALT tags for images

The ALT text is meant to be alternative text, primarily for use when the image is not being displayed. The most common mistake (if used at all!) is to provide a description of the image, without considering what job the image was doing on the page, leading to results that can range from the incongruous to the absurd. The ALT text is intended to be a suitable textual alternative to the purpose of the image: sometimes that might turn out to be a description of the image, but in practice that choice seems to be wrong far more often than it's right.

UNCHECKED...Move system focus with caret with focus/selection changes

When selected, this accessibility option moves the system caret (cursor or insertion point) when the focus/selection changes. This option improves the functionality of some screen readers and screen magnifiers that use the ?system caret? (cursor) to determine which area of the screen to read or magnify.

Browsing Section:

CHECKED.....Always send URL's as UTF-8. UTF-8 (requires restart)

UTF-8 defines a character set that is readable in any language.

UNCHECKED.....Automatically check for Internet Explorer updates

Will alert you if a newer version of Internet Explorer becomes available and

prompt you if you want to download it.

CHECKED.....Close unused folders in history and favorites

If you are using the history or favorites window, specifies whether opening

a new folder will close the one that was previously opened by you.

It has been determined that some external programs access the Web using Internet Explorer functions in such a manner that the 'History' files are kept open. When these programs are active, the 'History' files can't really be deleted. In some instances, the files appear to delete but soon reappear.

CHECKED.....Disable script debugging

Used by web page developers to test programs and scripts on their web pages.

UNCHECKED...Display notification about every script error

Useful to developers when testing web pages, displays the actual scripting

error code when a page does not load properly due to a scripting error.

CHECKED.....Enable folder view for FTP sites

Specifies whether to display the folders on a FTP site similar to a windows

explorer view or a my computer view.

UNCHECKED.....Enable install On Demand (Internet Explorer)

Will automatically download and install components that a web page needs in

order to be displayed properly.

The Install On Demand feature specifies whether to automatically download and install Web components that can be installed by Internet Explorer Active Setup by using the component's cabinet information file (CIF) for Setup instructions. Typically, a Web page may need to download items to display the page properly, or to perform a particular task. For example, if you open a Web page that requires Japanese-text display support (Charset=euc-jp), Internet Explorer automatically prompts you to download the Japanese Language Pack component if it is not already installed and the Install On Demand feature is enabled.

UNCHECKED...Enable install On Demand (Other)

Components that can be installed by using self-installing program files that are registered with Internet Explorer 6 are controlled by the Enable Install on Demand (Other) setting.

UNCHECKED...Enable offline items to be synchronized on a schedule

You can set up web pages to be delivered to you at a specified time.

UNCHECKED...Enable page transitions

Specifies whether as you move from one page to another, the previous page

fades out and the new page fades in.

UNCHECKED...Enable Personalized Favorites menu

Specifies whether to have items displayed on your favorites

menu that you don't frequently use.

CHECKED.....Enable third-party browser extentions (requires restart).

I need this for PopUpCop to stay installed and work in my browser.

CHECKED.....Enable visual styles on buttons and control in web pages

UNCHECKED...Force offscreen compositing even under Terminal Server (requires restart)

CHECKED.....Notify when a downloads complete.

Indicates whether to display a message at the end of a file download to

indicate that the download is complete. Note, assigning a sound to the

asterisk in sounds in control panel will play a sound when a download is

complete.

UNCHECKED...Reuse windows for launching shortcuts

Specifies whether when you click on a link in a program such as Outlook

Express, if there is already a Internet Explorer window open, whether to

reuse that window or to open another session of Internet Explorer.

CHECKED.....Show friendly HTTP error messages

Specifies whether to display the error and detailed description of the

problem when there is a problem connecting with a server.

UNCHECKED...Show friendly URLs

Specifies if you want the actual web address of a site displayed in the

status bar or the shorter friendly name. For example whether to display

www.microsoft.com or Microsoft's Home Page. HJ states to have this one off.

CHECKED.....Show Go button in Address Bar

Specifies whether to have a go button. You can either use enter or the go

button after entering an address in the address bar.

Underline links:

CHECKED.....Always

UNCHECKED...Hover

UNCHECKED...Never

Specifies when to underline links, always, only when

mouse pointer is over the link, or never.

UNCHECKED....Use inline AutoComplete

Specifies whether you want Internet Explorer to auto complete addresses as

you enter them based on sites you have visited before.

UNCHECKED....Use Passive FTP (for firewall and DSL modem compatibility)

Use passive FTP for compatibility with some firewalls and DSL modems.

Does not require you to know the actual IP address of a FTP site.

UNCHECKED....Use smooth scrolling

Specifies whether a special type of scrolling is used to scroll through

pages at a predefined speed.

HTTP1.1 settings:

CHECKED......Use HTTP 1.1

UNCHECKED....Use HTTP 1.1 through proxy settings

Specifies to attempt to use HTTP 1.1 when connecting to Web sites. HTTP

(Hypertext Transfer Protocol), is the protocol that is used to display web

pages. HTTP 1.1 is a newer version than HTTP 1.0 and loads web pages

faster. Some Web sites still use HTTP 1.0, so if you are having

difficulties connecting to some Web sites, you may want to clear this check

box.

Multimedia Section:

CHECKED......Don't display online media content in the media bar Play animations

UNCHECKED....Automatic Image Resizing

Another change you might want to make is in the way IE handles images. By default, IE resizes images to fit the window. This often distorts large images and can be a real pain if you frequently use IE to view images on the Web. Just disable or enable the Enable Automatic Image Resizing option.

UNCHECKED....Enable Image Toolbar (requires restart)

UNCHECKED....Play animations in web pages.

I'm on a Dial-Up Connection, so this really helpd web pages to load faster for me.

UNCHECKED....Play sounds in web pages

Allows audio.

UNCHECKED....Play videos in web pages

Plays video clips.

CHECKED......Show pictures

Specifies whether to download and display graphics.

UNCHECKED....Smart image dithering

Smooths image displays.

Printing Section:

UNCHECKED....Print backgroud colors and images

Specifies that you want Internet Explorer to print background colors and

images when you print a Web page.

Search from the Address Bar Section:

When searching:

UNCHECKED....Display results, and go to the most likely site

CHECKED......Do not search from the Address Bar

UNCHECKED....Just display the results in the main window

UNCHECKED....Just go to the most likely site

Internet Explorer 5 allows you to enter words in the address bar for

searching the web and uses the MSN search engine for the results.

Security Section:

UNCHECKED....Check for publisher's certificate revocation.

I've unchecked this since that license fiasco effected clicking on some files and folders.

UNCHECKED....Check for server certificate revocation (requires restart)

Tells whether IE should check an internet site's certificate to see if it

has been revoked or is still valid.

UNCHECKED....Check for signatures on downloaded programs

UNCHECKED......Do not save encrypted pages to disk

Specifies that secured information such as on secure shopping sites is not

saved to your hard disk or to your temporary internet files folder. This is

useful if you are using Internet Explorer from a shared server and you do

not want other people to see your secure information.

I used to CHECK this, but I discovered it slowed the Backspace action on some sites

UNCHECKED....Empty Temporary Internet Files folder when browser is closed

This will delete all files that IE has saved to your temporary internet

files folder each time you exit IE. Remember though, this may slow down

your browsing as IE will not be able to retrieve pages you revisit from your

temporary internet files folder.

UNCHECKED....Enable Integrated Windows Authentication (requires restart)

UNCHECKED....Enable Profile Assistant

IE can fill the whole form in for you, but only if the Web site supports

the Profile Assistant. Your profile information is contained in the

profiles on the contents page.

CHECKED......Use SSL 2.0

Specifies that you want to send and receive secured information through SSL2

(Secured Sockets Layer Level 2), the standard protocol for secure

transmissions. All secure Web sites support this protocol

CHECKED......Use SSL 3.0

Specifies that you want to send and receive secured information through SSL3

(Secured Sockets Layer Level 3), a proprietary protocol that is intended to

be more secure than SSL2. Note that some Web sites might not support this

protocol.

UNCHECKED....Use TLS 1.0

TLS stands for Transport Layer Security, and is a new security protocol being developed to supersede Secure Sockets Layer (SSL) which is the standard means for encrypting information transmitted across the internet. HeySportsFans website (as an example of a site) uses SSL to protect secure areas of the website, but does not currently support TLS. This means that if the "Use TLS 1.0" option is enabled, secure pages will not be displayed.

CHECKED......Warn about invalid site certificates

Specifies whether Internet Explorer should warn you if the address (URL) in

a security certificate of an Internet site is not valid.

CHECKED......Warn if changing between secure and not secure mode

Specifies whether Internet Explorer should warn you if you are switching

between Internet sites that are and are not secure.

CHECKED......Warn if forms submittal is being redirected

Tells whether IE should warn you if a form you submit is being redirected to

a web site other than the one you are using to fill out the form.

Grand Master

+allan MVC

Posted
  • MVC
Posted

  • Common Sense!!!!!!
  • Never open email attachments unless you know the sender, expected the attachment, and know what the attachment is before opening
  • Use a GOOD anti-virus program, have it active at all times, and keep the definitions up to date (if it has an auto-updater, use it)
  • Use AdAware and Spybot as scanning programs on a regular basis. You must use both - one will often miss items the other will catch. Neither is better than the other - just different.
  • Download and use both SpywareBlaster and SpywareGuard from javacool. SB is a passive utility that will innoculate the registry and prevent spyware entries from being installed. SG is an active utility that sits in the system tray and prevents spyware from being installed. Again, they are complementary to one another - use both and keep definitions updated
  • Common Sense!!!!!!!
  • Never go to web sites that are known for spyware
  • Allow First Party & Session Cookies, but block Third Party Cookies
  • Never post your email address or other personal information on a web site or forum
  • Do not allow others to surf the web on your computer - or be prepared for the consequences
  • Common Sense!!!!!!!!
  • Never reply to emails that request personal information, regardless of the apparent source of the request
  • Stay the hell out of chat rooms
  • While Bold_Fortune's suggestions above are all good, I've never made any of the registry changes myself. I've found that by taking the steps outlined in this post I've been able to avoid 100% of spyware and viruses (so far ;) ). I'm not suggesting you should or should not make the changes - just saying that if you are prepared to pay attention to what you are doing they may not be necessary. On the other hand, they can't hurt.
  • Did I mention Common Sense?

Veteran

trix

Posted
Posted

my cusin has no common sense what so ever!!! every time i go around his house i end up reinstalling windows on his machine just coz he f**ks it up so much! i've started avoiding visiting his house now :D let him be a irc bot in like 30 diff networks its killin his machine not mine.

Grand Master

Frank

Posted
Posted

Sorry if any of these have been posted, but it is early, and I could have missed one.....

Tip # 1 that Has not been mentioned yet

MAKE SURE you are behind a firewall AND it is configured properly. It doesn't matter if it is software, or hardware, as long as you have one, your good.

Tip #2 that has not been mentioned yet

MAKE SURE you keep updated from Microsoft. A good way to do this is with the AutoPatcher, or just leave the bloody Automatic Updates turn on.

Tip #4 that has not been mentioned yet

Download and install Mike Lin's StartUp Monitor. This is the best program in the world.

The other two I would have to say that has been mentioned, is to use Common Sense!!!!!!!! and to run a good anti-virus program. If you don't want to buy one, get AVG. It's free, and it works well.

/Edit: yes I know it goes from 2 to 4, I just wanted to make sure you were paying attention. If you did not, you get a *BONK* from Ded Bob.

Also, if your one of the stupid heads who say "I don't need a firewall, or anti-virus, im leet, you get two *BONKS* from dead bob, and then he tells you to STFU cause your wrong.

Mentor

eversor

Posted
Posted
"Also, if your one of the stupid heads who say "I don't need a firewall, or anti-virus, im leet, you get two *BONKS* from dead bob, and then he tells you to STFU cause your wrong."

Quit bonking me.

Hm. I don't want to sound leet or something but i think that anti virus tools are not that neccesary. Firewall is a real must though.

I think the normal user feels too safe with anti virus installed and thinks that he can do just anything ("uh i hav anti virus installed").

See most virii spread because the user clicked on something the shouldn't have clicked on. There are only a few that spread by exlpoiting security holes (e.g. blaster). And normally these security holes are fixed prior to the birth of the virus (eg blaster). Its again the users fault. He should have updated his os.

Now you will say if the creator of the virus just found the security hole by himself so that it can't be fixed prior to the virus release, than i would say that an anti virus tool can't do much. The creator can use the engines of the anti virus tools itself and try to code the virus that way that it can't be found (until new signatures are out). And if you are once infected you can't really be sure what the virus has done to your pc (you could have been infected with a variety of the orginal virus. So i would recommend a clean re-install instead of deleting it.

As others said before: Common Sense!

MfG.Eversor

(What i described above only applies to normal users with normal pc usage. If a pc is used by too many people (in companys or whatsoever) you normally have one that hasn't much common sense or is behaving not as he should be. In that case it (av tools) can help on some level). Altough i also like the way my university handles it: Upon restart of the pc the whole os will be re-deplyed..... but thats another story)

Mentor

Bold_Fortune

Posted
Posted

I was looking over the Ten Commandments. I couldn't find the Commandments pertaining to anti-virus and firewalls. Maybe it's in the New Testament and I missed it.

Bearing down on users never works. The best anyone can do is post what we feel is some good advice.

Mentor

eversor

Posted
Posted

Hm. But saying that it is a necessity doesn't quite convince me. But i kinda exptected that i might be alone with this. Perhaps i think that way because my pc was never infected...

And i never said that they are useless they are only not that important (for me), because they can never give you full security... If you were infected you can still delete it "manually" (by following an instruction found on the internet or by using a tool designed especially to delete it). And if that should happen i render my system useless as it has been corupted and i can't be sure what the virus did with my pc

  • 1 month later...
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.