There are numerous operating system and program settings that can be tweaked in order to better your security profile. True system “hardening” is not for the impatient or faint of heart, and may be discussed in a future column; this column will cover only the basics.
I like to start at the beginning with the Windows Startup group. While it may not seem directly related to system security, having a computer that’s running as few programs in the background as possible can contribute to overall system speed and stability. Windows 2000 users can download a nifty utility written by Mike Lin called Startup Control Panel (http://www.mlin.net/StartupCPL.shtml) to control programs that run when Windows loads. XP users can use Start/Run/msconfig and click the Startup tab. You really don’t need Acrobat, digital camera software, iTunes, RealPlayer, Nero or Google Update, to name just a few, constantly running in the background. About all you really want to be running are your antivirus and firewall programs. Search the Web to learn about any strangely named programs that you find in your startup list.
The next things to tweak are Windows services. Go to Control Panel/Administrative Tools/Services. Double-click a service to change its settings. Many services are either dangerous or useless to most users; for the purposes of this article, only a few services will be addressed.
Disable DNS Client, IPSEC, NetMeeting Remote Desktop Sharing, Remote Desktop Help Session Manager, Remote Registry, RunAs Service, Secondary Logon, TCP/IP NetBIOS Helper, Telnet, Terminal Services, Internet Connection Sharing, Windows Firewall (since you are using something better, yes?) and WebClient.
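To check the result of the step above, here is an added example (not part of the original column) that parses saved output of the built-in `sc qc <name>` command and reports which of the listed services are still not set to Disabled. The short service names are assumptions for Windows XP, and the sample output is constructed.

```python
import re

# Display names are the column's. The short service names are assumptions for
# Windows XP: seclogon backs RunAs Service (2000) and Secondary Logon (XP), and
# SharedAccess backs both Internet Connection Sharing and Windows Firewall.
TARGETS = {
    "dnscache": "DNS Client",
    "policyagent": "IPSEC",
    "mnmsrvc": "NetMeeting Remote Desktop Sharing",
    "rdsessmgr": "Remote Desktop Help Session Manager",
    "remoteregistry": "Remote Registry",
    "seclogon": "RunAs Service / Secondary Logon",
    "lmhosts": "TCP/IP NetBIOS Helper",
    "tlntsvr": "Telnet",
    "termservice": "Terminal Services",
    "sharedaccess": "Internet Connection Sharing / Windows Firewall",
    "webclient": "WebClient",
}
FIELD = re.compile(r"^[ \t]*(SERVICE_NAME|START_TYPE)[ \t]*:[ \t]*(\S+)[ \t]*(\S*)", re.M)

def parse_sc_qc(text):
    """Map lower-cased service name -> start type from `sc qc` output."""
    services, current = {}, None
    for key, first, second in FIELD.findall(text):
        if key == "SERVICE_NAME":
            current = first.lower()
            services[current] = "UNKNOWN"
        elif current:
            services[current] = second or "UNKNOWN"  # "4   DISABLED" -> DISABLED
    return services

def audit(text):
    """Return (display name, start type) for listed services not set to Disabled."""
    found = parse_sc_qc(text)
    return [(TARGETS[n], found[n]) for n in TARGETS
            if n in found and found[n] != "DISABLED"]

# Constructed, abbreviated sample of `sc qc` output (not captured from a real host).
SAMPLE = """\
SERVICE_NAME: RemoteRegistry
        START_TYPE         : 2   AUTO_START
SERVICE_NAME: TlntSvr
        START_TYPE         : 4   DISABLED
SERVICE_NAME: Dnscache
        START_TYPE         : 3   DEMAND_START
"""

if __name__ == "__main__":
    for name, start in audit(SAMPLE):
        print(f"{name}: {start} (the column recommends Disabled)")
```

A service set to Manual (`DEMAND_START`) is reported as well, since it can still be started on request.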
Some antivirus programs also need tweaking for better security. Symantec/Norton products in particular have some very stupid default settings. If you are fortunate enough to have an error-free installation of Norton AntiVirus (NAV) or Norton Internet Security (NIS), take a look at the settings available in the Options section. Make sure that all scans have the highest heuristics settings. Make sure that all files will be scanned, including compressed files. By default, NAV excludes certain files from being scanned. Whoever came up with this idea should be flogged. Remove all exclusions from the Exclusions box for both manual and scheduled scans. I’ve seen viruses buried in System Volume files that were missed by NAV scans because those files were excluded from scanning. Other antivirus programs that you may use should be checked for this type of flaw. You want all files to be scanned.
Firewall settings should also be considered. Many programs and services are set by default to immediately start accessing the Internet as soon as you’re connected. Not only is this a waste of bandwidth, it can also be dangerous. You want to deny Internet access to as many programs as possible. For example, Windows Explorer has absolutely no business accessing the Internet. In most instances, ICMP (Internet Control Message Protocol) traffic should be blocked. Examine your firewall’s Program Permissions list; you may be surprised by what you find. Do some online research to learn which programs and services truly need Internet access, and deny access to all but those that are needed.
Next week: the final installment in this series.