Fast broadband is now commonplace, making computer security an important issue as computers can be connected to the internet 24/7 and users will regularly be connected and on-line for many hours a day. These habits give much more scope for opportunistic drive-by infections (via your web browser) as well as having your computer exposed to attack. Hacking itself is now easier than it used to be since hacker toolkits (which can be used by anybody, even people without much technical knowledge) are widely available. Whilst having an infected machine has always been annoying, hijacked machines nowadays are valuable to fraudsters and spammers. Worse for you personally data stolen from malware infected machines, such as banking details, can mean you could end up having money taken from your accounts to loans being taken out in your name. No one wants these sorts of things to happen to them.
In all cases you should also consult with your local computer officer as other rules may apply in Colleges and Departments.
If your machine is a laptop and you will be taking it back and forth from home to work you should talk to your local Computer Officer to check what settings and rules may apply. They may have their own settings which are required or preferred. If the machine was bought for you by your Department or College then certain restrictions may apply to what software you can use.
The basics of modern Windows protection are:
- Do not login as an Administrator
- Have a strong login password for all accounts
- Keep your operating system and all software up-to-date
- Have an active anti-virus product running (only one)
- Run the Windows Firewall
When installed modern versions of Windows will offer you a set of sensible defaults (Windows update is enabled), provide you with a basic anti-malware product (Windows Defender), enable the Windows firewall and will prompt you for a password for your Administrator account when you first install the system.
If you have set good passwords, keep your system up to date and do not run as an Administrator when you surf the internet you can safely use Windows without too many concerns, provided you practice safe surfing, see our article on this.
Unfortunately many people do not have these default options set correctly or they have become un-set for a variety of reasons, sometimes due to malware. This page will provide you the means to check your settings and to provide you with as much protection as is possible, even if you insist on using an Administrator account all the time.
Do Not Login as an Administrator
The only time you need administrative rights is when you are configuring certain system settings and installing software. In most cases once you have configured your computer you don't need to login as an Administrator ever again. When you try and perform an action which requires Administrator rights you can either choose to right click an object and select "run as Administrator" (not available for everything) or you will be prompted for an Administrator account name and password. If you do not run as an Administrator it is much less likely you will ever get infected by malware. Even if you do get infected the malware will be restricted to the users profile. This makes it much easier to clean up the infection.
Set Good Passwords on All Accounts.
Remote attacks and malware want to get the highest privileges on your system, an Administrator account. They do this by attempting to login as a user account and guess the password. If malware is running on your system and you are a standard user it will be limited in what it can do, you may see odd login prompts for an Administrator account while malware tries to do things it cannot do as a standard user. If you have not set a password on the Administrator account then hackers and malware will get the Administrator rights immediately. If you set a bad password, a password which is a single dictionary word or a name, then the password will be guessed in around 2-5 seconds using a brute force dictionary attack. You should set good passwords on all accounts on the computer.
What is a good password?
What defines a good password is open to debate. However the following should be used as a guide.
- A minimum of 10 characters long (ideally 15 characters or more).
- Not a dictionary word, a name, two short words joined together or a sequences of numbers.
- Contain a mixture of upper and lower case letters.
- Contain at least 4 numbers and special characters.
- Do not use a password more than once.
NOTE: You can use spaces in your password or phrase (see below), however you should avoid using spaces at the start or end of a password or phrase.
You may wish to try a pass-phrase which is a sequence of words which makes up your password. Passphrases will by their nature be longer and more secure than passwords, provided you do not use common well known phrases or sayings.
Keep your operating system and all software up to date
All software requires updating, some more than others. A lot of malware relies on unpatched operating systems and software in order to spread and infect systems. As an absolute minimum you must keep Windows up to date. Microsoft release major security updates on the second Tuesday of every month, but other updates are released all the time.
Windows Update/Microsoft Update
You need to check for updates at least once a month, preferably weekly as a minimum but ideally daily. The easiest way to do this on Windows is to turn on Windows Updates. Older versions will use Automatic Updates. Windows Update will provide updates for Windows and (some) inbuilt software. Microsoft Update requires additional (minimal) configuration and will provide updates for any other Microsoft software you may have and need such as Office. You should be updating Windows and all Microsoft software.
Setting your System to Update
We suggest that you set your system to check for updates every day and to have them install automatically. In addition you should enable Microsoft Update to make sure that all of your non Windows Microsoft software is being updated.
Do the following
- Enter "Windows Update" in the search bar on the start menu
- Ensure that Windows update is enabled and tick all of the available options to get all updates
Other software on your machine will also require updating. Some programs can be configured to check for updates on a regular basis, they will normally ask to do so as part of the install process. Adobe, iTunes, Mozilla Thunderbird, Firefox, Java and Flash Player are all examples of programs which require updating and all of which have an option to automatically check for updates. Programs which do not have an 'automatic update' facility will need to be checked manually for updates by visiting the vendors website or some may have an option within the application to check for updates. However you can download a free application called the Secunia Personal Software Inspector (PSI) which will run and periodically check for some of these applications for you.
The Computing Service supplies McAfee VirusScan Enterprise to its members for institutional and home use free of charge. McAfee VirusScan is updated on a daily basis and provides comprehensive anti-virus and antispyware protection. You can check to see if you are using the latest version of VirusScan by clicking here. An update takes a few minutes to complete assuming you are on broadband so the task doesn't normally cause great inconvenience.
Departments or Colleges may also provide other software which they may say you have to use instead. Please consult with your local Computer Officer if you are taking your personal laptop into work.
Windows comes with Windows Defender which is an active anti-spyware program which runs in the background. It is a limited product in that it is designed to only look for spyware. If you install McAfee VirusScan Windows Defender will be disabled, VirusScan has it's own inbuilt anti-spyware detection.
Microsoft Security Essentials
Microsoft Security Essentials is a free anti malware product which replaces Windows Defender when you install it. Microsoft Security Essentials is free for use for home computers (its licence does not permit it to be installed on computers owned by Departments or Colleges). If you don't want to use McAfee VirusScan you should at least install Microsoft Security Essentials instead.
Unfortunately no one product is perfect and re-assurance is a good thing. For that reason we recommend that you also get a copy of Malwarebytes. Malwarebytes (Free edition) is an excellent product which has an excellent track record of detecting and removing malware of all types. You should use it to run periodical scans of your system just to make sure that you don't have anything on your system.
The Windows Firewall
Windows will normally warn you if you do not have the Windows Firewall turned on and it should be enabled.
All users on the CUDN should allow inbound ping connections to comply with CUDN regulations. This command is also used to allow the Computing Service to check machine security and to help with basic network troubleshooting.
A style of product which combines security features into suites of products. These will often have firewall, anti-virus, anti-spyware, backup and web-browser security functionality as part of them.
If you are running any products of this type do not install any other anti-virus software or another firewall as these will potentially conflict with the existing products and cause both to fail as well as slowing down your machine.
If you experience difficulty in configuring these type of products please ask your Computer Officer or the email@example.com for help.
If you have more than one machine connected to a broadband or other home network, for security reasons you will probably want to install a suitable hardware or wireless router, rather than simply using one machine as the router. Routers can also require updating and some come with a default Admin password, which will also need changing, as they are usually very simple passwords. Check with your ISP (Internet Service Provider) about keeping your router up-to-date and help with changing the Admin password.
If you are using Windows to share a family network of computers, then you should consider using the new HomeGroup facility (which produces a secure password for each computer connecting to the network group) to increase your network security.
Practice Safe Surfing
There are currently a lot of websites running hidden scripts which can casually infect your machine if you visit them. These infections are difficult to protect against, but there are some steps you can take to protect yourself. There are many plug-ins or add-ons available for most browsers which will block adverts and prevent unwanted scripts from executing in your browser, we advise you to investigate ad blocking plug-ins for your browser of choice.
Some additional points for consideration:
- Do not randomly download software or other files you don't know from sites you have never heard of. Some of these sites are targets for hackers, and may carry software with a virus attached. P2P sites offering "free" pirated software, movies and other desirable commodities (music, games) are also frequently infected.
- Do not open random attachments sent to you by unknown people, or even from friends if you are not expecting an attachment. If you are an Outlook user, this generally means don't double-click on them.
- If you are in the least uncertain, wait and ask your Computer Officer or the firstname.lastname@example.org for advice. Prevention is a lot better than cure.
- Home Network Security - US-CERT's page of information aimed specifically at the home user.
- PC Firewalls - a summary of firewall and security suite products which are currently available for the home user market.
- The Ten Immutable Laws of Security - an overview of how your machine can be made vulnerable.