2009
08.28

Encourage your users to follow best practices for password protection.

  • Always use strong passwords.
  • If passwords must be written down on a piece of paper, store the paper in a secure place and destroy it when it is no longer needed (and don’t stick it to your monitor).
  • Never share passwords with anyone.
  • Use different passwords for all user accounts.
  • Change passwords immediately if they may have been compromised.
  • Be careful about where passwords are saved on computers. Some dialog boxes, such as those for remote access and other telephone connections, offer to save or remember a password; a saved password can be reused by anyone who gets hold of the machine or the user profile. If you must store passwords on your computer, keep them in an encrypted password manager such as Password Safe.
  • Never use an Administrator or Domain Administrator account for day-to-day work. Run your machine under a non-privileged user account and use Run As (runas) with an administrative account only when an administrative task requires it. Windows 7’s UAC is a real improvement over Vista’s for running administrative tasks this way.

Define password policy so that all user accounts are protected with strong passwords.

  • Define the Enforce password history policy setting so that several previous passwords are remembered. With this policy setting, users cannot reuse the same password when their password expires.
    • Recommended: remember the last 10 passwords.
  • Define the Maximum password age policy setting so that passwords expire as often as necessary for your environment, typically every 30 to 90 days. With this policy setting, a password that an attacker has cracked stops working when it expires, which bounds how long it stays useful to them.
  • Define the Minimum password age policy setting so that passwords cannot be changed until they are more than a certain number of days old. This policy setting works in combination with the Enforce password history policy setting: without a minimum age, users can change their password repeatedly to flush the history and then go back to their original password. With it, users must wait the specified number of days between changes.
  • Define a Minimum password length policy setting so that passwords must consist of at least a specified number of characters. Long passwords (seven or more characters) are usually stronger than short ones. With this policy setting, users cannot use blank passwords and must create passwords of at least the specified length. Suggested minimum: 8 characters.
  • Enable the Password must meet complexity requirements policy setting. This policy setting checks every new password against the basic rules below. Be aware that the built-in filter only enforces the character-category rule and rejects passwords that contain the account name; the dictionary and personal-information rules depend on user education or a custom password filter.
    • Upper and lower case letters, digits and symbols (the built-in filter requires characters from at least three of these categories).
    • Not a word found in a dictionary, in any language or slang.
    • Not based on personal information, such as your last name.
    • Forced to change every 45 to 90 days (this is the Maximum password age setting above).
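To make concrete what the complexity setting actually enforces, here is an added example (not part of the original post) that re-implements the documented rules of the built-in Windows password filter in PowerShell, so candidate passwords can be tested before the policy is turned on. The account name "lsmith" / "Lyn Smith" and the sample passwords are made up for the demonstration, and the 8-character minimum is the page's suggestion rather than the filter's own 6.

```powershell
# Added example: the checks Windows' "Password must meet complexity requirements"
# filter makes, per Microsoft's documentation of the default filter:
#   - not shorter than the minimum length (the filter itself requires 6; the
#     Minimum password length policy above raises it, here to the suggested 8);
#   - must not contain the samAccountName (if it is 3+ characters) or any piece of
#     the display name of 3+ characters, split on , . - _ space # and tab,
#     compared case-insensitively;
#   - must contain characters from at least 3 of 5 categories: uppercase letters,
#     lowercase letters, digits, non-alphanumeric characters, other Unicode letters.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [int]$MinimumLength = 8
    )
    $reasons = @()

    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }

    # Account-name rule: the whole samAccountName plus each display-name token.
    $tokens = @()
    if ($SamAccountName.Length -ge 3) { $tokens += $SamAccountName }
    $tokens += @($DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 })
    foreach ($t in $tokens) {
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "contains name part '$t'"
        }
    }

    # Character-category rule: -cmatch keeps the Unicode classes case-sensitive.
    $categories = 0
    if ($Password -cmatch '\p{Lu}')                 { $categories++ }  # uppercase
    if ($Password -cmatch '\p{Ll}')                 { $categories++ }  # lowercase
    if ($Password -cmatch '[0-9]')                  { $categories++ }  # digits
    if ($Password -cmatch '[^\p{L}\p{Nd}]')         { $categories++ }  # symbols, punctuation, space
    if ($Password -cmatch '[\p{L}-[\p{Lu}\p{Ll}]]') { $categories++ }  # letters with no case (e.g. CJK)
    if ($categories -lt 3) {
        $reasons += "only $categories of 5 character categories (3 needed)"
    }

    New-Object PSObject -Property @{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed test cases against the made-up account lsmith / "Lyn Smith".
$acct = @{ SamAccountName = 'lsmith'; DisplayName = 'Lyn Smith' }
'Tr@nsf0rm3r501', 'Smith2009!', 'transformers', 'Transformers1' |
    ForEach-Object { Test-PasswordComplexity -Password $_ @acct } |
    Format-Table Password, Passes, Reasons -AutoSize
```

Of the four constructed passwords, "Smith2009!" is rejected by the display-name rule and "transformers" by the category rule, while "Transformers1" passes despite being a dictionary word with a digit appended. That last case is the point: the filter knows nothing about dictionaries or personal details beyond the account's own name, so those two rules in the list above have to be enforced by people, not by this setting.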

Be cautious when defining account lockout policy.

  • Account lockout policy should not be applied haphazardly. While it raises your chances of thwarting a password-guessing attack on your organization, it can also lock out authorized users unintentionally, which can be quite costly. Keep in mind that once lockout is on, anyone who can reach a domain controller and knows a user name can lock that account by sending bad passwords.
  • If you decide to apply account lockout policy, set the Account lockout threshold policy setting high enough that authorized users are not locked out of their accounts simply because they mistyped a password a few times.
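The password settings and the lockout settings above live in the same domain policy, so as an added example (not from the original post) here is how to apply the values recommended in both sections and read them back. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later), Domain Admin rights, and a placeholder domain name "corp.example.com"; the lockout numbers are one reasonable choice, not values the post prescribes.

```powershell
# Added example: apply the recommended password and lockout policy to the
# domain's default policy with the ActiveDirectory module, then verify it.
Import-Module ActiveDirectory

$domain = 'corp.example.com'   # placeholder: your domain's DNS name

# Splatting keeps each setting next to the policy item it implements.
$policy = @{
    Identity                    = $domain
    PasswordHistoryCount        = 10                          # Enforce password history: last 10
    MaxPasswordAge              = (New-TimeSpan -Days 90)     # Maximum password age: 30-90 days
    MinPasswordAge              = (New-TimeSpan -Days 1)      # Minimum password age: stops history flushing
    MinPasswordLength           = 8                           # Minimum password length: suggested 8
    ComplexityEnabled           = $true                       # Password must meet complexity requirements
    ReversibleEncryptionEnabled = $false                      # never store recoverable passwords
    LockoutThreshold            = 10                          # bad attempts before lockout; 0 = no lockout
    LockoutDuration             = (New-TimeSpan -Minutes 30)  # how long the account stays locked
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)  # bad-attempt counter reset; must not exceed LockoutDuration
}
Set-ADDefaultDomainPasswordPolicy @policy

# Read the policy back so the change can be confirmed (and audited later).
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Format-List PasswordHistoryCount, MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                ComplexityEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# The same effective settings as seen from any domain-joined machine, no module needed:
net accounts /domain
```

A threshold of 10 with a 30-minute window makes a typo-prone user very unlikely to lock themselves out while still capping an online guessing attack at a handful of tries per half hour; the `net accounts /domain` line is useful on older workstations where the module is not available.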

Service Accounts:

This is the setting I most often see overlooked, and it is an important one. Service accounts exist to support services that run on a limited number of computers, so it makes sense to limit where the account is allowed to log on. This reduces the overall attack surface: if the service account’s credentials are stolen, they can only be used to log on to the computers the account is permitted to use.

The setting that restricts which workstations the service account can log on to lives where the user itself is configured: Active Directory Users and Computers. Find the service account, right-click it and select Properties, then switch to the Account tab and click the Log On To button, which opens the Logon Workstations dialog box.
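The dialog above writes a comma-separated list of computer names into the account's userWorkstations attribute. As an added example (not from the original post), here is the same restriction set and audited from PowerShell, assuming the ActiveDirectory module and the placeholder names "svc-backup" for the service account, "APP01"/"APP02" for the only hosts it should use, and an "svc-" naming prefix for service accounts in general.

```powershell
# Added example: restrict a service account's logon workstations and find
# service accounts that are still allowed to log on anywhere.
Import-Module ActiveDirectory

$account      = 'svc-backup'        # placeholder service account
$allowedHosts = 'APP01', 'APP02'    # placeholder NetBIOS computer names, no domain suffix

# -LogonWorkstations takes the same comma-separated format as the dialog and
# REPLACES the whole list, so always write the complete set, never just the new host.
Set-ADUser -Identity $account -LogonWorkstations ($allowedHosts -join ',')

# Read it back; LogonWorkstations is not in the default property set.
Get-ADUser -Identity $account -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# Adding a host later: read, append, write the full list again.
$current = (Get-ADUser -Identity $account -Properties LogonWorkstations).LogonWorkstations
$updated = @($current -split ',' | Where-Object { $_ }) + 'APP03' | Select-Object -Unique
Set-ADUser -Identity $account -LogonWorkstations ($updated -join ',')

# Audit: enabled accounts with the service-account prefix that have no restriction
# at all (an empty attribute means "all computers").
Get-ADUser -Filter 'SamAccountName -like "svc-*"' -Properties LogonWorkstations |
    Where-Object { $_.Enabled -and -not $_.LogonWorkstations } |
    Select-Object SamAccountName
```

Run the audit query periodically: a restriction set once by hand in the dialog is easily lost when an account is recreated or cloned, and an empty list silently means the account can log on everywhere again.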

Domain Administrator Accounts:

You should create two accounts for yourself: one restricted account for day-to-day tasks (working, checking email, etc.) and one Domain Admin account for running administrative tasks. There is no reason to do day-to-day work as a domain admin. Also remove your restricted account from the local Administrators group. It’s a pain, but it’s much more secure, and Windows 7’s improved UAC makes it a little easier.

2009
08.03

I am writing this article to help users who are not so tech savvy, so I am going to make it as clear and simple as I can. It covers the Windows 2000, XP, Vista and Windows 7 operating systems.

Let us take this family of four: Lyn and Melinda and their two kids. They bought a computer about two years ago with Windows XP Home Edition and set it up in their living room. Lyn uses the computer to edit sensitive work documents with Microsoft Office, some private finances with QuickBooks, and client data kept in Microsoft Outlook. Melinda uses it to run her home business, where she also tracks the business finances with QuickBooks. The two children mainly use it for browsing the internet, posting their status on Myspace and Facebook and using various instant messaging utilities. The kids also keep a huge collection of music downloaded from Limewire.

So when they first bought the computer, they brought it into their living room, simply plugged in all the color-coded cables and turned it on. Right out of the box, on first boot, it asks you to create user accounts. They created their user accounts using Windows’ default settings, unwittingly giving all four users full ADMINISTRATIVE privileges. Giving these privileges is a HUGE security risk: it allows every user to install anything and change any aspect of the operating system.

Over time, everyone gets annoyed with the computer being slow and unreliable; pop-ups pop up and miscellaneous computer errors appear. Their anti-virus has been disabled (they have several different ones installed); another one keeps popping up warnings that a virus or malware has been found, and nothing happens when they try to clean it. The family cannot seem to figure out what is causing all of the ruckus. In addition, unusual transactions start appearing on Melinda’s bank account. Melinda’s bank calls her up to tell her they have frozen her debit card due to 80-plus transactions that happened in just a few minutes.

Anyone who knows computer security can immediately spot major mistakes in how this computer was set up and managed. Giving all of the users administrative privileges is a BIG NO NO, and giving children those privileges is an even bigger NO NO! As any parent will testify, children love playing computer games. After school they come home, browse around the internet and download and install any game they see fit, just so they can compete with their friends online. Very rarely will a child think about running an anti-virus or malware scanner on a downloaded game before installing it. If the game is labelled “free”, remember the saying: “nothing is for free.” Often “free” games come bundled with malware, and installing them as an administrator gives that malware full administrative privileges to everything on the system. I hope I am scaring you a bit. People tell me, “well, it’s okay, I have a firewall protecting me.” In this case not even 1000 firewalls will help you. The damage has been done: the malware has already gotten past the firewall, because the child downloaded and installed it.

So giving administrative privileges to any account that is used regularly is not recommended. For general use, best practice, in my personal opinion, is to make every user on the computer a restricted user that can ONLY make changes to their own documents, and to have a SINGLE administrative account that is password protected, used only for system maintenance and for installing well-known and trusted applications. This is similar to the practice used on Linux machines.

Although this practice will not defeat all forms of malware, it makes it MUCH harder for a malicious application to take control of your system. Malware that arrives and installs through the child’s account can only manipulate the data in the child’s profile or documents folder (unless it exploits a privilege-escalation bug in Windows or in a privileged program). Remember that when an application runs, it is subject to the same privileges and restrictions as the user who started it, so an application running under a restricted user account should not be able to make changes to the operating system or access any other user’s files.

Now I am going to explain the best way I know to secure your Windows 2000/XP/Vista machine. All operating systems differ somewhat in their installation, so this will be a generic tutorial. I will break it down into steps.

  1. Backup your data and wipe the hard drive. There is no better way than starting fresh and clean.
  2. NTFS or FAT? What did you just call me? No, actually, these are hard drive (file system) formats. Have you ever installed Windows and been asked which format you would like? I am not going to go into much detail about each one, but the format you want is NTFS. Why NTFS? Because it supports file permissions: it can lock down which users can access and control your folders and files, something FAT cannot do at all, so restricted accounts only mean something on an NTFS drive. Simple enough, huh?
  3. Create ONE administrator account. For example, call it “SuperUser”, and make all other user accounts restricted accounts.
  4. Give “SuperUser” a complex password. Creating a complex password is actually easy, and I am going to show you how to create a very complex password that is easy to remember. Take a favorite word that you know well, but not one that references something about you that someone else may know. For this example I am going to use the word “Transformers”. Now replace some letters with special characters and add two digits at the end: “Tr@nsf0rm3r501”. I replaced the “a” with “@”, the “o” with “0”, the “e” with “3” (a backwards E), the “s” with “5”, and tagged 01 on the end. The easiest password to remember is one where you substitute letters with special characters that resemble them. Bear in mind that password-cracking tools try exactly these substitutions, so they add less strength than they appear to; the length and the extra digits do more of the work, and a longer phrase is better still.
  5. Log on as “SuperUser” and install all of the Microsoft critical updates.
  6. Turn on Automatic Updates: click Start > Run, type sysdm.cpl, and press Enter. Click the Automatic Updates tab and make sure the “Automatic (recommended): Automatically download recommended updates for my computer and install them” option is selected.
  7. Make sure the Windows Firewall is turned on: open Network Connections (Control Panel > Network Connections), right-click your Internet connection, select Properties, click the Advanced tab, enable the Windows Firewall there and click Apply.
  8. Create user accounts for the rest of the family: Control Panel > User Accounts. Create an account for yourself, your wife and the kids, and make sure they are all set to “restricted”, including yours. Additionally, turn off Fast User Switching under Control Panel > User Accounts > “Change the way users log on or off”, so that a restricted user’s session is never sharing the machine with a logged-on “SuperUser” session; that reduces the chance of a malicious application running under a restricted account managing to “jump” over to the “SuperUser” account.
  9. Anti-virus! No need to buy expensive anti-virus. There are two really GREAT anti-virus products that are free and probably better than the leading paid software on the market: AVG Free and avast! Anti-virus. http://free.avg.com/ and http://www.avast.com/
  10. Testing! Log on as a restricted user and try to install something. You should be refused with an access-denied message saying the user has no administrative privileges (the exact wording depends on the installer).
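The account, firewall, update and Fast User Switching steps above can all be scripted so the result can be checked rather than clicked through. This is an added example, not part of the original post: it is meant to be run from PowerShell 2.0 or later in the single administrator's session (an elevated prompt on Vista/7), the account names are placeholders made up for the family in the story, and the old `net user`/`netsh`/`reg` commands are used because they exist on every Windows version the post covers, whereas the New-LocalUser cmdlets arrived many years later.

```powershell
# Added example: one admin account, restricted accounts for everyone else,
# firewall on, automatic updates on, Fast User Switching off, and a self-check.

$adminName   = 'SuperUser'                          # placeholder
$familyUsers = 'Lyn', 'Melinda', 'Kid1', 'Kid2'     # placeholders
$isVistaOrLater = [Environment]::OSVersion.Version.Major -ge 6

# The one administrator. "*" makes net user prompt for the password so it never
# sits in a script or in the command history; see the "SuperUser" password step.
net user $adminName * /add
net localgroup Administrators $adminName /add

# Everyone else is a restricted user: in Users, and explicitly NOT in Administrators.
foreach ($u in $familyUsers) {
    net user $u * /add
    net localgroup Users $u /add
    net localgroup Administrators $u /delete 2>$null   # harmless if not a member
}

# Windows Firewall on. XP uses the old "netsh firewall" context, Vista/7 "advfirewall".
if ($isVistaOrLater) {
    netsh advfirewall set allprofiles state on
} else {
    netsh firewall set opmode mode=ENABLE
}

# Automatic Updates: AUOptions 4 is "auto download and schedule the install", the
# same as the "Automatic (recommended)" choice in sysdm.cpl.
$au = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
reg add $au /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add $au /v AUOptions    /t REG_DWORD /d 4 /f

# Fast User Switching off, so a restricted session is never running alongside a
# logged-on SuperUser session. XP and Vista/7 use different registry values.
if ($isVistaOrLater) {
    reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        /v HideFastUserSwitching /t REG_DWORD /d 1 /f
} else {
    reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        /v AllowMultipleTSSessions /t REG_DWORD /d 0 /f
}

# The "Testing!" step, without needing an installer: log on as each family member
# and run this. It answers True only when the current token actually carries
# Administrators membership.
function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
Test-IsAdmin
```

On Vista and 7, Test-IsAdmin also returns False for SuperUser in a non-elevated window, because UAC strips the Administrators group from the token until you elevate; that is exactly the split-token behaviour the post credits UAC for. List the membership afterwards with `net localgroup Administrators` to confirm that SuperUser is the only family member in it.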

Part 2 will be continued…

2009
08.03

After disappointing the many fans that expected Microsoft to announce Windows 7 RTM on July 13th, the Redmond company has yet to announce a date for the RTM. The good news is that they have just announced when some of us can expect to see the RTM ready for download:

  • Independent Software Vendors and Independent Hardware Vendors : Via Microsoft Connect or MSDN on August 6th
  • Microsoft Partner Program Gold/Certified Members: Via Microsoft Partner Network (MPN) Portal on August 16th. Remaining languages will be available by October 1st.
  • Microsoft Action Pack Subscribers: Available to download starting August 23rd. Remaining languages will be available by October 1st.
  • OEMs: approximately two days after Microsoft officially RTMs
  • Volume License with Software Assurance: via the Volume License Service Center (VLSC) starting August 7th.
  • Technet and MSDN: August 6th

Microsoft previously said that Windows 7 would RTM during the second half of July, and that its MSDN and TechNet subscribers would be able to download it a few weeks after. Current rumors point to July 24th as the RTM date.

Windows 7 will be available to customers worldwide on October 22nd.