14.5 The Best Steps Toward Securing Any Windows PC

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 14.  Defense


You must assume all end users will ignore or forget any of the advice this book gives about running untrusted code. You must assume that end users will visit malicious web sites, open any email, run any attachment, and use infected diskettes and programs. The truth is that end users shouldn't have to concern themselves with how to prevent malicious code. They just want to use their computer and surf the Web.

If you want maximum malicious code protection, disable Internet access, uninstall any Internet browsers, remove email, and disable the floppy drive. If you only need reasonable protection, the following recommendations, summarized from previous chapters, are the steps you should take on any PCs under your control. If you are a network administrator, take this list and tell your staff to accomplish each item on every PC. I promise you that if you follow these steps, the number of malicious mobile code attacks against your environment will be minimized.

Install an antivirus scanner

Introduced in Chapter 2 and discussed in nearly every chapter after it, a reliable, up-to-date antivirus scanner is the single best thing you can install to prevent malicious mobile code. The bigger question is where to scan: desktop, file server, email gateway, or firewall.

Disable booting from drive A

Also discussed in Chapter 2, disabling a PC's ability to boot from drive A will prevent boot sector viruses from infecting a hard drive's partition table or boot sector. If the PC's ROM BIOS chip has the ability, use it to write-protect the boot areas of the hard drive.

Install the latest versions of the software

Where possible, install the latest versions of all known exploitable applications and operating systems. This not only means Windows, Microsoft Office, and Internet Explorer, but all other applications, too. Make sure to download and apply service patches and interim upgrades. This is especially essential as our computers become even more Internet-connected.

Reveal hidden files and extensions

As introduced in Chapter 4 and discussed several times afterward, make sure to unhide Windows' default hidden files and file extensions. This means setting options in Windows Explorer and editing the registry (for file extensions like .SHS).
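The following PowerShell script is an added example, not code from the book. It sets the Explorer view options the text refers to and then hunts for the registry flag that keeps an extension hidden even after "Hide file extensions" is turned off: a file type whose HKEY_CLASSES_ROOT key carries a NeverShowExt value (ShellScrap, the .SHS type, is the classic case). It assumes Windows PowerShell and an elevated session for the HKEY_CLASSES_ROOT changes.

```powershell
# Added example (not from the book): unhide files and extensions in Explorer,
# then list and remove the NeverShowExt flag that hides extensions such as .SHS.
# Assumes Windows PowerShell; the HKCR changes need an elevated session.

function Set-ExplorerVisibility {
    # Per-user Explorer view settings; Explorer reads them on its next start.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord   # show extensions
    Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord   # show hidden files
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord   # show system files
}

function Get-NeverShowExtTypes {
    # Every file-type key under HKCR that carries a NeverShowExt value keeps its
    # extension hidden regardless of the HideFileExt setting above.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('NeverShowExt') } |
        ForEach-Object { $_.PSChildName }
}

function Remove-NeverShowExt {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Types to leave alone; lnkfile keeps shortcuts looking like shortcuts.
        [string[]]$Keep = @('lnkfile')
    )
    foreach ($type in Get-NeverShowExtTypes) {
        if ($Keep -contains $type) { continue }
        $key = "Registry::HKEY_CLASSES_ROOT\$type"
        if ($PSCmdlet.ShouldProcess($key, 'Remove NeverShowExt')) {
            Remove-ItemProperty -Path $key -Name NeverShowExt
        }
    }
}

Set-ExplorerVisibility
Get-NeverShowExtTypes            # audit first: expect ShellScrap among the results
Remove-NeverShowExt -WhatIf      # drop -WhatIf to apply the change
```

Run the audit function first and read the list before removing anything; besides ShellScrap it will usually show a handful of shortcut-like types whose hidden extension is by design, which is why the function takes a Keep list.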

Tighten file and registry security

If you use Windows NT or 2000, research file security and registry permissions. Tighten down default permissions to the bare minimum needed to allow the PC to run.

Rename dangerous executables

Although not considered an elegant way to prevent malicious mobile code attacks, renaming common files used by malicious hackers is an easy way to prevent attacks. The following files can be renamed or deleted depending on your environment's potential use of them:

FORMAT.EXE
REGEDIT.EXE (or REGEDT32.EXE)
DEBUG.EXE
WSCRIPT.EXE (and CSCRIPT.EXE)

Remove HTA and WSH file associations

Chapter 9 revealed how to prevent an HTML application from running no matter where it was located. Chapter 12 discussed how to prevent common script files from utilizing the Windows Scripting Host and the FileSystemObject by reassociating .VBS and .JS files with a nonthreatening application, like WordPad.
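The following PowerShell script is an added example, not code from the book, that automates the two preceding steps: it renames the executables listed above (appending .disabled so they can be restored) and re-points the .VBS, .JS and .HTA file types at WordPad so a double-click opens the script as text instead of running it. Beyond the book's list it also checks the SysWOW64 directory on 64-bit hosts and covers the .VBE and .JSE encoded-script variants. It assumes an elevated session and that WordPad lives at the path held in $Viewer.

```powershell
# Added example (not from the book): rename dangerous executables and point
# script extensions at a harmless viewer. Assumes an elevated session.

# Assumed location of WordPad; adjust if your build installs it elsewhere.
$Viewer = Join-Path $env:ProgramFiles 'Windows NT\Accessories\wordpad.exe'

function Disable-Executable {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Name)
    # Search the Windows and System32 directories, plus SysWOW64 on 64-bit hosts.
    $dirs = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
        Where-Object { Test-Path $_ }
    foreach ($n in $Name) {
        foreach ($d in $dirs) {
            $path = Join-Path $d $n
            if (-not (Test-Path $path)) { continue }
            if ($PSCmdlet.ShouldProcess($path, 'Rename to .disabled')) {
                Rename-Item -Path $path -NewName "$n.disabled"
            }
        }
    }
}

function Set-ScriptViewer {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Extension, [string]$Viewer)
    foreach ($ext in $Extension) {
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path $extKey)) { continue }
        # The extension key's default value names the ProgID (e.g. VBSFile);
        # the ProgID's shell\open\command decides what a double-click runs.
        $progId = (Get-ItemProperty -Path $extKey).'(default)'
        if (-not $progId) { continue }
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (-not (Test-Path $cmdKey)) { continue }
        $before = (Get-ItemProperty -Path $cmdKey).'(default)'
        $after  = "`"$Viewer`" `"%1`""
        if ($PSCmdlet.ShouldProcess("$ext ($progId)", "Open command: $before -> $after")) {
            Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $after
        }
    }
}

# Names as listed in the text, plus FORMAT.COM, which is the usual file name.
Disable-Executable -Name 'format.exe','format.com','regedit.exe','regedt32.exe',
                         'debug.exe','wscript.exe','cscript.exe' -WhatIf
Set-ScriptViewer -Extension '.vbs','.vbe','.js','.jse','.hta' -Viewer $Viewer -WhatIf
```

Both functions support -WhatIf, so the calls above only report what would change; remove the switch to apply. Windows File Protection on Windows 2000 and later silently restores protected system files, so re-run the audit after service packs and application installs rather than assuming a rename has stuck.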

Remove unnecessary programs and services

Most PCs I come across are running lots of unnecessary programs and services. Your inventory should reveal a lot of software that isn't needed on each PC. Remove them. For example, if your environment does not need TELNET.EXE, delete it. You can always add it back later if the occasion arises. In the meantime, you have just removed a program with a known buffer overflow exploit. Use Task Manager and Dr. Watson to learn what services are running and determine if they are needed. Look in Network Neighborhood and delete unnecessary protocols and bindings. For example, disable NetBIOS over TCP/IP and disable NetBEUI from binding with Dialup Adapters. Of course, be sure to do your homework and test the results of anything you remove or disable.

Clean up startup areas

This goes along with the last recommendation. Check all the startup areas: the registry, the startup folder, WIN.INI, SYSTEM.INI, AUTOEXEC.BAT, CONFIG.SYS, WINSTART.BAT, and DOSSTART.BAT, and remove unnecessary programs.
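The following PowerShell function is an added example, not code from the book. It walks the startup areas just listed and returns one object per entry, so the result can be reviewed, exported, or compared against a baseline taken from a clean PC. It is read-only and assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the book): enumerate the startup areas named in the
# text and return one object per entry. Read-only; assumes Windows PowerShell 3+.

function Get-StartupEntries {
    $entries = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Location, $Name, $Command)
        $entries.Add([pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command })
    }

    # 1. Registry Run/RunOnce keys for the machine and for the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |          # skip provider metadata
            ForEach-Object { & $add $key $_.Name $_.Value }
    }

    # 2. Startup folders, per-user and all-users.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path -and (Test-Path $path)) {
            Get-ChildItem -Path $path -File | ForEach-Object { & $add $path $_.Name $_.FullName }
        }
    }

    # 3. load= and run= in WIN.INI, shell= in SYSTEM.INI (shell=explorer.exe is normal).
    foreach ($ini in 'win.ini', 'system.ini') {
        $path = Join-Path $env:SystemRoot $ini
        if (-not (Test-Path $path)) { continue }
        Select-String -Path $path -Pattern '^\s*(load|run|shell)\s*=\s*(\S.*)$' |
            ForEach-Object { & $add $path $_.Matches[0].Groups[1].Value $_.Matches[0].Groups[2].Value }
    }

    # 4. DOS-era batch files: every non-empty, non-comment line is a command.
    $batch = "$env:SystemDrive\AUTOEXEC.BAT", "$env:SystemDrive\CONFIG.SYS",
             "$env:SystemRoot\WINSTART.BAT", "$env:SystemRoot\DOSSTART.BAT"
    foreach ($path in $batch) {
        if (-not (Test-Path $path)) { continue }
        Get-Content -Path $path |
            Where-Object { $_.Trim() -and $_ -notmatch '^\s*(rem\b|::)' } |
            ForEach-Object { & $add $path 'line' $_.Trim() }
    }

    $entries
}

Get-StartupEntries | Format-Table -AutoSize
```

Pipe the output to Export-Csv on a freshly built PC to record a baseline, then diff later runs against it; anything that appears in the Command column that you cannot account for is the "unnecessary program" the text tells you to remove.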

Use a firewall

Any PC connected to the Internet should be protected by a firewall, either a personal software-based firewall on the PC itself or a centralized hardware-based solution protecting the network. A firewall will prevent thousands of malicious hacks and stop remote-access Trojans from contacting their originators.

The next two recommendations are for Microsoft Office users:

Set macro security to Medium or High

Chapter 5 discussed how to disable macros and how to set macro security to prevent unsigned macros from executing.

Automate document scanning

Chapter 5 also mentioned that any antivirus solution you implement should be able to automatically scan Microsoft Office documents when they are opened.

The following steps should be taken with browser users:

Configure security zones to not run untrusted code

Chapter 10 and Chapter 11 discussed the importance of not running untrusted browser code. Make sure the browser's default security settings do not allow untrusted content to run. Internet Explorer versions 5.01 and above typically ship with default security zone settings that can be relied upon to give adequate security in a normal environment.
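The following PowerShell function is an added example, not code from the book, for confirming that the default zone settings really are still in place on a given PC. Internet Explorer stores each zone's settings as numbered URL-action values under the Internet Settings\Zones registry key (zone 3 is the Internet zone), where 0 means Enable, 1 means Prompt and 3 means Disable. The function reads the actions that govern untrusted code and reports their state, so a zone that somebody has loosened shows up as Enable. It is read-only and assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the book): report the Internet Explorer zone settings
# that control untrusted code. Read-only; assumes Windows PowerShell 3+.

$ZoneRoot = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# URL action id -> meaning. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$Actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1803' = 'File download'
}

function Get-ZoneActionState {
    param(
        # 0 = Local machine, 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted
        [int]$Zone = 3
    )
    # IE uses the per-user (HKCU) values unless policy forces the machine-wide ones,
    # so both hives are reported and labelled.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\$ZoneRoot\$Zone"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($id in ($Actions.Keys | Sort-Object)) {
            $raw = $props.$id
            if ($null -eq $raw) { continue }          # action not set in this hive
            $state = switch ($raw) {
                0       { 'Enable' }
                1       { 'Prompt' }
                3       { 'Disable' }
                default { "Unknown($raw)" }
            }
            [pscustomobject]@{
                Hive   = $hive
                Zone   = $Zone
                Action = $Actions[$id]
                State  = $state
            }
        }
    }
}

# Full report for the Internet zone, then just the entries that permit untrusted code to run.
Get-ZoneActionState -Zone 3 | Format-Table -AutoSize
Get-ZoneActionState -Zone 3 | Where-Object State -eq 'Enable'
```

Run it once on a PC with a known-good configuration and keep that output; any later run that shows Enable for the ActiveX or scripting actions in the Internet zone is a setting that has drifted from the default the text relies on.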

Remove or disable unneeded plug-ins, applets, and ActiveX objects

Chapter 11 reviewed the steps necessary to locate, delete, or disable unneeded plug-ins, Java applets, and ActiveX controls. These objects can be located within your browser or manually deleted as individual files using Windows Explorer.

Confirm file downloads

Chapter 5 revealed the way to make file downloads require confirmation before executing. For example, MS Word documents located on the Web should require end user prompting before automatically opening up. This will notify the user about a potential download and prevent some known holes from being exploited.

The following two steps, as discussed in Chapter 12, should be used with Microsoft Outlook clients:

Disable HTML scripting and Active Content in email

I am a firm believer that all HTML content should be disabled in email. Being able to see HTML-enabled content in an email is not worth the risk of malicious mobile code.

Implement Outlook security patch

One of the single best things a large Outlook environment can do is to prevent malicious code file attachments and content from getting to the end user in the first place. The Outlook Security Update Patch has a heavy-handed approach, but it works. Just be sure to understand the full implications, as covered in Chapter 12, before you install it.

Each PC in your environment must be configured as stated above, and extra effort taken to ensure new PCs brought into the environment are similarly configured. Take special note when installing new updates and software that they do not undo one of these steps. For example, installing new versions of Internet Explorer will often reinstall WSCRIPT.EXE. Installing Norton Utilities will reassociate a renamed WSCRIPT.EXE with .HTA and .VBS files.

If you are in charge of a large PC environment, use automated tools where possible. Common logon scripts can be used to rename and delete files. Automated software update tools, like Microsoft's SMS, can be used to install updated software. Where possible, use the vendor's product to automate updates and to enforce common security settings.

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176