In order to keep your computer secure, you must be sure that your files are confidential, that intruders can't change them, and that the files are accessible to you and other authorized users on demand.
Any time your computer is connected to the Internet, it may be exposed to attacks from intruders (also known as hackers or crackers) who want to read your files and e-mail, steal your credit card numbers and financial records, and use your computer for their own nefarious purposes. Some of these creeps are nothing more than simple vandals, whose idea of fun is to alter or destroy your files or damage your hard drive. Obviously, you must protect your computer against this kind of thing.
The same high-speed communications channels that we all use to send and receive messages and retrieve information from all over the world are also available to the hackers and crackers. Whenever somebody discovers a new and better technique for breaking into computers, the news moves around the world within a few days. The battle between the bad guys who want to break into computers and the good guys who want to stop them goes on and on.
Online intruders are not the only kind of threat to your computer. You must also protect your files and data from unauthorized users with physical access to the machine with passwords, encryption, and other tools that allow only legitimate users to operate the system.
To protect your files from unwanted attention by people with physical access to the computer-relatives, co-workers, and visitors to your office who might walk in when you're not there, and even random intruders-you can use several tools to protect your data. These include passwords, encrypted text and data, fingerprint readers, and other devices that a user must operate before the computer starts.
In Windows, you can easily assign a password to each user account; if a user can't provide the password, the operating system doesn't accept a login to that account. To assign or change an account's password, follow these steps:
From the Control Panel, choose User Accounts. The User Accounts window shown in Figure 48.4 appears.
Figure 48.4: Use the User Accounts utility assigns or changes a password.
Choose the name of the account whose password you want to change. You might have to scroll down the User Accounts window to see the list of existing accounts.
Under the What do you want to change headline, choose Create (or Change) a Password. The Create a password for your account window shown in Figure 48.5 appears.
Figure 48.5: Use this dialog box to assign a new password to an account.
Type the new password in both the new password and the confirm fields. Add a password hint if you want. Click the Create Password button to save your choice and close this window.
Be sure to assign a password to each account; just one account not protected with a password provides a way for intruders to start the machine.
If you leave the computer on when you walk away from it, an intruder doesn't need a password to open your files and steal your data.
Some new laptop computers include a fingerprint reader as standard or optional equipment. These devices allow a user to pass a finger across a scanner that creates an image of the fingerprint and compare it with the stored images created by authorized users. If the new fingerprint matches one already stored in the computer, the security program sends the user's name and password to Windows or another protected file or program. If there is no match, the computer (or the individual program) does not start.
Using a fingerprint reader is faster and easier than typing a password, and it's also more secure, because it's not possible to guess another person's fingerprint or copy it from a list. It's true that dedicated crackers can still break into a computer with a fingerprint reader, but it takes more time and trouble than breaking into a computer that uses a typed login and password.
When you encrypt the contents of a file, the text or data in that file is impossible to read unless you apply the corresponding un-encryption process first. Intruders who try to read the encrypted version see nothing but gibberish.
No encryption scheme is completely secure because it's almost always possible to decode the text if you throw enough computing power at the file. But even a relatively simple encryption scheme is enough to protect your data from casual thieves and crackers.
In Windows XP, you can use the Encrypting File System (EFS) to encrypt a single file or all of the files in a folder. If an intruder gains access to your computer, either onsite or through a network or the Internet, the encrypted files remain secure.
EFS is particularly useful on laptop computers; even if your computer is stolen, your sensitive or confidential files is still protected.
To encrypt a file, folder, or an entire drive, follow these steps:
Open My Computer.
Open a drive and drill down to a specific folder or individual file that contains the file or folder you want to encrypt.
Right-click the file or folder you want to encrypt, and choose Properties from the pop-up menu. The Properties dialog box shown in Figure 48.6 appears.
Figure 48.6: Encryption is an Advanced Attribute of a file or folder.
Click the Advanced button to open the Advanced Attributes dialog box shown in Figure 48.7.
Figure 48.7: Turn on the Encrypt contents option to encrypt this file or folder.
To encrypt a file, enable the Encrypt contents to secure data option near the bottom of the window. To remove encryption from a previously encrypted file, disable this option.
When a file or folder is encrypted, the name appears in My Computer in green rather than the usual black. You can still open the file, but if another user (either from a different account on the same computer, or from another computer through a LAN) tries to read it, Windows refuses to open the file.
As an alternative to the encryption service supplied with Windows, you might want to try a free open-source encryption program such as TrueCrypt, which is available from http://www.truecrypt.org/.
When you connect to the Internet through a Wi-Fi access point, you are using radio transmitters to send data between the access point (also called a wireless router) and your computer. Anybody else with a Wi-Fi–enabled computer or a specialized radio receiver can also receive those signals. Unless you protect your Wi-Fi network, anybody with a Wi-Fi network interface can use it to connect to the Internet and possibly open files on your own computers.
In many neighborhoods and business districts, as many as a dozen or more different Wi-Fi signals are floating around. For example, Figure 48.8 shows the Wi-Fi networks within range of my house in Seattle. Most of my neighbors have turned on their access points' security features, so it's a lot more difficult to grab an unauthorized connection from any of them than to break into a network through an unsecured access point.
Figure 48.8: Five different Wi-Fi networks are active in this neighborhood.
There are methods out there for cracking Wi-Fi encryption, but most intruders look for an unsecured network rather than taking the time to break through encryption. However, no wireless network is totally secure without additional (and expensive) tools, so your best defense is to make your wireless network more secure and more difficult to crack than the one across the street.
Most Wi-Fi access points support two types of security: encryption and access control. The exact procedure for turning on these features is different for each make and model of access point, so you have to consult the manual supplied with your access point to learn how to set them for your network.
When you install a Wi-Fi access point, remember to use a network name (the SSID) that doesn't tell a snooper who you are, and to turn off SSID broadcast. And don't forget to change the access point's default password, which is widely known, and often the same on hundreds of thousands of units. The manual supplied with your access point or base station contains the specific instructions for making these changes.
Wi-Fi encryption uses the same key code on the access point and on each client computer to provide access to encrypted data. To add a key code to a Wi-Fi connection profile in Windows, follow these steps:
From the Control Panel or the system tray, open the Wireless Network Connection Properties window and choose the Wireless Networks tab. The dialog box shown in Figure 48.9 appears.
Figure 48.9: Choose an encrypted network from the list of preferred networks.
Find the name of the network in the list of Preferred networks and click the Properties button. The Properties dialog box shown in Figure 48.10 appears.
Figure 48.10: Use the Properties window to enter the network key for this Wi-Fi network.
Open the drop-down Data encryption menu and choose WEP or WPA. If the program offers you a choice of key lengths, choose the longest possible number of digits.
Type the same network key that you used to set up encryption on your access point in both network key fields.
Click the OK buttons in both open Properties windows to save your settings and close the windows.
Many access points also offer an Access Control option that limits the network to computers (and other devices) with specific MAC (Media Access Control) addresses. To turn on Access Control, consult the manual supplied with your access point for specific instructions.
To find the MAC address of your Wi-Fi adapter, look for a label on the back or bottom of your computer, or on the USB or PC Card wireless adapter itself. Figure 48.11 shows the MAC address of a Wi-Fi adapter on a PC Card.
Figure 48.11: The MAC address of a Wi-Fi adapter is normally marked on the device.
If you can't find a MAC address on the outside of your computer or Wi-Fi adapter, use the Device Manager (Control Panel System Hardware) to open the Properties window for your wireless adapter. Look in the Advanced tab for a MAC address. Figure 48.12 shows the Properties window for an Intel adapter-the layout of the Advanced tab is different for other makes, but the MAC address is always someplace in the window.
Figure 48.12: The MAC address for this Intel adapter appears near the bottom of the Properties window.
Every computer or LAN connected to the Internet should include a firewall to protect it from intruders. Firewalls are not 100 percent effective, but they can turn away a lot of unwanted attempts to connect to your computer or network. A firewall can be a software package or a hardware device; either way it filters every incoming and outgoing request for a network connection and rejects the ones that don't match a preset list of security rules. For more effective protection, you can use both software and hardware.
For example, a firewall might accept incoming data that was requested by your Web browser or FTP program, but it rejects packets addressed to other services. Another filter in the same firewall might examine the contents of e-mail files and reject messages from senders that are known to be sources of spam.
A good firewall can protect your computer from many kinds of attacks, including:
Remote access to your files and programs.
Access to bugs in Windows and other programs.
Attempts to use your computer to relay e-mail from an outside source. This can make spam and other unwanted mail difficult or impossible to trace.
Denial of service attacks and e-mail bombs. These are two forms of massive attacks that send thousands of messages or requests for connection to the same address, with the hope that the recipient will become overloaded and break down.
The latest versions of Windows XP include firewall software, as do many network gateways and routers (described in Chapter 44). It generally doesn't hurt, and it might be helpful, to use more than one firewall at the same time. If the Windows Firewall isn't already active, Windows will probably harass you until you turn the thing on. Even if you already have a separate firewall in place, go ahead and turn on the Windows Firewall:
From the Control Panel, open Security Center. The window shown in Figure 48.13 appears.
Figure 48.13: The Windows Security Center shows the current state of your security software.
If the firewall is off, scroll down to the bottom of the window and click Windows Firewall under Manage Security Settings. The Windows Firewall window shown in Figure 48.14 appears.
Figure 48.14: The Windows Firewall window controls the firewall software.
Click On (recommended) to turn on the firewall software. Unless you have a reason to change them, keep the default settings in the Exceptions and Advanced tabs.
To test the effectiveness of your firewall, you can use one or more of the online security testing Web sites. These programs send harmless probes to your Internet address that test many of the most common gaps in computer security. If your computer fails one or more of these tests, check your existing firewall or install a new one.
These Web sites offer useful security tests: