An
Anonymous Reader writes
"If you recently set up a new PC with Windows XP,
or if you had the pleasure to do a 'reinstall from scratch,' you probably found that many XP systems as they are shipped today are not patched against common issues like Blaster. Given that these worms are still going strong, it doesn't take long for a new system to be infected. In particular, if you have to connect it to the Internet to download all the patches.
Well, help is in sight. The SANS Institute released a paper entitled Windows XP: Surviving the First Day." (Read on below.)
Update: 12/24 17:59 GMT by
T : Thanks for reader Bill Curnow for the updated link.
Update: 12/24 19:15 GMT by
T : Besides the workaround suggested below, Roblimo has a good suggestion on
avoiding the first-day-of-Windows altogether.
"With many screen shots, it will walk you through the procedure to enable the XP firewall and downloading the patches without getting infected while doing so. This could be the (free) stocking stuffer that may save Christmas for your folks ;-). Given that its probably to late now to start downloading your favorite Linux distro."
But if you do have the time and bandwidth, and you're stuck on Windows, a nice live-CD distro like Knoppix or Mepis means you can download patches without racing the worms, and install your patches while offline. (And if you have time to download 50MB, you have time to grab Damn Small Linux.)
Bad link. (Score:5, Informative)
Check those links, people.
Easy (Score:5, Informative)
Right click on your internet connection, choose "Properties"
Click "Advanced"
Click the box to turn on the firewall
Voila. You are safe from Blaster.
As an added precaution, deselect "Client for Microsoft Networks" from all interfaces except any you really need it on.
Re:Bad link. (Score:5, Informative)
Rus
something wrong? (Score:5, Informative)
Try this instead [sans.org].
http://www.sans.org/rr/papers/index.php?id=1298
And they say Slashdot hates Windows (Score:5, Informative)
I usually recommend a hardware firewall, in particular the little blue Linksys firewalls. Home users can hook up their ADSL connection, plug in the firewall, and then their PC. Then as long as they don't download email until their system is patched and anti-virus is updated, they're relatively safe from most malware.
This year I've also begun recommending anti-spyware as well. It's amazing how ubiquitous that stuff's become over the past year.
Re:Bad link. (Score:3, Informative)
Site slow, here's some quick n' dirty instructions (Score:5, Informative)
Obviously, this should be done before you plug the machine into any kind of internet connection.
-Go to Start and then Control Panel.
-Once in Control Panel, choose Network Connections
-Right click on your connection of choice (if there's more than one, do it for all of them) and choose Properties.
-Go to the advanced tab and check the Firewall check box.
If you want to know more about how to configure it and modify the settings, click the link below that checkbox for directions.
Let's not forget... (Score:5, Informative)
It's not just XP (Score:3, Informative)
Some might argue that WinXP comes with the Best Before date already expired, but there's a lot of CDs for many OSs out there with "open security". (The main problem with standard XP is the stupid requirement to phone home to register before downloading the patches to make it safe to be on the net in the first place.)
Re:It's not just XP (Score:5, Informative)
That's FUD. XP gives you 60 days to activate your copy of windows. During those 60 days, Windows is fully functional and allows you to connect without any activation related troubles.
Slipstream (Score:1, Informative)
Re:Sadly enough (Score:3, Informative)
Mirror, just in case (Score:2, Informative)
xpsurvivalguide.pdf [compuliant.com]
Re:First day? (Score:3, Informative)
Once I got the patches, virus protector, and ad-aware installed, everything was fine, but still, there was a reason I wanted to do a clean install.
Re:And they say Slashdot hates Windows (Score:3, Informative)
Except for the folks on dialup. And don't say you can't get a worm from dialup. The payloads are really tiny - it doesn't take that long on 56K. I have personally seen two computers infected with blaster via a dialup connection. If you're on there browsing the web for more than 30 minutes or so, the chances are quite good you'll get one, what with all the scans happening. Most ISPs are blocking the ms networking ports at their border, but within a segment, it's a free for all.
The only hardware solution is to get a 2nd PC to be the gateway and run iptables on it (not practical), or to get an Apple Airport which will do that for you (because it has a built-in modem), but that's too expensive. I haven't found any other hardware solutions for dialup users - do any exist that are reasonably priced? (read: no more expensive than a linksys home router)
Re:And they say Slashdot hates Windows (Score:1, Informative)
Try the USENET newsgroups (probably comp.security.firewalls or comp.os.ms-windows.networking.*). Since I don't use dial-up, I haven't bothered to keep track of which devices do it (probably SMC).
Protect Yourself Before Screwing With The Net (Score:3, Informative)
Although Windows users incur a higher risk due to the ubiquity of the product. all operating systems are vulnerable to oen degree or another.
Personally, I am unable to install Windows and download the updates without being infected with at least one virus. When I need to install Windows, the first thing I do is to disconnect the machine from the internet. After the install, I set up my internet connection, enable the Windows firewall, and reboot. Then I download the minimim number of updates needed to install the current version of the Norton antivirus/firewall product. Then I disable the Windows firewall and install Norton.
The first widespread Linux virus will do damage to the OS' reputation beyond any reasomable limits. Consumer Linux distributions should disable all servers and activate a simple firewall by default. Give the user the option to turn it , not on.
Re:And they say Slashdot hates Windows (Score:3, Informative)
Re:And they say Slashdot hates Windows (Score:3, Informative)
For what little it's worth, I've run a variety of Windows versions on my home machine over the last 6 years and have never been compromised. I currently run a software firewall on this box, and I'm not even being portscanned, despite having an ADSL connection running pretty-much 14 or 15 hours a day, every day.
Re:Easy (Score:3, Informative)
Not sure about Blaster but, that will still leave you open to a whole host of worms, viruses and exploits; many of which don't have patches/fixes available. ZoneAlarm [zonelabs.com] (free as in beer) seems to consistently come out as the best firewall for Home Windows PCs in labs/test/reviews. I've been running it (on a number of different PCs) for quite a while now (over a year) and the only problem I've ever had with it was because one of the services it blocked was an RPC service (pretty sensible thing to block from the Internet really) which if you block the Microsoft DNS client in XP fails intermittantly. NB that's Microsoft's shitty systems design and not Zonealarm that is at fault.
Another good step is to install Mozilla as a replacement for MSIE and Outlook Express (or another mail client and browser if you prefer, I like Mozilla).
Stephen
Re:And they say Slashdot hates Windows (Score:3, Informative)
3Com used to have a device it called a "LAN modem"...it was a 56K modem, router, and 4-port (?) hub all in one box. A currently-available product that would do the same thing is the Actiontec Dual PC Modem [actiontec.com]...Fry's sells these for about $70. The specs page says it has a built-in firewall, and you can combine it with a switch, wireless access point, or whatever to make it available to more than two computers.
(A quick check indicates that while 3Com has discontinued the OfficeConnect 56K LAN Modem, the OfficeConnect Dual 56K LAN Modem [3com.com] is a currently-available product. It'll combine two dial-up connections and make them available. At about $300, it's considerably more expensive than the Actiontec product...and if you're going to pay for two phone lines and two dial-up accounts, you might as well bite the bullet and upgrade to broadband.)
Re:Easy Alternative (Score:1, Informative)
(Not agreeing or disagreeing with the comments including the fact that MS has always been security unconscious but that the jokes are no longer funny)
Plus setting any unpatched box Windows or Linux on the Internet with no Firewall in between is stupid
a Mac may be better for one reason: support (Score:3, Informative)
The reason would be the support network for when you do need support. Not everyone is or can afford to drop by, and saying "go check Ars Technica" isn't really helpful. IF they ever need professional support, it would be better to have actual phone and store support for the product.
Not to mention that you can actually expect to find common peripherals which will work out of the box, or at least have company-supported drivers that you can install.
Not everyone can justify the cost when you can get a new Linux box for half the price, but I wouldn't want someone spending extra on tech support (or downtime) just to save some money on the initial purchase.
Re:And they say Slashdot hates Windows (Score:3, Informative)
" Update: 12/24 19:15 GMT by T: Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether."
They couldn't let a not-entirely-anti-MS article go, without linking to an unrelated, "run linux!" article.
Re:Easy Alternative (Score:5, Informative)
What, you're saying that not a single Linux web browser supports cookies? A "data-mining" cookie is just a cookie to track you as you browse the web - one set by an advertising site such as doubleclick. They work just as well whatever OS you're running.
6. Use your new shiny computer as you're pleased
Well, y'see, it pleases me to run games like Dungeon Siege, Postal 2, Warcraft 3, and a whole host of others that don't have native Linux versions (don't mention Wine, please). It also pleases me to write code in C# (again, forget mono, it's not nearly there yet). Until Linux provides me the means to do these things, it'll always be my secondary OS, Windows will be my primary, and "advice" to secure my PC by wiping Windows and installing Linux will be treated with the contempt that it deserves.
However, none of those bugs/holes will expose your PC to worms such as Blaster
You are of course aware that the first internet-borne worm utilised a buffer overflow in sendmail to infect computers? Don't go getting over-confident - true, I can't think of any Linux-targetting worms at the moment, but it's been done before, and it will be done again.
Re:Need for Microsoft patch CD (Score:4, Informative)
Microsoft does have patch CDs.
In North America, Office Service Packs can be obtained free of charge on CD-ROM. Order Office Service Packs on CD-ROM [microsoft.com]
They also have a free CD as part of the Security Resouce Kit (the technet website, not the book). http://microsoft.order-4.com/securitykit [order-4.com]
I have a webpage with more home broadband security information [chebucto.ns.ca].
Surviving the first day... (Score:3, Informative)