Stop Christmas-Gift PCs From Feeding Worms

An Anonymous Reader writes "If you recently set up a new PC with Windows XP, or if you had the pleasure to do a 'reinstall from scratch,' you probably found that many XP systems as they are shipped today are not patched against common issues like Blaster. Given that these worms are still going strong, it doesn't take long for a new system to be infected, in particular if you have to connect it to the Internet to download all the patches. Well, help is in sight. The SANS Institute released a paper entitled Windows XP: Surviving the First Day." (Read on below.) Update: 12/24 17:59 GMT by T: Thanks to reader Bill Curnow for the updated link. Update: 12/24 19:15 GMT by T: Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.

"With many screen shots, it will walk you through the procedure to enable the XP firewall and download the patches without getting infected while doing so. This could be the (free) stocking stuffer that may save Christmas for your folks ;-), given that it's probably too late now to start downloading your favorite Linux distro."

But if you do have the time and bandwidth, and you're stuck on Windows, a nice live-CD distro like Knoppix or Mepis means you can download patches without racing the worms, and install your patches while offline. (And if you have time to download 50MB, you have time to grab Damn Small Linux.)

  • Bad link. (Score:5, Informative)

    by Animats ( 122034 ) on Wednesday December 24, 2003 @01:55PM (#7803440) Homepage
    xp.homepc.org not found.

    Check those links, people.

  • Easy (Score:5, Informative)

    by skinfitz ( 564041 ) on Wednesday December 24, 2003 @01:57PM (#7803454) Journal
    Click Start > Network and Dial up connections

    Right click on your internet connection, choose "Properties"

    Click "Advanced"

    Click the box to turn on the firewall

    Voila. You are safe from Blaster.

    As an added precaution, deselect "Client for Microsoft Networks" from all interfaces except any you really need it on.
  • Re:Bad link. (Score:5, Informative)

    by rf0 ( 159958 ) * <rghf@fsck.me.uk> on Wednesday December 24, 2003 @01:58PM (#7803458) Homepage
    http://www.homepc.org/ looks like a dynamic DNS service. I bet all the requests caused the user to get dumped.

    Rus
  • something wrong? (Score:5, Informative)

    by Stanza ( 35421 ) on Wednesday December 24, 2003 @01:59PM (#7803467) Homepage Journal
    Bad link? It doesn't seem to work.

    Try this instead [sans.org].

    http://www.sans.org/rr/papers/index.php?id=1298

  • by Ridgelift ( 228977 ) on Wednesday December 24, 2003 @01:59PM (#7803468)
    There's been a lot of "Slashdot posts every anti-Windows article that exists", but this article debunks that.

    I usually recommend a hardware firewall, in particular the little blue Linksys firewalls. Home users can hook up their ADSL connection, plug in the firewall, and then their PC. Then as long as they don't download email until their system is patched and anti-virus is updated, they're relatively safe from most malware.

    This year I've also begun recommending anti-spyware as well. It's amazing how ubiquitous that stuff's become over the past year.
  • Re:Bad link. (Score:3, Informative)

    by jejones ( 115979 ) on Wednesday December 24, 2003 @02:01PM (#7803474) Journal
    Looks like the link should be http://www.sans.org/rr/papers/index.php?id=1298 as nearly as I can tell. Note that it will take you to a PDF file.
  • by rebelcool ( 247749 ) on Wednesday December 24, 2003 @02:01PM (#7803476)
    I figure if you're reading this on slashdot you don't need screenshots to find your way around a monitor...

    Obviously, this should be done before you plug the machine into any kind of internet connection.

    -Go to Start and then Control Panel.
    -Once in Control Panel, choose Network Connections
    -Right click on your connection of choice (if there's more than one, do it for all of them) and choose Properties.
    -Go to the advanced tab and check the Firewall check box.

    If you want to know more about how to configure it and modify the settings, click the link below that checkbox for directions.
  • Let's not forget... (Score:5, Informative)

    by GarfBond ( 565331 ) on Wednesday December 24, 2003 @02:02PM (#7803482)
    those great OSS packages that you can install on Windows, if your recipient insists on keeping that as the main OS :)

  • It's not just XP (Score:3, Informative)

    by AndroidCat ( 229562 ) on Wednesday December 24, 2003 @02:03PM (#7803487) Homepage
    Any distro of anything should be installed with some caution about exploits that may have popped up since the distro was made.

    Some might argue that WinXP comes with the Best Before date already expired, but there's a lot of CDs for many OSs out there with "open security". (The main problem with standard XP is the stupid requirement to phone home to register before downloading the patches to make it safe to be on the net in the first place.)

  • Re:It's not just XP (Score:5, Informative)

    by SoCalChris ( 573049 ) on Wednesday December 24, 2003 @02:09PM (#7803534) Journal
    The main problem with standard XP is the stupid requirement to phone home to register before downloading the patches to make it safe to be on the net in the first place.

    That's FUD. XP gives you 60 days to activate your copy of windows. During those 60 days, Windows is fully functional and allows you to connect without any activation related troubles.
  • Slipstream (Score:1, Informative)

    by Anonymous Coward on Wednesday December 24, 2003 @02:13PM (#7803555)
    You can slipstream [theeldergeek.com] all the patches for XP and install from that.

  • Re:Sadly enough (Score:3, Informative)

    by KingDaveRa ( 620784 ) on Wednesday December 24, 2003 @02:25PM (#7803608) Homepage
    It's hard and it isn't hard to keep an image up to date. If you're an OEM building systems, you basically build a base install and you then go into a special 'system builder' mode. This enables you to configure the system, load software and set everything up, all without accepting a license agreement or entering user details. If you did that, the copy of Windows would be licensed to you, and you only. When it's all sorted, you put the PC into its Out Of Box Experience mode. The OOBE is the first thing a new PC will do, which includes the EULA and entering serial numbers and the like. If your image has been entered into the sysprep stage, then it's pretty damn hard to coax it back out again. They probably could take an image of it pre-OOBE, but the trouble is, none of these OEMs like to just whack patches on as soon as they come out. If they put on a patch which conflicts with something and they've not tested it, they could be in for a lot of trouble. It's a liability thing on their part mainly. Maybe a better option would be enabling the firewall and the like. I know the OEM we buy PCs from at work are funny about patches and things. We had to ask if upgrading the BIOS on some Intel boards to the latest would bugger up warranties and the like. Thankfully they agreed. It is a catch-22, but it saves headaches for OEMs in some respects, but creates them in others.
  • Mirror, just in case (Score:2, Informative)

    by dobedobedew ( 663137 ) on Wednesday December 24, 2003 @02:33PM (#7803645)
    It took me five tries to get the PDF, so here is a mirror if anyone needs it.

    xpsurvivalguide.pdf [compuliant.com]
  • Re:First day? (Score:3, Informative)

    by pavon ( 30274 ) on Wednesday December 24, 2003 @02:33PM (#7803647)
    No kidding, I just set up some computers for my brothers who just started college. I got a Windows Messenger (not the IM one) popup before I even had a chance to click on the Windows Update icon. That was 30 seconds after I logged in, at most 3 minutes since I turned the thing on.

    Once I got the patches, virus protector, and ad-aware installed, everything was fine, but still, there was a reason I wanted to do a clean install.
  • by jdreed1024 ( 443938 ) on Wednesday December 24, 2003 @02:48PM (#7803728)
    I usually recommend a hardware firewall, in particular the little blue Linksys firewalls. Home users can hook up their ADSL connection, plug in the firewall, and then their PC. Then as long as they don't download email until their system is patched and anti-virus is updated, they're relatively safe from most malware.

    Except for the folks on dialup. And don't say you can't get a worm from dialup. The payloads are really tiny - it doesn't take that long on 56K. I have personally seen two computers infected with blaster via a dialup connection. If you're on there browsing the web for more than 30 minutes or so, the chances are quite good you'll get one, what with all the scans happening. Most ISPs are blocking the ms networking ports at their border, but within a segment, it's a free for all.

    The only hardware solution is to get a 2nd PC to be the gateway and run iptables on it (not practical), or to get an Apple Airport which will do that for you (because it has a built-in modem), but that's too expensive. I haven't found any other hardware solutions for dialup users - do any exist that are reasonably priced? (read: no more expensive than a linksys home router)

  • by Anonymous Coward on Wednesday December 24, 2003 @03:00PM (#7803771)
    They do exist and I think the one that I heard of has an RS232 port to hook up an external modem.

    Try the USENET newsgroups (probably comp.security.firewalls or comp.os.ms-windows.networking.*). Since I don't use dial-up, I haven't bothered to keep track of which devices do it (probably SMC).
  • by reallocate ( 142797 ) on Wednesday December 24, 2003 @03:04PM (#7803792)
    When installing any operating system, you need to be protected before you open your machine to the depravations of the internet.

    Although Windows users incur a higher risk due to the ubiquity of the product, all operating systems are vulnerable to one degree or another.

    Personally, I am unable to install Windows and download the updates without being infected with at least one virus. When I need to install Windows, the first thing I do is to disconnect the machine from the internet. After the install, I set up my internet connection, enable the Windows firewall, and reboot. Then I download the minimum number of updates needed to install the current version of the Norton antivirus/firewall product. Then I disable the Windows firewall and install Norton.

    The first widespread Linux virus will do damage to the OS' reputation beyond any reasonable limits. Consumer Linux distributions should disable all servers and activate a simple firewall by default. Give the user the option to turn it , not on.

  • by zog karndon ( 309839 ) on Wednesday December 24, 2003 @03:05PM (#7803796)
    SnapGear's Lite2 [snapgear.com] and Lite2+ firewalls have dialup connection. They're a bit more than a Linksys at $199, because they're a much smaller company than Linksys. Also, SnapGear firewalls run embedded Linux, for those who care.
  • by Tim C ( 15259 ) on Wednesday December 24, 2003 @03:13PM (#7803846)
    Slashdot does hate Windows. Just wait for all the "Windows - so insecure, they have to write a guide to getting through a single day without getting r00ted!!" comments.

    For what little it's worth, I've run a variety of Windows versions on my home machine over the last 6 years and have never been compromised. I currently run a software firewall on this box, and I'm not even being portscanned, despite having an ADSL connection running pretty-much 14 or 15 hours a day, every day.
  • Re:Easy (Score:3, Informative)

    by stephenbooth ( 172227 ) on Wednesday December 24, 2003 @03:19PM (#7803886) Homepage Journal
    Not sure about Blaster but, that will still leave you open to a whole host of worms, viruses and exploits; many of which don't have patches/fixes available. ZoneAlarm [zonelabs.com] (free as in beer) seems to consistently come out as the best firewall for Home Windows PCs in labs/tests/reviews. I've been running it (on a number of different PCs) for quite a while now (over a year) and the only problem I've ever had with it was because one of the services it blocked was an RPC service (pretty sensible thing to block from the Internet really) which, if you block it, the Microsoft DNS client in XP fails intermittently. NB that's Microsoft's shitty systems design and not ZoneAlarm that is at fault.

    Another good step is to install Mozilla as a replacement for MSIE and Outlook Express (or another mail client and browser if you prefer, I like Mozilla).

    Stephen

  • by ncc74656 ( 45571 ) <scott@alfter.us> on Wednesday December 24, 2003 @03:23PM (#7803908) Homepage Journal
    Except for the folks on dialup. And don't say you can't get a worm from dialup. The payloads are really tiny - it doesn't take that long on 56K. I have personally seen two computers infected with blaster via a dialup connection. If you're on there browsing the web for more than 30 minutes or so, the chances are quite good you'll get one, what with all the scans happening. Most ISPs are blocking the ms networking ports at their border, but within a segment, it's a free for all.

    The only hardware solution is to get a 2nd PC to be the gateway and run iptables on it (not practical), or to get an Apple Airport which will do that for you (because it has a built-in modem), but that's too expensive. I haven't found any other hardware solutions for dialup users - do any exist that are reasonably priced? (read: no more expensive than a linksys home router)

    3Com used to have a device it called a "LAN modem"...it was a 56K modem, router, and 4-port (?) hub all in one box. A currently-available product that would do the same thing is the Actiontec Dual PC Modem [actiontec.com]...Fry's sells these for about $70. The specs page says it has a built-in firewall, and you can combine it with a switch, wireless access point, or whatever to make it available to more than two computers.

    (A quick check indicates that while 3Com has discontinued the OfficeConnect 56K LAN Modem, the OfficeConnect Dual 56K LAN Modem [3com.com] is a currently-available product. It'll combine two dial-up connections and make them available. At about $300, it's considerably more expensive than the Actiontec product...and if you're going to pay for two phone lines and two dial-up accounts, you might as well bite the bullet and upgrade to broadband.)

  • Re:Easy Alternative (Score:1, Informative)

    by rikkards ( 98006 ) on Wednesday December 24, 2003 @03:38PM (#7803994) Journal
    There needs to be a new moderation added. Call it "Tired" as in this joke is old and isn't really that funny. Kind of like how the French always surrender and that Bush is a moron.

    (Not agreeing or disagreeing with the comments including the fact that MS has always been security unconscious but that the jokes are no longer funny)

    Plus setting any unpatched box, Windows or Linux, on the Internet with no firewall in between is stupid.

  • by JonathanF ( 532591 ) on Wednesday December 24, 2003 @03:49PM (#7804051)
    I'm glad to hear that the user on linux.com is happy with her copy of Mandrake, but I can't help but think that a Mac would be much, much better so long as a given person can afford it (remember, you don't need a dual G5, just an eMac or iBook).

    The reason would be the support network for when you do need support. Not everyone is or can afford to drop by, and saying "go check Ars Technica" isn't really helpful. If they ever need professional support, it would be better to have actual phone and store support for the product.

    Not to mention that you can actually expect to find common peripherals which will work out of the box, or at least have company-supported drivers that you can install.

    Not everyone can justify the cost when you can get a new Linux box for half the price, but I wouldn't want someone spending extra on tech support (or downtime) just to save some money on the initial purchase.
  • by Tim C ( 15259 ) on Wednesday December 24, 2003 @04:03PM (#7804114)
    Oops, shoulda waited a few minutes before posting:

    " Update: 12/24 19:15 GMT by T: Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether."

    They couldn't let a not-entirely-anti-MS article go, without linking to an unrelated, "run linux!" article.
  • Re:Easy Alternative (Score:5, Informative)

    by Tim C ( 15259 ) on Wednesday December 24, 2003 @04:13PM (#7804165)
    you won't get any spyware or data-mining cookies sneaked onto your computer

    What, you're saying that not a single Linux web browser supports cookies? A "data-mining" cookie is just a cookie to track you as you browse the web - one set by an advertising site such as doubleclick. They work just as well whatever OS you're running.

    6. Use your new shiny computer as you're pleased

    Well, y'see, it pleases me to run games like Dungeon Siege, Postal 2, Warcraft 3, and a whole host of others that don't have native Linux versions (don't mention Wine, please). It also pleases me to write code in C# (again, forget mono, it's not nearly there yet). Until Linux provides me the means to do these things, it'll always be my secondary OS, Windows will be my primary, and "advice" to secure my PC by wiping Windows and installing Linux will be treated with the contempt that it deserves.

    However, none of those bugs/holes will expose your PC to worms such as Blaster

    You are of course aware that the first internet-borne worm utilised a buffer overflow in sendmail to infect computers? Don't go getting over-confident - true, I can't think of any Linux-targetting worms at the moment, but it's been done before, and it will be done again.
    by rakerman ( 409507 ) on Wednesday December 24, 2003 @04:35PM (#7804301) Homepage Journal
    Microsoft does have patch CDs.

    In North America, Office Service Packs can be obtained free of charge on CD-ROM. Order Office Service Packs on CD-ROM [microsoft.com]

    They also have a free CD as part of the Security Resource Kit (the TechNet website, not the book). http://microsoft.order-4.com/securitykit [order-4.com]

    I have a webpage with more home broadband security information [chebucto.ns.ca].

  • by luckyguesser ( 699385 ) on Wednesday December 24, 2003 @09:17PM (#7805867)
    is called "TCP/IP port filtering". I have encountered this experience personally, on my dorm network. When I reinstalled WinXP, I didn't even have time to download SP1 before a virus made its way onto my computer and the IS dept shut off my port. However, I've found that if I leave my network cord unplugged (card disabled, etc.) until I have set up my TCP/IP filtering settings to allow only port 80, I can then download the necessary patches, update, and remove the filter. No problems yet!
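The "Easy" comments and the port-filtering comment above share one underlying check: before the freshly installed box goes online to fetch patches, nothing that Blaster or the other "MS networking" worms talk to should be reachable from the network. The script below is an added example, not code from the SANS paper or from any commenter. It parses Windows `netstat -an` output (a constructed sample is embedded; no real capture) and flags TCP listeners bound to a non-loopback address on the worm-targeted ports. The port list (135 for the RPC/DCOM service Blaster exploits, 139 and 445 for NetBIOS/SMB) comes from general knowledge, not from the thread, and the function and constant names are the example's own.

```python
"""Pre-patch exposure check for a fresh Windows XP install.

Added example (not from the SANS paper or any comment in the thread).
Reads `netstat -an` style text and reports which worm-targeted TCP ports are
listening on a network-reachable address, so you know whether the firewall or
TCP/IP filtering is actually in place before you go online for patches.
"""
import re

# Ports worth blocking on an unpatched XP box. Assumption from general knowledge:
# the thread names Blaster and "MS networking" but gives no port numbers.
RISKY_TCP_PORTS = {
    135: "RPC/DCOM endpoint mapper (Blaster target)",
    139: "NetBIOS session service (MS networking)",
    445: "SMB over TCP (MS networking)",
}

# Constructed sample of Windows `netstat -an` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      207.46.0.1:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# One socket line: proto, local ip:port, foreign address, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_listeners(netstat_text):
    """Return (proto, local_ip, port) for every TCP LISTENING socket and every
    bound UDP socket; header lines and established TCP connections are skipped."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, ip, int(port)))
    return listeners


def exposed_risky_ports(netstat_text, allowed_ports=frozenset()):
    """Return sorted (port, ip, reason) for risky TCP listeners that are bound to a
    network-reachable address and not explicitly allowed (e.g. a LAN you trust)."""
    findings = []
    for proto, ip, port in parse_listeners(netstat_text):
        if proto != "TCP" or port not in RISKY_TCP_PORTS or port in allowed_ports:
            continue
        if ip.startswith("127."):
            continue  # loopback-only binding: not reachable from the network
        findings.append((port, ip, RISKY_TCP_PORTS[port]))
    return sorted(findings)


def report(netstat_text):
    """Human-readable verdict: OK to fetch patches, or a list of what to filter first."""
    findings = exposed_risky_ports(netstat_text)
    if not findings:
        return "OK: no worm-targeted TCP ports exposed; safe to fetch patches"
    lines = ["EXPOSED: enable the firewall or TCP/IP filtering before connecting:"]
    for port, ip, reason in findings:
        lines.append(f"  tcp/{port} on {ip}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real box: run `netstat -an` in a command prompt with the cable unplugged,
    # paste the output into a file, and feed that text to report().
    print(report(SAMPLE_NETSTAT))
```

On the constructed sample the verdict is EXPOSED for 135, 139 and 445; once the XP firewall is on the same ports may still show as LISTENING in netstat, so treat a second run as a check of the filter configuration, not of netstat alone. UDP sockets are parsed but not judged, because the thread's worms are TCP-borne; extend `RISKY_TCP_PORTS` or the UDP handling if your policy differs.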
