Lock Down Your PC

1. Physical Security

Even if you adopt the best encryption schemes, employ the strongest passwords, and implement the toughest security policies on your PC, an insider--a coworker, a contract employee, or even a family member--can still steal information right out from under your nose if you don't protect the physical integrity of the PC itself and turn off some settings that let an insider bypass your stringent software security.

How bad is the insider threat? Pretty bad, according to the FBI and the Computer Security Institute. In their 2003 Computer Crime and Security Survey, a poll of top corporate IT managers, 45 percent of the companies reported unauthorized access of data by insiders. What's worse, insiders are harder to detect and repel than some anonymous hacker pinging your firewall.

Boot-proof it: Your Windows password may be 26 characters long, with letters, numbers, and special characters--but if an intruder can read your hard drive without having to boot up Windows, what good will it do you? Armed with a freely available, custom boot floppy or CD, a knowledgeable snoop can access your digital goods without ever entering Windows. To prevent this, use the system BIOS to disable boot devices other than the hard disk (or, if that's not possible, select the hard disk as the first boot device). For computers located in hard-to-protect public areas, consider removing floppy and CD/DVD drives, and disabling or removing USB and FireWire ports, to prevent people from booting the PC with a Linux disc, IPod, flash memory USB drive, or FireWire hard disk.

Password-protect the BIOS: Most types of BIOS let you create a user password that must be entered thereafter to permit the system to start up. If the BIOS supports it, an administrator password will prevent intruders from changing your BIOS settings (including the boot password). To get started, check your system's online or printed documentation to find out how to enter the BIOS setup program. In most cases, you'll need to reboot and then press Delete, Esc, F1, or another key or key combination to enter the BIOS setup utility. (Newer computers may come with a configuration program that lets you modify BIOS settings from within Windows.) Once in the program, look for a security or password section; then simply follow the on-screen prompts, enter the password, save the new settings, and restart the system.

Two important warnings: First, write down this password (carefully--it's often case-sensitive) someplace where you'll be able to find it but others won't.

Second, don't assume that a BIOS password will stop everyone. Some systems accept "master" passwords, lists of which appear on the Web. Holding down certain keys or mouse buttons will sidestep password security on other models.

And anyone with the opportunity to open the system's case can clear the passwords by moving a jumper on the motherboard, or by disconnecting the battery that powers the BIOS settings' memory chip. If you're worried about that happening, get a lock for the case itself.

Bruce Schneier, CTO, Counterpane Internet Security: "Keep your laptop with you at all times, like a wallet or purse. Regularly purge unneeded files from it, and encrypt the rest."
Photograph: Steve Woit
Eliminate data to reduce risk: Is the value of your data so high that its loss or destruction would be a calamity? Are you keeping a supersensitive file on your laptop unencrypted, and carrying it to out-of-town business meetings? If you have no pressing need to carry that valuable stuff around with you, stick it on your file server (or on a CD) and delete the sensitive documents from your hard drive today.

Shackle that laptop: Do you and your notebook spend hours in libraries, coffee shops, airports, hotel rooms, and other public or semipublic places? Depending on where you are, leaving your laptop unattended falls somewhere between risky and just plain nuts.

Cable locks deter out-in-public, broad-daylight thefts (but not in private places, like your hotel room; bolt cutters slice through cables like butter). Most laptops, some desktop PCs, and even some flat-panel monitors are designed with standard cable-lock slots. Just be sure to wrap the cable around something substantial and escape-proof--unless it's bolted to the floor, a straight table leg won't do. The 6.5-foot Targus Defcon CL lock sells for less than $30 (street), and Kensington's $43 (street) MicroSaver Guaranteed Notebook Replacement lock offers theft reimbursement of up to $1500 if someone steals your locked laptop.

BIOS passwords, accessed through your PC's setup utility, prevent unauthorized people from bypassing Windows security. Some newer BIOS utilities let you create one password for logging in to the computer and another for making changes to the BIOS.
BIOS passwords, accessed through your PC's setup utility, prevent unauthorized people from bypassing Windows security. Some newer BIOS utilities let you create one password for logging in to the computer and another for making changes to the BIOS.
Go biometric: Ready to go all James Bond on your coworkers? Consider using a biometric device, such as a fingerprint reader. Many biometric devices include password manager software to keep track of passwords for networks, Web sites, and even other applications. For instance, the Fellowes Secure Touch Mouse ($70 list) combines a biometric fingerprint scanner with Omnipass password management and encryption software from Softex. After training either device with your fingerprint, you will be able to log in to Web sites or Windows, or encrypt and decrypt files and folders, with merely the press of a finger.

PC, phone home: If someone manages to swipe your PC or laptop despite all your precautions, you stand a chance of getting your machine back if you've installed tracing software on it. Programs like Absolute Software's ComputracePlus ($50 per year) and ZTrace Technologies' ZTrace Gold (also $50 per year) lurk invisibly, checking in with the vendor's tracking servers whenever the computer is connected to the Internet. When you report the computer stolen, the software vendor can help authorities locate the laptop and the thief.

2. Software Security

Once you have the physical stuff licked, your software--both the operating system and the applications that you run--needs to be tightened up to prevent break-ins, data theft, mischief, or destruction. Your first mission: Plug the innumerable gaping security holes that many software vendors leave open by default. But securing your software doesn't stop there. You should also take advantage of optional features, like password protection, that can prevent casual to moderately determined snoops from ruining your day.

Always log in with a password: When you log in to a Windows 2000 or XP computer, you can make it very difficult for another person who uses that computer to access your files. By comparison, Windows 9x and Me passwords are laughably easy to bypass. But there's a big problem: No Windows operating system requires you to use a password at all. In fact, by default, Windows 2000 and XP Home Edition create user accounts without passwords and log you in automatically, even when those accounts belong to the all-powerful administrator group. In the absence of an account password, anyone strolling by the PC can take it over, create a password that keeps you out, or establish a passworded account for their own use. Blank passwords also make your system more vulnerable to Internet hacks.

To create a password for your account in Windows 2000, open Control Panel (Start, Settings, Control Panel), double-click Users and Passwords, and fill in the check box labeled Users must enter a username and password to use this computer. Next, press Ctrl-Alt-Del, and click the Change Password button. If you haven't created a password before, the 'Old Password' field will be grayed out; otherwise, enter your old and new passwords in the required fields, and click OK. In Windows XP, open the User Accounts Control Panel, select the account that you want to protect with a password, and click the Create a password button.

Always protect the administrator: We discussed this last month in the "Safety First" section of "76 Ways to Get More Out of Windows," but one point is worth emphasizing: The most important account to protect with a password is the administrator account. Simply renaming that account offers little protection, and you should log on to the administrator account only to perform system upgrades, install software, or configure hardware.

Choose a strong password: You know the drill: Passwords should never be names, dates, or words from the dictionary, and they should always include upper- and lowercase letters, numbers, and at least one special character--the ones on the keys in the number row work great. But how do you keep track of a bunch of strong passwords? You can use a biometric device that comes with a password manager (see "Go biometric"), or you can resort to a sophisticated method of choosing and using passwords, as discussed in the October 2003 Internet Tips column.

If you need a portable way to make and keep track of lots of passwords, check out the EBP Lite Password Manager ($65), a key chain-size password generator and storage device that looks like a high-end car alarm remote. The password manager stores passwords for up to 20 different accounts, and can even remind you when it's time to change the passwords for your most sensitive accounts.

Lock it when you leave: If you step away from your computer for a minute, what's to keep someone else from stepping in? Since you have a good password, put it to use by logging off when you go to lunch or to the loo (choose Start, Shutdown, then 'Log off username' in Windows 2000; choose Start, Log Off in Windows XP). For a handy automatic log-off, right-click the Windows desktop, choose Properties, and click the Screen Saver tab. In Windows 2000, choose a screen saver, check Password protected, and click OK. In Windows XP, specify a reasonably short time-out period in the Wait field (3 to 5 minutes suits some people, but 15 minutes is a reasonable compromise if you don't like getting timed out while you're just sitting there), check On resume, password protect, and click OK.

Windows 2000 and XP Professional have a file and folder encryption feature that makes your sensitive documents unreadable even if someone manages to copy them.
Windows 2000 and XP Professional have a file and folder encryption feature that makes your sensitive documents unreadable even if someone manages to copy them.
Encrypt your files, if you must: If you store sensitive data on your PC, consider encrypting your files--especially if the PC is portable. Windows 2000 and XP Professional (but not XP Home) include built-in encryption for files and folders; alternatively, you can purchase third-party file encryption software. Encryption makes it much harder for someone to boot your computer with an install or recovery disc, decrypt your passwords, or take control of Windows.

To encrypt a folder in Windows 2000 or XP Professional, right-click it in Explorer, choose Properties, click the Advanced button, fill in the Encrypt contents to secure data check box, and click OK twice. Click OK again in the next dialog box to accept the default choice, Apply changes to the selected items, subfolders, and files.

Now the caveats: Encrypting your whole drive is time-consuming, may retard system performance, increases the likelihood that you'll lose access to your files, and may be overkill unless you have something really important to protect. So don't encrypt just for the thrill of it.

Password-protect Outlook's in-box and identities: Some of the most sensitive information on your PC lurks in your in-box and out-box. Fortunately, a few programs allow you to encrypt and password-protect your missives.

In Outlook 2003 and 2002, choose File, Data File Management, click Settings and then Change Password, enter a password in the 'New password' and 'Verify password' fields, and click OK. Thereafter, only someone who knows this password will be able to look at previously received messages stored in your in-box, out-box, or other mail folders.

Lance Spitzner, founder of the Honeynet Project: "Don't use Microsoft's browser or e-mail client, if you can get away with it--when bad boys release an exploit, they go for the biggest bang for their buck."
Photograph: Michael Girard
If you use Outlook Express, you can password-protect only your e-mail identity (a file that contains your e-mail account user name and password) to thwart a thief who might want to steal your account information. This prevents people from being able to read your new mail, but serious snoops can still import your messages into another program. Choose File, Identities, Manage Identities, select the identity to protect, click Properties, check Require a password, click OK, and then click Close.

Auto-update key software: No matter how hard you try to protect yourself, OS and application security flaws can victimize you. There are some good arguments against allowing programs to download and install updates automatically; if a patch causes an incompatibility with a critical program or operating system component, for instance, you could end up in hot water. But for most people, the risk is probably worth taking. The alternative could be finding your computer hacked into via a software hole whose patch was released last week.

Windows 2000 systems with Service Pack 3 installed can receive automatic updates, but enabling the feature is a bit complicated. Microsoft explains it painstakingly. To arrange to receive automatic updates in Windows XP, right-click My Computer, choose Properties, select the Automatic Updates tab, check Keep my computer up to date, select one of the three options for downloading and installing updates under Settings, and click OK.

Your antivirus program is much likelier to stop the latest viruses, worms, and Trojan horses if it has the most recent virus signature databases. Many, though not all, antivirus programs will download and install their program and database updates automatically by default. Dig into your program's settings (and documentation) to make sure it's set to deliver maximum protection.

Are Alternative OSs More Secure Than Windows?

We often hear that other operating systems are more secure than Windows, but all three major OSs offer at least basic security out of the box. Nevertheless, Windows XP's popularity is its Achilles' heel: Malicious code writers virtually ignore Linux and Mac OS X, targeting their malware at Windows.

3. Network Defense

You meet the biggest threat to your computer when you connect it to the Internet. Given the huge volume of well-crafted worms and infectious spam, it's a wonder more computers haven't turned into zombies obeying the commands of malicious hackers. Here's how to prevent your PC from joining the digital undead.

Put a firewall on every PC: Regardless of its connection type--dial-up, broadband, or wireless--any computer that connects to the Internet needs a firewall to protect it from attacks over the network and rogue programs sending data out. In fact, your best bet is to use two firewalls: an external, hardware firewall, such as the kind built into most wired and wireless routers (and some cable or DSL modems); and a software firewall that runs on your PC, watching your applications.

In addition to blocking unsolicited incoming and outgoing traffic, hardware firewalls provide Network Address Translation. NAT, in combination with the router's built-in Dynamic Host Control Protocol (DHCP) server, masks your true IP address from computers outside your local network, making your PC nearly impossible to target. Because hardware firewalls are the first line of defense against incoming attacks, properly configuring them in accordance with the manufacturer's documentation is crucial. In particular, you have to create a strong administrator password to prevent someone from taking control of your firewall.

Software firewalls protect you from inside threats--viruses, Trojan horses, and spyware--that may come to reside on your PC. For more details on both types of firewalls, including a list of four free software firewalls, see the December 2003 Internet Tips column.

Whitfield Diffie, Chief Security Officer, Sun Microsystems: "To protect yourself fully, the right thing to do is to replace Windows with a Unix-like operating system, like Linux, Mac OS, or Solaris."
Photograph: Eric Butler
Spurn spyware: If new programs unexpectedly show up in your taskbar or browser toolbar, you've probably been stung by some form of adware or spyware. To avoid spyware, watch out for unwanted components while installing freebies, and use free anti-spyware utilities like PepiMK Software's Spybot Search & Destroy and Lavasoft's Ad-aware. Commercial keylogging software--spyware installed on your PC by a boss, spouse, or other snoop when you're not around--is harder to detect and remove. See this month's Internet Tips for advice on tracking it down and removing it.

Boost wireless network security: Wireless networks are a wonderful innovation, but they're also a security nightmare because they have no boundaries. Anybody who lives, walks, or drives within radio range of your wireless hub can probably hitchhike on your wireless LAN, if you never change its default settings. Here are a few basic steps for safer wireless networking:

  • Set your wireless access point or router so it won't broadcast its SSID (the access point's name). Most access points are set by default to send a short announcement every few seconds to any computer within range. If you turn yours off, passers-by might bypass your Wi-Fi.
  • Change the default SSID. Even if your router isn't broadcasting its SSID, the default ones used by major manufacturers are common knowledge to people experienced at borrowing connections from others. Changing even one character of this name makes it harder for unauthorized users to tap into your broadband.
  • Encrypt your connection with WPA (the newer, more secure method) or WEP (an older, less secure, but still useful scheme). The toughest level of protection your access point can handle, and a hard-to-guess passphrase, will stop all but the most determined data snoops. If your access point or router lacks WPA, you might be able to get it with a firmware upgrade from the manufacturer.
  • Enable media access control filtering. Each wired or Wi-Fi network card has a unique MAC address. You can set your access point to grant wireless network access only to computers with MAC addresses you specify (see the April 2003 Internet Tips for more MAC filtering advice).
  • Be careful when you use public wireless networks. Other users can easily capture your passwords when you check your e-mail, and they can also read e-mail messages and other data you transmit or receive. If your office has a VPN, by all means use it whenever you're on a public Wi-Fi network. If a VPN isn't possible, ask your ISP about secure mail server log-in options, or use a secure Web-based e-mail interface. If you have Windows file sharing turned on, your café co-denizens can browse those shared files and folders; to prevent this, you'll need to disable file sharing, remove the shared resources, or block access with a software firewall.

Browse more securely: Internet Explorer is the world's most widely used Web browser. Advertisers, spammers, and con artists have learned to take full advantage of its ability to shower you with pop-up ads and "helpers" that hijack your home page, install adware, or steal data.

You can block many of these threats by boosting IE's security and refusing to install the ActiveX controls that Web sites ask you to download (see the September 2003 Internet Tips for specific steps to tighten IE's security settings). Better yet: Switch to an alternative browser that doesn't support ActiveX controls, such as Mozilla.org's Mozilla or Opera Software's Opera.

Don't mess with spam: Your e-mail in-box is probably the most dangerous thing on your computer, harboring viruses, worms, and phishing attacks--messages designed to trick you into revealing passwords, credit card numbers, and other personal information. Here are a couple of ways to reduce your vulnerability:

  • Use an antispam program, such as the PC World Best Buy, Sunbelt Software's IHateSpam for Outlook, to block most spam.
  • Never launch a file that's attached to an e-mail message unless you are absolutely sure it's safe.
  • Configure Windows to keep virus-bearing attachments from masquerading as safe file types. In the Control Panel, open Folder Options, click the View tab, uncheck Hide extensions for known file types under 'Advanced settings', and click OK.

Process-monitoring utilities, such as the freeware TCPView from Sysinternals, can show you which programs have made connections to the Internet, and which are just listening for them.
Process-monitoring utilities, such as the freeware TCPView from Sysinternals, can show you which programs have made connections to the Internet, and which are just listening for them.
Figure out which program is blabbing: Even if your computer seems not to be doing anything, you might see modem lights blinking. Often this is just because an automated process is downloading software updates or performing some other housekeeping procedure. But occasionally, it can indicate that your PC has been taken over by an outsider, and is communicating with its digital overlord.

With Windows XP, you can nail down the programs and find out who they're talking to. While connected to the Internet, choose Start, Run, enter cmd in the 'Open' field, click OK, and then enter the command netstat -no; in response, Windows will list all the active network connections, including your IP address, the destination IP address, and the process identifier (PID) number of the program on your computer that is making the connection. Every running program, even if it is running in the background, gets a unique PID. (In case you're curious, the address, which shows up frequently in these lists, just means "your PC".)

In this screen shot

Until Windows XP, without a special utility you couldn't figure out which programs were communicating with other computers over the Internet. Now you can use the command line and Task Manager.
, one program, using PID number 476, has connections open to three different computers. To figure out which program is associated with a particular PID, you need to see the Processes list in Task Manager (press Ctrl-Alt-Del and click Task Manager). Select the Processes tab. Scanning down the PID column for the system in the screen shot reveals that PID 476 is none other than the IM software Trillian (whew). Sysinternals' free TCPView utility will show you the same thing in one handy utility, as will most firewalls' application logs.

If you see a program whose name you don't recognize, don't panic: Many Windows components have oddball names. Check the WinTasks Process Library, or look up the file name on Google; if you discover a worm or Trojan horse, update your antivirus software, cut off your online and network connections (pull the cord out of the back of your PC if you have to), and do the most thorough scan possible. In an extremely rare, worst-case scenario, you may not be able to remove the malware; you might have to format your hard drive and reinstall Windows from scratch.

Kill Viruses Before They Get You

Of all the threats to your PC's security, viruses (and their kin, Trojan horses and worms) seem the scariest. Using an up-to-date antivirus program will prevent many virus attacks, but if a virus hits before you update, you can still get infected and spread that infection to others. To protect yourself from unknown attacks, you need to anticipate the hackers and know how to lock down the part of your computer where the next virus will strike--before the attack happens. Here are a few ways to do just that.

Back it up: The MyDoom worm wiggled onto hundreds of thousands of computers, but fortunately it didn't destroy or steal files. If it had, you would have been really glad that you backed up your important data before it struck. The next worm may not be so benign. See "Backing Up to Happiness," part of the February issue's "The Trouble-Free PC," for a review of reliable backup utilities.

Install all critical updates ASAP: The Blaster worm hit only people who hadn't installed a patch issued months earlier. Setting Windows and your applications to update automatically is best for most people (see "Auto-update key software"). To be really thorough, however, glance at Microsoft's Security Bulletins once a week--patches sometimes show up there days (and occasionally weeks or months) before they get into Windows Update. Programs that lack automatic updating may still offer menu commands that check for updates.

Sign up for e-mail alerts: The United States government's Computer Emergency Readiness Team sends out missives the instant it hears about serious threats to the nation's computers. You don't have to be a systems administrator to understand them. You can browse the alert list at your leisure, or sign up to get e-mail notification the minute the CERT learns of new viruses, hack attacks, online scams, or other Net threats.

Test for flaws: Once you've rigged your PC for battle, check its readiness by using one or more free security scanners. Microsoft's Baseline Security Scanner probes for missing security updates and service packs, weak passwords, and misconfigured security zone settings in Microsoft Office, Outlook, and Internet Explorer. Steve Gibson's Shields Up site scans your PC for open network ports and running services, looks for browser vulnerabilities, and determines whether Windows XP's spam-prone Messenger service is running.

Scott Spanbauer is a contributing editor for PC World, and writes the monthly Internet Tips column.

Subscribe to the Security Watch Newsletter