Lock Down Your PC

2. Software Security

Once you have the physical stuff licked, your software--both the operating system and the applications that you run--needs to be tightened up to prevent break-ins, data theft, mischief, or destruction. Your first mission: Plug the innumerable gaping security holes that many software vendors leave open by default. But securing your software doesn't stop there. You should also take advantage of optional features, like password protection, that can prevent casual to moderately determined snoops from ruining your day.

Always log in with a password: When you log in to a Windows 2000 or XP computer, you can make it very difficult for another person who uses that computer to access your files. By comparison, Windows 9x and Me passwords are laughably easy to bypass. But there's a big problem: No Windows operating system requires you to use a password at all. In fact, by default, Windows 2000 and XP Home Edition create user accounts without passwords and log you in automatically, even when those accounts belong to the all-powerful administrator group. In the absence of an account password, anyone strolling by the PC can take it over, create a password that keeps you out, or establish a passworded account for their own use. Blank passwords also make your system more vulnerable to Internet hacks.

To create a password for your account in Windows 2000, open Control Panel (Start, Settings, Control Panel), double-click Users and Passwords, and fill in the check box labeled Users must enter a username and password to use this computer. Next, press Ctrl-Alt-Del, and click the Change Password button. If you haven't created a password before, the 'Old Password' field will be grayed out; otherwise, enter your old and new passwords in the required fields, and click OK. In Windows XP, open the User Accounts Control Panel, select the account that you want to protect with a password, and click the Create a password button.

Always protect the administrator: We discussed this last month in the "Safety First" section of "76 Ways to Get More Out of Windows," but one point is worth emphasizing: The most important account to protect with a password is the administrator account. Simply renaming that account offers little protection, and you should log on to the administrator account only to perform system upgrades, install software, or configure hardware.

Choose a strong password: You know the drill: Passwords should never be names, dates, or words from the dictionary, and they should always include upper- and lowercase letters, numbers, and at least one special character--the ones on the keys in the number row work great. But how do you keep track of a bunch of strong passwords? You can use a biometric device that comes with a password manager (see "Go biometric"), or you can resort to a sophisticated method of choosing and using passwords, as discussed in the October 2003 Internet Tips column.

If you need a portable way to make and keep track of lots of passwords, check out the EBP Lite Password Manager ($65), a key chain-size password generator and storage device that looks like a high-end car alarm remote. The password manager stores passwords for up to 20 different accounts, and can even remind you when it's time to change the passwords for your most sensitive accounts.

Lock it when you leave: If you step away from your computer for a minute, what's to keep someone else from stepping in? Since you have a good password, put it to use by logging off when you go to lunch or to the loo (choose Start, Shutdown, then 'Log off username' in Windows 2000; choose Start, Log Off in Windows XP). For a handy automatic log-off, right-click the Windows desktop, choose Properties, and click the Screen Saver tab. In Windows 2000, choose a screen saver, check Password protected, and click OK. In Windows XP, specify a reasonably short time-out period in the Wait field (3 to 5 minutes suits some people, but 15 minutes is a reasonable compromise if you don't like getting timed out while you're just sitting there), check On resume, password protect, and click OK.

Windows 2000 and XP Professional have a file and folder encryption feature that makes your sensitive documents unreadable even if someone manages to copy them.
Windows 2000 and XP Professional have a file and folder encryption feature that makes your sensitive documents unreadable even if someone manages to copy them.
Encrypt your files, if you must: If you store sensitive data on your PC, consider encrypting your files--especially if the PC is portable. Windows 2000 and XP Professional (but not XP Home) include built-in encryption for files and folders; alternatively, you can purchase third-party file encryption software. Encryption makes it much harder for someone to boot your computer with an install or recovery disc, decrypt your passwords, or take control of Windows.

To encrypt a folder in Windows 2000 or XP Professional, right-click it in Explorer, choose Properties, click the Advanced button, fill in the Encrypt contents to secure data check box, and click OK twice. Click OK again in the next dialog box to accept the default choice, Apply changes to the selected items, subfolders, and files.

Now the caveats: Encrypting your whole drive is time-consuming, may retard system performance, increases the likelihood that you'll lose access to your files, and may be overkill unless you have something really important to protect. So don't encrypt just for the thrill of it.

Password-protect Outlook's in-box and identities: Some of the most sensitive information on your PC lurks in your in-box and out-box. Fortunately, a few programs allow you to encrypt and password-protect your missives.

In Outlook 2003 and 2002, choose File, Data File Management, click Settings and then Change Password, enter a password in the 'New password' and 'Verify password' fields, and click OK. Thereafter, only someone who knows this password will be able to look at previously received messages stored in your in-box, out-box, or other mail folders.

Lance Spitzner, founder of the Honeynet Project: "Don't use Microsoft's browser or e-mail client, if you can get away with it--when bad boys release an exploit, they go for the biggest bang for their buck."
Photograph: Michael Girard
If you use Outlook Express, you can password-protect only your e-mail identity (a file that contains your e-mail account user name and password) to thwart a thief who might want to steal your account information. This prevents people from being able to read your new mail, but serious snoops can still import your messages into another program. Choose File, Identities, Manage Identities, select the identity to protect, click Properties, check Require a password, click OK, and then click Close.

Auto-update key software: No matter how hard you try to protect yourself, OS and application security flaws can victimize you. There are some good arguments against allowing programs to download and install updates automatically; if a patch causes an incompatibility with a critical program or operating system component, for instance, you could end up in hot water. But for most people, the risk is probably worth taking. The alternative could be finding your computer hacked into via a software hole whose patch was released last week.

Windows 2000 systems with Service Pack 3 installed can receive automatic updates, but enabling the feature is a bit complicated. Microsoft explains it painstakingly. To arrange to receive automatic updates in Windows XP, right-click My Computer, choose Properties, select the Automatic Updates tab, check Keep my computer up to date, select one of the three options for downloading and installing updates under Settings, and click OK.

Your antivirus program is much likelier to stop the latest viruses, worms, and Trojan horses if it has the most recent virus signature databases. Many, though not all, antivirus programs will download and install their program and database updates automatically by default. Dig into your program's settings (and documentation) to make sure it's set to deliver maximum protection.

Subscribe to the Security Watch Newsletter

Comments