Scott Granneman, 2004-02-13
Most people don't secure their computers or act in a secure manner, and the main reason is that the average user just doesn't know what to do. Here is a checklist on security for home computer users that you can share with your friends, family, churches and clubs.
A Home User's Security Checklist for Windows
2004-02-14
Fred Bacon (5 replies)
A Home User's Security Checklist for Windows
2004-02-16
Anonymous
There are also some very horrible encrypted password managers, such as Gator, which we know are rife with spyware.
Let's not use a techno-crutch. What exactly is wrong with writing it down and putting it in your wallet? Would you leave your credit cards on your desk? As long as users understan...
A Home User's Security Checklist for Windows
2004-02-17
Alvaro
Regardless of the fact the author is asking to write the password down (and remember: he says if you don't feel comfortable don't do it) we have to consider the article and the ideas a proof that someone is trying to do something for the end-users. As an infosec professional, my friends ask me every da...
A Home User's Security Checklist for Windows
2004-02-18
Roger
I'm a bit ambivalent on the issue myself. On the one hand we've all seen morons who stick important passwords on a post-it note on the side of their office monitor. This is obviously very bad. But I've come to think that on balance, the traditional "never write it down anywhere, under any circumstan...
Writing down passwords
2004-02-23
Anonymous
I think a blanket "never write down passwords" statement is unhelpful. The important thing is to keep any written passwords somewhere safe.
- I don't demand that users never write down passwords, because I find their fear of forgetting them encourages bad habits -- such as picking weak passwords...
A Home User's Security Checklist for Windows
2007-08-21
Anonymous (1 replies)
First, automatically downloading and installing windows updates is a very *bad* idea. It means your computer may automatically reboot or change configuration without your knowledge. A *far* better approach is to have windows notify you of updates, even to download them when the network resources a...
Re: A Home User's Security Checklist for Windows
2007-10-07
Anonymous
"First, automatically downloading and installing windows updates is a very *bad* idea. It means your computer may automatically reboot or change configuration without your knowledge."
Windows should ask the user if he wants to restart. I've never seen Windows restart itself without permission....
A Home User's Security Checklist for Windows
2004-02-15
Anonymous (1 replies)
Re: Not running Windows as an Administrator.
I agree with the idea, but.
This is not an option for all the stand-alone installations of Symantec Antivirus. LiveUpdate is stated by the Symantec Knowledgebase to only work with Administrator permissions. Tests confirm this behavior (I have had so...
A Home User's Security Checklist for Windows
2004-02-18
Roger
Our office has some instances of NAV corporate edition v7.6 on NT 4 Sp6. I have had success just going into the Services control panel, selecting the various NAV services, going into their startup settings, and setting LogOnAs as an admin user. (Actually I created a special NAV user in the admin gro...
A Home User's Security Checklist for Windows
2004-02-15
Anonymous (1 replies)
Nice list. It will certainly help me in making my family and friends a bit more security aware.
Some additions:
- Disabling unused Windows accounts (especially the guest account)
- Disabling common services that are enabled by default but shouldn't be (for example Windows Messenger Service)
- ...
A Home User's Security Checklist for Windows
2004-02-15
Anonymous (2 replies)
I understand that Microsoft will never send out updates and patches, or announcements about updates and patches, via email. (What is phishing?)
Microsoft regularly sends out announcements about patches if you have requested the updates....
Phishing
2004-02-23
Al Macintyre
I don't know if this will be filtered out ... here are some recent articles about Phishing
http://www.antiphishing.org/
http://news.ists.dartmouth.edu/todaysnews.html#internal13272
http://www.ecommercetimes.com/perl/story/32906.html
http://www.gcn.com/vol1_no1/daily-updates/25000-1.html
h...
Addendum
2004-02-16
Dirk (4 replies)
[ ] I DON'T know why I have to take half a computer science degree just to use a product that I paid hundreds of dollars for, when all I wanted is to write some documents, emails and surf the web....
Addendum
2004-02-17
Anonymous (1 replies)
You probably pay from $500-$2000 per month for some sort of housing. Feel free not to lock the doors, since all you need is a place to eat and sleep......
Addendum
2004-02-18
Anonymous
Amen Brother.
In fairness, however, there is a Catch-22 here -- They add options to make the software useful. They leave them on by default so you don't need a computer science degree to setup the computer and get it working on day 1. And now you need a computer science degree to make your comp...
Addendum
2004-02-17
Anonymous (2 replies)
[] I DON'T know why others want me to switch to another OS that requires a full computer science degree just to use a product that does little more than write some documents, emails, and surfs the web....
You need a full CompSci degree to use OSX !?
2004-02-18
Penguinisto (1 replies)
OSX is drop-dead simple to use, easier than Windows, and certainly easier than Linux.
Anyone that claims that Joe Sixpack needs any serious training to use OS 10.anything is either ignorant beyond belief, or willfully stupid in favor of their pet OS...
...and this is a Linux guy telling you t...
Addendum
2004-02-24
Al Macintyre
Most people want to spend as little money as possible on buying technology, and get what they paid for ... lousy security, open to lots of exploits, and the jobs to make it moved off shore.
OS/2 did everything Windose did except did not break down, did not have exploits, did not have to be reboot...
Addendum
2004-02-23
Anonymous
[ ] I DON'T know why I had to take a full driving course either just to use a product that I paid hundreds of dollars for, when all I wanted is to go to work and the grocery store.
Maybe we should require computer "driver's licenses" before users are allowed on the internet? Maybe then they'll l...
A Home User's Security Checklist for Windows
2004-02-16
David Bala?ic (2 replies)
"I am not running Windows as Administrator."
Oh, and what about the large amount of software (some from Microsoft itself) that does not run at all or does not run correctly without Administrator privileges ?...
A Home User's Security Checklist for Windows
2004-02-18
Anonymous
That's easy... If you are a real computer technology user, then you should not use Windows at all. If you do, then you'll have
to deal with its inherent security holes.
Grab a copy of OpenBSD and make your life
easier. One will say, what about games?
Games are a pain to configure in OpenB...
Software that requires Administrator rights
2004-02-23
Anonymous (1 replies)
99% of the time such software only needs Administrator privileges to *install*. It runs perfectly well after that as an unprivileged user.
Some software, unfortunately, will not install for "All Users", so sometimes you have to temporarily give your user account Administrator privileges for the ...
Software that requires Administrator rights
2004-02-24
Anonymous
If Microsoft would make a working sudo (or allow me to use Run As... to start cmd.exe, explorer, and mmc successfully, rather than having spawned processes not always keep the elevated privileges), it would make life *so* much easier.
Heck, I'd even be pretty happy if we could get the suid-bit ca...
A Home User's Security Checklist for Windows
2004-02-16
Arthur Tvikrok (3 replies)
Putting RegClean (and other registry cleaners) on the checklist for beginners is not a smart thing to do.
The problem is that RegClean (and similar software) has a severe problem with false positives -- they mark registry entries for deletion that should NOT be deleted, as they're either in use...
A Home User's Security Checklist for Windows (Scott read this)
2004-02-19
Anonymous
This is to get Scott's attention to update his article before more people screw themselves... Thanks Arthur Tvikrok for pointing out KB 299958 that Regclean is incompatible with:
Microsoft Office 2003, All Editions
Microsoft Office XP (Setup)
Microsoft Office 2000 (Setup)
and has been specif...
Norton Doctor
2004-02-24
Al Macintyre
Software to "clean" your PC of garbage needs lots of memory and disk space to work properly ... if you are running out of that stuff, then it is too late to use the Doctor.
The state of art of some of these things, and their interfaces and documentation ... just not for the beginner.
Get peopl...
A Home User's Security Checklist for Windows
2004-02-16
Anonymous
This is the most constructive thing I have seen come out of Security Focus in a long time. There is normally a lot of blathering on about how the average user is not security conscious usually coinciding with the latest in the vast onslaught of worms and viruses. Or there is the technical article ...
A Home User's Security Checklist for Windows
2004-02-17
Anonymous (1 replies)
Bravo! It's nice to see such an informative, comprehensive guideline being written for "the average user". More importantly, it's nice to finally see it written without the typical bias towards or against any specific software maker(s). I think software editorials are becoming too political, and ...
A Home User's Security Checklist for Windows
2004-02-18
Anonymous (1 replies)
"More importantly, it's nice to finally see it written without the typical bias towards or against any specific software maker(s). "
I would agree right up until the last checkbox. I fail to see the reason for including it....
A Home User's Security Checklist for Windows
2004-02-19
Anonymous (1 replies)
> I would agree right up until the last
> checkbox. I fail to see the reason for
> including it.
I think the point is that this checklist is ~CLEARLY~ aimed at Windows users, and the goal he set out to accomplish was creating a comprehensive "Do" list for all those Windows users. I find it v...
A Home User's Security Checklist for Windows
2004-02-20
Anonymous (1 replies)
"He acknowledged the fact the Linus and Mac both have better security track-records, but isn't trying to make anyone get a new OS when it's likely much easier to secure what they're already running."
The question is for what purpose? Why does a Windows user need to check of that other OS's have...
Alternatives
2004-02-24
Al Macintyre
Quote # 1: "He acknowledged the fact the Linus and Mac both have better security track-records, but isn't trying to make anyone get a new OS when it's likely much easier to secure what they're already running."
Quote # 2: "The question is for what purpose? Why does a Windows user need to check...
A Home User's Security Checklist for Windows
2004-02-17
Anonymous
Please note that the following ramble is based on the tone of your original comment. It sounded like
you got frustrated with the user and things got
heated. If I've misread the tone, I do apologize.
I currently serve an Infosec function for my
company. We do both Awareness and Investigation...
A Home User's Security Checklist for Windows
2004-02-18
Patrick Balleux (1 replies)
---------------------------------
I know that some people might also argue that these operating systems have a better security record than Windows, but I'll leave that to the experts to debate. Thanks for mentioning them, but I'm still going to run Windows.
--------------------------------
I...
A Home User's Security Checklist for Windows
2004-02-18
Anonymous (2 replies)
The problem is Microsoft has the world's big "Kick me hard!" sign on it. In the last 7 days there has been more Windows virus than any other system for the last few weeks. While I personally use unix/linux I often recommend people get themselves a Mac. The system costs more but there are so few viru...
A Home User's Security Checklist for Windows
2004-02-20
Patrick Balleux
I did some research last December and I found out that here, on Security Focus, there are around 70 vulnerabilities for Mandrake, Suse, around 200 for Red Hat and 500 for Windows.
Just do a filter on vulnerabilities for each vendor (MS, Mandrake, Suse, IBM, etc...)
You will be surprised...
Safer OS
2004-02-24
Al Macintyre
IBM makes several types of computers that cannot get viruses, be hacked, etc. but they are too expensive for the home market. I am happy to see that many ISPs are moving to those kinds of boxes and in the future will be offering services to home users so the bad stuff can be stopped before it gets ...
A Home User's Security Checklist for Windows
2004-02-18
Ron O (1 replies)
I think this checklist is a great idea. I do, however, have to disagree with one point in the list -- responding to spam to unsubscribe. With the recent CAN-SPAM Act that Congress passed (for those of you in the USA) the whole spam game has become an "opt out" one. Everyone is essentially allowed...
Nice Windows Advert at the bottom...
2004-02-18
Penguinisto (1 replies)
A Home User's Security Checklist for Windows
2004-02-18
Bob
This checklist is a great idea.
But, it could be simplified for non-computer administrators/gurus.
For example: (Why shouldn't I run as Administrator?) is great for someone who is skeptical and wants to know why before following someone else's advice. But for the novice who is willing to believ...
A Home User's Security Checklist for Windows
2004-02-18
Anonymous (1 replies)
NetBIOS? RPC? Remote Registry? WMI? DCOM?
uPnP?
These are the stuff that you must plug
prior to secure Internet Explorer and most other Windows insecurities. Browser
attacks can ONLY occur if one uses the Browser, network attacks taking advantage of the services listed above, can be successfu...
Email attachments and FTP
2004-02-23
Anonymous
That's great if it works for you, but it's just not realistic for most people. Email has become the de facto way of sending electronic documents.
Besides, FTP is an abomination of a protocol and really shouldn't be used anymore. It's insecure by design, and doesn't work well with firewalls. You...
A Home User's Security Checklist for Windows
2004-02-18
Anonymous
"With the recent CAN-SPAM Act that Congress passed (for those of you in the USA) the whole spam game has become an "opt out" one. Everyone is essentially allowed to spam you once but has to give you (among other things) an easy way to be removed from their list."
--
Err, I wouldn't be too awfu...
A Home User's Security Checklist for Windows
2004-02-18
Cob
Scott,
This is a nice list. I wish you would make a PDF version of the checklist with links to some of the supporting info.
I would probably add a bunch of items to your list, like turning off Windows Messaging service and DCOM, and turning off raw Windows sockets, but I certainly understand ...
A Home User's Security Checklist for Windows
2004-02-19
Anonymous
Really a great idea!
Thank you for that list. It's so simple but miles away from all that FAQ and HOWTO stuff out there. I have recently discussed about PersonalFirewalls and the inability of new computer users to configure their system safe and getting the necessary knowledge for doing that throu...
A Home User's Security Checklist for Windows
2004-02-23
Al Macintyre
I posted a link to your article in YAHOO group TYR http://groups.yahoo.com/group/TYR/message/15716 message # 15716 and feedback there says that your article was great, and the stuff I posted was also a good addition to your list ... since then I have seen that allegedly we can have anti-phishing pro...
Passwords
2004-02-23
Al Macintyre
Here's what I do ... I come up with the WORD ... some word I can remember without writing it down ... and I come up with a way to capture a few characters related to the site that needs a password ... perhaps their initials, perhaps first few letters of name of outfit ... then I combine the WORD wit...
forget about - disabling unnecessary services
2004-02-24
phreeb
Nice article, but I think one checklist item was left off. Often times, vendors will ship their OS's with all kinds of daemons enabled by default (programs that are run in the background without any input from the user, but also can be accessed over the network). Every Windows XP box I use, I wind u...
Disconnect from the Internet
2004-02-25
Cornelius (1 replies)
I really liked the list, I think it can be a very helpful tool. However, I would add the following for anyone with Cable Internet:
Disconnect from the Internet when you have no reason to be connected. There is no reason to remain connected 24 hours a day if you only actively use the Internet fo...
A Home User's Security Checklist for Windows
2005-12-27
Anonymous (1 replies)
When you published this list in 2004, it was one of the few online resources for home users. For me, it was a small miracle--since my PC came with a Windows operating system and no security information--this article was something of a guidepost as I tried to learn the basics (item by item in my spar...

I got in...