Digg this story   Add to del.icio.us  
A Home User's Security Checklist for Windows
Scott Granneman, 2004-02-13

Most people don't secure their computers or act in a secure manner, and the main reason is that the average user just doesn't know what to do. Here is a checklist on security for home computer users that you can share with your friends, family, churches and clubs.

A long time ago, in another career, I taught English to 9th graders, one of the most fun jobs I've ever had. It taught me something important about the learning process, and there's something in that process that can work for everyone, teenager and adult, 9th grade English student and home computer user.

When I first started out, I would assign the kids a paper and then a couple of weeks later they would hand the results in to me. I would mark up the papers - indicating the multitude of errors (and commending fine writing as well) - hand them back, and then talk to the class about techniques for good writing.

Unfortunately, this process was repeated over and over and over. My students' writing improved only slightly. Clearly, I needed to change my method.

Then I realized my problem. I was telling my students things like "Don't use contractions in formal writing" and "Avoid run-on sentences" and fifty other things, but that was way too much for them to keep in their heads at one time. Heck, it would be too much for any one person to keep in her head, unless she made the act of writing to be something she did so often that she absorbed all the various writing techniques and rules and they finally became intuitive.

My solution was "The Checklist". I drew up a checklist of 50 or so rules that my students were to follow when writing their papers, keyed to a style guide that I had them use. Next to the rules were columns labeled "Draft 1," "Draft 2," "Paper," "Rewrite 1," "Rewrite 2,", and so on. When a student handed in a paper to me, he was to hand in three drafts plus the checklist. The student was to use the checklist as a tool for finding and eliminating common mistakes. Every box in the first three columns should have a check in it, meaning that the problem was not found, or a minus sign, meaning that the problem was found and corrected.

I would grade the student's paper. When I got to the fifth error that the student had claimed was corrected but in fact was not, I would hand the paper back to the student, along with all the other drafts and the checklist, and make him rewrite it. And again, and again, and again, constantly keying the errors back to the checklist and the style guide.

Suddenly, the quality of my students' writing shot up. Quickly, we got beyond the little mistakes in technique and could focus on the bigger issues of form, and methods of argument and persuasion, and style. To this day, I still have former students tell me that they learned to write from my class, but really, it was The Checklist.

If you've been reading any of my columns over the past year, you'll know that the security problems of ordinary, non-technical users have been a focus of mine. One of the things I've constantly addressed is the problem that most people don't secure their computers or act in a secure manner. I think the main reason is that most people don't know what to do. Or worse, security pros try to help, but we overwhelm folks with too much information and end up sowing confusion and hopelessness.

With that in mind, I'm introducing a checklist for basic home security. I've come up with a list of steps that, if followed, would contribute an immense amount to the security of most user's computers. I'd like all my readers to print it out and walk through it with their family, friends, churches, and clubs. Fill it in with them, or better yet, explain to them how to fill it in. If they need to know more about an item, point them back to this page and tell them to click on the links I've provided. After the checklist is filled in, tell them to post it next to their computers or in a safe place, but tell them to refer to it if they have any questions.

A couple of notes about the checklist. Yes, I know that I provided space for folks to enter their passwords below. I thought long and hard about that, and it seems to me that the problem of lost or forgotten passwords, especially if it's a home computer with a limited user base, outweighs the problem of someone's wife or husband seeing a password. If it really bothers you, then don't fill those blanks in, or have someone fill in two copies of the checklist: one with passwords that is filed away in a safe place, and one without passwords that is posted on the wall next to the computer. Be flexible - you know the situations of your friends and family better than I do.

A final note: this is a work in progress. Send in suggestions via the discussion forum below, or email me directly. We'll try to update the checklist to incorporate suggestions or criticisms, and as new technologies are introduced, we'll try to add those as well. Let's make this a community project, with the goal of better security for everyone.

And now, without further ado, my latest checklist. I hope you find it useful.


The SecurityFocus Home User's Security Checklist for Windows

Windows

I am not running Windows as Administrator.
(Why shouldn't I run as Administrator?)
I picked a good password to log in to Windows: ____________________.
(What are some rules for good passwords?)

Windows Update

Windows Update is set to automatically download and install updates from Microsoft.
(How do I set up Windows Update to run automatically?)
I run Windows Update manually to download and install updates from Microsoft.
(How do I use Windows Update?)
I run Windows Update every _____ days.
If I use Microsoft Office, I check Office Update for updates.
(How do I use Office Update?)
Plus, I visit Office Update every _____ weeks.
I understand that Microsoft will never send out updates and patches, or announcements about updates and patches, via email. (What is phishing?)

Anti-Virus

I have anti-virus software installed and running.
(Why do I need anti-virus software?)
My anti-virus software is made by this company: ____________________.
My anti-virus software's title is ____________________.
My anti-virus software automatically updates itself.
My anti-virus software updates itself every _____ days.
My anti-virus software updates expire on this date: ____________________.
My anti-virus software automatically scans my computer for viruses.
My anti-virus software scans my computer every _____ days.
My anti-virus software automatically scans my IM (instant messaging) software.
(Why should anti-virus software scan IM software?)
I understand that some so-called viruses are actually hoaxes and I shouldn't worry about them. (What is a virus hoax?)

Internet

I've tested my computer's connection to the Internet.
(How do I test my computer's connection to the Internet?)

Email

I've configured my email program securely.
(How do I configure my email program securely?)
If I use Outlook, I've configured it securely.
(How do I configure Outlook securely?)
If I use Outlook Express, I've configured it securely.
(How do I configure Outlook Express securely?)
I keep my preview pane closed.
(Why should I close the preview pane?)
I know how to use email attachments securely.
I have configured Windows to show all file extensions.
(How do I configure Windows to show file extensions?)
I never open attachments unless I am expecting them.
(What are some good rules for opening email attachments?)
I never open attachments that are programs (files that end with .bat, .chm, .cmd, .com, .exe, .hta, .ocx, .pif, .scr, .shs, .vbe, .vbs, or .wsf).
I never respond to spam, even to "unsubscribe".
(Why shouldn't I try to unsubscribe from spam?)
I understand that AOL, eBay, PayPal, my bank, and other Web sites related to my money will never send out requests for passwords, PINs, or other sensitive information via email.
(What is phishing?)

The Web

I've configured my Web browser (Internet Explorer, Netscape, Mozilla) securely.
(How do I configure my Web browser securely?)
I've tested my Web browser's security.
(How do I test my Web browser's security?)
I understand that advertisements on Web sites warning me that my computer can be hacked or fixed should be ignored; if I am concerned, I will ask someone knowledgable.
(What are fake Web ads?)
When I buy online, I make sure that sensitive information is entered only on secure pages (https).
(How can I tell if a Web page is secure?)

Anti-Spyware

I have anti-spyware software installed and running.
(Why do I need anti-spyware software?)
My anti-spyware software is made by this company: ____________________.
My anti-spyware software's title is ____________________.
My anti-spyware software automatically updates itself.
My anti-spyware software updates itself every _____ days.
My anti-spyware software must be manually updated.
I run my anti-spyware software every _____ days.

Personal Firewalls

I have a personal firewall installed and running.
(What's a personal firewall?)
My personal firewall software is made by this company: ____________________.
My personal firewall's title is ____________________.
I understand when to allow software to access the Internet and when to be suspicious.
If there is a problem, I understand how to shut down all Internet activity using my personal firewall.

Router

I have a router/firewall installed and I use it.
(Why should I use a router/firewall? )
I changed the default password on my router/firewall, to ____________________.
(What are some rules for good passwords?)

Additional concerns for wireless routers

I have a wireless router/firewall installed and I use it.
(Why should I use a router/firewall? )
I've configured my wireless router/firewall to use encryption (WEP or WPA).
I'm using WEP, and my keys are ____________________, ____________________, ____________________, and ____________________.
(What is WEP? How do I configure WEP?)
I'm using WPA instead of WEP, and my key is ____________________.
(What is WPA? How do I configure WPA?)
I've changed my wireless router/firewall's SSID or ESSID.
(What is an SSID or ESSID? How do I change my wireless router's SSID or ESSID?)

Miscellaneous

I know what Mac OS X and Linux are, and I understand that these both have dramatically fewer viruses and spyware issues. I know that some people might also argue that these operating systems have a better security record than Windows, but I'll leave that to the experts to debate. Thanks for mentioning them, but I'm still going to run Windows.
(What's Mac OS X? What's Linux?)
[/html]


Scott Granneman teaches at Washington University in St. Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Linux Phrasebook, is in stores now.
    Digg this story   Add to del.icio.us  
Comments Mode:
A Home User's Security Checklist for Windows 2004-02-15
Anonymous (2 replies)
announcements, not patches 2004-02-23
Paul D
Phishing 2004-02-23
Al Macintyre
Addendum 2004-02-16
Dirk (4 replies)
Addendum 2004-02-17
Anonymous (1 replies)
Addendum 2004-02-18
Anonymous
Addendum 2004-02-17
Anonymous (2 replies)
Addendum 2004-02-24
Al Macintyre
Addendum 2004-02-23
Anonymous
A Home User's Security Checklist for Windows 2004-02-16
Arthur Tvikrok (3 replies)
Registry editors removed 2004-02-20
Kelly Martin
Norton Doctor 2004-02-24
Al Macintyre
A Home User's Security Checklist for Windows 2004-02-17
Anonymous (1 replies)
A Home User's Security Checklist for Windows 2004-02-18
Anonymous (1 replies)
A Home User's Security Checklist for Windows 2004-02-19
Anonymous (1 replies)
A Home User's Security Checklist for Windows 2004-02-20
Anonymous (1 replies)
Alternatives 2004-02-24
Al Macintyre
A Home User's Security Checklist for Windows 2004-02-18
Patrick Balleux (1 replies)
A Home User's Security Checklist for Windows 2004-02-18
Anonymous (2 replies)
Safer OS 2004-02-24
Al Macintyre
A Home User's Security Checklist for Windows 2004-02-18
Ron O (1 replies)
Opt-out 2004-02-23
Anonymous
Nice Windows Advert at the bottom... 2004-02-18
Penguinisto (1 replies)
A Home User's Security Checklist for Windows 2004-02-18
Anonymous (1 replies)
Email attachments and FTP 2004-02-23
Anonymous
Passwords 2004-02-23
Al Macintyre
Disconnect from the Internet 2004-02-25
Cornelius (1 replies)
Re: Disconnect from the Internet 2005-09-19
Anonymous
A Home User's Security Checklist for Windows 2005-10-11
nietsec@gmail.com
Shared folders 2005-11-04
Eric the Addict


 

Privacy Statement
Copyright 2010, SecurityFocus