newsday.com
December 12, 2001
Slamming Windows Shut on Hackers
LAST WEEK, WE TALKED about hackers and related threats to home computers on cable and DSL lines. This week, we're going to look at concrete steps you can take to secure your PC, and to secure PCs connected to a home network.
You'll probably want to buy a software firewall, and maybe you'll need a hardware firewall. But before you even think of spending money, there's a no-cost quick fix: turn off file sharing and weed out network services you don't use.
Here's the main deal: Unlike a phone connection, an always-on Internet cable or DSL connection makes you a highly visible and accessible target.
In addition, the automated setup procedure of cable and DSL modems tends to make a lot of security-related decisions for you - most of them wrong. Windows itself is a big offender here - as soon as it detects the network adapter you plug into your cable modem, it automatically enables a slew of services and protocols that can also be used by hackers to get into your computer. The idea, of course, is that this will make it easier for you to connect computers on a network. But this also tends to make it easier for hackers; in some cases, this could give full access to your hard drive and printer.
How it does this differs somewhat among Windows 95, the various flavors of Windows 98, Windows NT, 2000 and XP family, and there are additional complications added by the individual programs that install specific network adapters.
We can give basic information here for disabling unnecessary connectivity, but you're going to have to study at sites like grc.com (http://grc.com), and practically networked.com (http://practicallynetworked.com). Of course, there is also Microsoft's own technical documentation.
Here's a simple setup for a single computer. First, go to your control panel and open up the Network item. You should see a screen something like the one in the picture. There are three kinds of listings on the screen: a client (usually Client for Microsoft Networks) which is what allows your PC to share disk drives and printers; one or more protocols, in effect the "operating system" for networking, and finally the entry for the physical adapter, e.g. your Ethernet card and/or modem.
The dumb guy's way to minimal network security? Highlight "Client for Microsoft Networks" and select "remove." Once it's gone from your computer, you can't share your disk drive, and neither can hackers. True, there are other sneaky ways in, but you've closed the worst hole. If you have a network of computers, and you don't need to share files or a printer among them, repeat this procedure on each of the PCs.
What if you want to share files on your part of the network while connecting to the Internet? Well, we're into serious systems engineering. You'll have to set up the TCP/IP protocol to deal with the Internet, and layer on top of that the NetBEUI protocol to handle the local networking. You'll also have to make sure that file sharing is enabled for NetBEUI but not for TCP/IP. If you use Windows XP, you'll need to install a patch to use NetBEUI, which is no longer incorporated into the standard release. And if you plan to play networked games, in some cases you'll need to plug in the ipx/spx protocol. Beyond that, we're not going get into the details, which are really ugly. I'm not even going to suggest that you try it unless you're pretty experienced with PCs. Steve Gibson lays it all out in excruciating detail at grc.com.
One little warning here that I've never seen on any of the usual Net security sites. Suppose you have to replace your network adapter, or just rearrange the cards in you PC for some reason. If Windows reinstalls the adapter with plug-and-play, the odds are fairly good that it will undo all your careful removal of file sharing.
Internet Connection Sharing, available in later versions of Windows 98 and XP, adds yet another layer of complexity here. And because it is essentially free, lots of beginners are tempted to use it to connect their home network of PCs though a broadband connection to the rest of the Internet. The way this works: One computer becomes a "proxy" for the rest of the PCs. It has one network adapter that connects to the cable or DSL modem and a second adapter that connects to the other computers on a home network. You'll see it used more often with home phone-line networking than with standard Ethernet networks. You now have the additional hurdle of having to unsnarl file sharing from the adapter as well as the protocol. Like we said earlier, it's ugly.
Alternatives? In the ideal world of Internet security, you would follow Gibson's instructions to the letter, and install a personal, software- based firewall on your PC, and buy a router that incorporates its own firewall.
As a practical matter, all you may need is the router, and for the cost, under a hundred bucks, why get crazy? As we noted last week, the router/firewall hides everything else on your network from outsiders, and essentially separates security issues from networking issues. Assuming that you have a fairly simple setup, with an Internet connection for Web and e-mail and with file and print sharing among the PCs on your network, you can forget about complicated configuration hassles. In fact, I'll crawl out on a limb here and suggest that even if you don't have a network at home, a hardware based router/firewall is a pretty good investment.
Next week, we'll look at how to set up a router and some options for games and two-way services. |
