|Internet Connection Security for Windows Users|
|by Steve Gibson, Gibson Research Corporation|
|What can you do to protect yourself?|
There is no better defense than knowledge. Acquiring the knowledge you need to defend yourself against the bad guys on the Internet will not be instantaneous, but, thanks to this web site . . . at least it's free!
So I ask you to make some time to read through the following pages. If you do, you will easily learn enough about networking to feel comfortable with the task of securing your computer and those of your friends.
Beyond the knowledge which you'll need, the exact answer to how you proceed depends upon your Internet usage patterns, your communication needs, and the level of security and privacy you require. The checklists below provide some guidelines and strategies to consider. Please read both sets of answers since your requirements may combine aspects of each.
|If you DO NOT NEED to share files across the Internet:|
|Windows insecure networking can be easily neutered to immediately disable file sharing across the Internet!|
The single BIGGEST security hole that exists is Windows File and Printer Sharing over your TCP/IP (Internet) connection. I've encountered many freely available scanners that specifically target "open Windows shares" and password crackers are free for the downloading.
If your Internet-connected computer is not networked to any other machines there's absolutely no need to have file and printer sharing installed and often no need to have Microsoft networking loaded, running, consuming precious RAM memory, and dramatically lowering your Internet security!
Client for Microsoft Networks Just Say No
The "Client for Microsoft Networks" is only used when connecting your Microsoft operating system to other Microsoft operating systems. It has NOTHING to do with the Internet (which somehow manages to operate even without the help of Microsoft.) All web browsing, eMail, newsgroups everything will continue to work just as it did before. It was unnecessarily installed and should be immediately removed. The next page shows you how! (There are a few known exceptions to this for some but not all users of the @Home Internet cable modem system. This is explained on the pages that follow.)
For the vast majority of Internet users . . .
Internet security is to cut yourself loose
from the Client for Microsoft Networks!
Unbinding the Client for Microsoft Networks
After you "unbind" the Client for Microsoft Networks (and its related file and printer sharing) from all of your TCP/IP-using adapters, it quietly disappears from sight and your system's security skyrockets.
You won't miss it at all, Windows will boot faster, and you'll have more memory for things you do need. And if you later decide to share your files with another computer (which is almost the only reason for Microsoft's networking) it's very easy to bring it back from the grave.
Not only does unbinding TCP/IP from the Microsoft networking components prevent your computer's files from being accessed through abuses of Microsoft's networking, but as you can see from the text in the image above, even Microsoft knows that turning this stuff off will speed up your computer!
The next page provides detailed instructions for improving your Internet security by cutting your system loose from Microsoft's Networking for Windows 9x and NT.
After making these changes and rebooting your machine your files can not be accessed across the Internet though the NetBIOS file sharing system.
There is no evidence to suggest that any intruder has ever been able to use NetBIOS to remotely access files on a Windows machine that had either removed its networking components or "unbound" and disabled its file and printer sharing over TCP/IP. (And given how wiley these Net hackers are, that's saying a lot!)
|Beware OTHER backdoors|
It is very important to note, however, that removing or disabling file sharing does not preclude the possibility of an intruder gaining access to your system through any of a number of other Internet services or systems that might be present in your computer. For example, numerous exploits have been documented of hackers entering a system through Microsoft's Personal Web Server, IRC, ICQ, telnet, web browsers, eMail readers, and anything else you can imagine! Therefore, if the security of your system is of true concern, you must act to proactively guard against intrusion. Any component within your system that touches the Internet creates a potential opening for attack.
The Master Hackers are REALLY good. I've been very impressed by what I've seen them achieve. They are arguably more talented and focussed than most of the people writing the software that's being attacked. They don't have "management" telling them to ship this stuff before it's ready and still littered with known bugs and security holes, and they love nothing more than a challenge. Therefore, the only workable strategy is for you to keep a low profile and give them as little as possible to chew on. Speaking of which . . .
|Protect your privacy|
Windows opens the NetBIOS file sharing ports 137-139 unless the Client for Microsoft Networks is completely removed. While it's open all passing Internet scanners will find and log its presence. And if the Networking Client is bound to the TCP/IP transport (as it is by default), Windows will be blabbing your user, computer, and workgroup names out across the Internet.
You can demonstrate all of these variations for yourself by using the Shields UP! tests and the Port Probe (see the "Evil Port Monitors" page for details). If you don't make any of these changes, any scanner can sweep past and log the fact of your existence along with your user, computer, and workgroup names! You should keep that in mind when choosing them.
since any intruder who stumbled over that in his scanner logs
would probably go nuts trying to break into your system!
So try to choose share names that don't sound like they're worth cracking ... like "Favorite DustBunnies" or "Freudian Quips". Those ought to be safe.
Some folks append a "$" (dollar sign) onto the end of share names to "hide" them. But this merely prevents Windows from DISPLAYING them! Those shares remain completely visible to anyone who knows how to look for them on the Internet! See the "COMPLETELY HIDE your Share names!" topic below for all the details.
|What's a little firewall between friends?|
The Personal Firewalls page discusses firewall technology in detail and contains my reviews of five I have looked at closely. A true personal firewall can provide extremely robust intruder protection, analysis, and monitoring of all internet activity. My favorite firewall, ZoneAlarm 2, is FREE for individual use. I think this stuff is way cool so I will be creating a feature-packed firewall of my own, see box below.
If you have no immediate need to share your files with any other computer local or remote the safest, cleanest, and simplest solution is the "unbinding" of Windows insecure networking client from your network. And you should ABSOLUTELY do this even if you plan to get a firewall . . . mine or someone else's.
It should be noted, however, that using a prophylactic program (like a firewall) to suppress the operation of another (like Microsoft's Networking) is not nearly as safe and sane as removing the program whose operation and behavior you wish to suppress.
If you MUST share files across the Internet:
If Windows File and Printer Sharing is bound to the TCP/IP protocol (and thus free to wander the Internet) because you need to share files with your office, family, or friends, you must address some serious security concerns:
Not ONLY will your user, computer, and workgroup names be public knowledge, but so will the names of ALL your shared resources. (Shields UP! can show this to you at any time.)
If your computer has a persistent connection to the Internet it will be quickly located, logged, and targeted as an opportunity for break-in by Windows share scanning intruders. The following measures will minimize your exposure:
|Choose uncrackable passwords|
As we've already seen, Windows file share password cracking programs are commonplace on the Net. Their especially insidious aspect is that Windows provides no indication when a cracker is pounding away at the passwords protecting your protected shares! Cracking attempts can also be "overlapped" so that hundreds of attempts can be going on simultaneously. And these password crackers succeed much more often than you might imagine. Such programs are typically based upon a dictionary of proper names and words because most people choose the names of their children, pets, or relatives as their passwords. Since these programs have all the time in the world and since you have no idea when they're grinding away at your machine trying and failing to get in this guessing approach usually succeeds sooner or later.
Therefore, you will want to immediately employ STRONG, cryptic, and unguessable passwords to all exposed file shares. You'll want to keep in mind that anyone trying to access your files will already know your user, machine, and workgroup names (Thanks to Windows NetBIOS blabbing.) Your passwords should therefore have NO relationship to any of those always visible names. Ideally they should be LONG random strings of characters. A good one might be something like: "4F3hw9Egh84d2" (But DON'T use that one since it's mine. (Just kidding)) I know it's annoying to have a password like that, but any phrase that is meaningful to you might either be in a password cracker's dictionary (see below) or be guessable by someone who knows you.
system really IS being watched!
It's creepy but true!
|Share Names can NOT be COMPLETELY HIDDEN!|
You must NOT depend upon "Hidden Shares" for any sort of security! Many people falsely believe that appending a '$' (dollar sign) to the end of a share name provides useful protection by hiding its existence from external prying eyes. But in typical insecure Microsoft fashion, that's not the case at all! Although Microsoft's Windows does not show any share names that it receives from a remote computer, it continues blabbing those hidden share names at every opportunity! This means that anyone with a little bit of technology can readily see and attack those "hidden" shares!
|Always watch out for backdoors!|
Other means of entry into your system must be avoided. Since the presence of your computer's shared resources will be obvious to any curious cracker, this will tend to draw more attention to your system than other machines that are blabbing less about themselves. Therefore, everything I wrote about other means of entry applies to you more strongly. You need to be very careful. Remember: Many of these guys are really good!
|If you MUST share files across the Internet a|
personal firewall is the ONLY WAY to be safe!
If you've noticed how much I enjoy providing free solutions to relatively small problems (things people shouldn't have to pay for) then you know that I don't like recommending that you spend money to fix something that shouldn't be broken in the first place. That's why I'm committed to creating a small freeware firewall to address these key problems myself. (To be notified when that's ready, be sure to join my User-Managed eMail System.)
But until I can get around to making something available for free (and that won't be happening until next year, some really good firewalls are very inexpensive at just $29 to $39 and well worth the price for the comprehensive protection and detection they provide. I have located and examined some inexpensive firewall products which I describe on the Personal Firewalls page.
But before we look at them, a serious issue needs to be addressed: The frenzy to secure our Internet connected PC's has spawned a hoard of really bad pseudo-firewalls. So please don't miss my discussion of "Evil Port Monitors" which follows the next page . . .
|Purchasing Info||GRC Mail System||To GRC's Home||Tech Support||Steve's Place|