The hidden costs of windows security for non profits

shipley.c:

I completely disagree with your statement that for now autorun is a non event for anyone running Windows as a desktop.

The patches provided by MS provide protection against the methods currently used by criminals to exploit autorun. Your podcast details additional methods that can be taken to completely disable all autorun features if this is something people want to do - MS TAMS provide the same information - noting "autorun" is more than just the ability to automatically run an application, it also provides context menus and other features.

To put this into a real world simile...

The patch locks your doors and windows. You shouldn't need to manually intervene or change anything (as suggested by other posters to this thread) providing automatic updates are enabled.

The registry hacks provided by MS (and highlighted on your podcast), put additional bars on your windows and a couple of Doberman dogs in the front yard...

Some people like to go to these lengths - and good luck to them - personally I have never seen the need. For me basic housekeeping is enough to ensure I do not get viri or worms on my Windows (or Mac or Linux) computers. The patch works, however people should be aware there are additional steps they can take should they wish to further lock down their machines.

Chris you should be commended for providing this information.

What comes to mind here is the Sony root kit boondoggle.  That autorun was fortunately stopped with a limited account log in, but I would consider disastrous having a PC infected by simply putting a music CD into your computer's cd drive.

Dave

Yeah, my strategy has never been to strictly rely on MS for how to secure Windows.  I understand that some people consider it enough.  I'm hoping to convince people that its not.

dwelp:

What comes to mind here is the Sony root kit boondoggle.  That autorun was fortunately stopped with a limited account log in,

Hi Dave,

The rootkit was only the start of the vandalism exercised by Sony. Remember the later "fix" provided by Sony to remove the rootkit did not come by CD and was not activated by any autorun sequence - it was provided by 'net download, yet was itself more exploitive than the original rootkit. It was a combination of events that finally stopped Sony...

- Anti-virus vendors recognized the Sony software was genuinely malicious and included protection against it in subsequent  AV updates.

- Microsoft released patches preventing future infections.

- Public pressure, particularly the legal cases commenced by the US states of Texas and New York forced Sony to concede; to stop the practice, and to offer recompense for people impacted by this crime.

There's no doubt that any opening into a computer system offers a potential for criminals to exploit the opening - however I don't think promoting security paranoia is necessarily a good response. At the end of the day what Sony did was wrong and created a media / legal / emotional outcry... however considering it in context... it also did very little real damage.

Computer exploits always generate a range of emotions, bring parochialisms to the fore and generate... ummm... a range of extravagant claims... but we can still enjoy our computers without locking them in a vault 24x7. We just need to be sensible.

truly fellow NPO operators,,, your words may be useful. but as one who's depended on computer apps since 1968 and facing my own blindness, I pray you do some common sense edit downs.... give overview summary concisely stating ,,, 1, 2, 3... zip. Yes, I recommend this forum do a summary of the posts in lieu of the initial posting and let those needing to build new setups and/or IT network policy

It's wonderful to bring one another greater awareness. But, in fact,,, I am not sure after reading next to 90 % of what you've said as of 5-25-09, I feel short changed.

Kenneth Koym, Psychotherapist, Retired Military Research Scientist and Recipient of a beloved 65,000 hour professional volunteer award. 

Kenneth,

I am not so sure that a ten step guide is practical. Every organization is going to have differing needs. Combine that with the myriad of installation combinations of external anti-virus and firewall protections, and the definition of "optimal setup" becomes gray, to say the least.

What many fail to realize is that security is a moving target. What works well today might very well be out the window tomorrow. A competent system administrator keeps up with the trends and best practices in the industry.

If anything is to be gleaned from this thread, it is that vigillance is the skill to have.

Hi.

It's 2009 and windows seems more vulnerable than ever.   Once again users who have full protection are getting infected by surfing websites with that should be safe.  However, the websites are powered by a windows server and the server is hijacked, spreading their virus to people who surf their website.   In these infections, the browser is Internet explorer.

I've found the most simple way to avoid viruses on windows machines is to

a) disable Internet Explorer
AND
b) demote the user accounts to "disabled"

here are the basic steps below:

=============================================================

a) Install firefox and only then, follow the steps in the URL below

http://pcsupport.about.com/od/browsers/ht/disableiedef.htm

or for windows XP that has not been updated to SP3 follow these steps

 http://www.techsupportalert.com/how_to_disable_internet_explorer.htm

Both methods above work great to stop IE.  The zero proxy method also prevents windows from updating.  But if you don't have SP3 my guess is that you are not using a machine that is so old and slow, it would die a slow death if you let windows update run.   I've seen many very heathy XP SP2 computers that have no virus protection other than a) killing IE and using firefox  and b) demoting the user to disabled and c) having someone smart enough not to download executable files

 ================================================================

b) open up your control panel, then users and follow these steps:

create a user called "mechanic", and set that user to have "administrator" privlidges or rights.  Then logout, and logon as mechanic.   Be sure to create a good password hint for this account.    Once you get to the desktop, again open the user control panel and now change the accounts for the other users.  Demote them from "administrator" rights to "limited".  When you need to do software updates on the computer, logon as the mechanic.  As the mechanic you can run IE but limit that surfing to the microsoft.com website. 

Now, to reply to the humans who love windows, and love to sell it to others without the truth and whole truth.    I could be wrong here but the average non profit does not have an IT person who runs an Active Directory server, which as stated, avoids the need to walk from desk to desk and demote all the user accounts.   The average non profit does not have image backups/restore , or if they have it, it covers only half of the computers.

So for most of the world, security means your geek person must walk from desk to desk and do a lot of prevention, and when windows dies, someone has  to spend a lot of time re-installing windows from CD, if it has not been lost over the years by the many different staff in a non profit office.

I'm positive that demoting users to "disabled" would make them unable to use the computer at all.  I think you mean demoting users to the "User" group instead of "Administrators" or "Power Users".

Disabling the Administrator account on computers today is kind of a worthless step.  Just set a strong password for the account (and the one you use).  The exploits you are explicitly referring to don't require you to have an account on the computer called "Administrator."  These are usually taking advantage of buffer overflow errors that allow them to execute code at an elevated privilege regardless of your privilege level, and they don't require the existence of an enabled Administrator account.

It's not just Windows servers that get hacked to provide the malicious code you are talking about.  There are a whole bunch of ways to compromise a server, even Linux.

All that being said, then the best thing users can do is to practice safe computing habits (as we've already started a thread on).  Wallydallas, I think you're trying to help, but your posts unnecessarily promote FUD.

Wallydallas, I would strongly advise against disabling Internet Explorer as there are some sites that will only work with IE.  The discussion that Chris has pointed you to is a very good discussion on security and proper training of users.  Our non-profit uses IE exclusively.  We have not had a bit of spyware in over 2 years.  Our philosophy is that you can lock someone down tight, but will they be able to perform their job duties after?     

Does Automatic Update (or Microsoft Update) work without IE enabled?

The actions prescribed by WallyDallas are uneducated at best, or blatantly passive aggressive at worst.

Perhaps, in an effort to lend credence to this conversation, we can use him as a poster child for the "security challenged", and assume that he may very well represent a percentage of the computer-user population that simply does not know how to compute securely.

Admittedly, the "out of the box" settings for most software on the market are a bit shy of spectacular. This is not a fatal blow to the software, but rather a fact of life. Learning how to optimize the software to meet the needs of the end user are the key to success. A user that does not possess these skills will always be an order of magnitude less satisfied with the results. What seems to be a numerator is today's societal problem of not being able to take either the responsibility or the initiative to set things up for their own needs.

The simple fact of the matter is that if you do not have the ability or desire to create a safe computing environment in today's day and age, it says more about you than it does about the software. For those that can relate to analogies, If you drive into a drug infested neighborhood after dark and start yelling obscenities at the locals, don't blame Chevrolet because you get shot through panes of glass that were not bulltproof.

My point is that your computing habits and choices are every bit as important to your computing success as any security software on the market either now or in the future. Take some personal responsibility and adjust your environment to suit your web surfing style.

tclaremont:

My point is that your computing habits and choices are every bit as important to your computing success as any security software on the market either now or in the future. Take some personal responsibility and adjust your environment to suit your web surfing style.

I agree 110% with this statement.  A couple of years ago, we had a user tell me when I was cleaning up her computer from malware for the 4th time that I should be making sure this stuff wouldn't attack them.  I told her she wouldn't have this problem if she stayed out of websites that she shouldn't be on.  The problem never came back. :)  Tim, I think as a society, people are always looking to deflect blame.  Blaming Microsoft for viruses and malware would be like blaming the Krylon spray paint company on graffiti.

glamontagne:

there are some sites that will only work with IE.

I would not worry much about sites that work only with IE, but it is not uncommon still to encounter software that will use only IE to phone home for support issues. (So, will Windows updates work without IE? When I try it in Mozilla Firefox, Windows refuses, but I have not diabled IE)

What is the idea behind the EU trustbusters getting M$ to offer Windows without IE? Will everyone suddenly become standards-compliant?

When it comes to the EU getting MickeySoft to offer Windows without IE, it always struck me as a solution without a problem. I don't feel obligated to use IE just because it comes with Windows any more than I feel obligated to use notepad as my word processor.

I admit that the issue is likely deeper than that, but I think i got the gist of it!