There are some normal tasks that require you to have local administrative privileges to get things done – adding a new printer, for example. So how do you accomplish this? Well, the tedious way would be to log out of your normal user account, and then log back in as an administrator, add the printer, then log out of the administrator account, and back in as your normal user account. Sounds like fun, doesn’t it?

Fortunately, there are better ways to hack this one. Unfortunately, not all of them are super-simple, owing to Microsoft’s way of managing things, but they should be an improvement over logging into and out of different accounts.

If you are running Windows XP or 2000, the preferred method would be to use the RunAs command. So, using our printer example from earlier, if you go to the Printers and Faxes icon in the Start Menu, you will see an Add Printer icon. Right-click on it, see anything interesting? Probably not, but if you hold down the “Shift” key on your keyboard, and then right-click, you should notice a new option, “Run as…” If you click on this, you will be prompted for a user name and password. Enter in the information of the local administrator account that you created, and click OK. Congratulations! You have now started the Add Printer Wizard using your powerful administrator account instead of your lowly user account.

You can also use RunAs from the command line, using the following syntax:

RUNAS /user:<UserName> <application of your choice>

You will then be prompted to enter the password for the user account.

You can find a massive amount of information on getting around without being an administrator at Aaron Margosis’ “Non-Admin” Weblog . (This link is to all posts in the “Non-admin for home users” tag.) Some of Aaron’s posts are a bit technical, but the information he provides is invaluable.  Plus he’s from Microsoft, so he knows what he’s talking about.

There are a number of ways to “demote” yourself into a regular user account. The first method is to create a new user account that is a standard user, and use it instead of your current local administrator account. That would leave the admin account there for you to manage your computer as needed. The downside to this method is that the account you will be using on a regular basis will need to be customized from scratch, because all your settings and files will still be associated with the old account.

The method I prefer is to create another account, but this time give it the local administrative privileges. So you would go into Control Panel, and open up User Accounts. Go to New User, and create a new user. Name it something subtle, like “All-Mighty Admin.” No, seriously, go for something that doesn’t scream “hack me, I’m the account with all the power!” I suggest something like “maint,” “user1,” or maybe a pet’s name. Then give it a nice strong password.

The next step is to log into your new local administrator account, and make sure everything looks like it is working properly. Now, from that account, go to Control Panel > User Accounts again, and select your old administrator account. You can change the type from Administrator to Limited User. Why didn’t I say Power User? Well, that’s the subject of another post, but for now, just know that a Power User account has virtually the same privileges as an Administrator, including relatively easy access to elevate the account to an actual Administrator! So stick with the Limited User classification, I promise it won’t be that painful.

Then log into your newly demoted user account, and make sure everything works for you. There are some programs that have “issues” with the lack of administrative privileges, however. If you find any, please post in the comments, and I will try to assist you in getting it running properly. We will also discuss methods of temporarily running as an administrator when needed in the next part of this series.

What is a local administrator?  This is the account on your computer that has absolute power over Windows.  Anything you want to do - such as install drivers, update the system, install new programs, or manage user accounts – can be done from the local administrator account.  This account is appropriately named “Administrator” by default.

Why is this bad?  After all, it’s your computer, don’t you want to have full control over everything?  While you certainly need the local administrator account to properly manage your computer, you shouldn’t be using it for your day-to-day tasks.  Web surfing should never be done from a local administrator account.  Why?  Because any program you run as an administrator has the same level of access that you do.  So if you go to a website that has malicious code on it, that code could direct your computer to install programs, delete files, or many other equally dangerous tasks.

Convinced, but not sure if you are using a local administrator account?  There’s a number of ways to find out.  Go to the Start Menu, and click on Run.  In the window that comes up, type “cmd” (without the quotes).  In the Command Prompt window, type “net localgroup administrators” (again, without the quotes).  A list of users who are local administrators will come up, so check to see if you’re in there.  Another way to check would be to go to Control Panel, and click on User Accounts.  You should see your account there, with a word such as Administrator, Power User, or Limited User with it.

In the next part, I’ll show you how to turn your account into a regular user account, without losing all your carefully customized settings and files.

What does this have to do with security?  Well, for starters, Windows includes Internet Explorer with the base operating system.  Because of the way the components of IE are tied to the components of Windows, Microsoft successfully argued to the antitrust courts that it was impossible to truly uninstall IE.  Sure, as a result of those antitrust proceedings you can have a different browser as your default, but IE is still there, hiding in the background.  Because of this collusion between IE and Windows, I believe IE has an easier path into the operating system in the event of a security breach.  What I mean by this is that a malicious website that exploits a vulnerability in IE is more likely to break through into Windows itself, as opposed to a similar vulnerability in a browser that is simply installed on top of the operating system.

My browser of choice is Mozilla Firefox.  There are many reasons for this.  First of all, in my experience it loads pages considerably faster, and crashes less often.  Second, it is extremely customizable.  You can load different themes to totally change the look and feel of the browser, and you can install add-on applications that perform different tasks to make the browser more useful to you.  Since you can choose which add-ons you install, your browser can become very personalized.

Again, what does this have to do with security?  A lot of these add-ons are used to enhance the security of an already reasonably secure browser.  For instance, I use an add-on to block advertisements, which can prevent certain malicious pop-ups from loading.  My favorite add-on is known as NoScript, which is an amazing tool if you can deal with how it breaks certain sites.  NoScript effectively disables all scriptable components of any website, include Javascript and ActiveX.  Without scripts, it is practically impossible to have a malicious site compromise Firefox.  Of course, many sites use these scripts to provide basic functionality – YouTube, for instance.  The point is you can pick and choose which sites you want to enable scripts on, and any other site will be script-less the first time you visit it. Play around with it, I’m sure you’ll get to enjoy the feeling of only allowing sites to run scripts that you specify.

 What’s your choice for the most secure browser?  Let me know in the comments.

For Windows users, if you are running Windows XP or later, you should be using Automatic Updates.  Automatic Updates is a feature that allows you to configure Windows to automatically download (and optionally install) any new security updates that Microsoft releases.  I personally have chosen to configure it to download the updates automatically and then prompt me when they are ready to install, so I can choose to install them at a convenient time.  You may also choose to have the updates downloaded and installed automatically, but that may cause you to lose data if you leave your computer with applications open and Windows tries to restart after applying the updates.

If you prefer to have more control over the updates Microsoft is sending your computer, you can choose to use the Windows Update site.  Here you can pick and choose what updates you want to install – but I recommend you install anything Microsoft considers a “Critical Update.”  You can also find updates that have nothing to do with security, such as new versions of Windows Media Player.  Windows Update is also the method you should use if you have an older version of Windows.

If you want to be even more comprehensive with your updates, go to Microsoft Update.  This site includes everything you get from Windows Update, but also adds updates to other Microsoft Applications besides Windows, such as Microsoft Office.  Don’t forget that any software, not just your operating system, can have problems, so be sure to update them as well.

Speaking of which, pay attention to what other applications are loaded on your computer.  Almost every computer has a Java client installed. Java is often the target of security researches, and consequently is updated frequently.  Fortunately, if you have a recent version of Java, it should prompt you to download and install the latest version whenever there is an update.

Your antivirus program is probably configured to download new virus definitions on a regular basis, but does it ever update the program itself?  Some do, but others require you to manually perform updates.  I will try to put together a post on the methods to update AV programs in the near future.

Well, this post ran a little longer than I expected it to, so I’ll have to give you the methods for updating Macintosh and Linux systems another day.  Hopefully this gives you a little more information on the methods to update your Windows System.

We already talked about how to lock down the USB ports. This is not always possible, so, at least a good way to know what devices are or have been connected to the computers in our network is needed.

This is what EndPointScan provides. With an easy and simple installation, this application allows to specify a list of computers from our network that will be scanned. The only thing we will need to do is going to EndPoint Security site and click on Scan my network.

For this, we will need Internet Explorer, as this is an ActiveX control which will be downloaded and executed locally. Once we have executed it, it will provide a detailed report of the devices that have been connected to the computers: iPods, external harddisks, floppy drives,…

Not only this, but it also will tell us the threat level of each device and the computer risk level, so we know where we should concentrate on.

It requires Windows 2000, XP or 2003 and administrator rights in the computer. Using it is completely free, so there’s no harm in trying it to see if it works for you.

Most users got conscious and disabled the use of macros, so the virus couldn’t get executed and many mail providers blocked e-mails with attached Office documents.

This is not the case anymore, as macro viruses are very rare now, but a recent Word vulnerability has made DOC files dangerous again. This time the problem is not with macros inside the document, but a vulnerability that allows to execute malicious code when the document is open.

There is no patch yet for this vulnerability, as Microsoft won’t release it until June, so you should be extremely careful with documents you receive, specially if they are unexpected.

For now, this doesn’t seem too widespread, as only one attack has been detected against a company, and it was a very targeted one, directed specially to them, but it wouldn’t be strange to find it in the wild in some days.

In computers located at Internet cafes, public libraries or school the risk of being infected by spyware or viruses is very high, as they are used by people who, sometimes, are not very knowledgeable about security. So copying files from them or accessing important sites from there can be very dangerous.

Microsoft has released Shared Computer Toolkit for Windows XP which makes it easier to manage this computers in a secure way. The main features of this toolkit are Windows Disk Protection, User restrictions and Profile Manager.

Windows Disk Protection clears the changes made to the hard disk when the computer is rebooted so, if it gets infected with a virus it will be deleted next time you turn the computer on. You can also define some zones which must not be cleared, for example where the users save their documents.

User restrictions allows the creation of user profiles in an easy way, so you can give different sets of permissions to the different users or groups of users who must use the computer. For example, you can disallow the use of unauthorized software or set timers which limit the time a user can be logged on.

With Profile manager you can create permanent spaces which will not be cleared by Windows Disk Protection, where the users can save data.

This is a good solution unless you have a large number of computers, because the control is not centralized. In that case it will be better to use Active Directory and Group Policy. It will also allow you to test software in your own computer without fear of destroying important data.

To use Shared Computer Toolkit you will need a legal copy of Windows XP, as you must pass the Windows Genuine Advantage validation. You will also need 5 MB of space in your hard disk and a NTFS file system.

For more information and download you can go to Microsoft Shared Computer Toolkit for Windows XP.

These applications are free (some are open source, others are simply gratis) and will improve greatly the security of your computer. Anyways, they are not infallible so you must take basic measures to protect your computer besides using these tools.

I usually prefer using open-source tools, but sometimes there is no useful open-source equivalent in some category, so a closed-source option must be used. Anyway, I have always found a freeware option which fulfilled my needs, so you don’t need to pay anything to keep your computer secure.

Secure Navigation

• Firefox. The alternative browser built by the Mozilla Foundation. It has been getting a lot of attention lately and its usage is in the rise, with some studies saying it has a 10% market share. Download it at Firefox site.
• Opera. The third browser in the war. It’s one of the fastest browsers, with a really good security trail. Although it’s not open-source it has been free for some versions. Download it at Opera site.
• K-Meleon. Based on the Gecko engine, the same used by Firefox so it’s compatibility is really high, it’s built specially for Windows and is lighter than Firefox. Download it at K-Meleon site.

Secure E-mail

• Thunderbird. The companion to Firefox. It’s also built by the Mozilla Foundation based on the Gecko engine. It is open source and available for different platforms. What I like from it is the integration of S/MIME for secure e-mail, so I can check the identity of people who send me mails. Download it at Thunderbird site.
• GnuPG. The free alternative to PGP. Many people use this instead of S/MIME and certificates, so it’s a good tool to have. You can download it at GnuPG site. If you want integration with Thunderbird, there’s a plugin, Enigmail, which allows Thunderbird to access GnuPG features. You can download it at Enigmail site.

Antivirus

• Avast! Home Edition. Although I have never tried it, some colleagues say this is one of the best free antivirus, so I will trust them. It has real-time protection and firewall capabilities. You can donwload it at Avast! Home site.
• AVG Free Edition. This is the one I always install and it has worked really well for me. It includes a resident memory scanner and an e-mail scanner. It has versions for Windows and Linux. You can download it at Grisoft site.
• Clamwin. This is a Windows GUI for the ClamAV scanner engine, an open-source antivirus. It works greatly but it doesn’t have a resident module, only an scheduler for automatic scanning. You can download it at Clamwin site.

Malware detection

• Ad-Aware Personal. This is one of the most used malware detection tools, although it’s effectiveness has been questioned lately. You can download it at Lavasoft site.
• Spybot Search & Destroy. Although I don’t recommend to use two antivirus at the same time, doing it with two malware detection is a good choice. I always use these two detectors, Ad-Aware and Spybot. You can download the later at SpyBot site.
• Windows Defender. The detection tool provided by Microsoft. Although it is still in beta, many people have used it successfully and even in some tests has been rated as the best one. You can download it at Microsoft site.

Firewall

• Windows XP SP2. The last Windows XP Service Pack includes a firewall, although its functionality is pretty basic because it doesn’t control outbound connections. Anyway,  you can activate it if you don’t have anything else at hand.
• Zone Alarm. This is the one I most usually use because of its simplicity and powerness. It can block incoming and outcoming connections, giving access only to authorized programs. You can download it at Zone Alarm site.
• Kerio Personal Firewall. I have found that this gives more options and control to the user than Zone Alarm, so it might be better suited for advanced users. You can download it at Kerio site.

Various

• Updates. One of the best ways to keep our computer secure is update it when new security updates get out. Microsoft usually publishes them the second Tuesday of each month, so it’s a day to pay attention to it. If you want to get your computer up to date you can go to Windows Update. Another way to check your computer is Microsoft Security Baseline Analyzer which, apart from the updates needed, will scan for some common vulnerabilities like weak passwords.
• Password Safe. It’s not a good idea to use the same password everywhere, but with the quantity of passwords we have to remember it can be difficult to track them all. With Password Safe, you only need to remember a master password which will give you access to the rest, which can be really long and secure, as you don’t need to remember them. You can download it at Password Safe site. There is also an older version which works in Pocket PC.
• EruNT. This tool allows to make backup copies and restores of the Windows registry. This can come handy in case it corrupts. You can download it at EruNT site.
• Eraser. When you delete a file it doesn’t really disappear from the disk, it’s only is marked as deleted, but it can be recovered with some tools. To make sure the file is really unrecoverable you can use Eraser, which overwrites the file several times with random data. You can download it at Eraser site.

These are some of the basic tools which will help you to protect your computer and stay secure online. If you have any suggestion or any other tool you think I should add, don’t doubt to comment in this post.

If you liked this post, please vote for it pressing Digg this post. Thanks.

Once booted, it recognises your Windows partitions and allows downloading F-Prot, a free virus scanner, which checks your hard drive for virus. If you find any, you need to delete the files containing them.

It is also a good idea to download updates for Windows at this time, as it is safer to browse the web from the Knoppix CD.

You can download the Knoppix CD from the official site. It’s a good idea to have it at hand, just in case you need it urgently.

From | O’Reilly