Data Security on Windows Machines? 118
mcskoufis asks: "I am running my own company from home, offering various Internet related services to customers. I have rented a server which runs Linux and there are no current security or performance problems. However, because I cannot afford to have a business site with several geeks investigating into network security, I have some sensitive data on my Windows box at home which need to be safe from malicious marketers/kiddies having fun/etc.
More and more marketing companies are working on very dirty tricks to gather email addresses and also turn windows (mainly) machines into mass mailing servers without the owners' knowledge.
With the latest worm attacks and also the sophistication of them, I feel even more and more vulnerable each day. Bearing in mind the fact that it is impossible to switch to Linux at home for a number of reasons and also that because of the business I need to be online 24/7/365, what does the Slashdot community suggest as the best way to have a secure environment for my data while using Windows? Anti-virus software has proven to be not enough and firewalls create problems while performing daily business tasks on the server from home."
A few ideas (Score:5, Informative)
Besides that, good virus software (we've got McAfee at work and are happy with it), using the firewall capabilities of XP (if you have it), and not using Outlook (if you can) would be good ideas. If you're really paranoid, and know how to configure it well, a Cisco PIX box may add a little more security too.
About your issues with firewalls disrupting daily activities on your server, you should look into VPNs. PPTP is very simple to set up, but has problems with man-in-the-middle attacks. IPSec can be a pain to get working with windows, but it is possible. SSL tunnels probably would be the best way to go, and they're not too hard to set up.
Re:A few ideas (Score:2)
Re:A few ideas (Score:2)
Bit of a pointless exercise as most attacks either generate their own admin account or attack the original Administrator account via its SID (which is the same on all NT-class systems).
Create a user account, add yourself to the powerusers group, and delegate that group common management responsibilities.
Take a look at the Local Security Policy and you'll see that, in terms of fending off attacks of this type, being in the Power User group
Re:This is constantly misunderstood (Score:2)
It's not just about the filesystems, nor firewalls for that matter. The security mechanisms in the NT derivatives are considerably more sophisticated than those in traditional UNIX systems. There are some interesting mechanisms for Linux under development (Flask, etc.) but I doubt that many people are getting any benefit from them right now.
Re:This is constantly misunderstood (Score:1)
I'd really like to know what those security mechanisms are. Far as I knew, the only major difference between NT and *nix, security wise, is it's much more trivial to manage giving rights of files to groups of people than it is in *nix (in general, since not all *nixes have more than the 3 octal permission setup) and you can have more combinations.
Extended ACLs in ext3 might eventually
Re:This is constantly misunderstood (Score:2)
That is one aim of "Trusted Systems".
Re:This is constantly misunderstood (Score:1)
Re:This is constantly misunderstood (Score:2)
The management of MAC is just awful on Linux. It could be awful on WinServ2K3 - who knows? It is almost undocumented at this point.
The big fun is the distributed/directory-enabled use of MAC. I don't want to think of the difficulty involved to do this on Linux MAC with Ext3 attributes/OpenLDAP/Kerb5/OpenSSL/Kame-derived IPSec, etc... It is not practical until a distro
Re:This is constantly misunderstood (Score:1)
I would guess that if anything, both could have very similar sane results given their unde
Re:This is constantly misunderstood (Score:1)
This is why Windows never has any worms and Solaris and FreeBSD have them all the time. Is this Mr Gates or Mr Ballmer writing this, or somebody whose only computer training is an MCSE?
Re:This is constantly misunderstood (Score:3, Informative)
The NT derivatives' mechanisms are more sophisticated. The current implementations of those mechanisms have obviously had bugs and are very often misconfigured (yeah, having a buggy portmapper exposed to the world really would be a good idea) or used badly (IIS not taking advantage of process-level protection for performance reasons). As you point out this has caused huge problems and badly damaged Windows' reputation (quite deservedly). However, it looks to me like Windows' security could be fixed
Re:This is constantly misunderstood (Score:2)
Re:This is constantly misunderstood (Score:2)
I'd like that to happen, because SELinux is leaps and bounds ahead of the competition (meaning Windows and Macintosh, not grsecurity and friends), but I really don't know whether such a sophisticated access control system will fly in mainstream IT. The re-education campaign for developers and administrators would take a long time too, in part because the UNIX world is unaccustomed to the radical changes that Microsoft foists upon the world on a regular basis (backed with $$$).
Re:This is constantly misunderstood (Score:2)
If you want MACs, use SELinux. It rocks! If for some reason you want ACLs in your filesystem anyway, you have several FS options.
As to the original poster's question: switch anyway, and run your MS Windows apps under VM
Re:This is constantly misunderstood (Score:2)
Where is NT's jail?
That's a fair point. I doubt that there could ever be anything like jail under NT because the Win32 API is so much more complex than the UNIX API (pick one, any one!). With the current virtualization trend, some folk will probably use virtualization to get an effect that's similar to jail. Virtualization is bound to be less efficient, but might be good enough for many applications.
Re:This is constantly misunderstood (Score:1)
The NT object manager is sort of like the virtual filesystem in Linux. Every device is named under the \Device object directory. For example, win32 has a symbolic link from "C:" t
WindowsUpdate (Score:4, Informative)
Re:WindowsUpdate (Score:4, Informative)
Rock, Hard Place (Score:2)
firewalls create problems while performing daily business tasks
AFAIK, there's no way around sacrificing convenience for security (or the other way).
If you really need some of those "convenient" business network traffic, you can try to setup a VPN so your Windows box remains behind a secure firewall.
Firewall Woes (Score:2)
Depending on your level of knowledge and the type of traffic you're sending to-from work, any linux based solution should be able to facilitate your needs. Mind you, more complex problems may require more complex solutions.
Get a "Work" workstation (Score:5, Informative)
I'd also suggest buying a smart card reader and storing all of your private keys on the card.
Re:Get a "Work" workstation (Score:1)
Re:Get a "Work" workstation (Score:2)
Buy a cheap computer that is strictly for pr0n and work. Don't let your wife and kids on it. (Well, if your wife digs it, what y'all do is your own business.)
The only secure machine is the machine not on a network. Assuming sufficient pr0n on the machine, you won't have to connect it to a network!
Firewire (Score:2, Informative)
I've done this for years. (Score:5, Informative)
Set your user machines to both TCP/IP and NetBEUI or IPX, depending on which the server is set for.
Set your firewall to only allow mail, http, https and whatever else might be essential.
No guarantees, but like I said, it's worked for me for years.
Re:I've done this for years. (Score:1)
Re:I've done this for years. (Score:2)
Re:I've done this for years. (Score:2)
Yes, and it REBOOTS automatically too. Which is more or less acceptable for a server in the basement that no one uses, but not so good for a server with a bunch of users and a dodgy hardware problem that requires cold reboots (the Adaptec SCSI card didn't re-init properly for some reason when reset, it had to be powered off and it took me ages to figure out what the hell was causing the box t
Re:I've done this for years. (Score:2)
Re:I've done this for years. (Score:2)
The Helpfile says:
Of course, you're not normally logged in to a server box. At night.
Re:I've done this for years. (Score:2)
Not to mention that it shouldn't be too hard to figure out what's rebooting the server sin
Re:I've done this for years. (Score:2)
But it doesn't APPLY the patches. OK, we'll try this again: It's a server. It's not continually manned. Actually, it wouldn't even have a monitor attached to it unless I had to figure out WTF was happening to it. There's no option for mailing me when there's an update that needs installing/rebooting.
Let's say I set it to download, but not update. It downloads security patches. Now, the server sits there, displaying a little icon
Re:I've done this for years. (Score:2)
Re:I've done this for years. (Score:2)
Re:I've done this for years. (Score:2)
As I see it, if it works, it works. I'll tell you this one thing, my Commodore 64 hasn't been hacked in decades!
Re:I've done this for years. (Score:2)
Even so, any virus/worm that gets into the workstation that looks for content on network drives is still going to find his data...
Re:I've done this for years. (Score:1)
All the solutions you state, have been in place. The only thing I didn't know was the TCP/IP setting. Will try it out.
My question relates to the fact that even with tight security precautions (unprivileged user, norton antivirus, inactive non essential services and so on) the blaster worm got through to my system. Thankfully it was just meant to hit the windows website off. But how long before something even more disastrous hits the net?
Have also used ZoneAlarm firewall, but could not connect to sev
Rebuttal to your points: (Score:2)
Secondly, I use ZoneAlarm and manage 8 servers on the net remotely. ZoneAlarm doesn't block based on ports, it's a program policy based firewall that blocks access to processes that are not trusted (they are not trusted until you click "allow this program to access the internet").
Go to "Program Co
Re:I've done this for years. (Score:2)
The patch was out before the worms hit, so you probably didn't run Windows Update often enough. DCOM is not listed in services (it's bound to RPC, but that one can't be disabled). If y
On the network == wide open (Score:2)
Viruses aren't the issue: the Microsoft software that came with your machine has all the vulnerabilities the hackers need.
Of course, you haven't told us what's so valuable about your data. Will your business immediately fold if it leaks out? Are you worried about having your customer list stolen? Do you have customer credit card numbers on you
Drop the tired rhetoric. (Score:2)
Software has holes, period. There was a time not so long ago that people would laugh if the words "Unix" and "Security" were used in the same sentence. At this point, there is little difference between Windows, Linux and Commercial Unix.
Encryption (Score:2, Interesting)
Re:Encryption (Score:2)
Works quite well, too -- it's tied to your logon account and is secured so that anyone who doesn't have your logon account gets an access denied error when they try to open the file. If you have services that need to access that file, you can secure it under the service account and the service will be able to access it transparently. Doesn't wo
Re:Encryption (Score:1)
Pull the cord. (Score:5, Insightful)
Then get some good locks and a security system. Nothing trumps physical security.
-molo
Re:Pull the cord. (Score:1)
ok seriously now, i think you should try to look at some system balancing e.g. if some of your services really need windows then a windows machine could do it but for the security of data keep the data on a shared network drive (on linux or bsd box). so if the windows machine goes down with a big whistle (beli
Re:Pull the cord. (Score:1)
Why a shared network drive on a Linux or BSD box? Does he really need two different operating systems to keep up-to-date? Security comes from knowing your system inside and out. The security of any given box has much more to do with the knowledge and diligence of the administrator than with his/her choice of operating system. All tha
What I use.. (Score:5, Informative)
The only two windows machines on my network are actually my kids games machines (Windows, because there's very little good educational software for Linux yet!)
I've replaced Outlook and Internet Explorer with FireFox and ThunderBird. I've also got open-office installed. Original files, drivers, and games CD's are all on the Samba server. Anything they type up or scan in gets saved on the Samba server. If anything weird happens to the Windows boxes, I simply nuke-and-pave.
I haven't had any problems with Viruses or anything yet, but the kids don't tend to download stuff or share their email addresses too widely.
Re:What I use.. (Score:1)
Not foolproof, but low-maintenance and works (Score:5, Informative)
1. Up-to-date anti-virus and zonealarm firewall on the laptop;
2. Mozilla and Thunderbird for web browsing and email;
3. A Mitel SME (formerly e-smith) Linux box between the laptop and the internet -- the firewall is very unobtrusive, but effective -- and the distro itself is low-maintenance;
4. No wireless;
5. Important but not commonly updated information backed up on CD-R and removed from the machine (you can't get information off the machine if it isn't there).
"impossible"?! (Score:1)
Switch now before it's too late
http://www.newsforge.com/business/03/08/13/1258
why not firewall it? (Score:1)
Of course a firewall like that will not protect you from your own stupidity (if that is a factor, ie opening emailed viruses etc) or certain windows flaws, but as far as a firewall can go in security enhancement, you can't go wrong with a properly set up PF wall.
Change the problem there's a solution (Score:2)
As far as anti-virus: keep your machines patched and don't open spam. In concert with a firewall, you should be fine.
Removable Hard Drive... (Score:1)
Please Re-examine (Score:4, Informative)
So you need Windows. Which is ok -- put Linux on another box, and secure it. I just bought a Compaq with 128MB of memory, 20GB or so hard drive, 400MHz processor for 100$ CDN (80$ US or so). Used.
Something like that would make a good firewall for you.
Alternately, home routers also have reasonable firewalling. My SMC Barricade (gasp, yes, I know that a REAL geek wouldn't use one) offers the ability to drop in-bound traffic, and only allow certain ports through. This can provide you 80% of what you need (it does for me). Staying on top of patches can bring you the rest of the way. Just don't enable the "DMZ" feature!
As you mentioned, you have external hosting -- which means that you don't have to allow incoming HTTP, or SMTP. If you don't need to administer externally (and since you use Windows, you *probably* don't), you don't need port 22. So, close off ALL inbound connections. Just leaves you with FTP as an issue -- some router boxes will accommodate, or you can learn to love the PASV command (and, AFAIK, MS browser FTP does that automagically).
If you AREN'T using a small home router, GET ONE. They are even cheaper (I have seen brand new units selling here for $20 CDN, approx. $15 US).
Don't forget a good backup plan, just in case you get rooted (or other disaster strikes).
Still, buying a cheap box or two is reasonable. One for a "real" firewall, and another for SAMBA, and other internal services (DNS).
Ratboy
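Added example, not part of the comment above: a small Python model of the "close off ALL inbound connections" policy it describes, showing why active-mode FTP breaks behind such a router while PASV keeps working, and what the "DMZ" feature does to the same policy. The addresses and port numbers are constructed for illustration, and NAT address rewriting is left out to keep the model small.

```python
from dataclasses import dataclass

# Constructed sample addresses (private and documentation ranges).
CLIENT = "192.168.1.10"      # the Windows box behind the home router
FTP_SERVER = "198.51.100.7"  # the externally hosted server
SCANNER = "203.0.113.99"     # an unrelated host on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HomeRouter:
    """Allow everything outbound, drop inbound unless it answers an
    existing outbound flow. A DMZ host receives all unsolicited inbound."""

    def __init__(self, inside, dmz_host=None):
        self.inside = set(inside)
        self.dmz_host = dmz_host
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def handle(self, pkt):
        if pkt.src in self.inside:
            # Outbound traffic is trusted and creates state.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "pass"  # reply to a connection the inside host opened
        if pkt.dst == self.dmz_host:
            return "pass"  # "DMZ": the default-deny rule no longer applies
        return "drop"


def ftp_active(router):
    """Active mode: the server opens the data connection back to the client."""
    control = router.handle(Packet(CLIENT, 50000, FTP_SERVER, 21))
    # Client sent PORT announcing it listens on 50001; server connects from port 20.
    data = router.handle(Packet(FTP_SERVER, 20, CLIENT, 50001))
    return control, data


def ftp_passive(router):
    """Passive mode (PASV): the client opens both connections outbound."""
    control = router.handle(Packet(CLIENT, 50000, FTP_SERVER, 21))
    # Server answered PASV with data port 40000; client connects out to it.
    data_out = router.handle(Packet(CLIENT, 50002, FTP_SERVER, 40000))
    data_back = router.handle(Packet(FTP_SERVER, 40000, CLIENT, 50002))
    return control, data_out, data_back


def unsolicited_probe(router, port=135):
    """An Internet host connects to a listening Windows service
    (default: TCP 135, the RPC endpoint mapper)."""
    return router.handle(Packet(SCANNER, 40123, CLIENT, port))


if __name__ == "__main__":
    print("active FTP  :", ftp_active(HomeRouter([CLIENT])))
    print("passive FTP :", ftp_passive(HomeRouter([CLIENT])))
    print("probe       :", unsolicited_probe(HomeRouter([CLIENT])))
    print("probe, DMZ  :", unsolicited_probe(HomeRouter([CLIENT], dmz_host=CLIENT)))
```

With the DMZ host set, the probe that was dropped now reaches the workstation, which is the reason for the warning against enabling that feature.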
My own experience (Score:1)
Personally, I have an old P3-500 box running Mandrake 9.2 (only 'cos that's the distro I'm familiar with) that's hooked up to my ADSL connection.
Firewall services are provided by Shorewall, and I use a combination of fetchmail, qmail, qmail-scanner, spamassassin, clamav, maildrop and courier-imap to clean my incoming mail.
On my Windows XP boxes, I use Norton AntiVirus 2004, and Spybot - Search and Destroy.
All in all, I find this reaches a decent balance between functionality and security, and I've never
Firewall + data encryption, etc (Score:2)
1. Add a firewall if you don't have one. IPCop on an old Pentium will work (and be less hassle hardware-wise than the 386 or 486 it could also run on), which you can probably get for free by asking around.
2. Encrypt the data on your hard-drive. DriveCrypt [securstar.com] looks pretty good for that and can encrypt the entire drive as well as specific directories.
3. PGP/GPG-sign your email. Thunderbird [mozilla.org] does this with a simple plugin (takes about 15 minutes to set up). The commercial PGP works with Outlook
Re:Firewall + data encryption, etc (Score:1)
> 4. Get rid of Outlook and Outlook Express. These two email programs are major security holes. There is little that Thunderbird can't do for email, and for scheduling use something like the old Lotus Approach or Microsoft Schedule+.
Mozilla has a nice Calendar extension you can use for scheduling: http://www.mozilla.org/projects/calendar/ [mozilla.org]
Brian
It's really not that tough... (Score:2)
-use a non-administrator account on the PC for regular work
-maintain Windows updates
-use strong passwords
-turn off all unnecessary services
-configure only required networking
-don't leave access "holes" like telnet, FTP, VNC, Remote Desktop, etc.
-don't use dynamic IP services
-don't put the PC in a DMZ
-don't use the work PC for ANYTHING other than work-related stuff
-maintain firewalls as needed either through a router, ZoneAlarm, or both
Continually be vigilant and aware of things-
If your business needs it, pay for it (Score:2)
Expert (Score:1)
- Good router/firewall at gateway (all ports closed by default, then open what you need and no more)
- Clean WindowsXP install, all updated drivers/patches, ALL unnecessary services turned off, ALL unnecessary startup software turned off, and any unused windows components uninstalled (a good win
How about... (Score:2)
When was the last time an OS/2 WARP Server was rooted? When was the last time OS/2 had a virus?
Then again, when was the last time OS/2 WARP Server was available for purchase?
Damn. If only I still had a copy...
Re:How about... (Score:2)
karma be damned...i can't resist (Score:2)
You seem to have a cheap/free/software-only firewall. Try this Router/Firewall/VPN/File and ftp server [usr.com]. It's basically a linux-based router with an Intel IXP422 processor. Disclosure: I work there [usr.com], but aside from that, it's a pretty sick little toy.
Unlike most cheap/software-only firewalls, you can configure the firewall on many levels (initial/final/input/output/WAN
Physical Security! (Score:4, Insightful)
What I ended up doing was simply keeping the sensitive documents etc. on a zip disk that I kept ejected except when I was modifying a list or looking up something. The rest of the time it was ejected. Granted, you would probably want some encryption on it as well, to further protect yourself but really physically separating your data from your computer should be paramount.
I would like to echo getting decent anti-virus, running windows update, using some sort of firewall, run with less privileged accounts, etc.... all good practices as well.
Re:Physical Security! (Score:2)
The other thing that I would look at closely is which version of W
Poor man's firewall. (Score:4, Insightful)
My first advice is to sacrifice an old PC to a real standalone OpenBSD or Linux firewall.
If that's not possible, go to CompUSA and plunk down $50 for an internet connection-sharing NAT box. (LinkSys, NetGear, etc. usually call them modem-sharing/gateway/routers [*SHUDDER*]) If you aren't willing to invest in building and maintaining a real rule-based standalone firewall on a PC using Linux or OpenBSD, this is probably the next best thing and you can't beat the price. IT IS NOT TOTAL SECURITY - you still have to deal with internal threats (ActiveX, spyware, viruses, etc.) be aware that the models that are based on Linux kernels may actually be hackable to serve a terminal prompt (though I don't think it's been done) but the NAT/masquerading it provides will block incoming connections and hide your internals, and for most home/so users with Cable/DSL/Wireless connections, a NAT box plus Spybot S&D and Avast AntiVirus should be sufficient.
If that's too risky, do what GNU does - keep the real (sensitive) data offline on an unnetworked box.
A few suggestions (Score:1)
I'm going to assume that the Windows system at home is some kind of workstation, in addition to being a data repository of some kind, and that based on your comments, you need secure, remote access to this system. I'm also assuming that you want to maintain the confidentiality, integrity, and availability of your data.
Some of my suggestions are processes. Some of them are specific technologies or products. In order of increasing complexity (and ridiculousness), do the following:
Take Your Windows Machine Off-Line (Score:2)
1. Run your Linux server as you do, it seems to work.
2. Take your MS Windows offline. No network connection at all.
Do whatever you want on that computer. If it is incommunicado you are safe from long distance interlopers.
Ah, but now you are going to say you do need to get some data across between the two. Okay:
3. Get another computer, put Linux on it, set it next to your Windows box. Keep it secure*.
Freeware windows security 101 (Score:5, Informative)
Not a well-configured software one. It's not as safe as a hardware firewall, but it is a heck of a lot safer than running around with your pants down, not knowing when your machine is connecting and what it is sending. It makes it difficult to connect *to* the machine, but your home winbox shouldn't be a remote server anyway.
Grab ZoneAlarm [zonelabs.com] NOW, and put up with a few extra dialog boxes until it is trained.
Furthermore, good Antivirus software will detect many trojans. Get AVG [grisoft.com] if you have already abandoned your AV of choice.
This must sound like free windows security 101 by now, but get AdAware [lavasoftusa.com] and / or Spybot [safer-networking.org], and schedule a regular download / check for once every week.
For encrypting sensitive or old data, you can either use windows built-in encryption (which uses your user password, enable this now if your machine is fast enough) and / or pick up a (non-free) copy of Dekart Private Disk [dekart.com], AKA The Bat! Private Disk [ritlabs.com], a simple encrypted virtual disk creator. Anything you really don't want people to see should go here... Just remember to shut it down when you're done.
Furthermore, don't use I.E. and don't use Outlook. What many people refer to as "computer" viruses or "windows" exploits are really just I.E. exploits or Outlook viruses. Firebird, I mean, Thun... Firefox [mozilla.org] is a powerful little internet surfer, which while not as flexible as my beloved Opera [opera.com] (ducks), does render pages faster, is more beginner friendly, and is free. Thunderbird [mozilla.org] is a good mail replacement, though pegasus mail [pmail.com], Opera's built in e-mail client, and the non-free The Bat! [ritlabs.com] are all good choices. If you want the most security possible, try Secure Bat [ritlabs.com]. At 140 dollars per copy, it isn't cheap, but it does encrypt all of your personal files and utilizes hardware token authentication to ensure that you really are who you say you are.
Finally, don't forget to regularly back up your disks to something not normally connected to the computer. For simplicity's sake, I'd attach an external USB drive and run Polder Backup [xs4all.nl] once a week, removing the drive when done. For a more automated approach, get a PC controllable X10 [smarthome.com] unit, and have it turn on and off the external USB drive, so that backups can be completely automatic.
Re:Freeware windows security 101 (Score:2)
"Firebird, I mean, Thun... Firefox"
What you really wanted to say here was:
"Phoenix, I mean, Firebir... Firefox"
Thunderbird is the email app and still called Thunderbird AFAIK.
Re:Freeware windows security 101 (Score:2)
i feel bad for.... (Score:2, Funny)
Re:i feel bad for.... (Score:1)
No problem! Ask Slashdot is always glad to help. Repeat after me...
You just need to take it from here! Your first task is to modify this to become a *nix clone by inserting choice SCO source code...(*rimshot*)
Lighten up, it's a joke.
If data must stay on the machine (Score:2)
Encryption might be helpful against a physical break-in or computer theft. It might also aid against _some_ successful hacking, provided that you do not keep an encrypted volume mounted (thus accessible) when not necessary. This won't help if you've been rooted and keylogged, though.
so you want to skip firewall totally? (Score:2)
on a more serious note, have the computer behind firewall(or 2, one firewall off the computer). maybe even have the computer behind nat if that's not too much of an extra effort(this all just to make it harder, that windows might have open services by mistake).
don't use outlook, don't use ie. sure you can have proxies for both that would scan for malicious stuff and not let it go through but really would you trust that?
update frequently(maybe with windowsupdate even). however, if
What I do with the windows systems here. (Score:2)
2. Dedicate purpose, do not use one machine to fill multiple roles, instead use different systems for different tasks and run firewalls on each that are configured for just what traffic needs to go in and o
Re:What I do with the windows systems here. (Score:2)
No one forces you to use the DMZ. If that is not what you meant, I'd sure like to know because this didn't make much sense to me.
15. Bios password the systems, prevent floppy booting, etc, change these pas
Re:What I do with the windows systems here. (Score:2)
You are aware that most of the hardware firewalls permit ALL outbound traffic by default and allow all traffic in that is initiated from inside the firewall?
"Useless, if they can get to the BIOS it usually means that they have physical access. This means that they can just pull a quick jumper, or use something like CMOSRAM.EXE to wipe all the existing settings (and password)."
Re:What I do with the windows systems here. (Score:2)
I gotcha, now I understand what you meant by a trusted interface. I thought you meant setting a DMZ to a machine inside the trusted zone or something, I just misunderstood.
Thanks for the clearing up
It's a trade off (Score:2)
The most drastic solution is to take the computer off the internet. The fact is that if it is on the internet, it could potentially be cracked.
The next possible solution is to change away from windows. Since you don't want Linux you may want to consider a Mac with OSX or a second hand SGI with IRIX. But to be honest, if you don't know what you are doing then
Run firewall software... (Score:2)
Uhmmm... Oops. [computerworld.com]
Reasonable security is possible. (Score:1)
access to the system. (If you have to protect against your family or your
landlord, you're screwed.)
First, get rid of Outlook. No, I mean it, get rid of Outlook. (This includes
Outlook Express.) 100.0% of all known email-borne viruses and worms[1] have
exploited Outlook exclusively; get rid of Outlook, and you can stop worrying
about email-borne malware.
This leaves the issue of stuff that comes in over open ports, exploiting
various
Re: Reasonable security is possible. (Score:1)
> Linux box for this (IP Masquerade)
Incidentally, this doesn't have to be expensive, since it isn't doing a
whole lot other than sitting between your Windows system and the internet.
It needs whatever it needs to connect to the internet (a modem, if you're
on dialup), but you might be able to scavenge that off your Windows system
if the modem you have has hardware flow control. Assuming you don't need
this Linux box for anything else
Sygate Personal Firewall (Score:2)
Basically, it's really simple, it starts up on login, and how it works, is it'll prompt you when a program attempts to access the internet, and you say [yes/no (and remember choice)] and it will block or allow that program, really simple, fast UI, I NEVER got a virus in almost 3 years of windows.
Windows Update maybe once a month never hurts
Buy a second computer. (Score:1)
Some security measures you can take (Score:1)
same as any O/S (Score:2)
install appropriate AV software if needed,
backup,
keep sensitive data on more secure machines/areas.
Get a linux file server for home (Score:1)
If you have critical (read: confidential and/or mission critical) data, never, ever trust a single hard drive and windows. I learned this the HARD way.
Find some slow hardware (a PII will do the trick if you don't need a ton of crypto), slap
(Win xor Inet) == true (Score:1)
Windows online 24/7/365 ???? (Score:1)
How To (Score:1)
1) Format C:
2) Download OpenBSD, FreeBSD or some Linux distro of the month before performing step #1.
3) Install download from previous step.
4) Profit!!! you clod.