[LINK] Security checklist for the home user
rchirgwin at ozemail.com.au
Sat Mar 19 09:01:09 EST 2005
I'll try and be helpful with Firewall rules.

1) Look for an "allow by exception" firewall. Most of the consumer
firewalls are excessively intrusive, but if you can say "here's what can
use the internet, block everything else and shut up" then you won't get
"what does this mean?" support calls.

2) Nothing at all is allowed "server" access to the Internet. I have
this as a universal block.

3) The e-mail client may only access the trusted zone. Add the IP
address of the ISP's e-mail server to the trusted zone.

4) Only allow client access to the Internet for things which really,
really, really need it. Firefox, yes. But why should MS Word hop off
onto Port 80? This is sometimes inconvenient - you have to download
documents before you open them - but even my 9-y-o has learned how to
get the right stuff and open it separately without pain.

[If you get a firewall that lets you spec things port-by-port, so much
the better. Then you can associate things like 25, 110, 80, 443 etc. with
specific applications.]

...Please tell me they don't want media players as well, they're a
serious pain in the behind. They assume unfettered access to all ports
in and out, they're quite badly-behaved in the presence of security.
VoIP clients are similar, they're quite hostile to security.

BHODemon (www.definitivesolutions.com/bhodemon.htm) is worth having, but
will need some teaching-up because it does pop up a dialogue on every
registry change (this is A Good Thing but can be irritating to support!).

Remove the Internet Explorer icon from the desktop so nobody starts it
by mistake (ditto Outlook or Outlook Express).

Use a NAT-capable ADSL modem. It's only weak protection, but
port-knockers are usually scripts which move on to the next address
rather than bothering with NAT.

There is the usual/mandatory disclaimer: this will not create a
perfectly secure Windows machine. No such thing, fly the flag, recite
the chants and all that. But with that, a quality e-mail virus scanner
and very strong words about e-mail behaviour, you'll at least have
made a start.
RC
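As an added example that is not part of the original post, here is the same "allow by exception" policy (points 1 to 4 and the port-by-port note above) expressed for the built-in Windows Firewall using the NetSecurity PowerShell cmdlets. The program paths and the ISP mail server address are assumed placeholders; substitute your own. The post discusses third-party consumer firewalls of its time, so this is a modern equivalent, not the author's setup.

```powershell
# Added example, not from the original post: an "allow by exception"
# Windows Firewall policy. Run from an elevated PowerShell prompt.
# Assumed/placeholder values: the program paths and the mail server address
# (192.0.2.25 is from the documentation range, replace it with the ISP's server).
$MailServer = '192.0.2.25'
$Firefox    = 'C:\Program Files\Mozilla Firefox\firefox.exe'
$MailClient = 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'

# Point 2: nothing gets "server" (inbound) access. Point 1: block every
# outbound connection that is not explicitly allowed, and stop the
# "what does this mean?" listen notifications.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -NotifyOnListen False

# Remove rules from an earlier run of this script so it can be re-applied.
Get-NetFirewallRule -DisplayName 'HomePolicy:*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Point 4 plus the port-by-port note: the browser, and only the browser,
# may use 80 and 443. MS Word gets no rule, so it is blocked by default.
New-NetFirewallRule -DisplayName 'HomePolicy: Firefox web' -Direction Outbound `
    -Program $Firefox -Protocol TCP -RemotePort 80,443 -Action Allow

# Point 3: the mail client may only reach the ISP's mail server, and only
# on the mail ports the post lists (25 and 110).
New-NetFirewallRule -DisplayName 'HomePolicy: Mail client' -Direction Outbound `
    -Program $MailClient -Protocol TCP -RemotePort 25,110 `
    -RemoteAddress $MailServer -Action Allow

# Not in the post, but needed: with outbound default-deny nothing resolves
# names unless DNS is allowed explicitly.
New-NetFirewallRule -DisplayName 'HomePolicy: DNS' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Action Allow

# Verify which programs ended up with exceptions.
Get-NetFirewallRule -DisplayName 'HomePolicy:*' |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```

Two caveats a practitioner will want: the outbound default-deny also blocks Windows services (updates, time sync) until they are given their own rules, and any application not listed simply fails to connect without a prompt, which is exactly the "block everything else and shut up" behaviour the post asks for, so keep the rule list somewhere the household can find it.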