Protect Yourself - Restrict Your Privileges

One of the advantages of having your own computer is all the things that you can do with it. From surfing the web, and holding instant audio / video conferences with friends and family, to paying your bills and maintaining data used in your various hobbies, your computer lets you do marvelous things.

Unfortunately, what your computer can do, the bad guys can use, if you don't stop them. Would you want unknown persons having access to lists of your bank accounts? Would you want unknown persons having the ability to create files and folders on your system, without you knowing about them? How about if somebody were to encrypt the contents of your system, and provide the ability for YOU to use what's on YOUR computer, only after you pay them?

Back when the web was just getting started, a browser (like Internet Explorer) was used to display text documents that used hypertext to reference other documents. Then somebody added the ability to display pictures. Every web page needs at least a picture or two - look at the upper right portion of this window - do you see the MVP logo? That's a picture (and one that I'm pretty proud of too). Click on the logo, and you can see my picture too.

Unfortunately, with every ability given to your browser, comes the ability of the bad guys to use that ability against you.

Are you using Internet Explorer right now? Download one of the absolutely neatest utilities that you can get for Windows NT based (NT, 2000, 2003, XP) operating systems. Process Explorer will tell you 100 times as many details as the native Windows Task Manager will. Process Explorer is free, and does not require any installation process - just drop it into an available folder. Please don't drop it into the root of C:, or anywhere into the C:\Windows structure - create a folder for it, such as "C:\Utilities", or "C:\Program Files\Process Explorer".

Now Process Explorer, and other utilities like it, are provided to us by SysInternals and Mark Russinovich, the guy who caught Sony with their pants down. You can trust anything from SysInternals (my professional opinion anyway). And you can trust anything else that I tell you about - really. I don't recommend any products - free or otherwise - that I don't use myself. But please don't indiscriminately download software from the web.

So, did you just download Process Explorer? Did you do that using Internet Explorer? If so, you used a scripting program known as ActiveX. That window, like a small Windows Explorer, that popped up asking you where to put the file being downloaded is written in ActiveX. A lot of small programs (we call them applets generally) are written in ActiveX. Unfortunately, the mini-Explorer applet, like most ActiveX scripts, can be used by you locally, or through your browser.

What happens if you surf to Hackerz-R-Us, and download one of the games there? Do it using Internet Explorer, and you may find yourself Owned. An ActiveX script that has system level capabilities, and can be called from your browser, has enormous potential to do you harm.

Having said that, it would NOT be in your interest, even if you could, to delete the ActiveX libraries. Nor can you even remove ActiveX totally from Internet Explorer. Windows Update, which you absolutely better use regularly, depends upon ActiveX to update your system.

Short of something stupid, you can do several things.

Use The Browser As A Restricted User
Knowing that Internet Explorer would be essential to your using Windows, Microsoft built into it the ability for you to designate some websites (such as WindowsUpdate) as absolutely trustworthy, and others (such as Hackerz-R-Us) as absolutely untrustworthy. And you can disable ActiveX, and other dangerous browser features, for untrusted websites.

One of the best known security experts on the web, Eric Howes, explains how to do this, and provides a regularly updated database of known dangerous websites.

Don't Surf To Dangerous Websites
Right. Don't go there. Stay away from http://www.hackerzrus.org! Unfortunately, this may not be an effective strategy. A DNS hijack, whether local (using your Hosts file), or networked (using your DNS server), could redirect traffic for windowsupdate.microsoft.com to www.hackerzrus.org.
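The local variant of that hijack leaves a trace you can check for: a Hosts file line that pins a trusted name to an address that is not your own machine. The script below is an added example (not from the original post) that parses a Hosts file and reports such overrides; the list of trusted names and the sample file contents are assumptions constructed for the demonstration.

```python
import ipaddress
from pathlib import Path

# Names the post treats as trustworthy (assumed list, extend as needed).
TRUSTED_HOSTS = {"windowsupdate.microsoft.com", "update.microsoft.com",
                 "www.sysinternals.com"}

# Constructed sample Hosts file, not captured from any real machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# Sinkholed ad server: harmless, a loopback pin only blocks the name
127.0.0.1       ads.example.net
# Planted override: sends a trusted name to a TEST-NET address
198.51.100.23   windowsupdate.microsoft.com   # trailing comment
"""

def parse_hosts(text):
    """Map each hostname to the address the Hosts file pins it to.
    Comments and blank lines are skipped; the first entry for a name wins,
    matching the resolver's top-to-bottom search of the file."""
    pinned = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue          # not a valid address, skip the line
        for name in fields[1:]:
            pinned.setdefault(name.lower(), fields[0])
    return pinned

def find_hijacks(text, trusted=TRUSTED_HOSTS):
    """Return 'name -> address' for trusted names pinned to a non-loopback
    address. A loopback pin only blocks the site; anything else redirects it."""
    pinned = parse_hosts(text)
    return [f"{name} -> {pinned[name]}" for name in sorted(trusted)
            if name in pinned and not ipaddress.ip_address(pinned[name]).is_loopback]

if __name__ == "__main__":
    print("sample:", find_hijacks(SAMPLE_HOSTS))
    system_hosts = Path(r"C:\Windows\System32\drivers\etc\hosts")  # Windows default
    if system_hosts.exists():
        print("this machine:", find_hijacks(system_hosts.read_text(errors="replace")))
```

Run as an administrator on a Windows system it audits the real Hosts file after the constructed sample; an empty list means no trusted name is redirected there.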

Use The Computer As A Restricted User
How often do you install software? Most useful software requires you to close all open applications, and / or forces you to restart the system after installing. If you're like me, you install once / day, or once / week.

So why should you login to your computer as an administrator routinely? If you do all of your web surfing as a non-administrator, and you accidentally (yeah right) surf to http://www.hackerzrus.org, don't run any scripts there. View the pictures, and read the text, just don't run any of their programs.

But what if you surf to a malicious website, but one with a benevolent name? How about http://www.sys1nternals.com?

One of the best ways to protect yourself is to NOT use Internet Explorer, by policy, except when doing Windows Updates. When you're surfing the web, sign in as a user, and a user with non-administrative privilege.

Aaron Margosis, a Microsoft security expert, has a very dynamic blog discussing the pros and cons of running with limited privilege. And Derek Melber, of WindowsSecurity, has Using Dual Accounts for Administrators.
