Securing Windows

Most of these items are described as Windows 2000 specific but are applicable to all Windows systems, including XP. We recommend that all users observe these guidelines.

Disable File and Print Sharing:

File and Print Sharing allows other computers on the network to access shared resources on your computer. When this is disabled, other machines on the network will not see your computer in their browse list. Running this service is one of the major security holes in Windows. If you do not need it on, please turn it off. If you do need it on, please consider a hardware or software firewall to protect your machine.

To disable File and Print Sharing, navigate to

Start → Settings → Control Panel → Network and Dial-up Connections → Local Area Connections → Properties
Uncheck the box for File and Print Sharing.

Disable Web-related Services:

A majority of Windows 2000 security issues come from web-related services. The Code Red worm propagated itself via Windows computers with IIS running. IIS should be shut off unless you plan on hosting web services from your machine. During installation of a Windows 2000 machine these services are installed and turned on by default.

Use the Task Manager to see if your machine has these services running

<CTRL-ALT-DEL> → Task Manager → Processes

If you see the Inetinfo.exe process running, then these services are enabled.

Disable these services by navigating to

Start → Settings → Control Panel → Administrative Tools → Services

Stop the IIS Admin and World Wide Web Publishing service and change the Startup type to Disabled or Manual.

To remove the services completely, if you do not plan to host any web services, navigate to

Start → Settings → Control Panel → Add/Remove Programs → Windows Components → Internet Information Services (IIS)

and remove the service.

Windows updates and patches:

Keep your Microsoft software up-to-date with current patches, upgrades and services packs from Microsoft Windows Update. Installing Windows Critical Update Notification is recommended. We strongly recommend that you set your machine up to receive automatic updates.

You can search on other product updates at Microsoft Downloads

Secure your System Configuration:

Microsoft offers a web application to check for vulnerabilities in your Windows 2000 configuration. The Microsoft Personal Security Advisor will identify weaknesses, explain them and recommend fixes.

Anti-Virus Software:

Symantec, a maker of anti-virus software, provides a searchable virus encyclopedia, which provides information about current as well as past viruses. You are strongly encouraged to install and run a virus scanner on your machine. Duke OIT site-licensed software provides McAfee Virus Scan free to Duke students, staff and faculty. Symantec also provides an anti-virus product, Norton Antivirus, for purchase.

Hardware Firewalls:

If your computer uses a broadband connection to the internet, such as ADSL or a Cable modem, you should consider a hardware firewall. Many routers with network address translation (NAT) are available for around $200.00 and small office, home office (SOHO) devices are driving these price down even further.

These devices often include packet filters, proxy servers and application and protocol-specifiable gateways. Check out the firewall guide - www.firewallguide.com.

If you have any questions about these devices please contact the labstaff.

Firewall Software:

There are several firewall applications, all of basically equal value. These typically cost below $60.00.

Questions about features and advantages/disadvantages can be directed to the Lab staff.

XP Internet Connection Firewall:

XP Professional ships with a built-in firewall. It is a one-click firewall; enabling it with the default settings provides the maximum security.

Enable or configure the firewall by navigating to

(Properties of) My Network Places → (Properties of) Local Area Connection → Advanced

Vulnerability Scanning Services

There are several sites that will scan and let you know what vulnerabilities exist on your machine. An excellent example is Steve Gibson's Shield's Up scanner. It is very informative to know what the hackers will see when they look at your machine. After you have completed all of the above suggestions, we suggest that you use a testing site to make sure that you did not miss anything.

Please see the CS Lab's Online Documentation page for additional information.