By taking a few simple steps, and bearing in mind a few words of caution, you can make your Windows desktop or laptop PC almost invulnerable to the kinds of attacks, whether by hackers or viruses, that we most typically see on the Stanford campus. My focus will be on Windows 2000 and XP.
Before You Begin
Some of my advice is specific to Stanford, and I make a few assumptions:
- Your Windows PC is not part of a "domain," but rather "stand-alone." If you do not have to click "OK" in response to a computer and network usage policy each time you log in, and have no dedicated local technical support, then your computer and your user account are probably not in a domain. For more information please see http://windows.stanford.edu.
- You have administrator rights on your stand-alone PC. Most PC users at Stanford log in as administrators, meaning they have almost total control of their computer, within the limits imposed by Windows itself.
- You have spoken to and have the permission of your local technical support staff (if you have dedicated local support) to make the changes to your system that I will describe.
- You understand that changing security settings, or installing and running security software, can impair functionality. You can always undo any changes you make.
Install Windows XP Service Pack 2
If possible, run Windows XP in preference to other versions of Windows, and install XP's Service Pack 2 (SP2). Windows "service packs" include significant enhancements in security and functionality, bug fixes and new features: XP SP2, among other things, represents a major step forward in terms of Windows security.
To install SP2 on an existing installation of Windows XP, use Internet Explorer to visit the Microsoft Windows Update web site, http://windowsupdate.microsoft.com/.
The upgrade to SP2 may require you to install other patches first, with subsequent restarts of the system.
SP2 includes a great many security enhancements, including changes to Internet Explorer (IE). If you use any Stanford business applications, such as Oracle/PeopleSoft or Kronos, you should run a small tool provided by ITSS that will appropriately configure IE: http://www.stanford.edu/dept/itss/ess/pc/xpsp2config.html. The tool may be run either before or after the upgrade to SP2, though the instructions on the download page suggest that you run it after.
It may require an hour or more, as well as a fair amount of free disk space, to install Service Pack 2, so be sure you have time to finish the job before you get started.
Upgrade to XP Professional
If you are running Windows XP Home Edition, or any version of Windows prior to XP, on the campus network, you should consider upgrading your operating system to XP Professional if your PC's hardware will support it. Windows XP Professional includes security and other features that make it more appropriate for use on a large network; XP Home, as the name implies, is designed for home use. Windows XP, in general, is a lot easier to secure than any earlier version of Windows.
Talk to your local technical support staff or submit a HelpSU request if you need advice. Licenses and installation media for Windows XP Professional are available for departmental purchase at a very low cost through Stanford's Campus-Wide Agreement with Microsoft.
ITSS' recommendations for the replacement of aging computer hardware may be found here:
http://www.stanford.edu/dept/itss/ess/adminapps/recommended.html
The Windows Security Top Ten
Unlike some top ten lists, the following items are roughly in descending order of importance, though steps 5, 9 and 10 are special because they address your own habits as a computer user. Most of the security-related software I discuss is available on the Essential Stanford Software (ESS) web site: http://ess.stanford.edu/.
More information, supplementing the material below, is available in the form of PowerPoint slides or a PDF file on ITSS' Tech Briefings web page:
http://www.stanford.edu/group/itss-customer/ip/techbriefings/#feb18
The slides will show you how to take many of the steps in my "Top Ten" list. There isn't space here to describe all the procedures in detail. When you visit the Tech Briefings web site, consider subscribing to the mailing list, which announces upcoming briefings.
- Patch Microsoft Windows automatically: ITSS recommends that you use both the Windows Automatic Updates service and BigFix to keep Windows patched. There will be no conflict between them, and depending on whether or not you have dedicated local technical support, Auto Updates may patch your PC sooner than BigFix. BigFix, on the other hand, is more reliable than Auto Updates, so if Auto Updates hasn't done the job properly, BigFix will handle the installation of critical security patches for you.
Information about BigFix is available at http://patching.stanford.edu. You can use the Stanford Security Self-Help tool both to configure Auto Updates and to install BigFix.
- Use strong passwords or pass phrases for all Windows user accounts on your PC: The Security Self-Help tool has a useful "Secure Password Test." For general information, please see "Passwords are Passé," an article I wrote on pass phrases, in the January 12 issue of Speaking of Computers.
- Use and properly maintain good anti-virus software, and optionally anti-spyware software: The default configuration of Symantec AntiVirus Corporate Edition 9.0.3, as provided on ESS, is quite good. You might want to consider configuring a "scheduled scan," however, since that isn't done for you. For instructions please see:
http://www.stanford.edu/dept/itss/ess/pc/docs/sav/index.html#auto_scan
Spy Sweeper, also available on ESS, can scan your system for, and provide ongoing protection against, spyware and adware. If Spy Sweeper appears to cause more problems than it solves, you can remove it by going to Start | Settings | Control Panel | Add or Remove Programs. But it is generally useful.
- Use a firewall, such as Windows XP's built-in software firewall: The Windows Firewall in XP SP2 is quite an improvement over the earlier XP Internet Connection Firewall, and provides good protection. It is also enabled by default. Users of Windows 2000 should either purchase a software firewall, or consider downloading the free version of ZoneAlarm from http://www.zonelabs.com/. Note that no technical support for this free software is available from Zone Labs or ITSS.
- Do not open suspicious email attachments or respond to suspicious requests: Even if an email message appears to be from a legitimate or trusted source, never open unexpected email attachments, and never respond to requests to "update your financial information" (or the like) simply because you received a dire email message informing you that you must do so "or else." If in doubt, call your financial institution or submit a HelpSU request. In a phrase, "Be wary."
- If you're not using it, disable the Windows File and Printer Sharing service: If you don't know what this service is, you're probably not using it. There are other, safer means to share files in any case. Please see http://filetransfer.stanford.edu/.
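The firewall and file-sharing items above can both be checked from a script rather than by clicking through Control Panel. The following PowerShell is an added example, not a tool from the article or from ITSS; it assumes Windows XP SP2 or later with PowerShell 2.0 or newer installed, and that it is run from an administrator account. It reads the Windows Firewall on/off switch for each profile from the registry, reports the state of the Server service (the service that File and Printer Sharing runs on), and, only when asked with -DisableSharing, stops and disables that service.

```powershell
# Added example (not part of the original article): audit the Windows Firewall
# and the File and Printer Sharing (Server) service on a stand-alone XP PC.
# Assumes PowerShell 2.0+ and an administrator account.

function Get-FirewallProfileState {
    # XP SP2 keeps each profile's on/off switch under this key; later Windows
    # versions keep the same layout for the Standard and Domain profiles.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $result = @{}
    foreach ($profileName in 'StandardProfile', 'DomainProfile') {
        $key = Join-Path $base $profileName
        $value = $null
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
            if ($item -ne $null) { $value = [int]$item.EnableFirewall }
        }
        # $null means the value could not be read; 1 = firewall on, 0 = off
        $result[$profileName] = $value
    }
    return $result
}

function Get-SharingServiceState {
    # LanmanServer ("Server") is the service behind File and Printer Sharing.
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return $null }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'"
    return New-Object PSObject -Property @{
        Status    = $svc.Status          # Running / Stopped
        StartMode = $wmi.StartMode       # Auto / Manual / Disabled
    }
}

function Invoke-FirewallAndSharingAudit {
    param([switch]$DisableSharing)
    $findings = @()

    $fw = Get-FirewallProfileState
    foreach ($profileName in $fw.Keys) {
        if ($fw[$profileName] -eq $null) {
            $findings += "Could not read the $profileName firewall setting; check Control Panel | Windows Firewall."
        } elseif ($fw[$profileName] -eq 0) {
            $findings += "Windows Firewall is OFF for the $profileName profile."
        }
    }

    $share = Get-SharingServiceState
    if ($share -eq $null) {
        $findings += 'Server service not found; File and Printer Sharing is not available.'
    } elseif ($share.Status -eq 'Running') {
        $findings += "Server service is running (start mode $($share.StartMode)); File and Printer Sharing may be exposed."
        if ($DisableSharing) {
            # Stop the service now and keep it from starting at the next boot.
            Stop-Service -Name LanmanServer -Force
            Set-Service -Name LanmanServer -StartupType Disabled
            $findings += 'Server service stopped and set to Disabled.'
        }
    }

    if ($findings.Count -eq 0) { $findings += 'Firewall on for all profiles; Server service not running.' }
    return $findings
}

# Report only; add -DisableSharing to turn File and Printer Sharing off.
Invoke-FirewallAndSharingAudit
```

Turning the Server service off removes the sharing service entirely, which is what the item recommends if you do not use it; if you only want to keep a single network card from sharing, the per-adapter "File and Printer Sharing for Microsoft Networks" checkbox in the connection's properties is the finer-grained switch, and this script does not touch it.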
- Disable any unneeded user accounts: There may be multiple unneeded user accounts on your computer, especially if you "inherited" your computer from someone else. The Stanford Security Self-Help tool's password checking feature will show you all the accounts on your PC, and can test whether or not they have reasonably good passwords.
- Do not use "automatic logon": If you're running Windows XP and don't have to enter a password when you start your PC, most likely your primary user account has a blank password. If you're running Windows 2000 and don't have to enter a password, then you probably have "automatic logon" enabled. This is dangerous, because Windows stores your password in "cleartext" (that is, in unencrypted form) when you use this feature, and anyone who gains access to your computer can steal your password easily. To disable auto-logon see the "Preventing the Password Prompt in a Non-Domain System" section here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;234562
These instructions actually tell you how to enable auto-logon. In your mind simply replace the phrase "click to clear the ... check box" with "click to check the ... check box." You can skip steps 3 and 4 if you wish.
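The account and auto-logon items above come down to a handful of things that can be inspected directly: which local accounts exist, whether each is enabled and requires a password, and whether the Winlogon registry key has auto-logon switched on with a stored password. The PowerShell below is an added example, not the Security Self-Help tool or anything from the article; it assumes Windows XP or later with PowerShell 2.0 or newer and an administrator account. It reports the findings, never prints a stored password, and only changes anything when given the -DisableAutoLogon switch or an explicit list of account names to disable.

```powershell
# Added example (not part of the original article): list local accounts and
# check the auto-logon setting. Assumes PowerShell 2.0+ and administrator rights.

function Get-LocalAccountReport {
    # LocalAccount=True restricts the list to accounts defined on this PC,
    # which is what matters on a stand-alone (non-domain) machine.
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Select-Object Name, Disabled, PasswordRequired, Lockout
}

function Get-AutoLogonState {
    # The manual auto-logon setup from the KB article uses these Winlogon values;
    # DefaultPassword, when present, is the cleartext password the article warns about.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        Enabled        = ($props.AutoAdminLogon -eq '1')
        UserName       = $props.DefaultUserName
        PasswordStored = ($props.PSObject.Properties['DefaultPassword'] -ne $null)
    }
}

function Disable-AutoLogon {
    # Turn the feature off and remove the stored password value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $key -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $key -Name DefaultPassword -ErrorAction SilentlyContinue
}

function Invoke-AccountAudit {
    param(
        [string[]]$AccountsToDisable = @(),   # names you have decided are unneeded
        [switch]$DisableAutoLogon
    )
    $findings = @()

    foreach ($acct in Get-LocalAccountReport) {
        if ($acct.Disabled) { continue }
        if (-not $acct.PasswordRequired) {
            $findings += "Account '$($acct.Name)' is enabled and does not require a password."
        } elseif ($acct.Name -eq 'Guest') {
            $findings += "The Guest account is enabled."
        } else {
            $findings += "Account '$($acct.Name)' is enabled; disable it if nobody uses it."
        }
    }

    $auto = Get-AutoLogonState
    if ($auto.Enabled) {
        $findings += "Automatic logon is ON for '$($auto.UserName)'."
        if ($auto.PasswordStored) { $findings += 'A cleartext DefaultPassword value is stored in the registry.' }
        if ($DisableAutoLogon) { Disable-AutoLogon; $findings += 'Automatic logon disabled and stored password removed.' }
    } elseif ($auto.PasswordStored) {
        # The switch is off but the value was left behind; still worth removing.
        $findings += 'Automatic logon is off, but a DefaultPassword value remains in the registry.'
        if ($DisableAutoLogon) { Disable-AutoLogon; $findings += 'Stored password removed.' }
    }

    foreach ($name in $AccountsToDisable) {
        # net.exe is present on every Windows version this article covers.
        & net.exe user $name /active:no | Out-Null
        $findings += "Account '$name' disabled."
    }

    return $findings
}

# Report only. Example remediation (constructed account name):
#   Invoke-AccountAudit -AccountsToDisable 'OldUser' -DisableAutoLogon
Invoke-AccountAudit
```

The registry value is what the KB article's manual procedure sets, so it is what this script checks; an auto-logon configured through the XP User Accounts dialog instead may keep the password in an LSA secret, which does not show up as a DefaultPassword value, so a clean result here is not proof that no password is stored. Review the account list before passing any names to -AccountsToDisable: disabling the account you log in with locks you out.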
- Lock your PC's screen when you step away, and shut down your computer when you'll be gone for more than 6 hours: Note that if your PC is backed up during the night, for example, or if you need to access it remotely, you obviously can't shut it down, though you can and should log out when you leave. To lock your computer screen (locking your screen will not log you out) if you're running Windows 2000, press Ctrl-Alt-Delete and then press Enter. (This will usually work for Windows XP as well.) Also see these more specific instructions for Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294317
- Where possible, consider using a web browser other than Internet Explorer, and treat "free" software with suspicion: The Firefox web browser is becoming increasingly popular because of the vast number of security problems in, and existing exploits that target, Internet Explorer. Firefox is available here:
http://www.mozilla.org/firefox/
There are cases, however, in which you must use Internet Explorer, as when you visit the Windows Update web site, or access most Stanford business applications. And Firefox, too, has its own security flaws. Your best protection overall is being careful about which web sites you visit.
And above all don't download "free" software simply because it is "cute," or appears to have useful features, or claims to provide faster connections, better performance or better security, unless you're quite sure of what you're doing. There is much excellent free software on the Internet (Firefox, for example); but a lot of it is best understood to be "spyware" or "adware," or worse: read the fine print.
For More Information
For more information about or assistance in making your Windows PC secure, please see ITSS' new self-help web site or send a HelpSU request to http://helpsu.stanford.edu/.