Safety tips for home Windows computers

Backing up

What would you do if your hard drive became completely inoperative right now? Could you get your system running again? Could you get your documents and other data back? How about if your computer was destroyed in a fire, or stolen? What if a virus erases everything? (Even a virus that doesn't erase everything can be so difficult to remove, it's easier to restore your system from a recent backup — if you have one.) Backing up your data can be one of the most important steps you take.

The first thing you should do is make a startup disk (which will let you reinstall Windows onto a new hard drive, or even access the hard drive if Windows won't start). This is also called a “DOS boot disk”. In Win98, you click on Start | Settings | Control Panel, then double-click on Add/Remove Programs, and click on the Startup Disk tab. Follow the instructions there to make a floppy disk you can use to boot up with access to your CD-ROM drive. Then slide the little tab on the floppy disk (in the corner, on the back side) to expose a hole, thus write-protecting the disk (on a 1.44M floppy, there will then be a hole showing in two corners).

You should then check that the disk actually works and lets you access your CD-ROM drive. Put a CD in the CD-ROM drive, shut the system down, and boot up from the floppy disk. Choose option 1, “Start computer with CD-ROM support” during bootup. It will take a while to boot, and there may be a number of error messages as it tries to find a CD drive using various techniques (just ignore the errors).

Once you get a DOS prompt (that'll be “A:\>” on the screen), see if you can access all your drives by typing a DIR command for each (you type DIR, a space, the drive letter, a colon, and hit Enter).

Normally, DIR C: will show the hard drive, DIR D: will show “Volume in drive D is MS-RAMDRIVE” which you can ignore, and DIR E: will show the CD-ROM drive (I get “Volume in drive E is WIN98” with my Win98 CD in the drive). If you have two (or more) hard drives, the CD-ROM drive will probably move up to being drive F (or higher).

Once you're satisfied the floppy works OK, remove it, and reboot by holding down Ctrl and Alt while pressing Del.

In Win2000 you can make something called a “setup disk”, but I strongly recommend finding a Win98 system and making yourself a DOS boot disk (test it on your actual system, not on the system you use to make it). If you wish to make a setup disk, you put a blank formatted floppy in the floppy drive, put the Win2000 CD in the CD-ROM drive, click Start | Run and in the text box type “d:\bootdisk\makeboot a:” without the quotes (where d: is the drive letter for your CD-ROM drive and a: is the drive letter for your floppy), and click OK. Follow the instructions presented (you'll need four floppy disks altogether).

Image programs
There are two main types of backup programs. One type makes an “image” of your hard drive, and the other type is the more general backup program that backs up just the files on the drive. Programs that make an image are a bit specialized, and they have specific uses that you may find appealing — you may want one in addition to a general backup program.

An “image” type program creates a complete copy of the entire hard drive (or, if your hard drive has more than one partition, you can make a copy of each partition). The copy is called an “image file”. The image file can be restored, thus recreating the entire contents of the hard drive (or partition) at the time the image was made. This is useful if you replace the hard drive (with one the same size or larger), or if your system becomes so trashed you want to put everything back to a known-working state.

The two most popular programs are Norton Ghost by Symantec http://www.symantec.com/sabu/ghost/ghost_personal/ and DriveImage by PowerQuest http://www.powerquest.com/driveimage/

I'll have a bit more to say about these in the next section.

General backup programs
Most backup programs can make three types of backups: “full” which backs up all the files, “differential” which backs up files that have changed since the last full backup, and “incremental” which backs up files that have changed since the last full or incremental backup. Differential and incremental backups must be used in conjunction with full backups (and don't mix differential and incremental, use one or the other). The idea is to save time. A full backup may take quite some time to perform, and you may want to do it on a weekly or monthly schedule. A differential or incremental backup will be much faster; if you're doing weekly full backups you can do these daily, or with monthly full backups you can do them weekly. (And of course you don't have to use a schedule, but you may find it helps you remember to keep your backups up-to-date.) The difference between differential backups and incremental backups is that once you have completed a differential backup, you no longer need any previous differential backup (you DO need the previous full backup). With incremental backups, you must save every incremental backup you make along with the full backup.

Personally, I find that differential backups are preferable to incremental. Although incremental backups can be faster, the hassle with saving every backup (and restoring them in the right order) isn't worth it.
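The selection and restore rules described above, worked through on a small constructed file set (an added example, not part of the original post). The file names, the day numbering and the assumption that each backup runs at the end of the day are made up for the illustration, and deleted files are not modelled.

```python
"""Full, differential and incremental backups on a constructed file set."""
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str    # "full", "differential" or "incremental"
    day: int     # day the backup was taken (assumed: at the end of that day)
    files: dict  # path -> contents captured by this backup


def take_backup(kind, day, disk, changed_on, history):
    """Copy the files this backup type selects and append the result to history.

    disk:       path -> current contents
    changed_on: path -> day the file was last modified
    """
    if kind == "full":
        baseline = None                      # no baseline: take everything
    else:
        fulls = [b.day for b in history if b.kind == "full"]
        if not fulls:
            raise ValueError(f"{kind} backup needs an earlier full backup")
        if kind == "differential":
            baseline = fulls[-1]             # changed since the last full
        elif kind == "incremental":
            # changed since the last full OR incremental, whichever is newer
            baseline = max(b.day for b in history
                           if b.kind in ("full", "incremental"))
        else:
            raise ValueError(f"unknown backup kind: {kind}")
    selected = {path: data for path, data in disk.items()
                if baseline is None or changed_on[path] > baseline}
    backup = Backup(kind, day, selected)
    history.append(backup)
    return backup


def restore_chain(history):
    """Return the backups a restore needs, in the order they must be applied."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    later = history[last_full + 1:]
    diffs = [b for b in later if b.kind == "differential"]
    incs = [b for b in later if b.kind == "incremental"]
    if diffs and incs:
        raise ValueError("differential and incremental backups are mixed")
    chain = [history[last_full]]
    if diffs:
        chain.append(diffs[-1])   # only the newest differential is needed
    chain.extend(incs)            # every incremental is needed, oldest first
    return chain


def restore(chain):
    """Apply the backups in order; later copies overwrite earlier ones."""
    restored = {}
    for backup in chain:
        restored.update(backup.files)
    return restored


def simulate(kind):
    """Full backup on day 0, then one edit and one `kind` backup per day."""
    disk = {"letter.doc": "v0", "budget.xls": "v0", "photo.jpg": "v0"}
    changed_on = dict.fromkeys(disk, 0)
    history = []
    take_backup("full", 0, disk, changed_on, history)
    # Constructed edit schedule: day -> file touched that day.
    edits = {1: "letter.doc", 2: "budget.xls", 3: "letter.doc", 4: "notes.txt"}
    for day, path in edits.items():
        disk[path] = f"v{day}"
        changed_on[path] = day
        take_backup(kind, day, disk, changed_on, history)
    return disk, history


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        disk, history = simulate(kind)
        chain = restore_chain(history)
        print(kind)
        print("  files per daily backup:", [len(b.files) for b in history[1:]])
        print("  backups needed to restore:", [(b.kind, b.day) for b in chain])
        print("  restore matches disk:", restore(chain) == disk)
```

The differential run grows each day but restores from two backups; the incremental run stays small but needs all five, and dropping any one of them silently restores a stale file.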

You can make your backup to a variety of removable media. Tape and CD-RW are the most popular choices. I find that I'm more likely to do regular backups if it is really easy to do. One thing that discourages doing backups is tedium from swapping discs. For example, if you can do your backup to a single 10GB tape rather than to fourteen 700MB CD-RW discs, you're more likely to do it. You can start the backup to tape and go off to dinner, instead of popping in all the time to swap in the next CD-RW. Also, if you can do your backup to a single tape (or other media), you probably don't care much how long it takes (you can let it run overnight if need be), and so you can set your backup program to also read the backup after it's finished. This ensures the backup is good, and that your tape or CD-RW hasn't worn out.

You may want to do your full backups and differential backups to different media, for example a full backup to tape and a differential backup to CD-RW. You can also back up to a hard drive on another computer using a home network (see the FAQ for my posts on setting up a home network).

It's a good idea to have more than one set of media for backups. For example, if you do a full backup to tape and you only have one tape, what would happen if something should fail while you are making your backup? Your old backup is partially erased, and your new backup isn't finished — neither is usable. It's best to at least have two sets and switch back and forth.

Win98 and Win2000 both come with simple backup versions. The backup that comes with Win2000 is a scaled-down version of Veritas Backup MyPC (formerly called Backup Exec Desktop) http://www.veritas.com/products/category/ProductDetail.jhtml?productId=bedeskmypc by Veritas. You may find that the version in Windows is all you need, or you may like some of the features in the full version.

Note that if you need to do a restore to a non-working system (say, after a hard drive dies), most backup programs require you to install Windows before you can restore your backup. This can take some time, and can even be a problem if you wind up with a mix of the Windows you have on CD and the Windows you were running when you made the backup (with updates and patches downloaded in). There are two ways around this. One is to use one of the “image” type programs (mentioned above) to make an image of your computer after you have Windows all properly set up (and make a new image after any major download upgrade). Then you can easily restore the image, and go on to restore your backup. The other is that some backup programs (like Veritas's Backup MyPC) make bootable floppy disks that allow you to restore a backup without having Windows.


Virus Control


Use an up-to-date anti-virus scanner on your email and downloads.
Why? By far the most likely security problem for your Windows computer is getting a virus program (also called trojans [as in Trojan horse] and worms). You will occasionally see news stories about a new virus causing problems, or an old virus popping up again. And the most likely places to get a virus are in email and in files you download from websites (or FTP sites). Nearly all viruses in emails are in attachments that are harmless until they are opened, so not opening attachments is actually a pretty good way to avoid getting a virus. But most people get attachments that they do need, or want, to open. And there are some viruses that function without the user opening an attachment (usually due to bugs in Outlook Express or Outlook). So an anti-virus scanner is highly recommended. You can also get a virus from a floppy disk, zip disk, CD-R, or any other media given to you by someone; but it is more common to get them over the Internet via email or downloads.

There are several popular anti-virus scanners. One of the most popular is Symantec's Norton AntiVirus http://www.symantec.com/nav/nav_9xnt/ Other popular programs are Trend Micro's PC-cillin http://www.antivirus.com/pc-cillin/products/pcc2000.htm and McAfee's VirusScan http://mcafeestore.beyond.com/FrontDoor/0,1076,3-18,00.html

Note that all of these products rely on a database of known virus characteristics. Therefore, besides buying and installing the program, you need to frequently update the database. Of course brand-new viruses will not be detected until (a) they are added to the company's database, which for major viruses usually happens in a matter of hours, and (b) you download the updated database, which will depend entirely on how frequently you download. Some anti-virus programs look for things that are so suspicious it might be a good idea to warn the user, even if nothing is detected using the database (like a .vbs file attachment in an email — that's more likely a virus than something you really wanted).

Typical users need an anti-virus program that will scan incoming email (preferably before it reaches your email program, in case you're using Outlook Express or Outlook, especially with the preview pane enabled), and any files you download. You should also scan all the files on any removable media you receive (like floppies). It doesn't hurt to occasionally scan your entire hard drive (especially after you update the database), but it should not be necessary to scan every file read from the hard drive (which some anti-virus scanners do).

Personally, I find Norton AntiVirus to be overly “intrusive”. And most Norton products do not uninstall cleanly, and generally seem to be prone to causing system problems by doing non-standard (and, again, intrusive) things. However, it is probably the most popular.

McAfee was at one time very highly regarded, but since McAfee himself sold the company and moved on, there have been reports that the quality has suffered. I personally haven't used the program since McAfee left. They also have an on-line version which I've heard is a bit on the weird side.

TrendMicro's PC-Cillin is a nice, basic anti-virus scanner. It is unobtrusive, limiting itself mainly to scanning incoming email (which it does before your email program gets it) and files being downloaded. You can also scan any drive on command. It can be set to scan your hard drive automatically (say, once a week) and to download database updates automatically (say, once a day). TrendMicro claims one of the features of the program is that the database updates are the most compact of any major anti-virus program, meaning they load very quickly.

Don't hide file extensions
Why? Because virus attachments in emails can use that to hide. For example, an email attachment named “FREE XXX SITES.TXT.pif” will show as “FREE XXX SITES.TXT” which you might think is a safe .txt (text) file when it is really a .pif file (Program Information File, used by early versions of Windows as part of an executable program). [Although, get real — any attachment named FREE XXX SITES might as well be named THIS IS A VIRUS.EXE. Use a little common sense!]

It should come as no surprise that by default Windows is set to hide file extensions. To solve this, double-click on My Computer, then click on View, then Folder Options, then on the View tab. (In Win2000, click on Tools, then Folder Options, then on the View tab.) Make sure the box next to “Hide file extensions for known file types” is not checked. Click OK to close the dialog box.

Open attachments in emails carefully
Why? Because virus attachments in emails can be tricky. As just mentioned, an email attachment may be named “picture of my dog.jpg.pif”, where the length of the name is chosen so it shows as “picture of my dog.jpg....” in Outlook or Outlook Express. That makes it look like a .jpg file when it isn't.

Instead of double-clicking on an attachment to open it, right-click on it and choose “Save As...”. In the “File Name” box, you will now be able to see the full name of the file. If it looks OK, you can go back and double-click it to open it, but a safer method is to go ahead and save it in a folder you've set up for this purpose. Then open it from the folder. This will give you a chance to verify the icon as well. It also gives anti-virus scanners that monitor all hard drive access another chance to spot it.

Remember: a file with two extensions is ALWAYS a virus; no one does this in normal circumstances. Any file extension you don't recognize should not be opened. Any file that you recognize as an executable extension (like .exe, .com, .bat, .pif, .vbs, .vbe, .scr) should not be opened unless you are really sure about the file.

Also remember: most viruses spread from an “infected” computer by emailing to email addresses found in the address book or emails on that computer. So when you receive a virus, it will probably be from someone you know. Also, some viruses pick subjects and/or attachment filenames from text found on the computer, so the subject or filename may be familiar to you. In fact, it may even be something you've recently discussed with the person the email appears to be from. So if you receive a file attachment from someone you know, that does NOT mean it isn't a virus.
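The attachment-name rules above, written as a check that can be run over a list of filenames (an added example, not part of the original post). The executable list is the one given in this document plus the script extensions it names for Windows Scripting Host; the "recognized" list is an assumption standing in for whatever file types you actually expect, and a middle segment counts as a decoy extension only if it appears in one of the two lists, so names like "report v1.2 final.doc" are not flagged.

```python
"""Flag risky attachment names: executable, unrecognized, double extension."""
import re

# Executable extensions listed in this document, plus the script types it
# names in the Windows Scripting Host section.
EXECUTABLE = {".exe", ".com", ".bat", ".pif", ".vbs", ".vbe", ".scr",
              ".js", ".jse", ".wsf", ".wsh"}
# Assumption: the data file types this particular user recognizes and expects.
RECOGNIZED = {".txt", ".jpg", ".doc", ".xls"}
KNOWN = EXECUTABLE | RECOGNIZED


def _split(filename):
    """Return (stem, final_ext, decoy_ext) with extensions lower-cased.

    Windows drops trailing spaces and dots from a name, so they are removed
    first. decoy_ext is the segment before the final extension, or "".
    """
    name = filename.rstrip(" .")
    stem, dot, last = name.rpartition(".")
    if not dot:
        return name, "", ""
    final = "." + last.strip().lower()
    _, inner_dot, inner = stem.rstrip().rpartition(".")
    decoy = "." + inner.strip().lower() if inner_dot else ""
    return stem, final, decoy


def displayed_name(filename):
    """Name shown when "Hide file extensions for known file types" is on.

    Simplification (assumption): every extension in KNOWN is treated as a
    registered file type, so it is hidden; anything else is shown as is.
    """
    stem, final, _ = _split(filename)
    return stem if final in KNOWN else filename


def assess_attachment(filename):
    """Return the list of reasons not to open this attachment (empty = none)."""
    _, final, decoy = _split(filename)
    findings = []
    if final in EXECUTABLE:
        findings.append("executable")
    elif final not in RECOGNIZED:
        findings.append("unrecognized")      # includes "no extension at all"
    if decoy in KNOWN:
        findings.append("double-extension")  # e.g. ".txt" hiding before ".pif"
    if re.search(r"\s{3,}", filename):
        findings.append("padded")            # spaces pushing the real ending
    return findings                          # out of view in a narrow column


if __name__ == "__main__":
    # Constructed sample names; the first two follow the examples in the text.
    samples = [
        "FREE XXX SITES.TXT.pif",
        "picture of my dog.jpg" + " " * 40 + ".pif",
        "holiday.jpg",
        "report v1.2 final.doc",
        "notes.xyz",
    ]
    for name in samples:
        print(repr(displayed_name(name)), "->", assess_attachment(name) or "ok")
```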

Set Word and Excel to check for Macros
Why? Because some viruses are macros inside a Word (.doc) or Excel (.xls) file.

Enable Macro Virus Protection in Word and Excel. The procedure varies depending on the version, so check under “virus” in the Help text, or try Tools | Macro | Security.

Use “Windows Update” to install the latest security patches from Microsoft.
Why? Because people keep finding security faults in Microsoft's products, and Microsoft puts out their feeble attempts to solve them. Unfortunately, Microsoft frequently introduces new problems in their updates. So you really need to gauge for yourself whether you want to immediately download an update as it becomes available, or wait a while and see if there are complaints from the people who did jump in.

Generally you will find Windows Update when you click on Start. You can also browse to http://windowsupdate.microsoft.com/

Remove Windows Scripting Host.
Why? Because it's used by some email viruses. Unless you have some need for it, you might as well remove it.

Here's an interesting article: http://www.zdnet.com/products/stories/reviews/0,4161,2568111,00.html

In Win98, Start | Settings | Control Panel. Double-click on “Add/Remove Programs”. Click on “Windows Setup” tab. Highlight “Accessories” (under Components) and click on “Details…”. Make sure box next to “Windows Scripting Host” is not checked (you'll have to scroll down to find it). Click “OK” as many times as needed.

In Win2000, probably the easiest thing is to change the file association so that script files are displayed (using Notepad) rather than executed. Double-click on My Computer, click on Tools, Folder Options..., and click on the File Types tab. Scroll down (way down!) to find the entry for VBS, which should be VBScript Script File. Click on VBScript Script File to highlight it, then click on the Advanced button. Highlight the Open entry (under Actions:) and click on the Edit button. Find “Wscript.exe” in the “Application used to perform action:” box, and change it to “Notepad.exe” (leave the rest of the text in the box as-is). Click OK. Repeat for the Open2 entry, changing “Cscript.exe” to “Notepad.exe”. Click OK (in the Edit File Type window). Repeat the procedure for the following extensions: .VBE (VBScript Encoded Script File), .JS (Jscript Script File), .JSE (Jscript Encoded Script File), .WSF (Windows Script File), and .WSH (Windows Script Host Settings File). Then click on Close (in the Folder Options window). If you ever need to restore Windows Scripting Host, just change the Notepad.exe entries back to Wscript.exe and Cscript.exe.

Put Outlook/OutlookExpress in Restricted Zone.
Why? To limit what HTML email can access. This is a really, really good idea, and it stops a variety of serious problems (including most viruses that activate when you read or preview the email, without even double-clicking the attachment). Note that if you are already using Restricted Sites in Internet Explorer, you need to think about how you want things to work, because the settings are shared with Outlook (and possibly other programs).

In Outlook, click on Tools | Options… and click on the “Security” tab. Under “Secure content” “Zone:” select “Restricted sites”. Then click on “Zone Settings…” and make sure everything is set to the safest settings (click on “Custom Level…” to see the settings). Usually the “safe” settings are “disable” or “prompt” (assuming you know when to say no to those prompts). Click “OK” as many times as needed.



General tips


Disable “NetBIOS over TCP/IP”
Why? Because a hacker can access certain system functions if you leave this enabled (see the section on hacking below). It is truly a mystery why Microsoft has this enabled by default, since there's practically no one in the entire world who needs to have it enabled. At least I've never heard from anyone who did, nor can I think of any reason why a home user would need it.

To disable NetBIOS in Win98, start by right-clicking on “Network Neighborhood” and select “Properties”. Click on the “Configuration” tab. You will see various protocols listed. The procedure may vary depending on your exact system configuration, so you may need to check each protocol. Click on TCP/IP protocol to highlight it and click “Properties”. In the TCP/IP Properties dialog, click on the “NetBIOS” tab. Make sure the box next to “I want to enable NetBIOS over TCP/IP” is not checked, and click OK. Repeat for each TCP/IP protocol if you have more than one.

In Win2000, right-click “My Network Places”, then select “Properties”, then right-click on “Local Area Connection” (the name may vary), then select “Properties”, and select the “General” tab. You will see various protocols listed. The procedure may vary depending on your exact system configuration, so you may need to check each protocol. Click on “Internet Protocol (TCP/IP)” to highlight it and click “Properties”, then click on “Advanced…” and select the “WINS” tab. Select “Disable NetBIOS over TCP/IP”, and click OK as needed. Repeat for each TCP/IP protocol if you have more than one (you may have to look around a bit to find the setting).

Unbind Microsoft Networks from TCP/IP
Why? For the same reason as described above for NetBIOS over TCP/IP.

In Win98, start by right-clicking on “Network Neighborhood” and select “Properties”. Click on the “Configuration” tab. You will see various protocols listed. The procedure may vary depending on your exact system configuration, so you may need to check each protocol. Click on TCP/IP protocol to highlight it and click “Properties”. In the TCP/IP Properties dialog, click on the “Bindings” tab. Make sure the boxes next to “Client for Microsoft Networks” and “File and printer sharing for Microsoft Networks” are not checked, and click OK. Repeat for each TCP/IP protocol if you have more than one.

In Win2000, if you're not using file and printer sharing, you can simply remove that protocol. If you are, then you'll have to figure out how to unbind it from TCP/IP, because I don't have it installed so I can't go through it. (Sorry!)


Internet Security


What is “hacking”?
Hacking is unauthorized use of a computer. [“Hacking” at one time referred to certain types of skilled programming, and so those who were once called hackers object to the terms “hacking” and “hackers”, preferring “cracking” and “crackers”. But in reality the language has moved on and that's just the way it is now, tough.] There are two main types of hacking: in person, and remote. To hack a computer in person, you show up where the computer is located, usually breaking in or at least accessing an area you're not authorized to access. For home users, this is not usually a big concern, and I'm not going to cover it here. To hack a computer remotely, the computer must be connected to a network, and the hacker accesses it through the network. Of course the most popular network these days is the Internet.

What sorts of things do hackers do?
There are two main goals of hacking. One is to read, change, or erase files stored on the computer. There are many reasons for doing this, such as reading trade secrets from a competitor, but the most common reason is simple vandalism (that is, the hacker does it because he can, and it's annoying, and he gets pleasure from annoying others or recognition from his fellow hackers). The other is to cause the computer to execute a program, thus stealing processor time. The usual scenario is to put a program called a “trojan” on thousands of computers, and at a selected moment cause the thousands of computers to bombard a particular website, thus jamming the website and rendering it inoperative (called “denial of service”). Also, a hacker may want to execute a program on the computer being hacked so as to achieve the first goal (reading, changing, or erasing files) if he can't get the operating system or other programs already on that computer to do it.

How do hackers hack into computers remotely?
The most common approach is to send queries via the Internet to random addresses (or even to all addresses). For example, Unix computers generally come with Telnet, a program that allows a computer to be used remotely as if you were sitting at the keyboard. Hackers will query the Telnet port, and see if it responds. If it does, they can try the default password for various known versions of Unix, or try passwords using names or entries from a dictionary. If the hacker can find the password, he can use the Telnet port to do anything a person could do who was sitting at the computer. Another common port to query is FTP (File Transfer Protocol), a Unix scheme for uploading and downloading files.

What are “contact alerts”?
As just described, some hackers query certain ports of random addresses or even go through every IP (Internet Protocol) address one at a time. There are hackers all over the world, so it's actually quite likely that sometime in the next few weeks, for instance, a hacker in Singapore might query your computer's Telnet port. If your computer doesn't have Telnet running, then no harm is done.

It's a bit like if Procter & Gamble mails a coupon for Pampers to every house in America. If you're single and have no kids, then you will throw away the coupon when you get it in the mail. At some houses, they will luck out and the coupon will reach parents with kids, who may respond to the coupon. And some junk mail isn't as innocent as a Pampers coupon. There are credit card offers that suck you in with a low teaser-rate and then jack the interest up after a month, checks that if you cash them your long-distance carrier is switched on you, and worse. But do you panic and run around yelling “My God, how did they get my address!?! Why is Procter & Gamble targeting my house?! Right there inside MY MAILBOX!!!” Of course not. You know the mail is going to millions of houses.

The “contact alert” question often comes up when someone installs ZoneAlarm, a popular firewall program designed to protect your computer from remote hackers. As I've just mentioned, there are thousands of hackers all around the world sending queries to millions of computers every day. Naturally your computer will receive a number of these, just like you'll find junk mail in your mailbox. ZoneAlarm can report these contacts, and generally people react with, well, Alarm. There's really no cause for worry though. First of all, nearly all these contact attempts are harmless (indeed, by using the suggestions in this document, they are all harmless). Windows will simply throw the query away, much like you might throw away a Pampers coupon. Of course ZoneLabs, the makers of ZoneAlarm, hope that you will wring your hands and exclaim “Thank God I've got ZoneAlarm protecting my computer!!”. In reality, it makes little difference whether ZoneAlarm throws away the coupon (that is, the query) or Windows does. Either way it's ignored. Is ZoneAlarm really protecting your computer? In many cases, no — it's simply doing what Windows would have done on its own anyway. For some users, the answer is yes — ZoneAlarm is operating to protect them from a particular problem. The information below will help you decide which situation applies to you.

[ZoneLabs responds: While we don't want people 'wringing their hands' because ZoneAlarm reported Alerts (benign or nasty) :>, we do believe in peace of mind. We think that basic Internet security should be available and should be free, which is why we offer ZoneAlarm for free for personal and non-profit use.]

Can a Windows machine be hacked?
There are two ways to hack any computer. One is to plant a trojan (virus program) on that computer, and then communicate with that program. This is another reason why having an anti-virus scanner is very important. Anti-virus scanners have been covered above. The other is by contacting a program that already exists on the computer.

The Internet uses a protocol called TCP/IP (Transmission Control Protocol / Internet Protocol). Whatever the hacker is going to do, if he's hacking your computer remotely, must be done within the abilities of TCP/IP. TCP/IP is organized into a large number of “ports”, and a program called Windows Sockets (Winsock) in Windows manages communications over these ports. None of these ports do anything unless a “server” program is running and listening on that particular port. For example, I've already mentioned Telnet and FTP. A server written to perform Telnet functions would listen for queries on port 23, and a server for FTP on port 21. In a typical home installation, Windows does not include a Telnet server or an FTP server, so there would be no program listening on those ports.

So, a Windows machine cannot be hacked unless it is running a server (or has an active virus program designed to facilitate hacking). There's only one server program in Windows itself in a typical home installation, and that's “File and printer sharing for Microsoft Networks”. To have any other server on your computer, you'd have to install it. There are many server programs, such as Microsoft's PWS (Personal Web Server) and IIS (Internet Information Server), Symantec's pcAnywhere, and of course Telnet and FTP server programs are available.
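The point that a port does nothing until a server program is listening on it can be checked on your own machine (an added example, not part of the original post). Ports 21 and 23 are the ones named above; port 139, the TCP port of the NetBIOS session service used by file and printer sharing, is added here as an assumption about what you would want to watch, and all checks go to the loopback address only.

```python
"""Check which TCP ports on this machine have a server listening."""
import socket

# 21 (FTP) and 23 (Telnet) are the ports the text names. 139 is the NetBIOS
# session service used by file and printer sharing (added here, not taken
# from the page).
WATCHED = {21: "FTP", 23: "Telnet", 139: "NetBIOS session (file sharing)"}


def is_listening(port, host="127.0.0.1", timeout=1.0):
    """True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(timeout)
        # connect_ex returns 0 on success and an error code (for example
        # "connection refused") when nothing is listening.
        return probe.connect_ex((host, port)) == 0


def audit(ports=WATCHED, host="127.0.0.1"):
    """Map each watched port to whether something is listening on it."""
    return {port: is_listening(port, host) for port in ports}


def demo_listener_lifecycle():
    """Show one port before, during and after a server listens on it.

    Returns (bound_only, while_listening, after_close). The port is picked by
    the operating system, so the demo never touches a port already in use.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        server.bind(("127.0.0.1", 0))        # reserve a free port, no server yet
        port = server.getsockname()[1]
        bound_only = is_listening(port)      # nothing listening: refused
        server.listen(1)                     # now a "server" is listening
        while_listening = is_listening(port)
    finally:
        server.close()                       # server program exits
    after_close = is_listening(port)         # refused again
    return bound_only, while_listening, after_close


if __name__ == "__main__":
    print("port lifecycle (bound, listening, closed):", demo_listener_lifecycle())
    for port, listening in audit().items():
        state = "LISTENING" if listening else "closed"
        print(f"{port:>5}  {WATCHED[port]:<32} {state}")
```

Any watched port reported as LISTENING means a server program is installed and running on that machine, which is the condition the text says has to hold before a remote connection can do anything.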

What can a hacker do to me through File and Printer Sharing?
File and printer sharing operates through NetBIOS. If you have “NetBIOS over TCP/IP” disabled, then a hacker can't do anything through it (with one exception having to do with old cable modems, which I'll get to later). Windows won't even respond. So your best bet is to turn that feature off (as described above).

If you have “NetBIOS over TCP/IP” enabled, a hacker can ask what your computer name, computer description, and workgroup are. In Win98, right-click on Network Neighborhood and select Properties, then select the Identification tab. (In Win2000, click on Start, Settings, Control Panel; double-click on System, and click on the Network Identification tab.) You will see your computer name, computer description (except in Win2000), and the name of your workgroup. If these happen to be things like your social security number, it might not be so good if a hacker could see them.

If you also have “File and printer sharing for Microsoft Networks” enabled, then a hacker can also ask for a list of the names of the shared folders and shared printers. If you don't have any folders set as shared, or printers set as shared, the list will be empty. If you do have shared folders and/or printers, the hacker can try to access them by guessing the password. If you left the password blank when you set the folder or printer to be shared, then (surprise!) the password will be really easy for the hacker to guess.

If the hacker guesses the password, he can print on your printer, and access files in the shared folder. Whether he can change or erase those files depends on whether you shared the folder as read-only or not. Of course, being able to access your files is a bad thing. Fortunately, you can protect yourself from that... read on!

So tell me about File and Printer Sharing
As the only TCP/IP server actually present within the Windows operating system itself, “File and printer sharing for Microsoft Networks” is the focus of protecting your Windows computer from remote hackers (again, assuming you have the anti-virus angle covered).

File/printer sharing is actually a pretty useful thing if you have more than one computer. You can connect your computers with an Ethernet network, and (as the name implies) share files and printers between your computers.

If you don't have more than one computer, or don't need to share files or printers, then you should definitely disable file and printer sharing entirely.

To remove it in Win98, start by right-clicking on “Network Neighborhood” and select “Properties”. Click on the “Configuration” tab, and click on “File and print sharing...”. Make sure the boxes next to “I want to be able to give others access to my files” and “I want to be able to allow others to print to my printer(s)” are not checked, and click OK.

To remove it in Win2000, right-click “My Network Places”, then select “Properties”, then right-click on “Local Area Connection” (the name may vary), then select “Properties”, and select the “General” tab. You will see various protocols listed. Remove the file and printer sharing protocol.

With either Win98 or Win2000, when removing file/printer sharing also disable NetBIOS over TCP/IP and unbind Microsoft Networks from TCP/IP (as described above).

If you do want to use file and printer sharing, see how to make it safe (next).

Making file/printer sharing safe
The trick here is to make file and printer sharing work over your local network, or LAN (Local Area Network), but not over your WAN (Wide Area Network). Your LAN consists of your own computers that are connected together by Ethernet, and your WAN is the Internet which connects to millions of computers all over the world.

Remember that file and printer sharing works using NetBIOS. Usually you will want to use NetBIOS over NetBEUI. NetBEUI is a relatively simple protocol which is non-routable. “Non-routable” means it will not get past a router, and since all ISPs (Internet Service Providers) connect you to a router at some point, the NetBEUI protocol cannot be transmitted over the Internet. But it will still work over your home network, through your hubs and/or switches.

Begin by making sure you have NetBEUI installed. That's really beyond the scope of this document, but the procedure is fairly obvious (if you know the manufacturer is “Microsoft”) once you get to the protocol list (as described in various places here, like under “Disable NetBIOS over TCP/IP”).

NetBEUI should be bound to “Client for Microsoft Networks” and “File and printer sharing for Microsoft Networks”, and TCP/IP should NOT be bound (see “Unbind Microsoft Networks from TCP/IP”). Make sure all your computers are set for the same Workgroup (again, beyond the scope of this document, check it out in Windows help).

That will put NetBIOS on NetBEUI over your local network. Now, to keep NetBIOS off the WAN. That's easy. Just disable NetBIOS over TCP/IP and unbind Microsoft Networks from TCP/IP (as already described).

Special case: old cable modems
Originally, cable modems connected everyone on the same branch of the cable TV wire into a cute little local Ethernet network. Unfortunately, that meant you could “see” your neighbor's network traffic. Indeed, you could see his shared folders and printers if he had any. Of course, people quickly realized that this was a very bad thing indeed. In 1998 a new specification for cable modems called DOCSIS came into being, and it called for data to be encrypted (among other improvements). If your cable modem is compliant with the DOCSIS standard, then none of your neighbors can see any of the network traffic between you and your ISP. Naturally, you still have to protect yourself against the data that reaches the Internet, as described throughout this document.

If you have an older cable modem, then you might want to give some thought to the fact that your neighbors who also have older modems can “see” your data. With the right tools, they could see what websites you are browsing (except when you're at a secure site; then they'd need tools like the NSA denies having). If you are going to use file and printer sharing, or any other server application, for computers you have networked together in your home then you should definitely use a hardware firewall between your computers and the cable modem. Most software firewalls will be of no use (since they only cover the TCP/IP protocol).


Firewalls


You may have noticed everything comes in “two main types” in this document. Well, I wouldn't want to disappoint you, so once again...

There are two main types of firewalls: hardware and software. Both are designed to limit what information passes between your computer and the Internet.

Hardware firewalls
With the advent of cable modems and DSL, routers which allow more than one computer to share one of these high-speed Internet connections have become very popular. Because a router already controls the flow of information between the LAN (the little network connecting the computers in your home together) and the WAN (the Internet), it is easy to also make the router function as a firewall. However, none of these products have as many protection features as products designed exclusively as hardware firewalls.

Popular models include the Linksys BEFSR41 (http://www.linksys.com/products/product.asp?prid=20&grid=5) and their model that includes a wireless LAN access point, the BEFW11S4 (http://www.linksys.com/products/product.asp?prid=173&grid=5); the SMC SMC7004ABR (http://www.smc.com/smc/common/prodPreview.cfm?prod_code=SMC7004ABR) and their wireless version, the SMC7004AWBR (http://www.smc.com/smc/common/prodPreview.cfm?prod_code=SMC7004AWBR); and various models by D-Link (http://www.dlink.com).

These firewalls are particularly good at isolating your computers from the Internet. Why? (And I'm simplifying the technology here to make it understandable.) You know you can have, say, 2 different windows of Internet Explorer open and viewing different websites at the same time. How does this work? You may also know that, while you're using the Internet, you have a unique address called the IP (Internet Protocol) address. Let's say your IP address is 64.94.26.1 (IP addresses are traditionally written as four numbers from 0 to 255 separated by periods.) In one window you go to the Fool's home page, and your computer sends “hey, Motley Fool, this is 64.94.26.1 window 1, please send me the home page”. Meanwhile in the other window you go to Yahoo, and your computer sends “hey, Yahoo, this is 64.94.26.1 window 2, send me the home page”. When the Fool replies, it sends the information back to 64.94.26.1, marked for window 1. That's how it winds up at the right computer (yours) and in the right Internet Explorer window (the one that's browsing the Fool).

OK, now connect two computers to one of the routers mentioned above. The router takes on the 64.94.26.1 address, and assigns semi-arbitrary addresses to the two computers, like 10.1.1.1 and 10.1.1.2. Let's say computer-1 has 3 windows open with Internet Explorer, and computer-2 has 2 windows. The router is going to make that look like one computer that has 5 windows open. Say on computer-1 you use the 3rd window to access the Fool, and on computer-2 you access Yahoo with the 1st window. Computer-1 sends the request to the router as 10.1.1.1 window 3, and the router changes that request to 64.94.26.1 window 103; computer-2 sends the request as 10.1.1.2 window 1, and the router changes it to 64.94.26.1 window 201. When the Fool responds to 64.94.26.1 window 103, the router changes that back to 10.1.1.1 window 3. And the Yahoo response to 64.94.26.1 window 201 is changed to 10.1.1.2 window 1. As far as the Internet is concerned, your two computers seem like one computer.

Now let's say a hacker sends a query to the Telnet port at 64.94.26.1. The router is not expecting this query, and it does not know which computer to send it to. So, it just ignores the query. Your computers become “invisible”. (What if you wanted to run Telnet? You'd have to tell the router which computer to send Telnet queries to.)

Hardware firewalls are really good at protecting your local, non-Internet, data as well. For example if you are using file and printer sharing over NetBEUI, a hardware firewall will not pass any of the NetBEUI data on to the WAN. In fact, it can't — NetBEUI does not use IP addresses, so there's no way to send the data over the Internet. Even if you use file and printer sharing over TCP/IP, most hardware firewalls are set by default not to pass any data over the NetBIOS ports to (or from) the WAN. People on the Internet will not be able to access your files using NetBIOS.

Do you need a hardware firewall?
Most home users do not need a hardware firewall. The exceptions would be:

1. If you are using file and printer sharing between your 2 or more computers. If you have an old cable modem, you really need a hardware firewall. If not, it might be worth the peace of mind, and protection from “NetBIOS over TCP/IP” becoming inadvertently enabled.

2. You have other server applications running on your home network, such as a webpage server, that you don't want accessible on the Internet.

3. You are really, really paranoid and a hardware firewall lets you sleep at night. Of course at night, you might as well turn your computer off (which makes it completely safe against remote hacking, for as long as it stays off) and you can sleep anyway.

Software firewalls
Popular software firewalls include ZoneAlarm by ZoneLabs http://www.zonealarm.com/products/index.html and BlackICE Defender by Network ICE http://www.networkice.com/products/blackice_defender.html

BlackICE Defender works much the same way as hardware firewalls, by examining the TCP port numbers used by the data received. However, reviews have reported that BlackICE does nothing with regard to outgoing data.

ZoneAlarm also checks the port number of incoming data, but it has an interesting feature where it examines what program on your computer is trying to send data over the Internet. Hardware firewalls cannot do this, because the TCP/IP data does not identify which program is the source.

You may recall that earlier I said there are two ways to hack a computer, using the servers present on the system, or by planting a trojan program on it. Generally speaking, a software firewall is not used to protect servers present on your system. Why? Because if you're not using the server, you should not have it running; and if it's not running, it can't respond and therefore needs no protection. On the other hand, if you are using the server, you have to tell the firewall to let the data for the server through — otherwise the server won't be useful. So again it offers no protection. (This is also true for hardware firewalls, with the exception that a hardware firewall can let your computers, on your local network, access the servers and still prevent computers on the Internet from doing so.)

Now, how about protection from trojan programs? Of course, your first line of defense against trojans should be an up-to-date anti-virus scanner. While a software firewall may detect certain virus programs (for example, ZoneAlarm can detect a virus that tries to send data over the Internet by alerting you with the virus's name), it won't detect the virus until after it is already on your computer. By then it may have done quite a bit of damage, besides trying to access the Internet. So a software firewall is generally not a good defense against viruses.

Note that ZoneAlarm and ZoneAlarmPro both include an anti-virus feature as well as being a firewall, although I would still recommend a full-featured anti-virus scanner even if you are using either of these products.

Do you need a software firewall?
Most home users do not need a software firewall. The exceptions would be:

1. If you are worried about “spyware”. Spyware is software that sends information gathered from your computer to someone else. For example, it has been reported that RealNetworks' RealJukebox program maintained a list of every song you played, and occasionally sent that list to RealNetworks. A common allegation is that there are programs that keep track of every website you visit, and send that information periodically to some company. In some cases, ZoneAlarm will detect spyware when it tries to access the Internet to send the data. In other cases, like the RealJukebox example, it may not, because in order to use RealJukebox you have to tell ZoneAlarm to let it access the Internet. (ZoneAlarm also makes a distinction between programs that merely send and receive data, and those that act as a server. If the company collecting data wants to access your computer at a time of their own choosing, their spyware has to be configured as a server, which makes it easier to detect with ZoneAlarm.)

Note that if spyware did anything really nasty, the anti-virus companies would classify it as a “virus” rather than as “spyware”. Then it would be detected by your up-to-date anti-virus scanner. Of course, you personally might have a different notion of what's “nasty” than the anti-virus companies, so if that's the case, a program like ZoneAlarm can help you.

2. If you are really paranoid about viruses and want an extra “edge”. As mentioned earlier, a brand-new virus can get on your computer (usually through an email attachment you open, or in a file you download) because it hasn't made it into the anti-virus company's database, or because you haven't updated your database recently. Most viruses that slip through your anti-virus scanner will not attempt to use the Internet and will not be detected by a software firewall. Still, there's a chance you will detect a new virus with a software firewall, especially using ZoneAlarm as mentioned above. Keep in mind that even a virus that a firewall can detect might do a lot of damage before it is detected by the firewall, so a firewall is absolutely NOT a primary defense against viruses (your up-to-date anti-virus program should be your primary defense).

3. If you are using file and printer sharing between your 2 or more computers, you should be protected simply by disabling “NetBIOS over TCP/IP” and unbinding Microsoft Networks. However, a software firewall can give you additional peace of mind, and protection from “NetBIOS over TCP/IP” becoming inadvertently enabled. You'll need the firewall on each computer.

4. You are really, really paranoid and a software firewall lets you sleep at night. See the joke about sleeping at night under hardware firewalls, above.

Is having an “always-on” Internet connection or a static IP address an additional risk?
You will often see articles claiming that having an always-on connection, like DSL or a cable modem, is a reason to PANIC because it is SO MUCH more dangerous than dial-up. This is nonsense. First of all, there's no risk anyway, if you just follow all the instructions above. Second, the risk (if there were any) comes from how long your computer is connected to the Internet, not the method of connection. A computer that's turned on an hour a day but is connected with DSL is far less vulnerable than a computer that has its dial-up link active 12 hours a day. The reason is, the longer your computer is on-line, the more likely its IP address is to be selected at random (or in sequence) by a hacker. But it is a negligible risk in any case, once you've taken the few simple precautions recommended above.

OK, now for the shred of truth. It's true that if you've made a bunch of blunders and you're running file and printer sharing over TCP/IP and you have shared folders, a hacker could try to guess the password for those folders. If you're not online very long, and if you're using a system where your IP address is assigned each time you connect, then the hacker has to manage to guess it and do his dirty work during that session. If you have a permanent (aka static) IP address, the hacker can keep guessing whenever you're online, and do his dirty work at his leisure (again, some time when you are online). This is very rare, unless you've pissed off some hacker and he's out to get you (also very rare). So before you go pissing off hackers, make sure you've got your system security properly set up.
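
The router behaviour described under “Hardware firewalls” can be modelled in a few lines. This is an added example, not part of the original post: the “window numbers” become TCP port numbers, and the class name, the starting public port 40000, and the 192.0.2.x / 203.0.113.x addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Toy model of the address-translating router described in the text."""
    wan_ip: str = "64.94.26.1"      # public address used in the post
    next_port: int = 40000          # constructed: first public port handed out
    out_map: dict = field(default_factory=dict)   # (lan_ip, lan_port, remote) -> wan_port
    in_map: dict = field(default_factory=dict)    # (wan_port, remote) -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN computer opens a connection: rewrite its source address and port."""
        key = (lan_ip, lan_port, remote)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, remote)] = (lan_ip, lan_port)
            self.next_port += 1
        return (self.wan_ip, self.out_map[key])

    def inbound(self, remote, wan_port):
        """A packet arrives from the WAN: return its LAN destination, or None if dropped."""
        if (wan_port, remote) in self.in_map:   # reply to a connection a LAN computer opened
            return self.in_map[(wan_port, remote)]
        if wan_port in self.forwards:           # the owner told the router where this goes
            return self.forwards[wan_port]
        return None                             # unsolicited: no table entry, so ignored

    def forward(self, wan_port, lan_ip, lan_port):
        """Port-forward rule, e.g. 'send Telnet queries to this computer'."""
        self.forwards[wan_port] = (lan_ip, lan_port)

def demo():
    # All addresses except 64.94.26.1 and 10.1.1.x are constructed sample values.
    fool, yahoo = ("192.0.2.10", 80), ("192.0.2.20", 80)
    stranger = ("203.0.113.5", 31000)
    r = NatRouter()
    results = {
        "pc1_seen_as": r.outbound("10.1.1.1", 1103, fool),
        "pc2_seen_as": r.outbound("10.1.1.2", 1201, yahoo),
    }
    results["fool_reply_to"] = r.inbound(fool, 40000)
    results["yahoo_reply_to"] = r.inbound(yahoo, 40001)
    results["telnet_probe"] = r.inbound(stranger, 23)      # no mapping, no forward rule
    r.forward(23, "10.1.1.2", 23)
    results["telnet_after_forward"] = r.inbound(stranger, 23)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The Telnet probe is dropped only because no table entry exists for it; once a forward rule is added, that port is reachable from the Internet and the server behind it has to be secured on its own.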