Protection Guidelines
By the time you reach the end of the list you will have acquainted yourself with all of the basics required to take control of and maintain your privacy and security over the Internet. To the novice computer user this may seem like a lot of information to absorb, yet if you are patient and take each item one at a time you will soon realize how uncomplicated this really is. Above all, don't be intimidated. No one learns everything in a single day.
After applying everything listed here you are lowering your vulnerability to almost zero; however nothing will ever protect you 100%, and don't ever believe anyone who claims otherwise.
Secure Your Home Computer!
These guidelines should be followed by all Windows users whether you are connected to a network or not.
- Use a good bi-directional firewall that will monitor all incoming and outgoing traffic and will alert you for access permission if such traffic is detected. It also has the ability to hide your presence from intruders by completely blocking access to the ports that are used for the transfer of information. Select the highest security level for your internet zone and set all programs to prompt you for access - even those you use frequently. When in doubt, deny access of a program until you know for sure its identity.
- Use a virus scanner (anti-virus), keep the virus data files current (check for updates at least once a week), enable the "Heuristics" or "Bloodhound" feature (for detection of virus-like activity of yet-to-be discovered viruses), and set it to scan all downloads and e-mail attachments - before they are opened. Let it quarantine and destroy anything suspicious. If it has settings for scanning ActiveX Controls and Java Classes for potentially harmful content, use that too. For even greater protection and a wider range of configuration options, combine the use of a virus scanner with a trojan scanner.
- Disable File and Printer Sharing in your network settings if you are using a computer that is not connected to a Local Area Network (LAN). This will shut all NetBIOS ports - those which are used for the sharing of files.
- Be extremely careful when using any P2P (peer-to-peer) network service for sharing/swapping files across the Internet. Be sure you are not exposing any drive folder other than the one designated for access by these services, and keep your virus scanner active at all times. Even better, also use a third-party File & Folder Access Protection program to lock access to all other areas of your hard drive during the time you open the P2P connection for a file sharing session.
- Secure your IMs. It is wise to use an IM encryption utility to secure your AIM, ICQ, MSN, or Yahoo! messages, but be aware that the encryption will only be effective if the utility is used on both ends.
- Know your IP. If you know the IP address of your internet connection (and the IP ranges used by your local network), you will recognize when an outsider is trying to break in.
- Use a registry guard such as Greyware Registry Rearguard or RegistryProt to protect your registry, startup directories, and startup files from malicious programs. Incoming trojans can go undetected. They will place a specific set of instructions in the registry or other system files and will activate the next time you shutdown/restart your computer. A 'rearguard' will alert you before the damage is done. It is also a useful tool for alerting you of changes when installing new software.
- Never allow a downloaded application or any downloaded executable content to launch on its own, and be especially careful of downloading files that end in exe, bat, vbs, and com.
- Disable file transfers in IM (instant messaging) programs, as this feature, if configured incorrectly, can enable the sharing of more than you intend. AIM, .NET Messenger, and others let you disable file transfers from the Preferences or Options menus. If someone wants to send you an image or file, use e-mail to verify that the request is legitimate.
- Never accept and run an "ActiveX Control" or "Java Class" unless it comes signed and from a trusted site. It is best to force your browser to prompt you for permission. If you are using Internet Explorer, these settings are located under Control Panel - Internet Options - Security - Internet, Custom Level. Mozilla, Opera, and Netscape users are prompted by default.
- Disable "Install on Demand" if you are using Internet Explorer so your browser will be forced to prompt you if additional components are needed in order to display certain content. This setting is located under Control Panel - Internet Options - Advanced.
- Never, ever, enable JavaScript for e-mail or e-mail attachments. While JavaScript may be fine for internet browsing, it can be dangerous when enabled for e-mail. See JavaScript Info for more details and How to disable JavaScript in e-mail programs for step-by-step instructions.
- Disable HTML for e-mail or choose to view all messages as plain text if your e-mail client has such options - the better ones do; or use an e-mail content filter for web bugs and embedded content originating from a server other than the one belonging to the sender of the e-mail. Today's cleverly-coded e-mail worms can execute just by viewing HTML-formatted e-mail.
- Never allow your e-mail client to "View Attachment Inline" ...unless you are sure it arrived from a trusted sender.
- Never open e-mail attachments from strangers. Period.
- Use encryption software such as PGP (Pretty Good Privacy) for sending your most private e-mail messages. If you don't, keep in mind that what you are sending is the equivalent of a postcard. Also remember that encryption is for the message body only - it does not hide the subject line nor does it hide the message headers.
- Never, ever use e-mail to send confidential information such as credit card numbers, bank account numbers, or your Social Security number. Even if you use encryption and the correspondence is for legitimate business, you cannot be certain that the recipient will protect this information once it is delivered and decrypted. It will only be as secure as the recipient's system permits.
- Never respond to e-mail asking for confidential information. Any e-mail you receive requesting your credit card numbers, bank account numbers, or Social Security number either via e-mail or a web site link is surely an identity theft scam.
- Keep your OS and browser up-to-date, in addition to any service or application that has access to the Internet. Apply updates and patches as they are released.
- Learn to identify which system services and applications are known to compromise security and do not allow them to have open access to the Internet. When in doubt, have your firewall prompt you for permission.
- Be sure your browser is SSL-capable (Secure Socket Layer) and the encryption strength, or cypher strength, is not less than 128-bit.
- Never submit a secure form on an insecure server. Period.
- Avoid using easily recognizable passwords such as the names of family members or pets, birthdays, or anniversaries. Make them as cryptic as possible; and if you must write them down, do not store them on your computer or any other place where someone may have access to them. If you must use your browser's password manager, never use it to store important passwords such as those used for banking.
- Never visit untrusted sites. If you do, be extremely cautious.
- Do your best to prevent being a victim of data or identity theft. See Data Theft.
Additional guidelines for LANs (Local Area - or Home - Networks):
- Use a router between your LAN and the Internet if you have an 'always-on' connection using DSL, cable, or any connection where you are assigned a static IP address. If your ISP advises against this, FIND ANOTHER ISP. A router uses Network Address Translation (NAT) to mask the IPs of your internal network from the outside world. A router that also combines a hardware firewall is even better.
- If you choose a hardware firewall make sure it includes Stateful Packet Inspection (SPI) for closely examining packet data structures.
- Block NetBIOS ports over TCP/IP to all Internet traffic if you need to enable file sharing for your LAN so no one from the outside can access the contents of your hard drives through these ports. This can be accomplished with either one of these two methods:
- Preferred method: Block incoming and outgoing access to ports 135, 137-139, and 445 with your firewall. ZoneAlarm does this by default when you set the Internet Zone Security level to "high". (The "medium" default security setting only blocks incoming access to NetBIOS ports and you can manually change that to include outgoing, but remember - any setting lower than "high" is not recommended for use in the Internet Zone.)
- Alternate method: Manually disable NetBIOS over TCP/IP. This method is for advanced users only and is something we now consider unnecessary in these modern days of routers and bi-directional firewalls like ZoneAlarm. Complete instructions for Windows 98 and Windows NT can be found at ShieldsUp!! - Network Bondage. Instructions for Windows XP and Windows 2000 can be found at Daniel Petri's MCSEworld. Be aware that with Windows XP, the results can be unpredictable and highly dependent on how your network is configured, so be sure to read all instructions before proceeding.
IMPORTANT: We are including this information for those who wish to follow this 'alternate method'. If you need to make adjustments to your network configuration and are unfamiliar with making changes to system settings, you should consult a friend or professional who has knowledge and experience in this area, and always back up your registry and system files before you make any changes. Although it is not something that is difficult to learn, this method can be complex and you will need a basic understanding of network adapters and protocols in order to correctly remove the appropriate bindings needed to manually disable NetBIOS over TCP/IP.
Be aware if you are using Windows 98 your LAN must use some other network protocol besides TCP/IP in order to access local file shares. Other protocols are not installed by default if you are using Windows XP, but you can still disable NetBIOS over TCP/IP and depending on how your network is configured Windows XP will default to using SMB over TCP/IP for file sharing on the LAN over port 445. If you are using Windows XP and need to see file shares on a Windows 98 machine that is using NetBEUI, you can manually install it on Windows XP (you'll find instructions here).
We recommend that Windows XP users visit the following sites. Pay close attention to all topics related to NetBIOS, NetBT, and SMB Device, and do not apply any of these changes unless you fully understand the outcome:
Daniel Petri's MCSEworld - What's port 445 used for in Windows 2000/XP?
Tip Quarry - Tweaks and Repairs for Windows XP/2000
DO NOT REMOVE TCP/IP itself - you will not be able to connect to the Internet without it.
- Periodically check for heavy traffic on your router's LEDs and check each PC's log files for new entries that are unfamiliar. These factors could indicate malicious activity.
- Turn on WEP (Wired Equivalent Privacy) on your wireless router or access point if you are connected to a "wireless" network.
- Require a login user name and password for every computer connected to your LAN. For any hard drives that are configured as shared: Windows 98 users - require a user name and password there, too. Windows XP users - do not configure share permissions to allow 'anonymous logon' or any access by groups or users outside your LAN.
- Secure your sensitive files on any computer you use to connect to the Internet. Never place sensitive files in folders that are configured as shared. For extra protection, use access protection software.
- And remember that even though only one computer is actually making the internet connection, any other computer that shares that connection, or shares files on a network with that computer, needs the same protection!
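One way to act on the "Know your IP" and "Block NetBIOS ports" items when reviewing a firewall log, as an added example that is not part of the original guidelines: it flags traffic on ports 135, 137-139, and 445 that crosses the LAN boundary and ignores LAN-to-LAN file sharing. It assumes a space-separated log with a `#Fields:` header naming `action`, `src-ip`, `dst-ip` and `dst-port` columns (the layout the Windows Firewall log uses), a LAN range of 192.168.1.0/24, and constructed sample entries.

```python
import ipaddress

# Ports the guideline says to block between the LAN and the Internet.
NETBIOS_PORTS = {135, 137, 138, 139, 445}

# Assumption: the LAN uses this private range. Replace with your own ranges.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log (documentation addresses stand in for outsiders).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2004-03-01 10:15:02 DROP TCP 203.0.113.45 192.168.1.10 4312 445 48
2004-03-01 10:15:09 ALLOW TCP 192.168.1.20 192.168.1.10 1042 139 48
2004-03-01 10:16:30 ALLOW UDP 192.168.1.10 198.51.100.7 137 137 78
2004-03-01 10:17:11 ALLOW TCP 192.168.1.10 198.51.100.7 1050 80 60
2004-03-01 10:19:00 DROP ICMP 203.0.113.45 192.168.1.10 - - 60
2004-03-01 10:19:05 DROP TCP 203.0.113.45
"""


def is_local(addr):
    """True if addr is loopback or inside one of the known LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in LAN_NETWORKS)


def parse_records(log_text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated entries
                yield dict(zip(fields, values))


def netbios_findings(log_text):
    """Return (status, direction, src, dst, port) for NetBIOS/SMB traffic
    that crosses the LAN boundary. LAN-to-LAN file sharing is ignored."""
    findings = []
    for rec in parse_records(log_text):
        try:
            src_local = is_local(rec["src-ip"])
            dst_local = is_local(rec["dst-ip"])
            port = int(rec["dst-port"])  # "-" on ICMP entries raises ValueError
        except (KeyError, ValueError):
            continue
        if port not in NETBIOS_PORTS or (src_local and dst_local):
            continue
        # ALLOW means the block rule is missing; anything else means it held.
        status = "EXPOSED" if rec.get("action", "").upper() == "ALLOW" else "blocked"
        direction = "outbound" if src_local else "inbound"
        findings.append((status, direction, rec["src-ip"], rec["dst-ip"], port))
    return findings


if __name__ == "__main__":
    for finding in netbios_findings(SAMPLE_LOG):
        print(*finding)
```

An "EXPOSED" entry means the firewall let NetBIOS traffic pass between the LAN and an outside address, so the port-blocking rule needs attention; a "blocked" entry shows the rule working.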
For additional Internet privacy protection:
- Use a web content filter (or browser filter) to prevent remote site contact through ad banners and embedded web bugs.
- Use a cookie filter. They are built into most browsers these days, but third-party programs usually offer better filtering options.
- Disable HTML for e-mail or choose to view all messages as plain text if your e-mail client has such options - the better ones do; or use an e-mail content filter for web bugs and embedded content originating from a server other than the one belonging to the sender of the e-mail.
- Disable cookies in e-mail if your e-mail client has such an option - the better ones do.
- Set your browser for maximum privacy, forcing it to prompt you for permission for everything possible from cookies to downloads as well as security permissions for Java Classes (Mozilla, Opera, and Netscape) and ActiveX Controls (Internet Explorer) as mentioned above. Once you become familiar with a site you can always add it to an 'approved' or 'trusted' sites list in your content filter or browser to avoid the annoyance of continuous prompts, but apply some caution as this is for absolutely trusted sites only.
- Clear your browser cache (called "Temporary Internet Files" in IE) and browser history often, and always after visiting any site where you performed personal business - online banking, making a purchase, etc.
- Don't tell sites anything you don't want them to know. Use common sense when filling out forms or submitting any personal information unless you are absolutely sure it won't be misused.
- Read a site's privacy policy. The presence of a privacy policy does not mean that a company won't collect or sell your information. Read it carefully. If it is vague or unclear, watch out. If you can't find one, get out!
- Don't install spyware, and use adware cautiously. See Adware vs. Spyware, and you can search the online Spyware Lists for offenders. Also be aware that some freeware, shareware, and adware programs can contain viruses, or worse - trojans!
- Opt out of everything from mailing lists to requests to use your personal information for whatever purpose is intended, and beware of sites that offer some sort of reward or prize in exchange for your contact or other information.
- Never respond to spam by using their "click here to unsubscribe" or "follow this link for removal from our list". The one and only thing this does is verify that the spam was delivered to a valid e-mail address and confirm that you saw it. The sender has no intention whatsoever of honoring your request. In fact, by responding you are guaranteed the delivery of even more spam from the same sender plus those who were sold your confirmed-valid address. Destroy the spam without responding to anything.
- Never give your personal e-mail address to a commercial vendor. This applies to anything from making a purchase online to responding to an online survey. Apply for a free Webmail account or subscribe to a Disposable E-mail Service and use that address instead. You can always dispose of it and acquire a new one quite easily if necessary. Several good Webmail and Disposable Service providers are listed under Links & Resources - Mail Services.
- Never use your personal e-mail address when posting to message boards or newsgroups. Always use a webmail address. Spiders are constantly crawling these places for valid addresses to use for spam. If you must use your personal address, or any valid address you plan to keep, always insert some text that the viewer will know to remove when responding to you. No one will question your intent - this is standard practice. Examples can be found at E-mail & Spam - Spam Prevention.
- Never reveal personal details to strangers. Period.
- Realize you may be monitored at work. Avoid sending highly personal e-mail to anyone including mailing lists, and keep sensitive files on your home computer.
- Use anonymizers where both privacy and security are a risk such as browsing to unfamiliar sites or posting to certain newsgroups. A list of resources can be found at Links & Resources - Anonymizers - Surfing & Usenet and Links & Resources - Anonymous Remailer Software. It is, however, far better to avoid the sites where an anonymizer might be needed.
- Keep informed. Visit privacy sites frequently. Read the news. Apply what you learn.
Test for security vulnerabilities!
- Use one of the services (even better, use two or more) listed under Links & Resources - System Security Testing to test the security of your computer's connection to the Internet. Be sure to include a check for identity vulnerabilities and port scanning.
- Examine the results and make adjustments to your firewall and/or network settings and apply software patches wherever required for maximum defense. Closed ports are good - stealthed ports are better - but keep in mind that more often than not, security problems exist with the software and not with the ports through which they are granted access.
Just plain sense
- Examine your firewall and router logs frequently for suspicious incoming or outgoing traffic. If you suspect you are a victim of a hack attack, that someone did in fact compromise your system, go to www.fbi.gov for instructions on gathering proof and filing a report. Also look for changes on your hard drive such as unknown or changed files and folders and decreased hard drive space. Do not delete but rather quarantine anything suspicious mainly because you will need this information for evidence, but also because a file that looks suspicious is not always bad - it might be a critical system or program file that you need to restore.
- Keep current backups of all personal and system files. A backup can restore lost data in the event your system's security is compromised or your critical files become corrupt. Keep copies of everything you would need for both a simple restore (the replacement of just one or two damaged files) and a major restore (bringing your system back to its original state). And in the event of something very serious - like a hard drive crash or trojan damage - you should always be prepared to re-install your OS from scratch. This means not only keeping your installation CD for Windows in a safe place, but also the installation CDs for all of the other programs you have installed plus any personal files (address books, e-mail, documents, etc.) that will certainly be destroyed when you re-format a hard drive partition. If you back up your files to another hard drive partition for easy access, ideally you should also place copies onto external media such as a CD, Zip disk, or removable hard drive.
- What system files to back up? Daily backups of your registry files are recommended and you should keep at least 7 of the most recent copies. In addition, always create a backup before installing any new program or making any changes to your system settings.
For Windows 98 users - keep backup copies of Windows\System.dat and Windows\User.dat. If you are using User Profiles, you will also find a copy of User.dat under each Windows\Profiles\profilename. Simply copy these files to another location for safe keeping. If you need to restore these files, just boot to a command prompt and copy the files back to their original locations.
Since system files in Windows XP cannot be simply copied while they are in use, XP users should use System Restore to create restore points. (A shortcut is placed by default under System Tools in the Start Menu, or you can find it at %SystemRoot%\System32\restore\rstrui.exe.) In addition, we recommend a wonderful freeware utility called ERUNT (The Emergency Recovery Utility NT). ERUNT is a Registry Backup and Restore for Windows NT/2000/XP and will copy your critical system files in their original form to any location you specify. ERUNT will create a backup set which includes a utility for restoring the files to their original locations. To restore the registry from outside Windows, just copy the files back to their original locations.
- If you are selling your computer, thoroughly clean your hard drive. Deleting files and reformatting is not enough. Reformatting does not overwrite every sector, and private information can remain retrievable. Use a secure delete or disk wiping utility to overwrite every sector on all hard drives. Be sure to use a utility that supports the U.S. DoD standard of seven passes or wipes. While this method is good enough for most people, be aware that the only absolute way of destroying all traces of everything on your hard drives is to have these disks degaussed (demagnetized) and physically destroyed.