SSL Part 2: PC Lock Down
If you intend to run a personal secure web server, or just use your PC for surfing, it’s extremely important to lock it down and implement other security measures.
Although this write-up is for XP Home, the principles are similar for other versions of Windows. Do not rely on this write-up alone; I am bound to have missed something important. Search the Internet for more detailed information. It’s a continuous battle, hence do it regularly.
In reality, trying to secure any Windows machine is a nightmare; you are far better off using a Unix machine! Not what you want to hear! That said, they are faced with similar security issues. Running a secure server on a machine infested with other programs is a contradiction and should not be considered.
Scared? Well, you should be. Still want to run a secure personal web server on your Windows box? I do, using the most insecure version, Windows XP Home; OK, I have locked it down as best I can. I do not use a self-signed certificate; these are open to man-in-the-middle attacks, hence I use a reputable certificate authority. A signed certificate, like your personal data, is extremely valuable and must be protected. The following are very important security issues you need to consider:
Router with NAT
Use a router instead of ICS (Internet Connection Sharing); routers are faster, easier to configure, and more secure. This really is your first line of defense. Don't put your PC into a DMZ (demilitarised zone); use port forwarding and only forward the ports that you use.
If you are using some of the P2P services, consider the security implications. Check your router's manual and the Internet for lockdown scenarios. The following is a reasonable starting point:
- Enable any security features:
- Enable DoS Defence
- Disable P2P (eDonkey, FastTrack, Gnutella, BitTorrent)
- Consider settings in firewall, URL Content Filter etc.
- Consider Instant Messenger Applications Blocking
All routers are different; some or all of the above may be included. In most cases all that is required is a mouse click to enable these features.
Secure your wireless network
A wireless network (WLAN) is easy to set up, but the default security settings do require your attention. It takes a few extra minutes to configure security. The following is a must-do list to protect your wireless network:
- Secure your wireless router or access point administration interface
- Don't broadcast your SSID
- Enable WPA encryption instead of WEP
- Use MAC filtering for access control
- Reduce your WLAN transmitter power
- Disable remote administration
Your router firewall is an excellent line of defence; however, make sure you also have a software firewall.
XP comes with a built-in firewall (named ICF). It is not enabled by default (I believe this is still true), and it only filters incoming traffic; it does not restrict outbound connections. If you have no alternative, use it; it’s better than having nothing.
However, there are several third parties providing free personal firewalls, such as Zone Alarm (my personal preference). They are real firewalls designed to manage two-way traffic, hence avoid ICF.
One of the most important things for protecting your system is to use anti-virus software, and you must ensure that it is kept up to date. Avast (my personal preference) does an excellent job, as does Clam. Some commercial packages are resource hogs; these can reduce a perfectly good machine to a snail.
Disable Unnecessary Services
The following are services I disable on my XP Home machine; it's not a definitive list. Before disabling any service, check on the Internet that doing so will not cause you problems. However, disabling network services not required for your computer will protect you from undesirable connections. I have crudely prioritised these; two stars is the highest, and you don’t really want these running:
Access service control: Start > Control Panel > Administrative Tools > Services
Note: Right click on service name, select properties and then select disable
| Priority | Service | Notes |
|---|---|---|
| | Error Reporting Service | |
| * | Help and Support | |
| | Human Interface Device Access | |
| ** | NetMeeting Remote Desktop Sharing | |
| * | Network DDE DSM | |
| ** | Remote Desktop Help Session Manager | |
| ** | Routing & Remote Access | |
| * | SSDP Discovery Service (Manual) | Disables the Universal PNP Service, which leaves TCP Port 5000 open. |
| ** | TCP/IP NetBIOS Helper | |
| | Themes | Not a security risk, just a pain on a slow machine |
| ** | Universal Plug and Play Device Host | Allows your computer to automatically connect to network-enabled appliances. Not a good idea |
These are for other Windows versions and only intended to give you some idea what to search for on the Internet.
- * Telnet
- * IIS (not installed by default)
- * Remote Registry
Simple File Sharing
XP Home doesn't allow you to disable Simple File Sharing.
The best policy is not to use file sharing. If you must, make sure you set your shared folders to read-only and hide the file shares by using a $ sign after the folder name.
Simple File Sharing - Not XP-Home
If you are not operating behind a firewall, you should disable Simple File Sharing.
- From Windows Explorer go to Folder Options
- Select the View tab
- Go to Advanced Settings
- Clear the Use Simple File Sharing box
- Close Folder Options
Internet Connection Firewall (ICF)
If you are not using a real firewall (hardware or software) enable ICF (see note above).
To enable ICF, right-click an Internet connection in Network Connections, click Properties, click the Advanced tab, and then select the appropriate check box.
A must-visit site is Gibson Research; it's a no-holds-barred practical site. Take time to explore this site and make sure you implement any security recommendations that apply to you.
Scroll down the page to ShieldsUP! for a free Internet security check-up. Run all the tests, in particular the open port scan test.
Tip: Run all tests with no servers running (Uniform Server, mail server etc.); you are looking to achieve a perfect “TruStealth” rating. The “All Service Ports” scan produces a grid of green squares (indicating a pass); click on any red square and read the details and issues for that port.
Enable each of your servers in turn. Note that you will fail the “All Service Ports” test; that is expected. The only ports that fail should relate to the server you are running (Apache is port 80); any others are suspect, so check them out.
I promise this will be my last rant about security; I want you to enjoy and explore the possibilities of running your own secure web server safely. However, take a step back and ask yourself this question: do I have any personal data on this machine that I would not openly give to a stranger? If you do, take it off now and save it to a memory stick or whatever secure place you have. Ever asked the same question about the machine you regularly surf the Internet with?
The above was intended to make you seriously focus on security issues. I am not a security expert and cannot possibly cover everything you need to implement. However, the above provides you with some of the terms to search for on the Internet. The real message: it’s no good obtaining a signed certificate if it’s going to be compromised.
With your PC locked down, the next thing you require in order to obtain a signed certificate is a domain name. You can either register one with a registrar or take the cheaper option (free) covered on the next page.