Saturday, October 6, 2012

Improving Security on Your Windows Box

Several years ago, I was reviewing my home router log out of curiosity.  I was surprised to see how many machines from every region of China and the rest of the world were attempting to break into my home network.  The number of malicious attempts can give you pause. Being of the mindset “you cannot be paranoid enough”, I have already been applying Microsoft’s and additional recommendations for secure computing practices since WinNT4 times. 

Here are a number of steps (most of them will cost you nothing, except time) that you can apply to your network firewall and Windows 7 PC or a Win2003/2008/2012 server to make them more secure. 

  • If you have not done so yet, educate yourself.  You can start here at Microsoft Safety & Security Center.
  • Run a good anti-virus service and keep it up to date!  I like Norton.  You can read AV reviews and decide for yourself.
  • Download and run Microsoft Baseline Security Analyzer.   Consider and apply recommendations, as long as they do not interfere with the way you intend to use your system.  Even if you do not apply all the recommendations, at least you will have a better idea what risks you are incurring by maintaining a larger profile for possible attacks.
  • Configure your extranet facing firewall to explicitly reject all inbound network traffic from IP ranges that should never have access to your LAN.  Here are some of my reasons:
      • I do not know and do not do business with anybody in China, or Brazil, or Egypt, etc.  Hence, I construe as malicious any attempts to access my LAN from systems in those parts.
      • You can use the free MaxMind geo-IP databases to work out the IP ranges of different parts of the world from which to reject traffic.  For individual lookups, I also use magic-net.
      • Here is a sample of some rejected Chinese IP ranges: 58.0.0.0-62.255.255.255,218.0.0.0-223.255.255.255,66.171.0.0-66.171.255.255,69.4.0.0-69.4.255.255,77.0.0.0-95.255.255.255,85.0.0.0-85.255.255.255,89.0.0.0-89.255.255.255,156.63.0.0-156.63.255.255
      • If you need to use Skype or other VoIP products to talk with people overseas, you can add Skype and other IPs to your firewall whitelist.
  • If your AV does not have its own firewall, configure Windows Firewall.  If it does, and it can be configured, add the same rejection rules as on the extranet firewall (see above).  Here you can also exclude specific systems or subnets that should not try to communicate with your box.
  • Here are examples of my Windows Firewall “deny” rules:

[Two screenshots of Windows Firewall “deny” rules]

  • Tighten down other inbound application ports.  For example, if you want to allow Samsung AllShare to only accept traffic when on your home network, then make sure that only rules for “private” network are present, and you can define ports and an IP range from your home network in the “scope”.  The same principle applies if you are hosting an enterprise WCF service that should only be called by some webMethods services from specific hosts or from a certain subnet.
  • You can use some free network scanning apps to make sure you do not have services listening on ports that you do not intend.  For home use, I have found Android Fing to be quite helpful.
  • Install Microsoft EMET.  If you get tricked into clicking on a link that leads to a malware site, or you visit a legitimate site that is compromised, it may prevent some exploits.  Just read http://m.computerworld.com/s/article/9231367/Update_Hackers_exploit_new_IE_zero_day_vulnerability to understand the background.
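
The range-based deny list from the firewall steps above, as an added example (not the author's own script): it parses the sample ranges from the post, merges entries already covered by a wider one, converts them to CIDR blocks and builds a single Windows Firewall block rule. The function names and the rule name are assumptions made for illustration.

```python
import ipaddress

# Sample ranges exactly as listed in the post (start-end pairs, comma separated).
PAGE_RANGES = ("58.0.0.0-62.255.255.255,218.0.0.0-223.255.255.255,"
               "66.171.0.0-66.171.255.255,69.4.0.0-69.4.255.255,"
               "77.0.0.0-95.255.255.255,85.0.0.0-85.255.255.255,"
               "89.0.0.0-89.255.255.255,156.63.0.0-156.63.255.255")

def parse_ranges(text):
    """Turn 'a-b,c-d' into sorted (start, end) integer pairs, validating each."""
    pairs = []
    for item in text.split(","):
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in item.split("-"))
        if lo > hi:
            raise ValueError(f"range runs backwards: {item}")
        pairs.append((lo, hi))
    return sorted(pairs)

def merge_ranges(pairs):
    """Collapse overlapping or adjacent ranges so no rule entry is redundant."""
    merged = []
    for lo, hi in pairs:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def to_cidrs(pairs):
    """Express each range as the minimal list of CIDR blocks."""
    blocks = []
    for lo, hi in pairs:
        blocks += ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    return blocks

def is_blocked(addr, blocks):
    """True if addr (e.g. a source IP from a router log) falls in a deny block."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in blocks)

def netsh_rule(blocks, name="Deny listed ranges (example)"):
    """Build one inbound block rule; the rule name is a made-up placeholder."""
    remote = ",".join(str(b) for b in blocks)
    return (f'netsh advfirewall firewall add rule name="{name}" '
            f"dir=in action=block remoteip={remote}")

if __name__ == "__main__":
    cidrs = to_cidrs(merge_ranges(parse_ranges(PAGE_RANGES)))
    print(len(cidrs), "CIDR blocks")
    print(netsh_rule(cidrs))
```

Two of the sample entries (85.x and 89.x) already sit inside 77.0.0.0-95.255.255.255, so merging leaves six ranges. Check the resulting blocks against current geo-IP data before applying them, since ranges this wide can also cover hosts that legitimately need to reach you.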

These steps will make your system “more secure”, but they will not help you against DDoS-style attacks, or prevent you from clicking on a link referencing a malware site.  Nevertheless, taking simple steps to make your systems more secure can save you or your customers good money or extra work dealing with the consequences.

Sunday, June 10, 2012

Azure IaaS

MS is officially moving into IaaS territory.  I just finished configuring firewall and intrusion detection on my Ubuntu v12 not long ago.  How fortuitous!  A C# Mono application that I wanted to host internally might just find a new home on an Azure VM.

Besides Ubuntu, Azure will allow hosting SUSE, as well as some other Linux flavors.

Sunday, April 1, 2012

ZXing C# port challenges

Since Windows Mobile 6.5 I have attempted to use the C# port branch of ZXing.  I was working on a basic barcode reading application on Win7, looking to move it to WinPhone.  Although I kept working through exceptions and issues with bitmap color mapping, slow performance and a high ratio of failed recognitions convinced me to set it aside for a while.  The performance difference between the Barcode reader on Android and its C# port also led me to believe the library would benefit from some serious refactoring.  I do intend to pick it back up when WinPhone hardware is capable of delivering comparable performance to Android without major changes to BarCode C# or my resorting to C++.