Saturday, October 6, 2012

Improving Security on Your Windows Box

Several years ago, I was reviewing my home router log out of curiosity.  I was surprised to see how many machines from every region of China and the rest of the world were attempting to break into my home network.  The number of malicious attempts can give you pause.  Being of the mindset “you cannot be paranoid enough”, I have been applying Microsoft’s recommendations, and others, for secure computing practices since the WinNT4 days.

Here are a number of steps (most of them will cost you nothing, except time) that you can apply to your network firewall and Windows 7 PC or a Win2003/2008/2012 server to make them more secure. 

  • If you have not done so yet, educate yourself.  You can start here at Microsoft Safety & Security Center.
  • Run a good anti-virus service and keep it up to date!  I like Norton.  You can read AV reviews and decide for yourself.
  • Download and run Microsoft Baseline Security Analyzer.  Consider and apply its recommendations, as long as they do not interfere with the way you intend to use your system.  Even if you do not apply all of them, you will at least have a better idea of the risks you incur by exposing a larger attack surface.
  • Configure your extranet facing firewall to explicitly reject all inbound network traffic from IP ranges that should never have access to your LAN.  Here are some of my reasons:
      • I do not know and do not do business with anybody in China, or Brazil, or Egypt, etc.  Hence, I construe any attempt to access my LAN from systems in those regions as malicious.
      • You can use the free MaxMind geo-IP databases to figure out the IP ranges of different parts of the world from which to reject traffic.  For individual lookups, I also use magic-net.
      • Here is a sample of some rejected Chinese IP ranges:,,,,,,,
      • If you need to use Skype or some VoIP product to talk with people overseas, you can add the Skype and other IPs to your firewall white list.
  • If your AV does not have its own firewall, configure Windows Firewall.  If it does, and it can be configured, add the same rejection rules as on the extranet firewall (see above).  Here you can also exclude specific systems or subnets that should not try to communicate with your box.
  • Here are examples of my Windows Firewall “deny” rules:
  • Tighten down other inbound application ports.  For example, if you want to allow Samsung AllShare to only accept traffic when on your home network, then make sure that only rules for “private” network are present, and you can define ports and an IP range from your home network in the “scope”.  The same principle applies if you are hosting an enterprise WCF service that should only be called by some webMethods services from specific hosts or from a certain subnet.
  • You can use some free network scanning apps to make sure you do not have services listening on ports that you do not intend.  For home use, I have found Android Fing to be quite helpful.
  • Install Microsoft EMET.  If you get tricked into clicking on a link that leads to a malware site, or you visit a legitimate site that has been compromised, it may prevent some exploits.  Read the EMET documentation first to understand how it works.
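The firewall steps above (an explicit inbound deny for untrusted address ranges, an application rule scoped to the “private” profile and the home subnet, and a check of what is actually listening) can be scripted rather than clicked through in the Windows Firewall console.  The following PowerShell is an added example, not code from the original post: it uses the NetSecurity cmdlets, which require Windows 8 / Server 2012 or later and an elevated session (the `netsh` line in the comments is the Windows 7 / Server 2008 equivalent).  The address ranges are RFC 5737 documentation placeholders standing in for the ranges you derive from the MaxMind data, the home LAN subnet and the TCP 8080 media-sharing port are assumptions, and the rule names are my own.

```powershell
# Added example (not from the original post). Creates an inbound "deny" rule for
# untrusted ranges, a scoped "private network only" allow rule, then reviews
# unscoped allow rules and live listeners. Needs Windows 8 / Server 2012+ and
# an elevated PowerShell. On Windows 7 / Server 2008 the deny rule equivalent is:
#   netsh advfirewall firewall add rule name="Deny-Inbound-Untrusted-Ranges" dir=in action=block remoteip=192.0.2.0/24,198.51.100.0/24
#Requires -RunAsAdministrator

# PLACEHOLDER ranges (RFC 5737 documentation space). Replace with the ranges you
# build from the MaxMind geo-IP database; the post's actual ranges are not reproduced here.
$untrustedRanges = @('192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24')

# ASSUMED home LAN subnet; adjust to your own.
$homeLan = '192.168.1.0/24'

# 1. Explicit inbound deny. Block rules take precedence over allow rules in Windows
#    Firewall, so this holds even if an application has opened a broad inbound allow.
$denyName = 'Deny-Inbound-Untrusted-Ranges'
if (Get-NetFirewallRule -DisplayName $denyName -ErrorAction SilentlyContinue) {
    # Idempotent: refresh the address list on the existing rule instead of duplicating it.
    Set-NetFirewallRule -DisplayName $denyName -RemoteAddress $untrustedRanges
} else {
    New-NetFirewallRule -DisplayName $denyName `
        -Direction Inbound -Action Block -Profile Any `
        -RemoteAddress $untrustedRanges `
        -Description 'Explicit reject of address ranges that should never reach this LAN' | Out-Null
}

# 2. Scoped allow: a media-sharing service (TCP 8080 is an ASSUMED port) accepts
#    connections only on the Private profile and only from the home subnet.
$allowName = 'Allow-MediaShare-HomeLan-Only'
if (-not (Get-NetFirewallRule -DisplayName $allowName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $allowName `
        -Direction Inbound -Action Allow -Profile Private `
        -Protocol TCP -LocalPort 8080 `
        -RemoteAddress $homeLan `
        -Description 'Media sharing reachable only from the home subnet on the private profile' | Out-Null
}

# 3. Review: list every enabled inbound Allow rule whose remote address scope is
#    "Any". These are the rules worth tightening with a port and IP range in "scope".
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -eq 'Any') {
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = $addr.RemoteAddress }
        }
    } | Sort-Object Rule | Format-Table -AutoSize

# 4. What is actually listening (the host-side counterpart of a Fing scan), with the
#    owning process so an unexpected listener can be traced back to a program.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort -Unique | Format-Table -AutoSize
```

Run it once after making firewall changes and compare the two tables: any allow rule still scoped to “Any”, or any listener you cannot attribute to a program you installed on purpose, is the next thing to tighten.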

These steps will make your system “more secure”, but they will not help you against DDoS-style attacks, or prevent you from clicking on a link that references a malware site.  Nevertheless, taking simple steps to make your systems more secure can save you or your customers real money, or the extra work of dealing with the consequences.
