Since TechRepublic is a community of IT professionals, I'm sure there are many ideas floating around about what steps to take when preparing a new PC for the Internet. What have we missed?
Do you have a standard procedure for preparing your PCs?
Not mentioning the FREE Microsoft AntiSpyware specifically is a significant omission, and step 1 should include a firewall, rather than mentioning it as an afterthought in step 4.
I wouldn't consider a router merely "another significant" layer; it should be considered an ESSENTIAL layer of protection.
Unfortunately, the last time I allowed AOL to be installed on a system, it created a VPN tunnel right through my router (with VPN pass-through as a feature), defeating that layer of protection. For the first time ever, the Norton Internet Security log was showing all kinds of port scans and hacking attempts that had never been able to get that far before.
While their VPN was protecting my AOL connection from outsiders, it was opening up my system to all the hackers from within the AOL community.
I don't know if AOL still does that (I haven't allowed it to be installed since v6 or 7), but that was enough reason to ban it from my system. I was only installing it for the trial period so I could help to support a client using it, but that client is on their own now!
It would not matter the order you install the AV and firewall as the computer is not connected to the internet until AFTER all ten steps are done.
I ALWAYS do the AV, then the spyware software. Then I RUN BOTH.
After the scans are done, then I reboot and continue very identical to that list.
After all updates and restore points are done, I defrag then reboot.
Then the FIRST thing I do after I am live, is to apply any MS updates.
Software firewall AND router are strongly recommended, with a clear understanding that the computer will be toast if they don't.
If they chose not to follow this advice, I have no problem six months later charging another $120 to wipe and reload the system.
I'd typically charge $200 to wipe and reload, assuming no wacky hardware issues that require major additional work because "someone" *cough*theclient*cough* lost all the driver installers. I'd charge by the hour if they wanted the system cleaned up without a nuke and pave treatment, which would sometimes end up costing more (depending on how badly they let the system get hosed and how much time I ended up needing to parse the registry by eye).
As much money as I made at that, I much preferred customers who just used a decent router/firewall appliance, plus less-vulnerable software (Firefox and Thunderbird instead of IE and OE, f'rinstance) and saved me the trouble.
Apotheon
I tire of the "corporate" dog-eat-dog computing environment and am considering a change. I am sure consulting would be just the opposite.
Question - in your $200 wipe/reload fee how much data preservation and application loading did you typically include? Did you get much push-back from the "I only paid $500 for the whole machine, I can't afford $200 for a reload" crowd?
thanks,
CL
I'd typically just copy everything on the hard drive to CDs or to another hard drive, nuke and pave, then either create a directory to move everything to from the backup on the other hard drive or just hand over the CDs. In either case, I'd say "Use this at your own risk. I recommend against it." I'd do that much only if I was feeling generous, basically. A nuke and pave is generally exactly what it sounds like: burn the village to save it. If your primary concern is data recovery, you'll have to pay for the time spent on cleaning up the data so that it's not a threat.
There have been times when I've told someone it's going to cost $200 to reload the OS with no data recovery, and was told pretty much exactly what you said: "It only cost me such-and-such to buy the computer in the first place!" At that point, the correct answer has always been "You could always just format and reinstall it yourself, or buy a new computer, then." I wasn't cruel about it: I'd offer advice, help 'em get a good deal (at a nominal profit to the consultancy), and so on. Frankly, though, if they wanted professional support, they'd have to realize that they'd be paying professional rates.
Plus, y'know, one or two times of this, and they suddenly start listening when I make recommendations about what sort of software to use, the importance of a router/firewall, and so on. I really did aim to help my clients save money, which is why they kept calling us -- but I couldn't justify just doing work for free, or at a massive discount, when that takes away from the time I could be using to do work that pays the bills.
Consulting's a pain in the butt, by the way, and one of the major reasons for that is that though it pays very well when it pays, it pays irregularly. I prefer a steady paycheck. It makes budgeting much, much easier. Plus, y'know, I've got a great job in a primarily Linux-based shop. I don't really have to deal with crap like spyware, adware, viruses, and so on. Even with the few Windows systems, I pretty much control the environment. My biggest support concern with the Windows systems is Microsoft screwing everything up with a broken patch.
Apotheon:
THANKS for the reply! I was afraid that would be the most frequent response "I only paid $400 for the whole @#$$%#$^ computer...". I do like your response very much, and will take liberties with it if I end up going that way. I'm an older geek and can probably deal with the fluctuation in income but would not enjoy getting beat about my rates every time I made a "house call". If not a long commute I would offer to "take it back to the shop" so as to not be sitting around watching counter-spy do its work.... that way would be able to do something else productive and keep the bill lower @ the same time.
thanks again!
CF
My thought was to download all desired programs and updates to a HDD. Copy them to CD's unopened. That would allow installing updated programs and patches before the new PC ever headed off to the wild side.
There exists a utility called 'WSUS Offline Update'. It was originally developed and published by the German PC magazine C'T, but recently it got its own web page:
www.wsusoffline.net
It allows you to collect OS and Office updates from the internet once, to be used later after Windows re-installation(s).
Even in case of the updates not having been brought up to the most recent level, the installation of the majority of available updates will make the retrieval of the few remaining ones by Windows Update a much, much safer event.
The steps mentioned in the article are very good, but apart from installing an anti-virus, anti-spyware and firewall, I go a step further and install SafeSystem, which is a security tool that perfectly complements my other security programs. This program doesn't need to know in advance which virus, worm, spyware or malicious code is trying to infect my computer; it simply doesn't allow any program to be installed or copied to my system while I'm surfing the Web or working with my computer.
I found SafeSystem at: http://www.gemiscorp.com/english/safesystem/info.html
Also, you can see a good PR about this program at: http://www.prweb.com/releases/2006/1/prweb339444.htm
IMPORTANT: I want to clarify that I don't have any direct or indirect relation with the company that owns the product I'm suggesting, so my posts shouldn't be considered SPAM.
Using a Sonicwall with content filter and AOL still lets one user, the owner, through to filtered sites/keywords.
What a nightmare, I try to isolate his machine as much as possible.
Hey he is the one paying for the fix
It seems to me that this should have been about PCs in general, and not Windows-specific. Sure, there's more that needs doing with a Windows system if you want a (somewhat) secure system than with a Linux system, but that doesn't mean you have to run Linux bare-assed.
why it was .01
that gives 99 more steps to hit 1.0
so we can even include distro centric securing areas.
With Windows Vista around the corner and Windows 2k being pushed out of the support cycle, the costs involved with the 'necessary' upgrades that a lot of organisations will be facing makes a look at Linux security in a business environment a worthwhile topic to investigate.
(That's what I think anyway)
I've had 3 different callers within the last 24 hours who, after loading the most recent version of Vista onto their machines. In all 3 cases, the resolve was a complete wipe and reinstall of the OS.
Put Linux on it. Then install VMware and run ANY preferred Windows on top of that, if you for some obscure reason MUST use native Windows.
So many novice PC users have norton/symantec installed with their PC "from new". The trouble is that such people tend not to pay the fees required to keep the anti-virus up to date. So what happens next is that these virus libraries become out of date AND...
And the worst is these novice users still think they are fully protected. They cannot/do not want to afford the prices for these products but think they are running in the background and protecting them.
Such pre-installed programs are the worst enemy of those trying to protect against viruses. They consume computer resources and are very bad protection against the latest viruses. You can easily argue it is these anti-virus programs that actually help new viruses propagate!
You suggest putting Adaware on the PC before going on the Net, but some antivirus programs are nailing Adaware for its activities and ability to provide information about you instead of protecting you. When my antivirus software identified Adaware as a problem, I tried to uninstall Adaware, but it wouldn't uninstall properly. That makes me distrust it even more. Before I ever use it again, I'd need to know that I can get rid of it if and when it causes problems, and I'd want to see some reviews that clarify whether it's really blocking spyware, or just stopping its own spyware competitors.
Make sure you're really using Lavasoft Ad-Aware, and not a counterfeit. There are literally hundreds of things named similarly to Ad-Aware that claim to do the same thing, trying to capitalize on the name, and the only one that isn't adware or spyware itself is the original Ad-Aware from Lavasoft.
Ad-Aware SE of Lavasoft Sweden at present is the free, uninstallable, correct version, free for home use!
As others have also added, the humbugs and fakes are numerous, also you need to check for new data files (def.ref), usually at least weekly!
It might not delete all problems, but it is a reliable proven tool!
John
from Hungary
Spybot Search & Destroy (also FREE) by Safer Networking make a perfect duo! Just make sure SbS&D's "Resident 'Tea Timer'" is on.
They both UNinstall quite cleanly.
I've used these two programs together for over five years and have found them to be extremely reliable. My computer(s) haven't been infected with anything without me knowing it and giving me the chance to take care of it IMMEDIATELY before losing data. And that has only happened a very small number of times. But, I'm a home user. I also practice "safe surfing" techniques, never use Outlook for mail and don't open ANYthing from someone I don't know (even through Y!).
I have been using these two free anti-spyware tools for at least three years now. As btljooz mentioned, they do complement each other perfectly.
They are both regularly mentioned and highly rated by various PC magazines and are completely safe to use. I have never had any problems uninstalling them.
Obviously, as with any programs, make sure you download the installers from the manufacturer's site or a reliable source. I always d/l Ad-Aware from Lavasoft directly.
I also use Kaspersky Anti-Virus; I find it's a lot more efficient and unobtrusive than Symantec or McAfee products. It will list some Ad-Aware files after a scan, but only to say they were password protected and it was unable to scan them. Don't confuse this with a positive virus detection; the files are perfectly safe.
I've installed AVG Anti-Virus Free, Lavasoft AD-Aware, Spybot S&D, and SpywareBlaster as a package on all the machines I've sold or repaired for almost 3 years now (well over 200). Not a one has become infected! I believe the page blocking abilities (immunization) of Spybot and SpywareBlaster contribute mostly to this. Had a customer bring in an old Win ME machine I worked 3 years ago yesterday that was slowing down. Not a single infection, pretty good testament to how well these programs work.
ccleaner (crap cleaner)
I found this little beauty one day whilst idly browsing the net. It removes the crap that Ad-Aware or Spybot don't catch.
It also has a startup menu editor and a very useful uninstaller service, much better than using add/remove programs.
www.ccleaner.com
the adaware is bad, it is spyware.
Ad-Aware from Lavasoft is not an issue and it is anti-spyware
Myself
1. I always make sure that my clients have a decent firewall on right away right after startup and before registration and before connecting to the internet and configure the firewall.
2. Install AVG antivirus. It is free and works better than Symantec.
3. Get the updates.
4. Get OS updates.
5. Advise the client on importance of making sure they regularly check for updates: AV, firewall, OS.
6. Train client on importance of not clicking on attachments from people they don't know, or have not advised them in advance that they are sending something other than message.
7. Inform them of d/l and the dangers involved.
8. Change from Outlook or Express to something less open like Thunderbird or Eudora.
9. Make sure the client knows how to do all updates and keep their computer secure and what could happen if they don't.
10. TELL THEM HOW MUCH IT WILL COST TO FIX IT AFTER THEY GET THE COMPUTER COMPROMISED $100 EACH TIME
Rather than simply advising the client on the importance of checking for updates, I schedule it to occur periodically, in addition to enabling auto-update wherever possible.
These are all scheduled to run late at night and "wake" the computer, assuming a broadband connection. The system is already configured to go back to sleep after 1 hour of inactivity.
Since I use Norton Internet Security for my clients, I create a scheduled LiveUpdate to occur weekly, just to get the non-critical updates that aren't automatically pushed.
I do the same for Windows Update (now Microsoft Update) and tell the client to click on "Custom" when they find Windows Update open in IE in the morning, and call me - if they have any questions about the results. If they use Office a lot, I also create a scheduled Office Update. Although it is now covered by MS Update, the Office Update doesn't even require the user to click a button to scan; the results are ready and waiting when they wake up the system in the morning.
I also schedule weekly scans for Spy Sweeper, CounterSpy (or MSAS), Spybot S&D and NAV and confirm that ScanDisk and Defrag are scheduled as needed according to their usage profile. Most of these anti-spyware products have an option to update automagically prior to a scan.
Of course I don't schedule these to occur all on the same night. A different item runs each night and if I have to double up, I separate their schedules appropriately, to avoid conflicts.
Hey ITSecurityGuy. Configuring scheduled scans and Automatic Updates wherever possible sounds like a really great way to protect naive and unsophisticated users before you allow them to connect to the Internet and to protect them afterwards. The devil is in the details.
I don't know about Norton Internet Security, but last I knew, Norton had not fixed the security problem that their Norton Antivirus AutoUpdate had to be run by an account with Administrator privileges. The Windows XP "run as" facility does not allow Norton Antivirus AutoUpdates. This means that an account with Administrator privileges must schedule the AutoUpdate and be logged into the computer when the update occurs. Essentially you must always be logged on as an Administrator to use the AutoUpdate feature.
Although Windows Updates may be mending their ways, I believe that this is also true for applying Windows AutoUpdates. Anyone can download them but to apply them you have to be a member of the Administrators group. I am not familiar with the privileges required by the other programs you are scheduling.
Security best practice says never run with more privileges than you absolutely have to have. The principle of least privileges puts one more layer of security between the latest unpatched exploit and full control of your computer. I wonder how secure it is to always leave an Administrator account available for the latest unpatched exploit, so that you can schedule automatic updates?
Of course, if you don't schedule automatic updates using an always logged on Admin account, and you always assign every user a non-Admin account for day to day use, then I'm sure that Granddad, Mom, the Kids and Joe Smallbusiness all know that on a daily basis they need to close all their apps and use Windows XP fast user switching to log into the renamed Administrator account with a strong password to get their Norton Anti-virus updates and apply all their Windows and Office Critical Updates, then log out of the Admin account before they go back to doing whatever they really wanted to be doing.
And if the updates require a reboot, I am sure they will remember to log back into the renamed Administrator account after the reboot to let the updates finish applying before they log back out of the Admin account and log back in to their non-Admin account so that they can go back to what they were trying to use the computer to accomplish.
In my opinion naive users, security and Windows shouldn't be used in the same sentence.
I agree with your concern, but you seem to have come back around to my unstated conclusion that limited user accounts are not practical for non-domain PCs, as implemented in XP. I look forward to Vista's improvements in this area.
You all know (of course) that AVG Free is free ONLY for personal and private use therefore installing it on a client's business computer is breaking the licensing agreement.
My standard procedure is to set it up so that it is not complicated to the user. Take away all those useless programs. Set up antivirus and let it roll.
I will do these things,
* install good antivirus
* install good spyware control program
* keep system free with good memory space and diskspace
* create a separate login for internet browsing
* make a copy of boot disk and OS disk (sometimes it is required)
* use a proper downloading manager
* use Opera browser
* configure email clients instead of webmails
i have to think about more points..
Is replace Microsoft Windows with a linux Distribution. Any linux Distribution will do, but for ease of use, and the GUI administration tools I suggest Mandriva or SuSE.
I think that step one is unrealistic for 98% of computer users.
Step 1. Should be purchase the computer from a knowledgeable computer store / VAR that does the service packs, critical updates, and anti-virus installation and updates before delivering the computer to the end user.
Step 2. Use a router for cable or ADSL Internet access. Turn off wireless or at least secure the wireless with WAP. Make sure your first connection to the Internet is via CAT5 network cable connected to the router. Ideally the router has real firewall protection and does not just rely simply on NAT to provide protection. I think that stateful packet inspection is essential though most routers only offer NAT protection.
Step 3. If the major brand computer company does not prepare the computer for using the Internet safely then basically follow the instructions from Mark Kaelin.
I would suggest that within 24 hours of accessing the Internet that the end user run a full virus scan (Norton, McAfee, TrendMicro), SpyBot scan and an Ad-aware scan. If the computer scans find any viruses then use the Windows XP or restore CDs to start over again. If the computer finds any serious malware then it should be scanned again within 24 hours to make sure that computer is now malware free.
As the owner and one of the techies that works on several new computers and numerous fresh installations of Windows every day, I believe that the most important thing is to have multiple backups of important documents, e-mail, and pictures onto CD-R, flash drive, external hard drive, tape backup, DVD-R. After all, a lot of viruses and malware come in the 5'10" variety which can strike within 12 minutes of accessing the Internet and almost always within 30 days of accessing the Internet even with MS critical updates and quality anti-virus protection.
I hope my opinions lead to further discussion.
use old images to set up the machines. So it's likely to be out of date in many respects when you plug it in.
Also I would never recommend subscription model av to a home user. They are too likely to let it lapse. AVG auto updates, so does Sygate for a software firewall.
AVG now auto updates the software itself as well as definitions.
Hostageware has no place for home users.
Microsoft is one of the richest companies in the world. Linux was put together by a bunch of amateurs. Am I the only one who sees an irony in this?
I've installed a couple of machines for clients, out of the box and unprotected. Then I ran intrusion testing on them and found.. nothing!
I'm amazed, simply amazed, that anybody who calls themselves a computer expert would advocate a solution that 1) costs more 2) doesn't come with lots and lots of applications (C, Perl, Open Office, MySQL, etc., etc., etc.) 3) is less efficient, 4) is less secure.
Given that the machines are crackable within minutes of getting it out of the box, how do you justify giving those machines to computer-illiterate customers?
...computer illiterate PC "techs" who know very little else.
I have multiple CNE\CNA quallies, a couple of MCSE quallies and am now going the Linux route. I have built several PCs (all SUSE) for friends who are very happy. They too see the irony that you mentioned above. And now that you can get a refund from DELL for the MS "tax" a Dell PC gets even cheaper - although all the machines I have done so far have been custom built by another shop for me. One couple who have a SUSE machine love the fact that they are running Linux. For a fairly computer illiterate couple they had heard of Linux and think that they are now cool in having it at home. They are not young - both in their fifties. Smashing
I run a mac/windows network through a Linux Server.
Anybody care to guess which platform causes 90% of the
problems?
Could you imagine people's reaction if, when buying a car,
you had to go through some 10-step procedure to ensure it
worked ok?
I am guessing that Microsoft is kind of betting the farm on
Vista to be their saviour from all this crap, good luck to
them.
Since my agency is part of a group of state agencies, our network is bogged down with viruses and worms from unprotected computers.
12 seconds after plugging a new computer into the network, the machine would instantly be infected.
I have placed all shared printers on print servers, and I have also disabled the Remote Registry, Server Service, Computer Browser service and installed Symantec Anti-virus before plugging into the network.
I always format the disc so that there is an operating system partition and a data partition, and teach users how to use it. Then I move the mail folders etc. onto the data partition.
I also try and get people to consider the Computer as a filing cabinet, with Windows explorer the means of finding stuff, and double clicking on files to open them - let the file determine the application.
That way I can back up the whole partition easily, and also restore the operating system without losing data. [which of course you have to do with windows periodically].
Agree 100%! Having one gigantic partition - especially with todays massive drives is just asking for problems, and is just plain lazy!
But I go even farther than that! I use Partition Magic and split into 4 partitions. Then I use Norton Ghost to copy the system and data partitions completely. Then I Use Partition Magic to HIDE the copies! making them effectively invisible to Windows.
This has saved my bacon more than once when a user has screwed something up, or when malware has taken its toll!
When people go on vacation, I do a complete servicing of their system to ensure that all patches have been applied, and that the machine is virus and malware free. Then I re-ghost the hidden copies.
I am pretty much a one man show and I just cannot afford the time to play around trying to figure out if malware has been truly completely removed! An ounce of prevention is worth sixteen tonnes of cure from where I sit. Barring an actual hard drive crash, I could have most users "up and running" in 30 minutes! They might have to pick up some pieces, but that is THEIR time - not mine!
And for some "mission critical" PCs (like the CEO and the Head of R&D) I actually do an additional ghost onto an external hard drive and then stash the drive - just in case! Hard drives are CHEAP - lost productivity is NOT!
And generally, we don't have problems - well not ones that have a lasting impact.
A couple of other things I do before commissioning a system:
1) Use SpinRite 6 to do a complete scan of the hard drive to make sure it is sound
2) Use RAMExam to do a comprehensive memory test
Years ago when I set up my first WinNT server, I had heard all the horror stories. When I did my research, it occurred to me that most people were not validating the hardware before deploying it! So I did just that. I tested EVERYTHING. Then I made sure I had all the correct drivers on disk BEFORE the install!
That installation AND deployment went off without a hitch, and took less than a day - and that server was rock solid. Only required reboot for MS Updates.
It is very easy to take pot-shots at Micro$haft, but often the problems can be traced back to flakey hardware! If you make sure the hardware is sound before deployment, then you take that variable out of the support equation. And that is a GOOD thing!
I partition my drive so my OS and programs are in a separate partition. This way the primary files are separated from the user's data. Then I Ghost the partition before I go on the Internet or give the PC to a user. This has saved my cookies more than once.
This is a good practise, and is commonplace and second nature anywhere else than in Windows.
Unfortunately Windows will try to create 'Documents and Settings' - including 'My Documents' and other personal stuff - on the C: drive at any given opportunity.
If the OS didn't come with a firewall then go to the Zone Labs website, for example, and get the free firewall downloaded, click & install, reboot into safe mode and installed first thing before anything else. Next is Antivirus. Then any updates that may exist for the OS. Then anti-spyware and anti-adware.
I sit on a corporate network, and services state is:
Disabled: 45
Automatic : 26
Manual: 24
Security apps services: 8
Most of those set to manual, could really be disabled.
All these services are a potential security risk, and ALL of them are switched on as default. It is really amazing just how much unneeded stuff is running on a PC.
In the network settings remove 'File and printer sharing for Microsoft networks'. Many people think this is needed for being on a MS network, but the explanation reads 'Allows other computers to access resources on your computer' - and that's exactly what it does.
Remove all unwanted protocols, and now we have dumped efficient NetWare for clumsy Windows, this normally means that you remove anything except IP.
Windows is a Swiss Army knife system, it has fair tools for everything, but not the real professional tools. Remove or disable EVERYTHING that you are not going to need, and your systems will run smoother and with fewer errors. Throw out excess luggage.
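The checks described in this post and in the earlier one about disabling Remote Registry, Server and Computer Browser before plugging in, written as an added example that is not any poster's own script. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 rather than the XP-era machines in the thread; the function names and the `-Apply` switch are hypothetical.

```powershell
#Requires -Version 5.1
# Added example, not from the thread. Function and parameter names are
# hypothetical. Run from an elevated prompt; nothing changes without -Apply.

function Get-ServiceStartModeTally {
    # The same kind of tally the post gives (Disabled / Automatic / Manual).
    Get-CimInstance -ClassName Win32_Service |
        Group-Object -Property StartMode |
        Sort-Object -Property Count -Descending |
        Select-Object -Property @{ n = 'StartMode'; e = { $_.Name } }, Count
}

function Test-PreNetworkBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Short names of Remote Registry, Server and Computer Browser.
        [string[]]$ServiceName = @('RemoteRegistry', 'LanmanServer', 'Browser'),
        # Report only unless this switch is given.
        [switch]$Apply
    )

    $report = @(foreach ($name in $ServiceName) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            # A service that is not installed cannot be reached over the network.
            [pscustomobject]@{ Kind = 'Service'; Item = $name
                               Setting = 'NotInstalled'; Compliant = $true }
            continue
        }
        $ok = ($svc.StartMode -eq 'Disabled') -and ($svc.State -ne 'Running')
        if (-not $ok -and $Apply -and
            $PSCmdlet.ShouldProcess($name, 'Stop and disable service')) {
            # -Force also stops any dependent services.
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
            $ok = ($svc.StartMode -eq 'Disabled') -and ($svc.State -ne 'Running')
        }
        [pscustomobject]@{ Kind = 'Service'; Item = $name
                           Setting = "$($svc.StartMode)/$($svc.State)"; Compliant = $ok }
    })

    # ms_server is the component ID of
    # "File and Printer Sharing for Microsoft Networks" on each adapter.
    $bindings = @(Get-NetAdapterBinding -ComponentID ms_server -ErrorAction SilentlyContinue)
    $report += @(foreach ($b in $bindings) {
        if ($b.Enabled -and $Apply -and
            $PSCmdlet.ShouldProcess($b.Name, 'Disable File and Printer Sharing binding')) {
            Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_server
            $b = Get-NetAdapterBinding -Name $b.Name -ComponentID ms_server
        }
        [pscustomobject]@{ Kind = 'Binding'; Item = $b.Name
                           Setting = $(if ($b.Enabled) { 'Enabled' } else { 'Disabled' })
                           Compliant = (-not $b.Enabled) }
    })

    $report
}

# Typical use:
#   Get-ServiceStartModeTally
#   Test-PreNetworkBaseline | Format-Table -AutoSize     # report only
#   Test-PreNetworkBaseline -Apply -WhatIf               # preview the changes
#   Test-PreNetworkBaseline -Apply                       # make them
```

Disabling the Server service also stops the machine from sharing its own files and printers, which is the intent of the post but will break a PC that is meant to act as a print or file host.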
I'd suggest inventorying it, perhaps with a comprehensive, free tool such as WinAudit, that records as much specific information, serial numbers, MAC addresses of NICs, serial numbers of drives, installed software versions and licenses, etc.
Going thru all the posts to date I see no mention about ROOTKIT prevention.
The worst kind of rootkit has the ability to take over a PC and place itself between the hardware and the operating system with all its anti-virus, anti-spyware tools you have mentioned.
It runs the operating system as a virtual machine so it has absolute control of the operating system and its applications.
To learn more about this vicious threat visit
en.wikipedia.org/wiki/Rootkit or do a search on Google.
Warning do not visit rootkit.com. Bad, bad news!
I had 13,000 plus malware files loaded onto my PC by interacting with this site. The Windows API could not see any of these files; only one of 3 rootkit scanners could find them.
Wikipedia gives details about rootkit scanners for both Windows and Linux.
Visit http://www.av-comparatives.org/ then click on the menu selection "Comparatives". Down near the bottom of the page you will find a PDF document called - Comparative of various protection tools "October 2006". This document contains a list of tools that deal with the shortcomings of the anti-virus and anti-spyware products, i.e. trying to block stealth rootkit infection attacks.
Two products that help with safer surfing are SiteAdvisor and Scandoo. There are a few others.
The product I favour most for browsing is Opera. It is less vulnerable than IE and Firefox.
Have your choice of alternate browser, anti-rootkit tool etc. on CD or flashdrive to load before you go online.
A good idea is to run a check on a site like secunia.com to see if any of the software that is loaded on to the new PC - before it goes online - has any unpatched vulnerabilities.
Don't bother to check IE.
A really good list to follow, but I'd advise to add another simple but important step to the list: To really be able to count on the router, one should change the default admin passwords of each and every connected network device, especially the router's.
I'd also add the suggestion of enabling DEP (Data Execution Prevention) for "all programs and services." By default, XPsp2 and Vista are configured in opt-in mode, wherein only certain Windows progs/services are typically covered by DEP. Enabling it for all programs affords far greater protection (namely if the processor supports NX/XD; all new processors will have this capability now).
I would rather format the machine, than uninstall unwanted crApps.
Ideally, after fully setting up the final gleaming PC, I would image it to another HD using the brilliant and free XXClone.
It would be great to know that down the line there's a dormant OS waiting to spring into life.
I make certain all programs are on a separate partition with the OS. After doing the necessary things to the configurations (per the article and all other tweaks)-- I make an image of my "perfect state"....
I have used Disk Imaging software from Acronis and it is quite a speed-up when you have to recover the system state instead of a whole new lengthy installation.
Moreover, you can have multiple states backed-up.
These are my procedures for new PCs re: account protection:
1- Rename ADMINISTRATOR account and, of course, assign a complicated password ( like: uad%tr64T )
2- Deactivate accounts like: SUPPORT, HELPASSISTANT and GUEST
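The two steps above as a script, added here as an example and not the poster's own procedure. It assumes PowerShell 5.1 with the LocalAccounts cmdlets (Windows 10 or later, not XP) and an elevated prompt; the function and parameter names are hypothetical, and it locates the built-in Administrator and Guest accounts by their fixed RIDs (500 and 501) so it still works after a rename.

```powershell
#Requires -Version 5.1
# Added example, not from the thread. Function and parameter names are
# hypothetical. Uses the Microsoft.PowerShell.LocalAccounts cmdlets and
# must be run from an elevated prompt. Supports -WhatIf and -Confirm.

function Set-LocalAccountBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # New name for the built-in administrator (local names max out at 20 chars).
        [Parameter(Mandatory = $true)]
        [ValidateLength(1, 20)]
        [string]$NewAdminName,

        # Helper/support accounts to disable, matched as wildcards. Guest is
        # found by RID below, so it does not need to be listed here.
        [string[]]$DisableLike = @('HelpAssistant', 'SUPPORT*'),

        # New administrator password; prompted for if omitted so that it
        # never appears in the script or in command history.
        [securestring]$AdminPassword
    )

    $users = @(Get-LocalUser)

    # Built-in accounts keep a fixed RID whatever they are called:
    # ...-500 is the administrator, ...-501 is the guest.
    $admin = $users | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }
    $guest = $users | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-501$' }

    if ($admin -and $admin.Name -ne $NewAdminName -and
        $PSCmdlet.ShouldProcess($admin.Name, "Rename to '$NewAdminName' and set password")) {
        if (-not $AdminPassword) {
            $AdminPassword = Read-Host -AsSecureString -Prompt 'New administrator password'
        }
        $admin | Set-LocalUser -Password $AdminPassword
        $admin | Rename-LocalUser -NewName $NewAdminName
    }

    # Guest plus any account whose name matches one of the wildcard patterns.
    $toDisable = @($guest) + @($users | Where-Object {
        $n = $_.Name
        @($DisableLike | Where-Object { $n -like $_ }).Count -gt 0
    })
    foreach ($u in $toDisable) {
        if ($u -and $u.Enabled -and
            $PSCmdlet.ShouldProcess($u.Name, 'Disable account')) {
            $u | Disable-LocalUser
        }
    }

    # Re-read the account database and report the resulting state.
    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            RID     = ($_.SID.Value -split '-')[-1]
            Enabled = $_.Enabled
        }
    }
}

# Typical use:
#   Set-LocalAccountBaseline -NewAdminName 'example-admin' -WhatIf   # preview
#   Set-LocalAccountBaseline -NewAdminName 'example-admin' | Format-Table
```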
In fact, I always run Belarc Advisor, which benchmarks XP or 2000 Pro versions according to CIS standards (http://www.cisecurity.org) and flags anything like this.
I also run Microsoft's free Baseline Security Analyzer, which will also flag SQL vulnerabilities. These are common when only the Desktop Engine is installed for something like Outlook 2000 with Business Contact Manager.
Remove 'everybody' everywhere, and change that to at least 'authenticated users'. Normally I put Domain Admins on top of the drives with full control, and domain users as 'change'. Individual folders are tailored by using GROUPS. Never ever assign rights to persons, or you will very quickly lose control ending in a complete mess.
Really though, Windows IS part of the problem. It would be quite nice if MS would actually make an attempt to secure it out of the box...jeez... 
/puts on flamewear
Steps to Secure a New Linux Box:
1. Install Debian (or another suitable "lean and mean" distribution) as a "minimal" install, with no software beyond the base system.
2. Install only the software you need.
3. Check your firewall configuration to ensure it's configured for your needs (since it's already running).
4. Ensure you use good passwords
5. Set up tripwire, chkrootkit, and any logging/monitoring you want to use.
6. Connect to the Internet only through a separate router/firewall.
7. Use your package manager to keep up to date on security patches.
8. There really isn't anything past 7 for most Linux systems. You could run AV if you want to help prevent the spread of Windows viruses, I suppose.
I myself am a Fedora person (for home use anyway)
Perhaps a business oriented distro comparison could be useful to the uninitiated, as well as a look at wine and other crossover projects (I don't know about the rest of you, but as System Admin, I don't get much of a say in what productivity software we use, and most of ours is poorly written garbage that is windows specific).
Gentoo - The other Slack meat
Slackware - A "roll your own" distro. Quite nice, but not for the faint of heart
Debian - Apo has sung its praises, but it is a good distro. With apt and ease with which you can move from a minimal install to exactly what you need is nice.
Red Hat - A good "all around" distro. While not good at any one thing, it is a jack of all trades.
SuSe - The root of all evil. Perhaps Novell will fix it?
Here's the short version of a rundown on some major Linux distributions (assuming that's what you were asking for), in alphabetical order:
Debian: My favorite Linux distro to date, it has the best CLI based software management available (which also means the most scriptable software management). This is a lean distribution: it allows for very minimal installs. Because of the excellent software management system (and the single largest repository of binary software packages available to any distribution), it is absurdly easy to configure exactly the way you want from an initial minimal install. Its stability is legendary, and an unfortunately well-kept secret of Debian is that you can also get more cutting-edge releases of it by using the Testing or Unstable versions, or even the Experimental versions, if you don't need the rock-solid unchanging workhorse stability of the Stable version. Of course, Testing and Unstable tend to be at least as stable as the "stable" releases of most other distributions, because Debian has the single largest community of any major distribution, and they test the livin' bejeebers outta the packages that go into its software repositories.
Fedora: This is the community-based spinoff of the Red Hat line. It's meant to be the cutting-edge testbed for Red Hat Linux technologies that, after sufficient testing, will end up in RHEL. It has a fairly strong community, and tends to be well supported (for a noncommercial distro) by commercial software vendors because they tend to default to Red Hat support first (the fools). It's a kitchen-sink distro, to the extent that the friggin' installer is a GUI system written in Python. Seriously.
Gentoo: This is a minimal distro that allows for very easy management of custom compilation. This makes for a very customizable system. It'd be awesome if it didn't take three friggin' days to upgrade KDE or GNOME because of all the recompilation that has to occur, and if it wasn't for the cloud of Ricers who hang out on the fringes of the Gentoo community giving it a bad name. (Of course, KDE and GNOME are huge bloated heaps of cruft that I tend to think should be avoided, but I know I'm in the minority on that one.)
Mandrake: The root of all Linux evil. No, that title doesn't belong to SuSE, no matter what jmgarvin says. At least SuSE has better manpages and a better software management system. This is a kitchen-sink distro with lots of clicky stuff. It includes a lot of distro-specific configuration utilities, which is typically a bad thing. It's RPM-based, with all that entails -- but the RPMs are not always compatible with the RPMs that work with the Red Hat distros.
OpenSUSE: This is the community version of SuSE, completely FLOSS-based. I don't know yet what it'll be like, but I tend to think it'll help to improve on the SLES base from which it is grown.
RHEL: Red Hat Enterprise Linux is sorta the canonical corporate Linux. It's a kitchen-sink distro with lots of clicky stuff. It's encumbered by expensive "mandatory" support licensing, which some businesses consider a good thing and others not.
Slackware: This is about as lean a distro as you can get. The only way you get leaner is with Linux From Scratch, which isn't a distro at all -- it's a set of instructions for building your own distro from nothing. Slackware's really meant to be managed with tarballs (compressed archives of source code) rather than with package management or source management, though it does have a binary package manager. Of course, the package manager sucks. If you're not interested in doing all your software management with only basic tools, you're probably better off using a different distro. Still, for those who find it to their liking, using Slackware can be very rewarding, and is about as "pure" a Linux experience as you'll get from a major distribution. It's also the oldest still existing distribution of Linux, older than Debian by about two months.
SLES: SuSE Linux Enterprise Server is to OpenSUSE as RHEL is to Fedora. Novell is taking some cues from Red Hat. Another kitchen-sink distro, this has one of the most comprehensive GUI software management tools available, and it works quite well. It's a little short on the ability to make it easy to find what you need when looking for something specific, but that's more a function of it being GUI based than any fault of Novell's/SuSE's. On the other hand, the fact that it lacks good CLI based software management is, indeed, Novell's/SuSE's fault.
Ubuntu: Here's an end-user kitchen sink distro based on Debian. It's not really compatible with Debian's software repositories any longer, and it has some very "protect the user from himself" configuration defaults about it, like the fact that it's impossible to actually log in as root under default configuration conditions (everything administrative is done by sudo). A lot of people like it quite a bit. I don't.
Okay, I thought this was going to be short. I skipped a bunch of distros that aren't quite as "major" as these for purposes of open source community impact, permanent install base (as opposed to LiveCD use), and so on. I hope I didn't forget something I should have included.
Gawd, M$ can't even get patches right though; you often get top-level patches to fix exploits in last month's Black Tuesday release.
Install modded Firefox w/ Flashblock, Adblock, and Adblock update. Install SpywareBlaster and Spybot with updated definitions from Jumpdrive. Cripple IE, or remove shortcuts entirely. Install modded version of hosts file from here:
http://www.mvps.org/winhelp2002/hosts.htm
Make hosts file "read only". Make DNS Client a manual service. Rename admin account, pass protect. Create multiple user accounts, all restricted without passes. Install VMware Player and configure browser. Install ZoneAlarm and AVG from preconfigured .bat file. Hand the customer a copy of Knoppix on disk. Sit back and relax.
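A defender-side check for the hosts-file step in the post above, as an added example that is not part of any post in this thread: it audits a blocklist-style hosts file for entries that point a name at a real address, for malformed lines, and for names that must stay reachable (such as update servers) but are blocked. The sample contents, the `example.test` names and all function names are constructed for illustration.

```python
import ipaddress
import os
import stat

SINKS = {"127.0.0.1", "0.0.0.0", "::1"}   # where a blocklist entry should point

# Constructed sample contents (not taken from the MVPS file).
SAMPLE = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   ads.example.test  tracker.example.test
0.0.0.0     banner.example.test   # inline comment
203.0.113.7 bank.example.test
127.0.0.1   update.example.test
not-an-ip   broken.example.test
lonelytoken
"""

def audit_hosts(text):
    """Return (blocked, suspicious, malformed) for hosts-file contents.

    blocked:    names mapped to a sink address (the blocklist doing its job)
    suspicious: (lineno, address, name) entries pointing a name at a real
                address, which is what a tampered hosts file looks like
    malformed:  (lineno, raw_line) entries that do not parse
    """
    blocked, suspicious, malformed = set(), [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if not fields:
            continue
        try:
            if len(fields) < 2:
                raise ValueError("address without a hostname")
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            malformed.append((lineno, raw))
            continue
        for name in (n.lower() for n in fields[1:]):
            if address not in SINKS:
                suspicious.append((lineno, address, name))
            elif name != "localhost":
                blocked.add(name)
    return blocked, suspicious, malformed

def blocked_required(blocked, required):
    """Names that must stay reachable (e.g. update servers) but are blocked."""
    return sorted(blocked & {r.lower() for r in required})

def is_read_only(path):
    """True if no write bit is set, i.e. the 'read only' step was applied."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
```
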
I could go along with most of this ... except ... If you cripple IE and the end users only have non-admin accounts, how do your clients keep patched via Windows/Microsoft Update?
Also, if you as an admin make the hosts file read only, hidden, and system, how is the non-admin user supposed to keep the host file updated?
I can appreciate your giving the user Knoppix on disk, but as you have just tightened down a Windows installation, what is the point?
I often use bootable Knoppix CDs to check out hardware that normally runs Windows. I don't think that anyone would argue that Knoppix does some of the best hardware detection of any Linux distro. And, Knoppix does come with Open Office for accessing MS files on the hard drive should the user choose to boot the Knoppix CD. But, by default Knoppix maps the hard drive partitions as Read Only. Any user who needs help tightening down Windows is going to be baffled by the procedure to remount a hard drive as Read Write in Knoppix. Without at least creating a swap partition on the hard drive and saving the user's Knoppix settings to disk, Knoppix would not be able to perform as well as Windows on the same hardware.
I think the point of this thread is to try to elucidate different strategies we as IT pros use to tighten down new Windows PC deployments.
I think we are in agreement that the current version of Windows cannot be made secure. One must choose between allowing the end user to be an Admin so that Windows and applications like Norton anti-virus can be kept up to date, or tightening the machine down as an admin then locking the end user out of updates by making users run as non-Admin.
From experience I know that if you give the end user an Admin account that is only supposed to be used for patches and updates, the user will end up running as Admin all the time.
When you deploy a new Windows XP machine you pick your poison: you tighten down the OS and deploy with the end user as Admin to allow updates but expose the Admin account to exploit, or tighten down the OS and deploy with end users as non-Admin, thereby preventing updates to keep your end users secure.
By crippling IE, I mean, quite simply, whitelist MS Updates, and none else. Delete all shortcuts, make the .exe read-only, and pass protect. I'm dealing with home users. In a corporate environment, updates may be disabled. Recently we've seen a rash of zero-day exploits, and allowing auto-updates may be the lesser of 2 evils. At least these can be safely undone.
Our sysadmin told me he didn't like Firefox, because it could disable Flashmedia, at the user's discretion. I'm not seeing a problem with this. Plain old HTML isn't flashy enough for him, I'm happy to block the crap.
My customers, especially those limited to dial-up, are thrilled with the performance boost. Bout time to leave the factory, and concentrate on my corporation.
I wish removing or crippling IE was the answer. You come across a whole lot of web sites which will respond properly only in IE. How do you accommodate such sites except for blaming the web designers who used quick fix software like FrontPage? I have come across sites of even large multinationals which appear terribly bad under Firefox. Half of the links simply don't function.
I deal with it by not using those websites. I have the luxury of doing so. I know there's a small percentage of people who really truly NEED to be able to access certain IE-only websites, and I feel for them. For my own purposes, however, it is perfectly acceptable to avoid IE-only websites for the express purpose of maintaining system security.
Let me start by saying that Firefox is a great product. IE comprises 89% of my visitors. Firefox - 7% and the rest goes to Safari and so on. While the web person should be checking compatibility, he has to be able to produce for the majority of his viewers. Until we get a true standard in browsers it will always be a problem. But then they will all be susceptible to the same attacks.
it's just that some browser designers haven't felt the need to follow it, coupled with the fact that doing so would break a very large percentage of sites.
Anyone who has dealt with viruses over the last 2 years will know NOT to enable system restore. Why? Because it is a nice B&B for that virus to hide after you thought you had got rid of it. Then on the next reboot, it's BACK again. Back up your information and wipe the disk; that is the best thing to do.
Hi I am an IT expert
and the best way to safeguard a computer is -------------take it up on the 200th floor of your building and throw it down.
Voila! Now you can easily connect to the internet.
Inform me about your experiences with this SOLUTION
Go into IE and turn OFF all active scripting. Scriptlets are the cause of most viruses on Windows. Turning OFF active scripting eliminates the threat much better than Anti-Virus software.
Some have argued that turning OFF all scripting in IE eliminates the need for Anti-Virus software.
I like the idea of making sure you have all the protection tools you need before taking your old system off-line.
How about making an image/backup of the system? Maybe just BEFORE connecting to the Internet.
If you can't do this, make a bootable disk/CD, have a copy of your OS, and any patches, available to install.
What's a "starter" CD-ROM? (I'm not an IT Techie, sorry.) It sounds like it's a handy way to "suck" the security applications, drivers and such from a presumably clean machine and swiftly get the machine set up after a reformat & OS reinstall.
How do I go about making one? I do have a concern though, is there not the risk of re-introducing whatever compromise the old load may have had???
for the software you want to put on and burn it to a CD/DVD on your old PC. That way you don't have to risk going on the web to download it.
According to research published by Sophos in July 2005, there is about a 50 percent chance that an unpatched PC will be infected with malicious software within 12 minutes of connecting to the Internet. Once infected, it is almost impossible to get a PC clean again.
BS - IF THIS IS TRUE NO PC WOULD WORK AT ALL 'CAUSE 100 PER CENT OF THEM WOULD BE COMPROMISED. BESIDES, WHEN YOU GET A PC AND HOOK IT TO THE INTERNET TO DO UPDATES, ESPECIALLY A FRESH COMPUTER, IT TAKES ABOUT AN HOUR TO DOWNLOAD JUST THE MICROSOFT UPDATES.
NOW WHAT NO ONE TALKS ABOUT IS THE INFECTED MACHINES SITTING IN STORES DIRECT FROM THE FACTORY THAT ALREADY HAVE VIRUSES ON THEM
MARK
Good informative article.
12 minutes until infection though seems a long infection time.
In 2004, I saw a fresh XP installation, minus firewall, infected in 4 minutes. It's likely to be much sooner than that now in many regions.
Don't mind to update your piece...
I also check for updates and create a restore point and move it to 100%. I love AVG anti-virus.