Run a security analyzer to test your computer



last revision August 10, 2004

Suggestions to secure your Windows PC:
  1. Use strong passwords
  2. Install security patches
  3. Share files correctly
  4. Use anti-virus software
  5. Protect against email viruses
  6. Install PCLeland
  7. Minimize open network services
  8. Run a security analyzer
  9. Do regular backups
  10. Apply special Windows XP fixes

Stanford's Information Technology Systems and Services (ITSS) department has created a Security Self-Test Utility for Windows. Anyone who is connecting a Windows PC to the Earth Sciences network is required to download and run this tool, and then to correct any serious problems (red X marks) that it finds. This tool does very basic tests for such items as Administrator accounts with no passwords, open guest accounts, and whether you have Norton Anti-Virus installed and up-to-date. After running the basic test, which only takes a few seconds, you are encouraged to run the Full Password Check, which checks your account passwords against a list of about 3000 common passwords that are easily guessed. This check can take several minutes, but could save you from being hacked.

Microsoft has recently released a Baseline Security Analyzer tool to examine Windows NT, 2000, or XP computers for security vulnerabilities. It first checks that you have correctly installed all Windows security fixes. It then examines many of your specific system configurations, such as guest account status, file sharing status, non-existent or trivial account passwords, which network services are turned on, etc. It indicates which settings are potential security holes. In all cases, it offers complete explanations of the scanned items and how to fix the problems that are found. Run this after you have taken all the steps listed above to secure your computer. Request help via HelpSU from our desktop support consultant if you don't understand the recommendations. Users of Energy Resources Engineering department-supplied computers should consult Nick Petalas first before making any changes to the registry, services, accounts, or file shares.

You can also run a network scan of your Windows system to find out which ports and services are visible on the network and are thus potential points of attack for a hacker. Gibson Research Corporation provides a free testing service called ShieldsUp!. Start at http://grc.com and click on the ShieldsUp! link. When you get to the ShieldsUp! page, click on the Probe My Ports! button. This launches a network probe of your computer and displays results indicating which service ports are open and accepting connections. This can be useful to tell you, for example, that you may have a telnet or web server running on your PC.

Be cautious about implementing any of Gibson's recommendations for closing open ports. Some of his recommendations conflict with settings needed on the Stanford network. For example, he recommends removing NetBIOS over TCP/IP, which will prevent outside hackers from probing for insecure file shares. But this will make a computer that is tightly managed as part of the Windows domain, such as those in Energy Resources Engineering, completely unusable (you can't even log in). For stand-alone computers, disabling NetBIOS over TCP/IP will prevent you from accessing any campus file servers. Similarly, Gibson says that the IDENT service is unnecessary and should be blocked by a firewall. But at Stanford, this is the port used by PCLeland, which is essential. If you run this test on a Stanford computer and are concerned about the results, enter a HelpSU ticket to ask for recommendations from our desktop support consultant, or consult Nick Petalas if you are using an Energy Resources Engineering department-supplied computer.
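
As an added example (not part of the original page, and not code from Stanford or Gibson Research), the Python script below checks which of the services mentioned above are accepting TCP connections on your own machine and marks the ones this page says must stay open on the Stanford network. The port numbers are the standard assignments for telnet (23), web (80), IDENT (113) and the NetBIOS session service (139); the function names and the keep/review labels are assumptions made for illustration.

```python
import socket

# Services this page mentions, keyed by their standard TCP port.
# "keep"   = the page says Stanford needs it, do not close it on Gibson's advice.
# "review" = decide whether you really need this service running.
KNOWN = {
    23: ("telnet", "review"),
    80: ("web server", "review"),
    113: ("IDENT", "keep"),            # the port used by PCLeland
    139: ("NetBIOS session", "keep"),  # domain login and campus file servers
}


def probe_local(ports, host="127.0.0.1", timeout=0.5):
    """Return the sorted subset of `ports` that accept a TCP connection.

    `host` defaults to the loopback address so the check stays on this machine.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising an exception
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def triage(open_ports):
    """Map each open port to (service, action), in ascending port order.

    Ports the page does not discuss are labelled unknown and marked for review.
    """
    report = {}
    for port in sorted(open_ports):
        report[port] = KNOWN.get(port, ("unknown", "review"))
    return report


if __name__ == "__main__":
    for port, (service, action) in triage(probe_local(KNOWN)).items():
        print(f"{port:>5}  {service:<16} {action}")
```

Some Windows services listen only on the machine's network address rather than on loopback, so pass that address as `host` to check them; a local check also cannot show what a firewall hides from outside, which is what the ShieldsUp! probe reports.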
