Information Technology Systems and Services at Stanford
Secure Computing
Security Self-Test for Windows Help Page

Don't Panic!

If you came to this page because you ran the Security Self-Test utility and it discovered some problems, you should be able to find the information you need in order to address those problems somewhere below. There is information specific to the utility, covering its use and limitations, as well as links to security best-practices documents for different Windows platforms, which provide step-by-step instructions for securing your Windows PC based on the Self-Test utility's suggestions. If all else fails, there is also a link to the HelpSU web form, if you need help from ITSS technical support.

Note: If your computer belongs to a Windows domain, or if you have a local Windows system administrator, some of the advice below won't necessarily apply to you. If you have local computer support, you should talk first to your support technician before attempting any changes other than setting a strong password for your own Windows account, which is always important to do!

On this page:
Working with the Security Self-Test Tool
Help for Win9x/ME
Help for WinNT/2k/XP

Working with the Security Self-Test Tool

System Requirements for the Security Self-Test
Windows 95, 98, ME, NT 4.0, 2000, or XP. [This utility is not intended for use on servers.]

Downloading and Installing the Self-Test Utility
To download the Security Self-Test, go to the Security Self-Test home page.

When you start the download, your web browser will display a dialog box asking if you want to "Save" or to "Open" the Self-Test utility's installer. Choose the option to "Open" if you are given it: the installer will launch automatically and guide you through the installation process.

If you are given only the option to "Save," then save the installer to a convenient location, such as your computer's desktop. To begin the installation process, simply double-click the file that you saved.

Once the software is installed, an icon labeled "Security Self-Test" will appear on your desktop. You run the Security Self-Test by double-clicking its desktop icon. If you saved the installer file, you may now throw it away, or you can hold on to it if you want to use it later to remove the utility.

If you installed the utility into its default directory, you may also run it by going to your Start menu + Programs + Stanford + Security Test.

Removing the Self-Test Utility
There is no reason you should have to remove the utility - it does nothing unless you launch it and tell it either to look for new versions of itself on the network, or to "Run Security Tests" - but it's nonetheless easy to remove.

Use either the Windows Add/Remove Programs control panel, or if you preserved the Self-Test installer, run the installer again and choose "Remove."

How to Check for New Versions of the Utility
The Security Self-Test has the capability to check for new versions of itself on the network. The first time you use it, it will display a dialog box:

"This program can check the network for a newer version of itself when it is started. In order to do that, however, it must access the network. Would you like to check for program updates?"

If you respond "Yes," the utility will attempt to go on the network and look for an update. This process takes a few seconds, unless no network connection is present, in which case it might take a little longer. If there is no update available, or no network connection, the utility will open its main window.

If an update is available, you'll be given the option to go to the Security Self-Test's home page on the Secure Computing web site, in order to download the new version.

If you respond "No," the Self-Test's main window opens immediately.

Note also that there's a check-box in this "enable self-updating feature?" dialog box: "Don't ask me again (remember my choice)." If you click to place a check in that box, then the utility will assume that each time you run it, you want it either to look for updates or not, depending on whether you said "Yes" or "No" the first time.

You can always change your mind. The Self-Test's Preferences menu allows you to turn the auto-update feature on or off, as well as to "Check for Update Now."

Security Self-Test Help Button
The Security Self-Test's "Security Self-Test Help..." button launches your default web browser and takes you to this page.

Important Note on Privacy
The Security Self-Test utility is a simple, self-contained tool that performs a set of basic security checks appropriate to the kind of computer you run it on. The tool is non-intrusive, sends absolutely no information about your computer over the network, and is provided as an educational aid in your efforts to keep your computer more secure.

The utility has been carefully designed to do nothing unless you tell it to. It will not access the network unless you give it permission, it will not scan your computer until you click its "Run Security Tests" button, and it will save none of its test results without your explicit request.

Under only one circumstance will the utility access the network to which your computer is attached: you instruct it to check for an update to itself. If it finds one, and you choose to update, it will launch your default web browser to handle the download of the new software. If you click the utility's "Security Self-Test Help..." button, it will also launch your default web browser. In both of these latter cases, it is the web browser, not the utility, which goes on the network.

Printing and Saving Reports
Once you have run the security tests, you can save the results in the form of a report, either printed to your Windows default printer, or saved as a text file. Use either the "Print Report" and "Save Report" buttons in the utility's main window, or the appropriate commands under its File menu.

One good way to make use of the Security Self-Test's report is to send a copy by e-mail to your local technical support person. Use the "Copy Report to Clipboard" command in the utility's File menu, then open a new message window in your e-mail program and paste the copied report into the body of the message.

Help for Win9x/ME

Windows 95, 98, and ME were never designed with security in mind. Like many other operating systems developed for personal computers in the late 1970s and after (such as DOS, or the Macintosh "Classic" operating system), they assume each PC has a single user who controls physical access to the machine by keeping it in a locked office. The locked door is pretty much all the security you need. Thus most of the operating system security issues that are so very significant for Windows NT, 2000, and XP simply aren't part of the picture for Windows 95, 98, or ME.

Notable exceptions to this rule are computer virus protection and Internet Explorer. It's as important to maintain good virus protection software for Windows 98 as it is for Windows 2000. It's always a good idea to keep Internet Explorer up-to-date, whatever platform you're running it on.

The only other significant security measure you can take for Windows 95, 98, or ME is to disable file and printer sharing. If you don't need these services, they should always be turned off.

The Security Self-Test checks to see whether you have Norton AntiVirus installed, and whether it's up-to-date; it also checks to see if Internet Explorer is a secure version; and it will tell you if file or printer sharing is enabled.

To be sure Windows and Internet Explorer are up-to-date, you should visit the Microsoft Windows Update page. But if you're running Windows on older hardware, it might not be a good idea to upgrade to the latest version of Internet Explorer. Stick with version 5.5, but be sure you've applied all available security patches.

Green Checkmarks, Yellow Circles, Red X's
For all tests, once you run them, the Self-Test utility displays either a green checkmark, a yellow circle, or a red X. The green checkmark means no problem was found. The red X means a potentially serious problem was found, and you should try to take corrective action. A yellow circle is somewhere in the middle.

Each heading below corresponds to one of the tests in the Self-Test utility's main window.

Norton AntiVirus
One of the most important steps you can take to secure your computer is to install and use a good virus protection program. Stanford has a site-license for one of the better products on the market, Norton AntiVirus, and you are entitled to install it on all of your computers. Virus protection software has to be maintained regularly, and Norton makes that easy. You should schedule full virus scans periodically on all of your hard drives.

For more information go to the Essential Stanford Software web site, where you can download Norton AntiVirus and get information about how to configure it for Windows.

File and Printer Sharing
These network services allow you to share files with other computer users (using Network Neighborhood), or to share a printer that's attached directly to your PC. It is not possible to secure these services for Windows 95, 98, or ME, so unless you absolutely must use them, you should disable them.

Go to your Network Control Panel (Start menu + Settings + Control Panel), in which you'll find a button labeled "File and Printer Sharing..." Click the button, which opens a new dialog box, then click to remove the checkmarks from both check-boxes. Click "OK," then "OK" again to close the Network control panel. You must restart your computer for this change to take effect.

Internet Explorer Version
Internet Explorer is an integral component of the Windows operating system, and has long been a target for various hacker exploits. Keeping Internet Explorer up-to-date is as important as keeping Windows itself up-to-date, and fortunately you only have to visit one web site to update both of them.

http://windowsupdate.microsoft.com/

If you're running Windows on older hardware, however, it might not be a good idea to upgrade to the latest version of Internet Explorer. Stick with version 5.5, but be sure you've applied all available security patches.

PC-Leland
PC-Leland is a Stanford-specific software package that provides secure authentication, for access to university computing resources that are restricted for Stanford affiliates' exclusive use - such as Stanford electronic mail, some electronic journals and databases on the Library's web site, and so forth - as well as the ability to store and share files very easily on the Leland system.

For more information go to the PC-Leland web site.

Personal Web Services
Desktop computers should not be running Web servers of any sort, IIS or otherwise. Web servers are the most frequently exploited systems on the Internet, and they represent a huge security risk.

If you must use IIS, keeping it secure is a full-time job, requiring constant vigilance - but this is true of any web server. You don't want to run it on Windows 95 or 98, anyhow.

For more information on IIS, visit the Microsoft IIS Community Center. To learn how to disable personal Web services, see the appropriate best-practices document.

Help for WinNT/2k/XP

The security tests for Windows NT, 2000, and XP concern themselves with the most significant vulnerabilities found in default installations of Windows platforms.

If the Security Self-Test finds no problems, that does not mean that your computer is perfectly secure. And if it does find a few problems, depending on their nature and severity, that doesn't necessarily mean that your computer is insecure.

Some tests are more important than others; and the ordering from top to bottom of the tests in the utility's main window runs approximately from most to least serious. More specific information is below.

After setting a good password, and keeping your antivirus software properly configured and up-to-date, probably the single most important security measure you can take is to visit the Microsoft Windows Update page on a regular basis, to check for security patches and other fixes both for Windows and Internet Explorer. The Self-Test utility isn't able to test whether or not your system has been patched to a current level. It's up to you to go to the Windows Update site.

Green Checkmarks, Yellow Circles, Red X's
For most tests, once you run them, the Self-Test utility displays either a green checkmark, a yellow circle, or a red X. The green checkmark means no problem was found. The red X means a potentially serious problem was found, and you should try to take corrective action. A yellow circle is somewhat equivocal, and has varying significance depending on which test has displayed it, and other circumstances. See below for specific discussions.

Advanced Tests
The Self-Test Tool for Windows NT, 2000, and XP includes an "advanced" section, which you can see by clicking on the View menu either before or after you run the basic tests.

Because of the complexity of the issues involved, ITSS cannot provide technical support for "advanced" tests, which are intended for expert users of Windows.

Here's specific information on each of the tests in the Self-Test utility's main window:

Windows XP Home Edition

This test will only appear if you are running Windows XP Home Edition.

If you use your PC to conduct Stanford business, even if it's a home computer that isn't connected directly to the Stanford network, you are strongly encouraged not to use Windows XP Home Edition, because it cannot be made as secure as XP Professional.

Here are some specific concerns (though not all of these will necessarily apply to you):

    • XP Home cannot join a Windows domain, so centralized administration is not possible. Without centralized administration, security-related group policies and templates cannot be applied.
    • XP Home does not allow users to encrypt files.
    • XP Home only supports "Simple File Sharing." To access an XP machine's resources over the network, a user must access the insecure Guest account, which cannot be disabled as it can for Windows XP Professional.
    • In the default configuration of XP Home, all users are granted Administrator privileges, and are not required to set any password.
    • XP Home doesn't support Remote Desktop, which can be very useful for sharing files and other resources between home and office, though its use also increases one's exposure to security threats from the Internet. (The use of Remote Desktop isn't recommended, unless you really need it.)
    • XP Home doesn't support multiple languages. While this is not a security problem, it limits XP Home's usefulness to some people.

    Consider upgrading to Windows XP Professional. An upgrade license isn't too expensive if purchased through a departmental requisition. For more information go to Stanford's Procurement web site.

    Password Security

    Choosing strong, hard-to-guess passwords for all of your computer accounts is extremely important. The Self-Test utility is only concerned with the various Windows user accounts on the computer on which it is run. It has nothing to say about other computer accounts you may have, such as your SUNet ID.

    The Password Security test in the Self-Test's main window is very limited: it checks only user accounts that have Administrator privileges (see "Privileged User Accounts" below for further explanations), and then it only looks for "blank" or "null" passwords. In other words, it only looks for privileged accounts for which no password at all has been set. If it finds any such accounts, it will list them as having "no password set" in the utility's message pane, and display a red X for this test.

    It is critically important that you set strong passwords for all user accounts, especially for user accounts with Administrator privileges!

    If this test finds a problem, it is imperative that you take action as soon as possible. For specific help with choosing and setting passwords, click on one of these links. You can then use your web browser's "back" button to return to this page.

    How to Choose a Strong Password

    How to Set Your Password

    You are strongly encouraged also to use the Self-Test utility's Full Password Check, if that test is available to you (see next entry).

    Full Password Check

    Since the main window's Password Security test is so limited, the Self-Test utility also provides a "Full Password Check," a completely separate and much more thorough test.

    Note: The Full Password Check will not always be available. If you can run this test, a button labeled "Full Password Check" will appear in the utility's main window after you click "Run Security Tests." If you are logged in to Windows as an ordinary user, or if there is an account lock-out policy set on your computer, you cannot run the Full Password Check, so its button will not appear.

    How it works: The Full Password Check is not a real password "cracker" but rather a password "guesser." It makes no attempt to decipher any user passwords on your computer, which are stored in an encrypted form. It simply tries to log in to one or more user accounts by working its way through a dictionary of common passwords. Password "guessing" is usually how hackers break in. Many people use very common passwords, often without realizing they are doing so.

    How to use it: To run the Full Password Check, click the button in the utility's main window. A new window will open and present you with a number of options.

    To begin with, in the "Options" box you should select either "Administrators" (only user accounts in the Administrator group are tested) or "All Users". Then you must select at least one account to be tested. To select multiple accounts, hold down your shift or control key while clicking. To select all displayed user accounts, use the button provided. There is also a button to deselect all displayed user accounts.

    Then, also in the "Options" box, you should choose whether you want the Full Password Check to use the smaller dictionary of more than 800 common passwords, or the larger one containing over 3000 common passwords, in its attempts at password guessing.

    Warning: On some computers the Full Password Check will run quite slowly, and - depending on the options you select, as well as the number of accounts being tested - it could take hours or even days to finish. If this test runs too slowly to suit you, you can always click "Cancel" to stop it immediately.

    Having made your selections, click the "Run Password Check" button to start the test.

    There is a counter at the bottom of the Full Password Check window, which shows you how the test is progressing. As soon as the test discovers a weak password, it displays a warning, and continues on to the next account to be tested, if there is one.

    If any of the user accounts on your computer have weak passwords, it is very important that you change them. See the information above, under "Password Security."

    Privileged User Accounts

    A "yellow circle" rather than a "green checkmark" for this test isn't something to worry about, but it is something to think about. Please read on...

    Computer operating systems designed to accommodate multiple users have long depended on the concept of user privilege. Most users are quite limited in what they can do, and are only permitted access to those computing resources they need for particular tasks. Only a very few users are permitted to have complete control over the entire operating system, because such privilege brings with it great responsibility. An administrative user has the power to make or break the entire system.

    With the advent of personal computers, the assumption no longer held that computing power was always a scarce and expensive resource that could only be cost-effective if shared by many users. People who gained their first exposure to computers as small, personal desktop machines never learned to think about privileged access - beyond, perhaps, keeping the computer in a locked office.

    Windows NT, and the other Windows operating systems that it spawned, have returned to a multiple-user model, and the concept of privileged access is once again important. An Administrator account on a Windows NT, 2000 or XP computer has complete control over the operating system.

    So long as you're careful about what you do, it generally doesn't matter that, as an Administrator, you have sufficient privileges to wreck your computer. The potential for trouble arises when an interloper gains access to your computer through your account: they also assume your administrative privileges, and then have full control over your operating system.

    While that interloper could be a person who physically walks up to your computer when you've left your desk without locking your screen, it's much likelier to be a computer virus or other malicious program that uses administrative privileges to wreak havoc on your machine, and spread to other systems.

    If you inadvertently open a virus program, for example, while logged in as an Administrator, that virus has a much easier time making trouble for you (and probably others as well). If you're logged in as a non-privileged user, the risk of system compromise is much smaller.

    In an ideal world, Windows users would only log in as an Administrator when system-wide privileges were required for a particular task. Unfortunately, as is so often the case, reality is different from theory. You may be using software that requires Administrator privileges to run. Or you may need to install or update software, which requires privileged access. It is a hassle to keep logging in and out with different user accounts, just to perform routine maintenance on your own PC.

    Windows 2000 and XP do permit users who are logged in without Administrator privileges to become Administrator temporarily in order to run a specific program. Hold down the shift key while right-clicking an application, select "Run as..." and then supply an Administrator password. But this trick will seem a little complicated to many people.

    So consider using an account in the "Power Users" group, rather than "Administrators" group, for your usual activities, if it's possible for you to do so.

    For more information, please see the appropriate section of the Windows best-practices document specific to your operating system.

    Guest Account

    The Windows Guest account is used to provide temporary anonymous access to a computer's resources, typically over a network, and it has limited privileges.

    The Guest account in Windows NT 4.0, 2000 and XP Professional is disabled by default, because it poses a significant security risk in a networked environment; the Guest account in Windows XP Home Edition cannot be disabled - and this is one of the main reasons XP Home should be avoided.

    If you use XP Home, then set a good password for your Guest account.

    You'll find instructions for disabling the Guest account in the appropriate Windows best-practices document.

    Norton AntiVirus

    One of the most important steps you can take to secure your computer is to install and use a good virus protection program. Stanford has a site-license for one of the better products on the market, Norton AntiVirus, and you are entitled to install it on all of your computers.

    Virus protection software has to be maintained, and requires regular updating. Norton AntiVirus makes it easy to automate these updates. You should periodically schedule a full virus scan on all of your hard drives.

    For more information go to the Essential Stanford Software web site, where you can download Norton AntiVirus and find details on configuring it for Windows.

    Internet Explorer Version

    Internet Explorer is an integral component of the Windows operating system, and has long been a target for various hacker exploits. Keeping Internet Explorer up-to-date is as important as keeping Windows itself up-to-date, and fortunately you only have to visit one web site to update both of them:

    http://windowsupdate.microsoft.com

    Be a frequent visitor to the Windows Update site!

    Note that on some Windows systems, updates are automated. If your computer tells you a Windows update is available, you should go ahead and install it.

    Also note: If you're running Windows on older hardware, with limited memory, it might not be a good idea to upgrade to the latest version of Internet Explorer. Stick with version 5.5, but be sure you've applied all available security patches.

    PC-Leland

    PC-Leland is a Stanford-specific software package that provides secure authentication, for access to university computing resources that are restricted for Stanford affiliates' exclusive use - such as Stanford electronic mail, some electronic journals and databases on the Library's web site, and so forth - as well as the ability to store and share files very easily on the Leland system.

    For more information go to the PC-Leland web site. You might also want to consult the appropriate best-practices document.

    Internet Information Server

    Desktop computers should not be running Web servers of any sort, IIS or otherwise. Web servers are the most frequently exploited systems on the Internet, and they represent a huge security risk.

    If you must use IIS, keeping it secure is a full-time job, requiring constant vigilance - but this is true of any web server.

    For more information on IIS, visit the Microsoft IIS Community Center. To learn how to disable services, see the appropriate best-practices document.

    * File Sharing

    This test is only available in the "advanced" view.

    The File Sharing test only checks whether or not your hard drive has been formatted with NTFS (New Technology File System, first introduced with Windows NT) instead of FAT (File Allocation Table). NTFS permits you a great deal more control over users' access privileges for specific files and folders.

    Anyone with a DOS boot diskette can walk up to a PC formatted with FAT and read everything on the drive that isn't encrypted.

    If you choose to convert your drive from FAT to NTFS, first make a complete back-up of all user data.

    * Domain Membership

    This test is only available in the "advanced" view.

    Membership in a centrally managed Windows domain lessens the burden on individual users to maintain their computers' security. Some Schools and other groups at Stanford already have well-established domains, and there is an effort underway to provide the advantages of domain membership to a broader segment of the university community.

    For more information go to the Stanford Windows Infrastructure web site.

    * Services

    This test is only available in the "advanced" view.

    If your computer is part of a Windows domain or workgroup, or if you have a local Windows system administrator, you should talk to your support technician before making any changes to your Windows services. Services that are clearly unnecessary or dangerous in some environments might be required in others.

    Note that the Services test will never display a green checkmark, yellow circle, or red X.


    If disabling a service causes problems, simply enable it again. For instructions on configuring services see the appropriate best-practices document.

    * Logon Settings

    This test is only available in the "advanced" view.

    Auto-logon permits a user to log in to Windows without manually entering a password. If you always have physical control of your PC, this isn't necessarily a terrible thing; but with auto-logon enabled, anyone with physical access can get right into your Windows account. Worse still, the password for an account with auto-logon enabled may be saved in the Windows registry in an unencrypted form. If the Self-Test finds your password in the registry, it will alert you to this fact, and tell you how to fix the problem.

    It's very easy to enable auto-logon in Windows 2000. You can also do it in Windows XP, but you have to work a little harder.

    You are strongly encouraged not to use auto-logon. To learn how to disable this feature, see the appropriate best-practices document.

    * Restrict Anonymous Logon

    This test is only available in the "advanced" view.

    The "restrict anonymous" registry setting controls whether or not an anonymous user can connect to your PC and get a complete list of all the user accounts that are on it. Once a hacker knows all your user account names, it's that much easier to start trying to break in.

    You are strongly encouraged to set "restrict anonymous" to "2," or at least to "1." For instructions see the appropriate best-practices document.
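
An added example, not the Self-Test utility's own code: a Python auditor that reads the text of a registry export (.reg format) and reports on the two settings discussed under "Logon Settings" and "Restrict Anonymous Logon". The key paths and the value names AutoAdminLogon, DefaultPassword and RestrictAnonymous are the standard Windows locations rather than names given on this page; the ok/warn/fail grading is an assumption modelled on the checkmark, circle and X described above, and the sample export is constructed.

```python
import re

# Registry locations of the two settings (real Windows keys; matched case-insensitively).
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Constructed sample export, not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="labuser"
"DefaultPassword"="constructed-example"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode(data):
    """Convert the right-hand side of a .reg value line to a Python value."""
    if data.lower().startswith("dword:"):
        try:
            return int(data[6:], 16)
        except ValueError:
            return None
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
    return data  # hex(...) and other types are kept as raw text


def parse_reg_export(text):
    """Return {key path: {value name: value}}, with names lower-cased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            path = m.group(1).lower()
            # "[-HKEY_...]" marks a key deletion, not data; skip its values.
            current = None if path.startswith("-") else keys.setdefault(path, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = _decode(m.group(2))
    return keys


def audit(text):
    """Return [(severity, test, message)]; severity is 'ok', 'warn' or 'fail'."""
    keys = parse_reg_export(text)
    findings = []

    winlogon = keys.get(WINLOGON, {})
    auto_logon = str(winlogon.get("autoadminlogon", "0")).strip() == "1"
    # Only test for presence; the stored password is never copied into a message.
    if winlogon.get("defaultpassword"):
        findings.append(("fail", "Logon Settings",
                         "a logon password is stored unencrypted (DefaultPassword)"))
    elif auto_logon:
        findings.append(("warn", "Logon Settings", "auto-logon is enabled"))
    else:
        findings.append(("ok", "Logon Settings", "auto-logon is not enabled"))

    level = keys.get(LSA, {}).get("restrictanonymous")
    if level == 2:
        findings.append(("ok", "Restrict Anonymous Logon", "set to 2"))
    elif level == 1:
        findings.append(("warn", "Restrict Anonymous Logon", "set to 1; 2 is stricter"))
    else:
        findings.append(("fail", "Restrict Anonymous Logon",
                         "not set to 1 or 2; anonymous users may list accounts"))
    return findings


if __name__ == "__main__":
    for severity, test, message in audit(SAMPLE_EXPORT):
        print(f"[{severity:4}] {test}: {message}")
```

Exports written in the "Version 5.00" format are UTF-16 files, so decode the file to text before passing it to `audit`.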

    Last modified Thursday, 17-Apr-2003 13:12:24 PDT

    © 2003, Stanford University. All rights reserved.