Wednesday, November 11, 2009

Use Least Privileges Policies Basic to In-depth Home Computer Security Guide Page 9

Use Least Privileges Policies

Another area that should not be overlooked among your client defenses is the privileges assigned to users under normal operation. I would recommend adopting a policy that provides the fewest privileges possible to help minimize the impact of malware that relies on exploiting user privileges when it executes. Such a policy is especially important for users who typically have local administrative privileges. Consider removing such privileges for daily operations, and instead using the RunAs command to launch the required administration tools when necessary.

For example, a user who needs to install an application that requires administrator Privileges could run the following setup command at a command prompt to launch the setup program with appropriate privileges:

runas /user:mydomain\admin "setup.exe"

You can also access this feature directly from Microsoft Windows Explorer by performing the following steps:

To run a program with administrative privileges

1. In Windows Explorer, select the program or tool you want to open (such as a Microsoft Management Console (MMC) snap-in or Control Panel).

2. Right-click the program or tool and select Run As.

Note: If Run As does not appear as an option, press and hold the SHIFT key while you right-click the tool.

3. In the Run As dialog box, select The following user: option.

4. In the User name and Password boxes, type the user name and password for the administrator account you want to use.

Operating System Security

* Operating System is the important program that runs on the computer. It performs basic tasks like recognizing the input from the key board, controlling various files and directories in the hard disk and also various peripheral devices like printers, scanners etc.

* It will control the programs in such a way that they do not interfere with each other.

* It is responsible for securing the system by not allowing the unauthorized users to access the system.

Need for Securing the Operating System

The security of the operating system running on various PCs and servers plays an important role in the security of the network as a whole. Not updating one system in the network may effect the security of the other systems in the network. Today we have a highly sophisticated operating system with lots of features, but it may be vulnerable if they are not administered, configured and monitored properly. Sometimes updating the operating system with latest patches may lead to interoperability issues with other operating system. Hence proper care should be taken while updating the operating system.

Countermeasures for Securing the Operating System

* Activate a password for the screen saver so that when ever the operations are not active it will lock the computer automatically after particular period of time.

o In Windows, to activate a password for a screen saver, go to Settings-->Control Panel-->Display--> click Screensaver Tab. Under screen saver section, check the box on resume password protect click apply and click ok to close the window.

* Always use a strong password for your operating system to protect the system from unauthorized users.
o A strong password should be at least eight characters in length and the password should be a combination uppercase, lowercase, numerical and special characters. The password should not contain the words that are in dictionary:

An example of a good password is Th!5iS@g0odP4s5wD

* Turn off file sharing in the computer when there is no need to access files in that system.

§In windows, to turn off file sharing right click on the directory which we no longer want to share and click sharing and security. Under Network sharing and security section uncheck the option “Share this folder” on network.

* Make sure that the firewall is ON so that it prevents unauthorized users access to your system.

§In Windows to turn on the firewall, go to start-->settings-->control panel-->Windows firewall-->select the option on (recommended) and click ok to close the window.

* Delete the softwares and features of operating system which are not in use.

§To add or remove software in Windows, go to start-->settings-->control panel-->select add or remove programs. In that particular window, under change or remove programs section, select the software which is to be removed and click remove.

* Disable the default guest account so that it makes the unauthorized users harder to gain access to the system.

§In Windows to disable the guest account, go to Start-->Run-->Type nusrmgr.msc and click ok. Now a window opens showing the users and groups directory. Double click user directory and in the right pane. Right click guest account and click on properties. Under general tab, check the box “Account is disabled”.

* Use an updated Antivirus software to protect operating system from virus. Check for latest virus updates daily to keep the software up-to-date. This helps in detecting viruses that may try to affect your system.

* Update the operating system with the latest patches mainly with critical security updates for the operating system.

* To update windows operating system, open the Internet Explorer browser window and go to “tools” and click “windows update”.

* Backup critical data which will be helpful in case of operating system failure.

§To take entire information of the system backup, in Windows go to Start-->Programs-->Accessories-->System tools-->Backup. A wizard opens to assist you in backing up the system. Click on next --> select option backup files and settings and click Next-->select the appropriate option depending on the requirement and click Next-->Specify the name and place where to store backup and click next-->click finish to start taking backup of the desired data.

* In an organization, before planning to install a service pack in all the systems first install it in a test system. Since installing a service pack may cover a large range of functionality. Once the service pack is tested and everything is working normally it should be deployed in to the other systems.

* A normal user should be provided with least privileges which do not disturb his normal working.

o To create a user account with limited privileges in windows, go to Start-- >Settings-->Control panel-->User accounts. In the users accounts window, click the option create a new account. In the next window, type the user name and click Next-->Choose the option Limited as account type and click “Create account”. Then a user account with limited user privileges is created.

·User accounts should set their passwords according to the defined security policies.

§In windows to check predefined password policy settings, click Start-->run and type ¡§secpol.msc¡¨. In the right pane of the window, double click account policies and in the expanded list double click on the password policies. Then, in the right pane we find a list of settings regarding password policy.

·Administrators should be careful while configuring the privileges for an employee of the organization.

·Services and security polices should be reviewed daily.

·While using windows operating system, make sure that the file system used is NTFS, which is more secure. Also set the PC to not display the previously logged in user in log on dialog box which can be seen by pressing “Ctrl + Alt +Del” at start up to login.

Restrict Unauthorized Applications

If an application is providing a service to the network, such as Microsoft Instant Messenger or a Web service, it could, in theory, become a target for a malware attack. As part of your antivirus solution, you may wish to consider producing a list of authorized applications for the organization. Attempts to install an unauthorized application on any of your client computers could expose all of them and the data they contain to a greater risk of malware attacks.

If you wish to restrict unauthorized applications, you can use Windows Group Policy to restrict users' ability to run unauthorized software. How to use Group Policy has already been extensively documented, you will find detailed information about it at the Windows Server 2003 Group Policy Technology Center on at:

The specific area of Group Policy that handles this feature is called the Software Restriction Policy, which you can access through the standard Group Policy MMC snapin. The following figure displays a Group Policy MMC screen showing the path to where you can set Software Restriction Policies for both your computers and users:

Figure:10 The path to the Software Restriction Policies folders in the Group Policy MMC snap-in

To access this snap-in directly from a Windows XP client, complete the following steps:

1. Click Start and then Run.

2. Type secpol.msc, then click OK.

A detailed explanation of all the setting possibilities is beyond the scope of this guide.
However, the article "Using Software Restriction Policies to Protect Against Unauthorized Software" on TechNet at:

will provide you with step-by-step guidance on using this powerful feature of the Windows XP Professional operating system.

Warning: Group Policy is an extremely powerful technology that requires careful configuration and a detailed understanding to implement successfully. Do not attempt
to change these settings directly until you are confident you are familiar with the policy
settings and have tested the results on a non-production system.

Make a boot/ERD disk and keep it current

A boot disk allows the user to boot from a diskette instead of the hard drive. This can prove useful in accessing the system in the event of either a security incident or hard disk failure. It must be done before an incident requiring its use arises. In Windows 9x :

• Go to Start\Settings\Control Panel\Add or Remove programs.

• In Add or Remove Programs window, click on the tab Startup Disk, click on tab create

Some versions of Windows, e.g. Windows NT, Windows 2000 and Windows XP can use the emergency repair procedure to fix problems that may be preventing the computer from starting. However, using the emergency repair procedure to fix the system generally requires an existing Emergency Repair Disk (ERD). This disk should be regularly updated and stored in a safe place.

An ERD is created differently depending on the version of Windows. The Backup utility in both Windows 2000 and Windows XP is used to create an ERD; while in Windows NT the “rdisk /s” command is used.

As a general practice, the ERD should be made immediately after the installation of operating system. And should be updated whenever any security update is applied or any configuration of operating system is being changed.

Install and keep up-to-date Antivirus Software

Anti Virus software look at the contents of each file, search for specific patterns that match a profile – called a virus signature – of something known to be harmful. For each file that matches a signature, the anti-virus program typically provides several options on how to respond, such as removing the offending patterns or destroying the file.

Viruses can reach the computer in many different ways, through floppy disks, CD-ROMS, email, web sites, and downloaded files. It needs to be checked for viruses each time before using any of them. Anti-virus program do these automatically, if configured properly. Anti-virus vendors provides regular update for these virus signatures, because everyday many new viruses are discovered and released, making the system prone to virus attacks and without an antivirus update, antivirus is ineffective against such attacks.

The anti-virus software should include features such as the automatic updating of its virus definition files, scanning and cleaning of both incoming and outgoing email messages, script blocking and real-time anti-virus protection.

Installing an anti-virus program and keeping it up-to-date is among the best defenses for home computer and offers the effective protection against computer viruses.

These programs can detect, remove, and block viruses from infecting your computer here is the list of Antivirus tools download and install them and always be secure below mentioned:

These are some of the freeware & shareware antivirus software available on internet :

Windows Platform Antivirus:

Macintosh Platform Antivirus:


No comments:

Post a Comment

You Have Successfully Posted the Message.