
The Windows Security Nightmare 969

latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."
  • Heh not me. (Score:3, Interesting)

    by grub ( 11606 ) <slashdot@grub.net> on Monday May 17, 2004 @02:37PM (#9175446) Homepage Journal

    This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP

    I took the extreme opposite approach: I don't help family or friends with their Windows problems if they've asked me for advice and gone against it. (as written about in my journal [slashdot.org] last March.)
  • How to stay alive (Score:1, Interesting)

    by Anonymous Coward on Monday May 17, 2004 @02:37PM (#9175449)
    All it takes is to issue "shutdown -a" and the 60-second shutdown screen disappears. You can then finish downloading patches.
  • by Anonymous Coward on Monday May 17, 2004 @02:37PM (#9175455)
    Microsoft should send an XP SP2 CD-ROM to everyone that has registered Windows XP. After the user installs and visits some web site, they enter into a Microsoft award contest. 100 random users that install XP SP2 receive a 50.000$ award each. I guess everyone would upgrade if they could receive an award.

    Small price for Microsoft, great effect on security.
  • by thewldisntenuff ( 778302 ) on Monday May 17, 2004 @02:41PM (#9175515) Homepage
    I think the biggest problem in making an update cd or instructions on how to update their computer is not getting the right programs together - it's getting them to properly use and learn how to be on top of security issues.

    Case in point-
    I return home for the semester break, and my sister's pc is riddled with spyware, malware, you name it. The thing is no longer functional, so I had to format the hard drive, yadda yadda yadda...I gave her a full lesson, and made sure she knew exactly what to do. Yet a month later, the computer was back in the crapper again...She stated that she lost all of the programs she liked when I fixed her computer-

    That's the problem...Unless I boot linux and pull the internet from the back of the machine, her pc will never be secure...No matter how many times you teach/tell someone about computers and online security, for most noobs or non-users, it just doesn't seem to click...

    As far as issues with Windows Update...Best bet is to download from someone else's high-speed pc. I had a similar incident with SoBIG and a reinstallation of XP.
  • i use windows (Score:4, Interesting)

    by takitus ( 733922 ) on Monday May 17, 2004 @02:41PM (#9175516)
    and have a hardware firewall, run ie and outlook express and have never had a problem. it can almost always be chalked up to not knowing how to operate things properly. i have made similar cds that are all automated. i used to sell them around the time the blaster worm came out on the side of the streets outside best buy etc for $20 a piece. made a few grand off that. best buy was charging $80 for the same thing that my cd did =). either way... windows is only as safe as you make it. the only thing required to keep viruses from getting in a windows box is running the patches, and even that isn't that necessary if you have a firewall. all of the rest of the viruses are contracted through user error. poo!
  • Re:Use the Firewall (Score:5, Interesting)

    by jdreed1024 ( 443938 ) on Monday May 17, 2004 @02:41PM (#9175520)
    People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.

    Too bad the firewall software loads *last* in the startup sequence, leaving a gaping hole of anywhere from 20 seconds to two minutes (on a slow machine) when your machine is on the net and unprotected. And during the height of worm activity, that's *more than enough* time to get infected.

  • Re:Use the Firewall (Score:2, Interesting)

    by Neil Blender ( 555885 ) <neilblender@gmail.com> on Monday May 17, 2004 @02:42PM (#9175535)
    My wife has a laptop that she hardly ever uses. 90% of it is used for Quicken. Once in a while, she will buy a cd or book online. She does not receive email in any form on this computer and never has. Our home network is behind a netscreen 5 with everything blocked. There are no other windows machines in our house. A few weeks back, I went to use her laptop and the thing was absolutely infested with spyware. So, here is an example of being behind a firewall, hardly ever using the computer and spybot is telling me there are something like 50 different spyware apps on it.
  • by ohad_l ( 683421 ) <lutzky AT gmail DOT com> on Monday May 17, 2004 @02:44PM (#9175566) Homepage
    That's what Mandrake Linux, for example, does (I'm sure many other *nix distributions do as well). Once installation is finished, a small component goes online and downloads all important patches which were made available since the CD it's sitting on was burnt. This makes sense to me from a security standpoint - it should be far easier to secure a single program with independent network code, than a fully up-and-running system.
  • Re:Burn a cd? (Score:5, Interesting)

    by dicepackage ( 526497 ) * <dicepackageNO@SPAMgmail.com> on Monday May 17, 2004 @02:44PM (#9175568) Homepage
    I have found that a cheap USB key drive is a great way to keep all of the necessary patches in one place that can be re-written fast.
  • Re:Use the Firewall (Score:5, Interesting)

    by Sean80 ( 567340 ) on Monday May 17, 2004 @02:45PM (#9175579)
    I still don't get it sometimes when people say this. I would only feel comfortable making this sort of statement based on some evidence. Not a troll or anything, but has anybody ever seen any evidence which indicates what majority of the PC-using community understand what a "firewall" means, and, if they do, how to turn it on when they receive their brand-spanking new PC from Dell?

    If that number turned out to be unusually low, perhaps the key is to really shove this sort of education down people's throats. How? I don't know. A series of ads on TV? Not likely. Get it into the headlines? Not likely. So I'm just not sure how this could be done.

    One thing's for sure, my mom wouldn't know what a firewall is, nor how to turn it on, and I shudder at the thought of trying to explain it. Honestly.

  • by Halvard ( 102061 ) on Monday May 17, 2004 @02:49PM (#9175625)

    That's what the "Teddy Bears of Doom" are/were all about. They were the people that beat up the programmers for buggy code. They were immortalized as one of the four random faces in the Windows 3.1 Easter Egg (I believe Gates, Ballmer, I forget but I think it was the project manager who left after a 1 year cycling sabbatical, and the Teddy Bear).

  • by hal2814 ( 725639 ) on Monday May 17, 2004 @02:52PM (#9175673)
    ...and she has never run into a problem that SpyBot can't fix (aside from the occasional reboot when game software goes haywire).

    I run Linux and have been hacked once about three years ago (back when I had a cable modem connection). The only reason I knew they hacked me was when I noticed an extra user with several p0rn media files in their home directory. It has gotten me into the habit of patching Linux regularly and being much more strict on my firewall rules.

    I think the only real difference between Linux and Windows from a security standpoint is that in Linux you can usually turn off the offending service much more easily until a patch is available.
  • Re:Service Pack 2? (Score:1, Interesting)

    by Anonymous Coward on Monday May 17, 2004 @02:55PM (#9175703)
    "Isn't that the same SP2 that's scheduled for release this summer?"

    Nope, he's actually trying to patch Windows 2000, currently at SP4, although judging by the rest of the article - and the half-baked conclusions - I wouldn't be surprised if he had no idea what he was talking about.
  • by Jesus_666 ( 702802 ) on Monday May 17, 2004 @02:55PM (#9175705)
    As a matter of fact the only way to get a working XP is by installing it, connecting to the 'net from behind a NAT router, downloading and executing/installing XP Antispy, a virus scanner and an HTTP filter, fixing a few Registry settings by hand and configuring the system not to use any of the stupid new "features", effectively turning it into Windows 2000. Do not attempt to do this without a NAT router, except if you like to reboot every 60 seconds.
    Then you can connect to MS Update and try to get your updates (which probably requires disabling the HTTP filter and some of Antispy's settings).

    Seriously, Windows XP takes about a day to set up so you can start installing any programs besides what's absolutely required.
    One thing I learned when I switched to Linux - it's actually faster and easier to set up. Says someone who thinks of himself as a Windows poweruser...

    Of course this does not apply to Debian Woody, Slackware, Gentoo and RedHat. (RedHat pretends to be user friendly, but the installer tries to trick innocent Windows emigrants into destroying their MBR. To Win emigrants (if there are any besides me): Don't believe the anaconda propaganda! RedHat/Fedora can boot from /, even if it's not within the first 1024 sectors! anaconda tells you otherwise because it hates you!)
  • by GraWil ( 571101 ) on Monday May 17, 2004 @02:56PM (#9175722)
    To all those who are replying with, 'duh, unplug the network cable.' How many times have you tried to lead your computer using mom, grandma, sister, brother through this? It just doesn't work in my family. NB: my mom is a physicist. Microsoft windows is used by the masses, not just tech savvy slashdot users.
  • by erikharrison ( 633719 ) on Monday May 17, 2004 @02:57PM (#9175723)
    I've been working tech support for an ISP for years, and this guy's fundamental conclusion is correct - Joe User can't keep his system secure - he just can't. And Joe Sysadmin has a damn hard time of it himself.

    The amount of "repair" functionality inside of MS products is a huge sign that users and developers are sick of the reinstall cycle, but that the OS design makes it very difficult to fix. Internet Explorer, Outlook Express, Office all have "repair my installation" tools built in, XP and ME have System Restore.

    I have watched users get the Sasser virus, run system restore, have system restore break the XP firewall, cause a port lockdown, resolve the port lockdown so they can run windows update, only to become reinfected with the sasser. Maintenance of Windows is hard, OS reinstall is easy. OEMs aren't value adding to the OS by providing solid maintenance tools, they're providing restore disks, because writing such a maintenance tool is INCREDIBLY difficult.

    I understand MS's need to stay committed to this design, at least through Longhorn and its revs. But as long as you are, MS, please give us a non network dependent tool for maintaining and distributing patches and updates. Let OEMs and (in my case) ISPs ship critical fixes on CD so that we can help our users. Make System Restore a fine grained tool, where I can back up critical system files and DLLs, as well as the registry. Don't force me to go to a third party for a "registry cleaner". Provide me with the OS for the tools that I need and that vendors need to maintain the OS.
  • by dameron ( 307970 ) on Monday May 17, 2004 @02:59PM (#9175756)
    Here's a possible solution I was discussing not twenty minutes ago.

    1) add private network ip address (10.0.1.1) to existing public server

    2) do no NAT or other routing on this ip

    3) have squid running on 10.0.1.1 to accept connections from a handful of addresses in 10.0.1.x or do proxy authentication

    4) when installing/updating/troubleshooting windows boxes assign them a 10.0.1.x address and set windowsupdate to use the proxy

    Windows update runs, the machine is on its own tiny network isolated from all legit traffic and can't compromise your network, plus it can't be infected from outside as it's safe behind the proxy. When you feel it's safe (you've got all patches, firewall, etc configured) restart with DHCP and get an address on your "real" network.

    Or you could roll your own installation cd with the correct service packs and security updates included, but why fix a software problem with software...?

    -dameron
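
    The server side of the isolated patch network described above, as an added example that is not dameron's own configuration: a squid.conf that listens only on the private 10.0.1.1 address from the post, accepts only clients from 10.0.1.0/24, and lets them reach only the Windows Update hosts. The directive names are real squid ones; the ACL names, the cache path and size, and the list of update hostnames are this example's assumptions (check the hostnames against what your Windows version actually contacts).

```conf
# Listen on the private alias only, never on the public interface.
http_port 10.0.1.1:3128

# Clients allowed to use the proxy: the staging subnet from the post.
acl patchnet src 10.0.1.0/24

# Destinations the rebuild boxes are allowed to reach (assumed names; the
# leading dot matches every subdomain).
acl msupdate dstdomain .windowsupdate.com .windowsupdate.microsoft.com .download.microsoft.com .microsoft.com

# Standard port hygiene: plain HTTP, and CONNECT only for HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Staging clients may fetch updates, and nothing else.
http_access allow patchnet msupdate
# Anything from outside 10.0.1.x, or to any other host, is refused.
http_access deny all

# Keep fetched packages so the next rebuild reads them from disk
# (path and 4 GB size are this example's choice; tune to the server).
cache_dir ufs /var/spool/squid 4096 16 256
maximum_object_size 300 MB
```

    A useful side effect of the final `deny all` is that every refused request is written to squid's access.log. A freshly installed box that tries to reach anything other than the update hosts before it has finished patching is a strong sign it was infected before it got behind the proxy, so that log is worth reading before the machine is moved to the "real" network.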

  • Re:Use the Firewall (Score:1, Interesting)

    by 19thNervousBreakdown ( 768619 ) <davec-slashdot&lepertheory,net> on Monday May 17, 2004 @03:00PM (#9175780) Homepage

    I do ISP tech support, and end up asking about a firewall on about 25% of my calls. Of the people I ask, around 10% actually have any idea whatsoever what a firewall is.

    Just off the cuff statistics, but they're probably pretty close to reality.

  • by maximilln ( 654768 ) on Monday May 17, 2004 @03:03PM (#9175810) Homepage Journal
    -----
    If the registry or the filesystem gets bloated because of malfunctioning application uninstallers, how is that MS' fault?
    -----
    The registry was a bad idea from the start. The registry may have been designed and implemented for storage of specific useful information which would contribute to interoperability between applications but it doesn't take a brain surgeon to look ahead and see that every screen saver, toolbar, and "neat app" author would start filling the registry full of excess junk keys that mean nothing to the rest of the system. Additionally there are more than a few ways to hijack .dlls using the registry, Back Orifice, Sub7, and NetBus come to mind.

    That is why I blame MS for the registry. It would be a good idea if the user was consulted for every new key added. That can't be done because the user can't be bothered. Unfettered, unrestricted application access to a housekeeping system with as much clout as the registry should plain not be possible. Since it's impossible to secure the registry the registry never should have been implemented.

    KDE and Gnome are following the same path to h-e-double-toothpicks.
  • Re:Use the Firewall (Score:2, Interesting)

    by Marc Desrochers ( 606563 ) on Monday May 17, 2004 @03:05PM (#9175849)
    This is not a perfect solution but it does greatly reduce the risk of infection:

    I only rebuild a WinBox behind some kind of NAT. At least I don't have to worry too much about being nailed by a worm before the updates are done.

  • by Quarters ( 18322 ) on Monday May 17, 2004 @03:06PM (#9175862)
    The author installed a bunch of 30 day trial software that borked his system. He then chose a registry cleaner without doing much research on them and ended up using a pretty poor one. Then he complains because his machine got fuggered when he had to reinstall the OS.

    Cry me a river. A tool like Norton System Works that has both an installation watcher and a great Windows configuration diagnostic/repair tool would've solved his problems. Grabbing the first tool listed on Download.com when you type in "Registry Cleaner" is not the intelligent way to go about system maintenance.

  • Re:that's easy... (Score:2, Interesting)

    by Keruo ( 771880 ) on Monday May 17, 2004 @03:09PM (#9175903)
    Knoppix is a great sysadmin tool to carry around.
    I've fixed several NT machines with it skipping the need of complete reinstall.
    The read/write ntfs driver is what makes the cd so powerful.
    In most of the cases I've come across, it's enough to throw the cd in, reboot, mount the root ntfs, edit/replace boot.ini or some other system file with error, save, reboot, and there you have it, working NT box.
    It's awesome if you know what you're doing with it.
  • Legal? (Score:2, Interesting)

    by sfjoe ( 470510 ) on Monday May 17, 2004 @03:13PM (#9175955)
    This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."

    I can't stay awake long enough to read the EULA, but making copies for other family members like this sounds like a violation.

  • by dpbsmith ( 263124 ) on Monday May 17, 2004 @03:17PM (#9176003) Homepage
    Best quote in the article: "Windows users are so accustomed to usability problems that they don't even recognize them as usability problems."

    Unfortunately, this extends far, far beyond Windows. This is a problem for the entire industry.

    It reminds me of the way nuclear power plants are (were?) licensed. If, during review, the nuclear regulatory commission finds a safety issue that is unique to the particular installation, the licensee must address it before it can be licensed. If, however, the licensee can demonstrate that the issue is actually "generic"--that is common to all nuclear power plants--the licensee need not do anything about it.

    In the PC world, any problem that persists for more than a few years is no longer perceived as a problem. It becomes "generic."

    The phenomenon is even getting worse over time, thanks to the general public's increasing familiarity with computers. During the eighties, when manufacturers were trying to seduce individuals into buying home PCs (and IT managers into abandoning those hard-to-use green screens for easy-to-use GUIs), usability disasters were treated as important. No more.

    Computers hit their peak of usability sometime in the eighties and have been in steady decline ever since.

    One of the biggest issues noted in the article is the instability of Windows over time as software packages are installed and uninstalled. But this is hardly limited to Windows. The irony here is that the ability to uninstall software properly was supposed to be a logo requirement for Windows NT 4.0 software, and one of the features that Microsoft used to urge its superiority to 3.5.

    Unfortunately, software installation and uninstallation is not a trivial problem. To do it right would require a great deal of functionality that can only be performed by the OS, which would need, for example, to track which system components were in use by which applications. And it would need to have the ability to associate specific versions of system components with applications, so that it would not be vulnerable to the assumption that Version 3.6.1 of the Frammis Service is absolutely guaranteed to have fewer bugs and be totally backward compatible with every previous version of the Frammis Service that has ever been released.

    And before sixteen people reply explaining that .NET fixes all that, spare me. As I pointed out, it has been true FOREVER that Microsoft has claimed that the next release of NT/Win2K/WinXP/Longhorn/whatever would fix all that.

    Microsoft didn't solve the problem. They just sort of declared that it had been solved. Installshield and friends kludge their way through installations, merrily making clumsy guesses and assumptions about the history of the system and the needs of other applications and overwriting files and changing registry settings. SQA departments are happy if the installed application runs after installation on a clean OS with no other software installed and don't have the time or the mission to make sure that (say) installing the application doesn't break anybody else's application. (Indeed, one suspects that in some parts of the industry, it's considered a plus if installing one application breaks other applications, if they happen to be competing applications).

    I could go on and on. (Indeed, I already have). In the world of PC's (and I include both Windows and Macs--and nothing I've read makes me think Linux is very different), an awful lot of things don't work very well and NOBODY SEEMS TO CARE because it's "always" been that way. Laypeople have gotten accustomed to blaming themselves ("my computer hates me,") IT departments don't even expect computers to work properly after about three years; developers/hackers/sophisticated users enjoy the challenge of troubleshooting the latest glitch... ...and formerly tame, humble consumer devices like television sets, cars, and cameras are getting computers built into them and are declining in usability too.
  • It's a conspiracy! (Score:2, Interesting)

    by Anonymous Coward on Monday May 17, 2004 @03:19PM (#9176026)
    Windows NT/2000/XP all have the ability to limit the damage done by virii and worms. I thought this quite nice and created accounts for everyone at my home sans admin privs.

    That lasted about 5 weeks. Why? Because every damnable application requires admin priv to install. Huh? Why does turbo-tax need admin? Why does nearly every damned game in the universe need it?

    All have admin now. I seem to be hit with some piece of malware once a week or more. My time is valuable (to me anyway) and so I've instructed my "users" to save anything they really want on the network disk -- A Linux/Samba server. It's just plain easier than having them run to me all the time to install Martha's cookbook program or Tiny-tots goes to visit grandma.

    Let's save a little bit of the blame here for the app developers too. They are just as guilty at generating the current situation as Mickeysoft.
  • Registry? (Score:2, Interesting)

    by jon514 ( 253429 ) on Monday May 17, 2004 @03:20PM (#9176049)
    I may be missing something here, but as I understand it the windows registry is just a repository for configuration information. The real problem lies in the system config settings that are exposed in the registry eg. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run & the general lack of access control to update such keys.

    On a unix box a virus could achieve similar effects by writing itself into the /etc/init.d directory - except of course the default permissions mean you normally need root access to do that, making unix a little more secure by default. Otherwise, the /etc directory performs a pretty similar function to the windows registry.
  • Re:Heh not me. (Score:1, Interesting)

    by Anonymous Coward on Monday May 17, 2004 @03:20PM (#9176051)

    If you had a friend who was an auto mechanic and he told you to "Buy brand $FOO" but to save a few bucks you bought brand $BAR, would you expect your friend to bend over backwards to service your vehicle?
  • by Eristone ( 146133 ) * <slashdot@casaichiban.com> on Monday May 17, 2004 @03:21PM (#9176058) Homepage
    Okay, I read through the article and just have a few questions.

    1) Which OS that if you reinstalled from the original installation disks (which is what he is doing) would be able to survive on a live internet connection long enough to download all the most recent patches and updates?

    2) He knew he was going to re-install - why didn't he download SP4 (or already have it downloaded most likely) and make a CD with it before he wiped his system?

    3) Along the same vein, why didn't he download the additional patches before wiping the system?

    This particular case is more of poor planning on the part of the system rebuilder.
  • by twigles ( 756194 ) on Monday May 17, 2004 @03:24PM (#9176089)
    Since we have 2 win2k boxes and multiple bsd boxes I always have some harddrive with my collection of patches. You can just rename them by prepending the download date like this:
    2004-04-13-Windows2000-KB837001-x86-ENU.EXE

    and rebuild a machine behind a NAT box while calmly reading a magazine. Yes, it does suck that we need a network appliance between our hosts and the internet but this isn't a windows-only problem, it's just much much worse on windows for many obvious reasons.

    Keeping local copies of patches and having a secure network to set boxes up is just what I consider the cost of doing business (on M$, on BSD/Linux you just turn the service off until you dl the patch).
  • Issues with Windows (Score:2, Interesting)

    by gmletzkojr ( 768460 ) <gmletzkojr@[ ]il.com ['gma' in gap]> on Monday May 17, 2004 @03:28PM (#9176136) Homepage Journal
    One of the difficult things associated with Windows is that you can't always get online to download the updates. Where I live, the majority of people still use dialup, and gathering the Windows updates is like sucking peanut butter through a straw. The other problem is that a lot of people don't know what updates really are, and how they can affect their pc. Also, try getting the most recent patches for an OS that is not the most current one (or shockingly, one not connected to the internet). MS makes it really hard to download and install updates on a machine that is not running the latest OS and has a slow (or no) connection to the internet.
  • Re:Use the Firewall (Score:5, Interesting)

    by pohl ( 872 ) on Monday May 17, 2004 @03:32PM (#9176178) Homepage
    How about you wait until the firewall is loaded before plugging in the network cable?

    +5 Funny. This reminds me of a situation at work. We sort of have two separate halves of the software development department: Java and the Microsofties. One day I wandered by the server room where the most brilliant of the Microsofties was installing some sort of PDF-indexing engine on one of their Windows servers. They were being thwarted by some dialog box that kept coming up during the install. His solution to the problem at the moment that I happened by was...I swear to god...to jam a penny into the keyboard such that it kept the return key held down, so that the key-repeat would dismiss the dialog box over & over again, in hopes that it would happen rapidly enough to get through the install.

    I swear, it's a totally different culture. Some of us insist on good software architecture. Others have an amazing capacity to be assfucked by bad software architecture and keep going back for more. You can bother about yanking and reinserting your ethernet if you really want to. I'll work around the problem by being a more selective consumer, thank you.

  • Re:Use the Firewall (Score:5, Interesting)

    by bonkedproducer ( 715249 ) <paul&paulcouture,com> on Monday May 17, 2004 @03:32PM (#9176182) Homepage Journal
    I have Win XP SP2 Beta running on my XP box. I do notice that the firewall is much better and easier to use (seems like a weak ZA clone,) except it does some weird things. The first time I used Windows Media Player in SP2 Beta, to view some movie trailers, I had the player maximized and after watching three or four, I minimized the player to check my e-mail.

    When I minimized I saw my first experience with the new and improved firewall, it was a nice message in the center of the screen that had been obscured by the player stating "The Program: Windows Media Player is trying to access the Internet, should I: Block this program, Unblock this program, Block this program but ask again in the future" (I'm paraphrasing there) even though I hadn't told it to unblock the program, it was allowing it to download content from the web.

    I thought this was odd, and assumed maybe it only received stuff but wouldn't allow sending. Well, when I used Yahoo Messenger the first time, same thing popped-up, so I left the box on screen and did some IMing, and sent some files to friends - all without interacting with the firewall. So I must assume the firewall by default lets anything go through until told otherwise. This is security? I've noticed this behavior with many programs, and telling it to block does work, but until told to block it leaves the holes open.
  • Custom CD (Score:3, Interesting)

    by Cigamit ( 200871 ) on Monday May 17, 2004 @03:39PM (#9176244) Homepage
    Custom Update CDs are by far the easiest way to fix most of your family members' problems without actually having to be there (or netmeeting etc...)

    My custom CD auto runs upon insertion, and with the help of a little autoit script, it does this

    - Pops up a window telling them to politely leave the PC the hell alone (and updates the status along the way)
    - Locks all user keyboard and mouse input (don't want them screwing anything else up)
    - Executes "ipconfig /release" (die network!)
    - Runs the latest McAfee Stinger (silently)
    - Runs the latest McAfee Command Line scanner from the extracted SuperDat files
    - Checks Whether its 2000 or XP and makes sure that the latest SP is installed, if not, it installs it (and then reboots)
    - Installs all the latest Critical Updates for that OS
    - Updates their McAfee or Norton Anti-Virus with the latest dats on the CD (unless older)
    - Runs Spybot (copies config file over first, which autostarts/autofixes everything upon running)
    - Verifies that several of the services are set to the correct status (stopped/disabled or started/automatic)
    - Installs a registry file to help speed up the menus, etc...
    - Reboots

    This has saved me more time than I can possibly count. Before switching to this method, my life was hell (not to mention how high my gas bill was), now I just Fedex them an updated CD anytime they call, and 99% of all problems are solved.
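
    The update-CD procedure above, written out as an added example in plain cmd.exe batch for Windows 2000/XP; it is not Cigamit's AutoIt script, and it leaves out the two steps a batch file cannot do (the status window and the keyboard/mouse lock). It also records the Run keys that jon514's comment further up identifies as the real problem, so the next support call starts from a known baseline. Everything about the CD is assumed: the directory layout (\hotfix\XP, \hotfix\2000, \sp\, \av\, \reg\), the scanner and its switches, the service-pack level checked for, and the list of services disabled. reg.exe, sc.exe and shutdown.exe are built into XP; on 2000 they come from the Support Tools or Resource Kit, which the CD would have to carry.

```batch
@echo off
rem Offline update-CD runner (added example, hypothetical CD layout).
rem Run from the CD root as an administrator; writes a log to the system drive.
setlocal
set CDROOT=%~dp0
set LOG=%SystemDrive%\updatecd.log
echo ==== Update CD run started %DATE% %TIME% >> "%LOG%"

rem 1. Off the network before anything else. Releasing the DHCP lease is what
rem    the post does; pulling the cable is stronger when someone is on site.
ipconfig /release >> "%LOG%" 2>&1

rem 2. Windows 2000 vs XP, from the kernel version that "ver" prints
rem    (5.00.2195 is 2000, 5.1.2600 is XP).
set OSVER=
ver | find "5.00." > nul && set OSVER=2000
ver | find "5.1." > nul && set OSVER=XP
if not defined OSVER (
    echo Unsupported Windows version, stopping. >> "%LOG%"
    goto :eof
)
echo Detected Windows %OSVER% >> "%LOG%"

rem 3. Service pack level. CSDVersion reads e.g. "Service Pack 4". The level
rem    expected per OS is this example's choice; the setup switches are the
rem    usual update.exe ones, confirm with /? for the exact package.
if "%OSVER%"=="2000" set WANTSP=Service Pack 4
if "%OSVER%"=="XP" set WANTSP=Service Pack 1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | find "%WANTSP%" > nul
if errorlevel 1 (
    echo Installing %WANTSP% for Windows %OSVER% >> "%LOG%"
    "%CDROOT%sp\%OSVER%\setup.exe" /quiet /norestart >> "%LOG%" 2>&1
    set NEEDREBOOT=1
)

rem 4. Scan before patching so a resident worm cannot undo the work.
rem    Scanner name and switches are assumed; check the product's manual.
"%CDROOT%av\scan.exe" /ALL /CLEAN /REPORT "%SystemDrive%\avscan.txt" %SystemDrive%\ >> "%LOG%" 2>&1

rem 5. Critical updates for this OS. Naming the files with a date prefix, as
rem    twigles suggests above, makes the wildcard apply them oldest first.
for %%f in ("%CDROOT%hotfix\%OSVER%\*.exe") do (
    echo Installing %%~nxf >> "%LOG%"
    "%%f" /quiet /norestart >> "%LOG%" 2>&1
    set NEEDREBOOT=1
)

rem 6. Services that have no business running on a home box (example's list).
for %%s in (Messenger RemoteRegistry) do (
    net stop %%s >> "%LOG%" 2>&1
    sc config %%s start= disabled >> "%LOG%" 2>&1
)

rem 7. Baseline of what starts at logon: the Run keys are where most of the
rem    spyware this thread complains about installs itself.
for %%k in ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run") do (
    echo --- %%k >> "%LOG%"
    reg query %%k >> "%LOG%" 2>&1
)

rem 8. The menu-speed tweaks the post mentions, applied silently.
regedit /s "%CDROOT%reg\tweaks.reg"

rem 9. Reboot only if something that needs one was installed.
echo ==== Update CD run finished %DATE% %TIME% >> "%LOG%"
if defined NEEDREBOOT shutdown -r -t 30 -c "Update CD finished, rebooting"
endlocal
```

    The order matters for the same reason the thread keeps returning to: step 1 happens before any network-facing service is touched, and step 4 runs before step 5 so that an already-resident worm is not left in place to reinfect a half-patched machine. The log on the system drive, with the Run-key dump from step 7, is what to ask the family member to read out on the next call.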
  • by captainClassLoader ( 240591 ) on Monday May 17, 2004 @03:41PM (#9176265) Journal
    2names comments:

    "Now ask if any of the residents can get a song from the iTunes store onto the iPOD.

    I'll put dollars to doughnuts you won't find a single resident who can do it. Not because they aren't capable of learning how, but because they really just don't care about that kind of thing anymore."


    Then again, you might be surprised. I once did a benefit ambient gig at a retirement home, and then wound up giving a seminar on my set-up after the gig, as a pile of people crowded around my gear to ask me how I got all those sounds. My impression was that this retirement home was a pretty boring place, and a guy showing up with a bunch of synths to crank out strange quiet downtempo stuff sorta made their day...

  • by da5idnetlimit.com ( 410908 ) on Monday May 17, 2004 @03:44PM (#9176291) Journal
    As we all know, computers aren't meant to be in the hands of users, but strictly confined to (some) admins.

    There is a solution that any knowledgeable admin can use : whenever a new service pack is out, you create an updated Windows installation cd (or dvd) that includes the latest service pack => When reinstalling, you do that from SP4k or whatever, and it gives you a nice, almost secure config to start updating from...

    Also, a standard practice in my home is the use of Ghost just after the installation of all the basic software and updates...=> ditto.

    Now, a solution I have personally used on a friend's computer after the usual "crashed before it even updated" episode : I booted her computer using knoppix, downloaded the latest service pack and quite a bit of separate updates on a separate partition and then made an install without the net on...Ironic, using Linux to get a windows install running...

    Also (but that is only true on my own home network) I use a dedicated firewall (yeah, Linux) on my network, and I only keep open the ports I need...So, if I need to make a "virgin" Windows install, the firewall protects me from the nasty worms/exploits/whatsoever...

    Repeat after me : No Lusers in my Computer room ! 8)
    (Happily supporting my dad since Windows 3.11, I made my preceding comments a rule... backup often, streamline your updates, use a dedicated firewall...and NEVER let your dad (or any Luser) with a root/administrator account...btw, he's still using 98...
  • Re:Use the Firewall (Score:4, Interesting)

    by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Monday May 17, 2004 @03:50PM (#9176348) Homepage Journal
    Actually, the problem isn't Microsoft's innovation making products unusable... it's shady types committing what are essentially con jobs to get people to bypass the browser security Microsoft innovated to make it easy to extend the web with third party plugins such as Flash, or any of a number of useful ActiveX accessibility widgets such as that used by TrendMicro's HouseCall free virus scanner or some of the multiple file upload tools used on popular image sites.

    Obviously, since this technology hadn't existed before, Microsoft hadn't anticipated that some folks would hijack the API and use it to get people to install software that will spy on them. You can't plug holes in a bucket you haven't made yet! And now that these companies are out there, even if Microsoft locks things down as tight as can be, there will still be shady types instructing people on how to bypass their own security to install some bitchincool new screensaver (with only a few hundred added pieces of malware).

    The reason for this is that it's just too easy to fool people in the digital world, because they don't care about the precious data on their computers as much as they do pretty widgets. Windows software is attacked not because it is inherently insecure, but because so many people who just don't care use it.

    Of course, one wonders how useful it is to spy on people who do nothing with their PCs but install spyware...
  • similar issue (Score:2, Interesting)

    by cheeseSource ( 605209 ) <{snailbarn} {at} {yahoo.com}> on Monday May 17, 2004 @03:56PM (#9176400) Journal
    I have XP Pro and one of the worms that hit gave me 20 seconds to resolve the issue before the computer shut down. Damn that was fun. Quickly access the net, search for the patch, download the patch - computer shuts off. Repeat until you are quick enough to beat the worm. It was like a horrible video game...
  • by kabocox ( 199019 ) on Monday May 17, 2004 @04:06PM (#9176519)
    But as long as you are, MS, please give us a non network dependent tool for maintaining and distributing patches and updates.

    MS should have a free 800 Windows Update dialup number that anyone can connect to and download the updates. Why not make a free windowsupdate MSN account and give it out to the world?
  • by joshv ( 13017 ) on Monday May 17, 2004 @04:06PM (#9176520)
    He seems to think that as a Windows installation ages, the registry accumulates cruft that eventually makes the system unusable.

    The presence of unused registry entries may take up disk space, and slightly slow registry lookups, but it's not going to significantly impact system performance.

    I've got systems that have been running on the same windows installation for over 4 years, with plenty of installation/de-installation.

    More than likely this guy had a host of explorer extensions or system tray applets that he forgot about. The important thing is to vigilantly clear out old services and auto-run entries.

    "autoruns", available free at sysinternals.com, will show you every piece of crap that runs automatically when you login. You can use autoruns to delete the entry, or to figure out what programs to de-install. I've also had good success using this tool to whack mal/spyware.

    You can also audit your services. Sort the service list by everything that is in a "running" status, and stop/disable those services that you know you no longer need.

    In my experience, it's the Windows users who don't know what they are doing that are always telling me how they had to "wipe their system and reinstall windows". I've only once met a system that I couldn't repair (a failed Windows XP upgrade).
  • by skinfitz ( 564041 ) on Monday May 17, 2004 @04:07PM (#9176547) Journal
    To: questions@techuser.net
    Subject: Solution to your install problem.

    Just read your article at http://www.techuser.net/index.php?id=47

    Here is how to avoid worms and messenger spam during patching:

    Turn on the XP firewall.

    Do this BEFORE going online. You can do this by going to the network control panel, getting the properties for your net connection, click the "Advanced" tab then click "Protect my computer...".

    You will find this renders you immune to blaster et al while you patch your machine.

    Regards. //

    For someone who claims to have a Masters Degree in CS he's not too bright is he?
  • by 5n3ak3rp1mp ( 305814 ) on Monday May 17, 2004 @04:12PM (#9176603) Homepage
    1) run any security updates
    2) strongly suggest not using Outlook
    3) Completely lock down the "Internet" security zone in IE and force users to add sites that don't function properly (due to scripting turned off) to "Trusted Sites" (which has scripting on)
    4) Strongly suggest that users use Firefox instead of IE wherever possible
    5) Install antivirus software
    6) Install Spybot Search & Destroy and AdAware

    This keeps most spyware, virii and worms out.

    As a curious side-note, the first thing I do with a new OS X install is...
    1) Apply security patches
    2) There is no Step 2 ;)
  • by Macgruder ( 127971 ) <chandies.williamson@gmail. c o m> on Monday May 17, 2004 @04:13PM (#9176624)
    ... To go with that whine?

    At first, I thought he had a valid complaint, but then as he goes through his shopping list of ills, he generalizes and skips over potential fixes any tech worth his salt would pursue. (and these are quite simple enough for any reasonably intelligent user to perform. I have instructed my own father over the telephone how to perform these items)

    1) I have an IBM Thinkpad A22m, purchased in November 2001. It came with Win2k.

    Only once have I performed a system reinstall (3 weeks ago or so) to free up hard drive space from numerous programs, and not because of any issues with the operating system.

    In the 2 1/2 years I've used this incarnation of Win2K, I have applied Critical Updates from MS as they were released. I also ran McAfee 6.0 (retail), and IE 6 was the browser of choice.

    Until this last fall, I did not run any type of popup blocker or spyware utility.

    Prior to starting the system reinstall, I visited the Windows Update site, and used their tool to determine what updates I had installed. Each item that I no longer had the files for, I d/l again, and burnt all the hotfixes and updates to a CD.

    I did the same thing for the most recent drivers for this laptop, as well as for all the peripherals I had.

    Then I compiled a list of utils that I find invaluable (Avant Browser, Adaware, Spybot, SpywareBlaster, and other goodies) and put on a CD.

    Now, I have the original Win2K install CD for the laptop, a CD with all the drivers, a CD with the hotfixes / SP4 and handy utils. (plus CDs for the original applications, such as MS Office, Photoshop, etc)

    The whole idea is to not put the machine on the net until it's relatively secure.

    So now, I format the drive, and boot from the OEM Win2k CD. 45 mins or so for the install, then another 45 to install SP4 and the hotfixes (using MSs qpatch util, I don't have to reboot the machine until after all the hotfixes are installed)

    At this time I turn off Windows Messenger Service, and finish installing my utils. That takes about another 30 mins.

    Now, the machine is secure from pop-ups, spyware, viruses, and most MS OS-based exploits.

    Time, about 2 hours. It takes me longer than that to setup and patch a RedHat 9 machine.

  • Re:that's easy... (Score:3, Interesting)

    by horza ( 87255 ) on Monday May 17, 2004 @04:20PM (#9176703) Homepage
    Knoppix is a great sysadmin tool to carry around.
    I've fixed several NT machines with it, skipping the need for a complete reinstall.
    The read/write NTFS driver is what makes the CD so powerful.
    In most of the cases I've come across, it's enough to throw the CD in, reboot, mount the root NTFS, edit/replace boot.ini or some other system file with an error, save, reboot, and there you have it, a working NT box.
    It's awesome if you know what you're doing with it.


    Knoppix was the first thing in my mind... why not take it one further? A specialised Knoppix which boots and then has one clickable icon on the desktop. Launching this automatically detects NTFS/FAT partitions, downloads the latest definition files over the 'net, and automatically cleans up a Windows machine. It can even detect if the user has Norton or another anti-virus and use that engine to do the cleaning.

    It can also happen to have a few useful apps installed, plus a GUI to apt-get showing 1000's of titles ready to install immediately for free, in case they shouldn't wish to remove the CD upon next boot...

    Phillip.
  • Re:Uh huh! (Score:5, Interesting)

    by zoloto ( 586738 ) on Monday May 17, 2004 @04:22PM (#9176714)
    "Microsoft has set aside a $5 million fund for paying off informants on malware authors"


    Maybe microsoft should pay the money to themselves and redesign their software


    You know, if the next version of Windows(TM) pulls what Apple did with their OS X, built a bsd underbelly to it and didn't allow backwards compatibility outside of a sandbox of sorts I wouldn't cry. Then it would be possible to secure the system and hopefully they'd get rid of their god forsaken registry / file and drive permissions / insecure nature for the most part.

    It won't be infallible, but simply less insecure for the current vulns out there.

    Then again, MSFT might implement this shiz so badly and incorrectly that we'd be stuck with a bunch of new problems of which we haven't a clue to fix.

    just my 2cents
  • by Pxtl ( 151020 ) on Monday May 17, 2004 @04:23PM (#9176729) Homepage
    1) working from behind a standard router is good, as you say. Any basic NAT will block most attacks.

    2) you outline a problem - using anything but windows update for updating a machine is the domain of super-l33t windows geeks. Not normal people. I know my way around a windows box very very well, but trying to update anything on a win box without the updater I find nearly impossible. Yes, there are admin downloads, but I find them outright scary to slog through.

    IMHO, they need something simpler - 2 things.
    a) a way to generate an updater CD to re-apply all Windows Update patches currently installed on your PC (for when you wipe) and b) up-to-date updater CD ISOs available to download for each currently supported MS OS for when you need to set up a friend's computer. I recently set up a friend's '98 box and it was a headache - a nice "download this disk and burn it for patching" that I could launch from XP would be ideal. If they're concerned about bandwidth, throw some of their mass of coders to make an MS torrent-a-like for said ISOs.
  • by Digital_Quartz ( 75366 ) on Monday May 17, 2004 @05:08PM (#9177209) Homepage
    Such a CD should be shareable amongst users, so that if someone doesn't have an update CD, he/she can simply get one from a friend or an acquaintance.

    Well, first off, there's nothing to stop you doing this now. You can just download all the patches individually and burn them to a CD. But what's the problem with this?

    The short; this just means you'll be distributing virii by sneakernet. (Which is, admittedly, much slower than the Internet, but none the less...)

    You know, back before we had this newfangled "interweeb", we still had virii and worms. They were passed around on corporate networks, from networks to other machines and networks by floppy disk, and also they were sometimes distributed on BBSs with sloppy sysadmins.

    A "sharable" disk means that, instead of going through the effort of downloading those hundreds of megs of patches, I can just go copy a friend's disk. A copy of a "friend or an acquaintance"'s disk, however, is not a copy from a trusted source. Where did they get the disk from anyways? Who did they copy it from? It would strike me as very easy to craft a disc which would install a few intentionally malformed patches.

    There are a couple of solutions to this problem. You could, for example, make your machine compare the cryptographic hash of each patch against a known cryptographic hash. In order to get the known hash, however, you'd have to connect to that ol' public network again, with an unprotected machine. Since this functionality does not exist in current versions of Windows, you would also need some kind of initial patch from Microsoft to pull this off.

    Another fix would be to cryptographically sign everything with a public key cryptosystem. This works great, so long as no one breaks your cryptosystem and/or finds the private key. Again, the functionality doesn't exist in today's implementations of Windows, so you still need another initial patch. (At least, as far as I know... I suppose XP might have signed updates; I've never tried to forge one.) This might be promising for future versions of Windows. Microsoft has already bet your system security on a public key system with signed .NET objects, so this isn't so bad.

    Both of these can easily be circumvented by a "sharable CD" that uses autorun to install nasty things before you install any patches at all. Of course, autorun is another feature of windows with questionable security.

    In the end, the public network isn't really such a bad tool for delivering patches. Microsoft's implementation could be improved upon; upon installation of a "fresh" copy of XP, for example, the install could connect to the net and download all required patches prior to opening any ports on the system. (You don't need RPC to download patches, after all). This is, more or less, the idea behind having the personal firewall enabled by default (only that's a little more kludgey).

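The comment above describes checking each patch on a shared CD against a known hash before installing it, and notes that an autorun payload on the disc can bypass that check entirely. The following is an added example, not code from the thread or from Microsoft, showing what that offline check looks like: a hash manifest obtained through a trusted channel is compared against the files on the disc, and any file the manifest does not list (such as an autorun.inf) is treated as a reason to reject the whole bundle. The file names, payloads and manifest are all constructed for the demo.

```python
"""Added example: verify an offline patch bundle against a trusted hash manifest.

Everything here (file names, payload bytes, manifest) is constructed for the
demonstration; none of it comes from the Slashdot thread or from any vendor.
"""
import hashlib
import hmac

# A constructed patch bundle as it might sit on a shared CD: file name -> bytes.
# On a real disc these would be files; they are kept in memory so the example
# runs offline.
BUNDLE_CLEAN = {
    "KB000001.exe": b"first patch payload (constructed)",
    "KB000002.exe": b"second patch payload (constructed)",
}

# The same disc after someone replaced one patch with a different payload.
BUNDLE_TAMPERED = dict(BUNDLE_CLEAN, **{"KB000001.exe": b"altered payload (constructed)"})

# The same disc with an extra file the manifest never listed.
BUNDLE_EXTRA_FILE = dict(BUNDLE_CLEAN, **{"autorun.inf": b"[autorun]\n(constructed)\n"})


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; the 'cryptographic hash' the comment refers to."""
    return hashlib.sha256(data).hexdigest()


# The known-good hashes must reach you by a channel you trust more than the
# disc itself (printed release notes, or fetched once from the vendor over TLS
# from an already patched machine). To stay self-contained, this demo derives
# the manifest from the clean bundle.
TRUSTED_MANIFEST = {name: sha256_hex(data) for name, data in BUNDLE_CLEAN.items()}


def verify_bundle(bundle: dict, manifest: dict):
    """Return (ok, problems).

    ok is True only when every file named in the manifest is present with a
    matching hash AND the bundle carries nothing the manifest does not list.
    The second rule is what catches the autorun.inf case from the comment:
    a hash check on the patches alone says nothing about extra files.
    """
    problems = []
    for name, expected in manifest.items():
        data = bundle.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(data), expected):
            problems.append(f"hash mismatch: {name}")
    for name in bundle:
        if name not in manifest:
            problems.append(f"unexpected file: {name}")
    return (not problems, sorted(problems))


def install_bundle(bundle: dict, manifest: dict) -> list:
    """Return the list of patches that would be applied, in manifest order,
    or an empty list if verification fails. Nothing is installed until the
    whole disc has been checked, so a bad file anywhere blocks everything."""
    ok, _ = verify_bundle(bundle, manifest)
    if not ok:
        return []
    return [name for name in manifest if name in bundle]


if __name__ == "__main__":
    for label, bundle in [("clean", BUNDLE_CLEAN),
                          ("tampered", BUNDLE_TAMPERED),
                          ("extra file", BUNDLE_EXTRA_FILE)]:
        ok, problems = verify_bundle(bundle, TRUSTED_MANIFEST)
        print(f"{label:10s} ok={ok} problems={problems}")
```

The manifest itself is the weak point the comment identifies: if it travels on the same disc as the patches, whoever altered the patches can alter the manifest too, which is why the comment moves on to signatures, where only a public key has to be pre-installed rather than a fresh set of hashes for every release.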
  • by Chanc_Gorkon ( 94133 ) <<moc.liamg> <ta> <nokrog>> on Monday May 17, 2004 @05:30PM (#9177409)
    I think that Motorola and other cable modem makers should provide a basic ethernet router with NAT between their public IP and the IP of the internal network. You're NOT going to get Roadrunner and others to do the right thing and install a cheap Linksys router between the Cable Modem and the PC, so just build a cheap 1-2 port router into the Cable Modem. The Cable Modem/Router with NAT won't provide for the ultimate security, but will help against these worms immensely. Also, these cable modems/routers should also put an LCD status screen and a few simple buttons on them. Press one to block the internet when you're loading a new Windows install and blam... no wormies. When the install is complete, press button 3 or whatever to open up Windows Update and Windows Update ONLY. When your updates are installed, press four to open up most commonly used ports (which may already be open).

    Microsoft should also fix this crap too. One great and easy example is to have a one button application that creates a CD with all patches you have downloaded. Then when doing an install/re-install, if after x amount of time after release, ask for this disc. If you don't have one, then it should configure your system such that only the Windows Update website can work. Then it will auto download/install the patches. Or... and now I may be giving them too many ideas, change Windows Update such that it uses port knocking in this situation. WU could even use a different port every time.

  • Re:Use the Firewall (Score:4, Interesting)

    by Brandybuck ( 704397 ) on Monday May 17, 2004 @05:34PM (#9177443) Homepage Journal
    It is a different culture. I'm a system software developer. For the past five years I've worked on Solaris and LynxOS. I'm used to coding the "right thing", even if it takes longer.

    But now the company has been taken over by the Microsofties. One of them told me the "secret" to development in Windows: just do what Microsoft wants you to do. Everything is designed to be done in one particular way, and if you don't do it that way you'll end up working ten times as hard.
  • by Octorian ( 14086 ) on Monday May 17, 2004 @05:47PM (#9177573) Homepage
    You know, that reminds me of when I went to work at a computer camp one summer ('00) during college. When I went there, I brought my recently acquired "purple" computer. (yeah, it looked cool, and had cool-looking screensavers everyone noticed)

    When looking at it, one of the counselors (ok, he was the lazy guy who ran the R/C cars stuff) asked if it was running '98 (as in Windows '98) :-)

    Of course it wasn't. It was an SGI Indigo2 running IRIX 6.5, with 4Dwm as the X window manager.

    I'd love to have some average person ask me about my home "computer" (probably referring to my main desktop, as I have several systems) sometime these days, if only to confuse them. At the moment it is a Sun box running Solaris 9. (and tech people assume Linux, when they see KDE and all that other OSS stuff running on the screen, hehe)
  • by Malc ( 1751 ) on Monday May 17, 2004 @06:44PM (#9178091)
    Thank you! I really would like to hear an explanation about how SP2 will fail in the presence of the registry.

    As for your comment about new features in SPs: I think MSFT stopped doing that in NT4 days due to a large number of complaints from big corporations. This is a return to days of old. They seem to be handling it better though - recall stories here of the details 6 or months ago.
  • Re:Use the Firewall (Score:3, Interesting)

    by Gilmoure ( 18428 ) on Monday May 17, 2004 @08:17PM (#9178905) Journal
    We have a fairly locked down network and we still get viruses in the dorms. Our little darlings take their laptops (about 70% of our users) off campus and then come back home and plug them in. No matter how many times their network has gone down this year, and no matter how many times we let them know to keep their patches up to date, and to run virus software or Linux or MacOS, each new virus knocks out a dorm or two.

    Seeing as how this is our last week and students are already leaving, even I, the Mac Guy, was pressed into service, running a huge list of various virus killers, pop up blockers, and ad-ware destroyers. What a sand coated, dp pain-in-the-ass. If this is what 95% of the computer using public has to put up with, it's amazing there's even an internet. I suppose porn is the only thing keeping the average Windows user online.
  • Re:Uh huh! (Score:3, Interesting)

    by Wolfrider ( 856 ) <kingneutron AT gmail DOT com> on Monday May 17, 2004 @11:47PM (#9180109) Homepage Journal
    --Here you go:

    Kernel Traffic [kerneltraffic.org]

    Linux Weekly News [lwn.net]

    Linux Kernel Mailing List Digest (from google, not tested by me) [iu.edu]

    --Try and find a site that details the inner workings of the NT kernel, on a weekly or any regular basis -- really -- I dare ya. If you can *find* the date on the NT kernel file, compare it with the downloadable kernels that you can find here:

    Kernel.Org [kernel.org]
  • by jsburke ( 264711 ) on Tuesday May 18, 2004 @12:31AM (#9180360) Homepage
    > Microsoft really needs to look beyond short term remedies to solve security problems. The company has to move away from its Windows roots in order to create a secure operating system environment. Microsoft has a huge research and development budget, and it just doesn't make sense why it cannot develop a security centered OS.

    I wonder, have you looked at managed code?

    Five years ago, Linux-heads made fun of the BSOD; now they make fun of Windows' security. Don't underestimate Microsoft. They will get security right.
  • Not funny... (Score:2, Interesting)

    by Tug3 ( 567419 ) on Tuesday May 18, 2004 @05:06AM (#9181213)
    The article behind the link was so familiar reading. Even though I nowadays try to avoid maintenance of Windows systems. The story also reminded me of my "Windows days", as well as something that happened just last night.

    I happened to stop by my uncle's house where my father was setting up my uncle's computer. My uncle knows nothing about computers, but uses one for surfing and emails. My father on the other hand has fooled around with computers as long as me, since 1981. He is a fan of Windows and now in his retirement helps his friends with Windows problems.

    The problem was very typical. Reinstall of Windows (because of registry problems) and upgrade from 98 to XP Home (bad mistake)!

    As soon as they connected to the Internet to download patches, the computer got hit by SoBig and Sasser. And even the antivirus software on the CDs was no help - it was obsolete by the time the CD was pressed.

    Luckily I happened to stop by and we could download with my secure laptop all the necessary updates and cleaners. Then we just moved the files with a USB dongle to the sick (although fresh) PC.

    All's well that ends well? - I think that my uncle will think twice if he ever buys a new computer, at least which OS he would like to have it run...
  • by tdunn ( 1381 ) on Tuesday May 18, 2004 @12:17PM (#9184507) Homepage

    At the bottom of the referenced page, you'll see this lovely nugget of wisdom:

    Buy yourself a Mac and OS X, and you will be rid of security problems for good.

    Mac OS X is a standard Unix; therefore, it is no more secure than Windows.

    (Emphasis mine.)

    His article and FAQ shows him to be the 'average user' - knows enough to be dangerous, more than enough to complain, but not willing to take rudimentary steps to protect himself, such as actually going out and buying some personal firewall software. (Granted, he's in Pakistan, so CompUSA is not an option.)

    I agree with his underlying sentiment - a user should not be expected to have to fix known and established holes in software, especially OS. But the "unix is just as insecure as Windows" was a hoot!
