A Home User’s Security Checklist for Windows Andreas Lindqvist Stefan Pettersson Linköpings universitet, Sweden Email: {andli299, stepe955}@student.liu.se Checklists like this are quite powerful because of the Abstract ability to decide which items to include, the level of The user and her desktop are widely held to be one of knowledge required and which knowledge is provided the weaker links in the security chain. By letting the user via the text and links, all depending on the audience. secure their own workstation by following a set of steps The updated version of the checklist [2] was then used put forth in a checklist it could be possible to cover both to evaluate the security settings of at least ten Internet problems at the same time. An already existing checklist users (family and friends). This can be found in was revised to become more concise. Twelve users took Appendix B. this checklist concerning the security posture of them and 2.1 The revised checklist their workstations. It turned out that the majority of users largely used the default settings provided by the operating One impression we got from reading the old checklist system. This is also an obvious trend at Microsoft, to make was that it was too big and hence the first goal became to the default settings secure. It is reasonable to believe that shrink it without losing relevance. With the vision of a this will be even truer in Windows Vista. Checklists are more user-friendly list the number of items was especially good as inspiration for interested users seeking decreased from the original checklist’s 40 items and to increase their knowledge on the subject. eleven headings to the new checklist’s 36 items and only eight headings. 1. Introduction 2.1.1 Removed items When talking about security, professionals usually refer to the weakest link in the security chain. This link changes over An example of an item that was removed is the item of time, but right now it seems to be the user and her virus hoaxes because it is nowadays not common workstation. This trend is apparent given that the number of according to the authors’ view. The password text inputs vulnerabilities reported in client side software increases. were immediately wiped from the checklist. The authors’ At a company, the user’s desktops are monitored and viewpoint is that if passwords are to be noted they should managed by administrative staff. This type of support is be written down on a paper that is kept private in the obviously not available for home users. Even a very light- wallet instead of writing them down on the checklist weight understanding of basic security configurations and which is bound to be lost. Not only were some items concepts would probably go a long way. removed such as the ones above but several items were Section 2 gives a background on the assignment and how also merged. An example of this is that the number of it was solved. Results are presented in section 3 followed by items and text fields under the anti-virus and anti- user comments in section 4. Section 5 and 6 treat work done spyware sections was successfully decreased. on similar topics and conclusions, respectively. Some items were outdated; not only because of links not functioning but also because new security 2. The checklist vulnerabilities are discovered. For example, the item concerning the wireless networking standard scheme By giving users a checklist that contains items Wired Equivalent Privacy (WEP) was removed because concerning both configurations and behaviour it should of the its broken design. be possible to improve the security of the desktop and the When it comes to headings the latter impression of user’s security awareness. having a too big checklist grew to also fix illogical order. The assignment that was given was to critically review Eleven headings became eight. The “miscellaneous” and revise the already existing “Home User’s Security headline was removed because of the authors’ view that Checklist for Windows” [1]. the item was ridiculous. The “Windows update” heading The items in the list consist of a statement and a became “Keeping up to date” because of a broader focus checkbox along with one or more links to pages that in the new checklist. Anti-virus, Anti-spyware and explain the topic in depth. Personal firewalls were grouped, because of the add-on software similarity. Last, the Windows headline became “Windows configuration” and was placed at the bottom The results are presented with the notations of the checklist. The motive for this was that “everyone”, “almost everyone”, “almost no one”, “no administrator privileges are needed to do the proposed one” and “half”. changes in the checklist, and to unburden the user to get A table displaying the results can be found in back the rights every time a change is done. appendix A. 2.1.2 Changed items 3.1 Keeping up to date. A lot of effort was given to search for good links for Almost no one has switched to Microsoft update the new checklist. With good the meaning is that they instead of Windows update, but almost everyone has should be relevant and not to difficult to the hypothetical automatic updates enabled. target group which is neither power users nor aware of Almost everyone is aware of the importance of the subject. Easy “how to” guides were linked if they keeping other software up to date, and everyone is aware could be found. One item under the Anti-virus heading that companies will not send software updates via email. was changed to not only include instant messaging, but also email, file sharing and the web. The item “I’ve 3.2 E-mail configured my Web browser securely.” was split up into Almost everyone has configured to not run scripts many items, because the need to explain the meaning of embedded in emails, but no one has disabled the preview “securely”. pane. 2.1.3 Added items Half of the users view emails in plain text format. Everyone understands that emails can be forged. Many important items were added to the checklist. No one runs attached executable files. First, the need to have an item concerning the importance Everyone is aware of why not to respond to spam, or of also keeping non windows software up to date was give up sensitive information upon request. added. Almost everyone uses secure connections when Second, the email headline now includes an item communicating with their mail server. about encrypted mail server connections. Third, an “additional reading” link was added under a 3.3 Web few headlines, giving the possibility to grip and cover Almost no one has turned off scripting by default. more than one item in one link. Almost everyone respects warning messages concerning 2.1.4 OS independence signed certificates. Everyone is aware of the dangers of ActiveX controls, fake warning dialogs telling you that One key idea was to change the checklist to be your “computer can be hacked” and advertisements of Desktop OS independent because of the authors’ free smileys, screensavers etc. relationships with people running for example BSD or Everyone makes sure that they have a secure GNU/Linux. This was not implemented because of the connection when doing online shopping. problems this adds to the task. One example is the need to have different items, text and links depending on 3.4 Anti-virus and anti-spyware which OS the user run. Also the GNU/Linux operating Almost everyone has an anti-virus program running system comes in so many flavours that it is harder to do a with automatic updates of virus definitions. Everyone is security checklist than on Windows, which much more aware of the major virus infection vectors. Half of the comes in the “one size fits all” concept. We leave this users have anti-spyware programs installed. task to other eager checklist constructors. 3.5 Personal firewall and router 3. Results Almost everyone understands why it is important to The majority of the twelve users taking the survey have a personal firewall and run one. were “casual computer users”. They use the computer for Almost everyone understands when to allow software work and entertainment, not because they enjoy working to access the Internet and when to be suspicious. with computers. Only two or three could be considered Half of the users have an external router or firewall “power users”. Only one of the tested was not studying at and have their default passwords changed and remote the university, the rest were attending a variety of access disabled. different programs, everything from computer science to health care. 3.6 Windows configuration Given the choice of dancing pigs and security, users will choose dancing pigs every single time. Given the choice Half of the users have picked a good password for between pictures of naked people frolicking on the beach Windows log on. Almost everyone has configured and security, roughly half the population will choose Windows to show file extensions. naked people frolicking on the beach. […] If a dialog Almost no one makes regular backups of important asking the user to make a security decision is the only data. thing standing between the user and the naked people Almost no one has the Data Execution Prevention frolicking the beach, security does not stand a chance. (DEP) feature enabled for all applications and almost no one runs Windows as an unprivilegied user. The idea of an malicious applet with dancing pigs was originally put forth by Ed Felten in Securing Java [6].
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages7 Page
-
File Size-