Don't run unnecessary network services
last revision August 10, 2004
| Suggestions to secure your Windows PC: |
Don't run any network services on your Windows PC that you don't actually need. Every additional service you run is another possible avenue for a hacker to penetrate your system.
Problems with file sharing have been described in a previous page; the best solution is to simply disable file sharing (except for Energy Resources Engineering, which requires file sharing for department supplied computers).
Microsoft's Internet Information Services (IIS) program, which implements an ftp and web server on Windows NT, 2000, or XP, is a prime target for hackers. In fact, the SANS (Sysadmin, Audit, Network, Security) Institute has determined that IIS is the number one security vulnerability in the Windows operating system.
There have been numerous bugs in IIS that have been exploited by hackers to take control of computers on campus, including some in Earth Sciences. IIS is built-in to the Server editions of Windows NT and 2000, and can be easily installed on the workstation editions of NT, 2000, and XP. But rather than setting up your own potentially insecure ftp or web server, why not utilize the secure and professionally managed services on our School Unix server, pangea. You can host web pages on our industry standard Apache web server or distribute files to colleagues with our anonymous ftp server.
Make sure you understand the security implications of any network service before enabling it, and use accounts with strong passwords to secure it. Request help from our desktop support consultant via HelpSU if needed.
Windows XP users should disable the new Universal Plug and Play service. This is designed to allow your computer to automatically connect to network-enabled appliances. There are no practical uses for this technology yet, but severe security flaws have already been discovered (including one that prompted front-page newspaper stories about FBI warnings of Windows XP security flaws in December, 2001). Use the UnPlug and Pray utility from Gibson Research to disable Universal Plug and Play. Gibson's web site has additional information about why this is necessary.
Windows NT, 2000 and XP users should disable the built-in Messenger service, and Windows 95 and 98 users should refrain from installing the equivalent WinPopUP program (or remove it if already installed). This Messenger service is not the same thing as the MSN Messenger chat program. Instead, it is a service intended to allow server managers to send messages to all PCs on the network, such as "server going down in 10 minutes." Messages sent to this service appear as a pop-up box on top of your screen. No password is needed to send messages. We have seen an increasing number of cases where "spammers" are using this service to pop up advertisements on random computers.
To disable this Messenger service on Windows NT, 2000 or XP, follow these steps:
- Open the Control Panels window from the Start menu (under Settings in Windows NT and 2000). Double-click on Administrative Tools (inside Performance and Maintenance in Windows XP), and then double-click on Services.
- Scroll down the list of services on the right until you find Messenger. Double-click Messenger; a Messenger Properties window will open. The General tab window should be selected.
- Click the Stop button under Service Status if the service is currently running.
- In the center of the window, there is a Startup Type drop-down menu. By default, the menu is set to Automatic. Select Disabled instead so the service will never start again.
- Click the OK button in the Messenger Properties window.
- Then close the Services window.
In Windows 95/98, use the Add/Remove programs Control Panel to see if WinPopUp is installed; if so, remove it.