Safe Network Computing
Windows Desktop


Frank da Cruz
Columbia University Academic Information Systems

September 2001

As seen in Newsday :-)

This page was written for the Columbia University community but might be useful to a wider audience. It does not represent current Columbia University Academic Information Systems (AcIS) policy or mainstream AcIS directions, nor indeed mainstream thinking. It describes a way of using your Windows PC in combination with central Unix servers and the Internet that keeps your PC safe from hostile attack as well as from data loss due to natural disaster or accident, and is offered as an example of one relatively experienced person's working environment. All opinions herein are mine alone.

Most recent update: Mon Jun 28 12:44:43 2004

Contents . . .

  1. How Bad Is It?
  2. Is All of This Inevitable?
  3. How to Ignore Viruses and Get Your Work Done
  4. The Junk Mail Plague

1. How Bad Is It?

Iloveyou, Melissa, Anna Kournikova, SirCam, Code Red, Nimda, FunLove, BadTrans, Goner, UPnP Buffer Overflows, Hybris, Klez, Bugbear, SQL Slammer, Sobig.E, DCOM-RPC, Mimail, Blaster, Sobig.F, Welchia, Beagle, MyDoom, Netsky, Download.Ject, . . . What next?

In this age of viruses, worms, hackers, crackers, swindlers, and actual terrorists, computer security has taken on an unprecedented urgency. Although every platform (and the network itself) has its security holes, the current rash of incidents is primarily due to the following facts:

  1. A single platform -- Microsoft Windows on Intel-based PCs -- dominates the computer market and the Internet;
  2. This platform is enormously complex and full of bugs;
  3. In many cases, it is open by default to incoming connections;
  4. Dangerous features are enabled by default (e.g. in the mail, office, and web clients);
  5. Its users tend not to be "computer experts", nor do they want to be.

The Internet is the ideal transmission vector for viruses. Unlike biological viruses, whose spread is limited by all sorts of factors, an Internet virus can cover the entire planet almost instantaneously, affecting millions of Internet-attached PCs before countermeasures can be taken. When your PC is infected with a virus, not only can it suffer damage, but it can also be transformed into a weapon to launch new attacks in your name or your company's name against your friends, relatives, colleagues, business partners, customers, and the world at large. System and network administration, once the province of highly trained professionals, is suddenly the responsibility of all people who have an Internet-attached PC.

Microsoft Windows comes in two basic varieties (leaving aside the palmtops, set-tops, etc): Windows 95 and its descendants (Windows 98 and ME), and Windows NT and its descendants (Windows 2000 and XP). PCs preloaded with these operating systems attract customers by a combination of low cost, cute graphics, ease of learning, and market pressure ("it's what everybody uses"). Ease of learning requires that all features be enabled by default so people don't have to go through confusing technical configuration dialogs, or indeed know or learn anything at all. Such features include:

Each of these is an entry point for attacks. Windows 9x/ME adds to this list a complete and utter lack of security in the local disk file system. There is no concept of file ownership, group membership, access control, protection or read / write / execute / delete permissions. All files are wide open to anyone who can access your computer, for example in their "Network Neighborhood". This includes your confidential files, personal information, financial information, Web browsing history, security keys, and anything else you might wish to keep private.

In Windows 98, ME, and NT, Personal Web Server (PWS) is installed by default, and this is carried forward automatically when upgrading to Windows 2000, where PWS is converted to Internet Information Server (IIS); this, plus the inevitable bugs in these services, is the basis for buffer overflow attacks like Code Red.

Every few weeks a new worm or virus plunges the planet into another panic. Often these viruses can be removed from your PC only by reformatting your hard disk, reinstalling the operating system from trusted media, reinstalling all of your applications, and then patching and upgrading everything before you reconnect your PC to the network. You cannot restore your own data files (even if you had backed them up) without danger of reintroducing the virus. Meanwhile, you are expected to constantly patch and upgrade Windows and your applications, install virus protection and intrusion alert software, and patch and update that software too, on AT LEAST A DAILY BASIS, to guard against known viruses. But of course this is no defense against new viruses exploiting as-yet unknown bugs and loopholes, and even if your own PC is fully patched and the patches are effective, you might still be vulnerable if your neighbor's is not (see Robert Graham's analysis of the January 2003 SQL Slammer worm).

Windows started out as a convenience, but now keeping up with all the patches and security alerts and recovering from attacks can be a full-time job. The constant struggle against worms and viruses makes every person and organization that uses Windows PCs less efficient and often a burden to others. People lose their work, often great amounts of it. Companies lose vital business information. Credit card info is stolen, altered, or published. Critical web sites and servers are compromised. Organizations must install switched networks, firewalls, and filters and hire new security staff at great expense, driving up costs and prices and/or causing layoffs, and this still does not solve the fundamental problem.

There is no "last bug" in Windows, no "last patch" to make Windows safe. (In September 2002 -- a year after this document was first written -- you could find THIS freshly posted at the Microsoft website: "Because of the nature of hacking, there is almost no way to fully certify a computer as 'clean' of all malicious software or changes that are made during the hack.") [Note: The Microsoft Knowledge Base article was later altered at the source to remove this sentence.] A senior Microsoft executive said, "We really haven't done everything we could to protect our customers... Our products just aren't engineered for security" (Infoworld 5 Sep 2002). Craig Mundie, Microsoft chief technical officer, said in an address at the company's campus in Mountain View, Calif. [that] it's impossible to retrofit earlier versions of Windows to make them secure (Internet Week, 15 Nov 2002).

The worldwide Internet opens your PC up to a virtually limitless number of hackers who, by the very Law of Large Numbers coupled with the low price and universality of PCs and the vast complexity of Windows, will find the next bug or hole, and the next, and the next. The process will only intensify as time goes on, as long as Windows and Intel dominate the market and the Internet. (In fairness, the same thing might happen with any other dominant platform, such as Linux, but at least Unix-based operating systems are designed from the beginning to be secure if properly administered, so attacks on them are based more on bugs than on fundamental design deficiencies. In any case, a better defense against planet-crippling viruses would be the diversity of platforms we enjoyed prior to the mid-1990s.)

During the Code Red and Nimda onslaught of September and October of 2001, the following document was researched and written by Jeff Altman of the Kermit Project, who was also Columbia's resident security expert and Windows expert, on what it takes to actually use Windows and its applications as your primary computing environment:

Personally, I find the prospects laid out there both horrifying and sickening. The amount of time and labor that goes into securing your Windows PC on a continuing basis plus that required to recover from the inevitable successful attack is staggering, especially considering that these devices were bought in the first place to save us time and labor, and even then there can be no guarantees of safety. And if you noticed that Jeff's article is somewhat dated... Of course it is. Nobody has time to keep it up to date. Constantly patching Windows and all its applications, not to mention writing about how to do this and updating the document on a continuing basis, is far too labor intensive to be an effective approach to security.

2. Is All of This Inevitable?

No. As anyone who used computers before the Windows-and-Web explosion can tell you, it is quite possible to get all your work done in a perfectly safe environment without bothering one bit about viruses, worms, and hackers, even if you have an Internet-attached Windows PC on your desk, even if it is up and running 24 hours a day. Begin by closing the open doors and windows:
Disable File and Printer Sharing
Control Panel → Network → File and Print Sharing. If "I want to be able to give others access to my files" and "I want to be able to allow others to print to my printers" are checked, uncheck them. In every version of Windows the dialog is a bit different; in XP it's Control Panel → Network Connections → Local Area Connection → General → Properties, then uncheck the File and Printer Sharing for Microsoft Networks box.

The initial configuration of a PC that was preloaded with Windows depends on the PC vendor. We must assume that every vendor enables everything by default in order to make their products more attractive, but we do not know this for a fact.

Disable Other Services
Start → Run → services.msc. This shows a list of services that run on your PC, many of which open it up to entry from the outside. Click once on a service name to see a description of the service. Right-click on the service name and then choose Properties to modify the service (e.g. change it from Automatic to Manual or Disabled). Two such services are especially in need of attention: Remote Registry (allows other computers to change your computer's Registry) and Server (file, printer, and named pipe sharing): these should be disabled. Why file and printer sharing are still enabled in this list after disabling them in the previous step is another Windows mystery.

Don't Use Internet Explorer
Use some other browser, such as Mozilla and its follow-on, Firefox, or Netscape, instead. You might be able to make your browser safe by going through all sorts of incomprehensible dialogs and applying many patches, but you'll never really know. Anyway, since most Web-based attacks are aimed at IE, it's better not to make yourself a target. In Netscape, Edit → Preferences → Applications to disable automatic launching of any Microsoft applications (e.g. .XLS files launching Excel, .DOC files launching Word, etc) -- change each of these to "Save to file" (go through the whole list, one by one). Similarly in Mozilla (Helper Applications, Save to Disk).

Be Careful with JavaScript
JavaScript is required to access most business-oriented or interactive websites (such as ...). However some versions of some browsers (notably IE) have bugs and/or vulnerabilities accessible through JavaScript. To be safe, disable it (e.g. in Netscape, Mozilla, or Firefox, Edit → Preferences → Advanced). If you need to use JavaScript at a particular trusted site, enable it while you visit the site, then re-disable it. This is especially important if you use a GUI email client, since people can send you HTML-format mail with embedded JavaScript.

Don't Use a Microsoft E-Mail Client
Same deal as with IE, but more so. Originally, Microsoft e-mail clients such as Outlook had "everything" enabled, up to and including letting anybody who sends you mail RUN PROGRAMS ON YOUR COMPUTER (in a belated attempt to appear more security-conscious, more recent versions are blocking more and more types of enclosures; reportedly Outlook 11 even blocks HTML). Anyway, as with IE, even if you disable "everything", the program is still potentially full of bugs that present inviting targets to hackers. But worse, it's your Microsoft Outlook Address Book that is most often used as the basis for further attacks (at first the attacks were directed against addresses in your address book; more recently with Klez and Sobig, the addresses are used in forged e-mail bombs, so it appears that not only you, but everybody in your address book, is spamming and attacking the world). If you must use a GUI mail client, make it CubMail (Columbia only) or Netscape or Mozilla Messenger. Better yet, use a host-based mail client, explained below. Avoid "free" Web-based e-mail systems (other than CubMail) for any number of reasons: they transmit passwords in the clear, they violate your privacy and/or author rights, etc.

Ditto for Other Microsoft Office Applications
Microsoft Word is not the only package with the macro language problem. It's the entire Microsoft Office suite. Office XP is supposed to be more secure but who knows (and if it is secure, you probably won't use it because security = inconvenience). Use them for working on your own files, but watch out when importing other people's data files.

Watch Out for Applications that Use Helper Applications
If you use a PC-based email client, Web browser, or other application that is not from Microsoft, it might still use Microsoft applications as helpers or viewers for e-mail attachments, Web pages, or other documents. For example, if a document is tagged as "Content-Type: application/msword;" or has a name that ends with ".doc", your application software might feed it to Word. For each application that you use or install, you must go through its setup configuration to replace all dangerous associations with harmless ones (you can -- and should -- do this Windows-wide but many applications override the Windows-wide associations).

Don't Use Microsoft Word as the Helper for DOC Files
Any time Microsoft Word opens a document your computer can catch a virus. This can happen if you open the document from Word's File menu, or if you click on the document on your desktop or in a file list, or because Word is registered as the "helper" application for .DOC files and can be triggered by visiting a web page or opening an e-mail enclosure. If you need to read Word files, use WordPad and register it as the helper application for .DOC files (or else read them on a Unix-based platform with Antiword, Star Office, or Open Office). If you need to create plain-text files, use Notepad, WordPad, or (better yet) a text editor on the central servers (discussed below) instead of Word. To create or edit "rich" files of your own, you can use anything you like, including Word, since the chances of giving yourself a virus by editing your own file are pretty slim.

Disable Internet Services
You probably do not need to have Web servers, FTP servers, and the like running on your desktop PC. Inviting connections from the outside world to your own PC is like leaving your house open and posting a big "rob me" sign on it. If you want to have a Website, put it in your ~/public_html/ directory on Cunix. Departments that are running production Web servers on Windows (not to mention organizations outside Columbia that do so) are in constant danger and are guaranteed to be continuously probed and attacked from all over the world. Columbia departments should move their websites to secure platforms in secure locations. On 19 September 2001, the Gartner Group recommended that "enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache."

Don't Run Peer-to-Peer Software
If you are serious about computer safety, you won't use your PC as an entertainment center. Running Internet "peer-to-peer" software -- Napster, Aimster, Madster, Gnutella, Kazaa -- to share commercial music and videos might or might not be legal or ethical, but it is dangerous because it opens your computer up to incoming Internet connections and you don't know what the software is doing (click on the Kazaa link to see what I mean). You probably don't have the source code, and if you do, you probably didn't read and understand every line of it, and anyway since there is no business relationship between you and its authors, you can't hold them responsible for what happens to your PC. Using this software is also dangerous because it exposes you and/or your school or employer to possible criminal prosecution and lawsuits. It's not worth the risk. Support the artists you like by purchasing their CDs or DVDs.

Disable Windows Messenger
In Fall 2002, direct marketing software companies discovered it was possible to make ads pop up on the screens of Windows users by sending NETBIOS messages on the local network or across the Internet. Who knows what other vulnerabilities are exposed through this path into your PC. For Windows XP, Microsoft explains how to disable this feature HERE. For other Windows OS's, who knows. Also see other documents on this topic from:

Anyway, the July 2003 DCOM RPC episode caused most sites to block TCP/UDP traffic on ports 135, 139, and 445, so you won't be seeing the annoying popups any more. Microsoft says, the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface "allows a program running on one computer to seamlessly execute code on a remote system", which strikes me as an odd feature to put on mass-market Internet-connected computers.

Disable Automatic Windows Update
This is not exactly a security issue, but you might feel better if you are more in control of your computer. Furthermore, it sometimes happens that a site blocks the messages Windows sends back to home base to check for updates; once that happens, Windows retries the message once per second. The local network can bog (or melt) down quickly with all the signs of a Denial Of Service attack, and the network police might well come crashing through your door to see what "you" are up to. In Windows XP, Automatic Windows Update can be disabled in:

Control Panel → System → Automatic Updates

Most security experts will tell you that it is essential to apply updates constantly, continuously, and instantly, to avoid falling prey to the latest attacks, and if you use Windows as Microsoft intended (i.e. for everything), that's good advice. Personally, I don't bother with updates, antivirus software, or Zone Alarm. The way I use Windows, I don't need to.

Don't Use Public/Private Key Pairs
Some people think that SSH connections are better than clear-text Telnet connections because SSH doesn't send passwords over the network in the clear. When they discover that they can use SSH to log in without a password by setting up public/private key pairs, and that this opens up other possibilities like remote execution of commands, tunneling, etc, they can't resist. The trouble is, your key files are on your PC disk in a well-known location. Given the infinite variety of security holes in Windows, it's just a matter of time before someone gets your key files and (if you have encrypted them) cracks them offline, thus stealing your identity and gaining access to all the computers that you have access to. Once this happens, there is no straightforward method of recovery. Therefore, if you must use SSH, it is better to use it only for encryption, typing your password every time you make a connection to another computer. Better still, choose a manageable form of security such as Kerberos (supported at Columbia), SSL/TLS, etc. More about this HERE (see, especially, Section 3.2). (If you have to use SSH with public/private key pairs, you can keep your secret material (keys etc.) on a floppy disk or USB memory stick, and insert the disk/stick into the machine only when you attempt a connection to a remote host with SSH; keep it locked up at other times.)

Enable Internet Connection Firewall
Windows XP and later have their own built-in Internet Connection Firewall (ICF), but you have to "enable" it, and I suppose this can't hurt (Control Panel → Network Connections → (Choose your network type) → Properties → Advanced → Internet Connection Firewall → Protect My Computer and Network). I also can't say that it's necessary if you follow all the other recommendations given here. So far, it hasn't been necessary for me. I confess, I do have Norton Antivirus installed, mainly just to satisfy myself that my PC remains virus-free, and so far it has. But you never know... Windows has so many secret entrances from the outside world, I don't think ANYBODY could tell you how to close them all -- and even if they did, you'd spend an entire day groveling through obscure menus that are different in every Windows version, with no record of what you'd done, and no guarantee that your menu selections actually did anything, or that whatever holes you closed wouldn't open up again all by themselves, in the interest of user-friendliness.

In summary, don't use Microsoft applications, don't use any other applications that automatically execute embedded programs or scripts or macros in their data files (this can include PostScript viewers and even PDF utilities), disable all services that open your PC to incoming network connections, including disk or printer shares and "content sharing" of any kind, as well as automated updates.
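A way to check whether the doors listed above are actually closed, rather than trusting what the menus say, is to look at which sockets the PC is listening on. The following Python script is an added example, not part of the original page or of any Microsoft or Kermit Project software: it parses the output of `netstat -an` (the sample below is constructed to look like Windows' netstat, with RFC 5737 test addresses) and reports every socket reachable from the network, naming the Windows component that usually owns the ports discussed in this section (135 for DCOM RPC, 137/138/139 and 445 for file and printer sharing, 80 for PWS/IIS, 1900 for UPnP). The port-to-component table is my assumption about typical default configurations, not something the page states for every Windows version.

```python
import re

# Constructed sample of `netstat -an` output from a Windows PC. The layout
# follows Windows' netstat; the addresses are RFC 5737 documentation addresses.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.25:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.25:3354        198.51.100.7:23        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:1900           *:*
"""

# Ports the text associates with doors that should be closed, and the Windows
# component that usually opens each one (assumed typical defaults).
KNOWN_EXPOSURES = {
    ("TCP", 21): "FTP server",
    ("TCP", 80): "web server (Personal Web Server / IIS)",
    ("TCP", 135): "RPC endpoint mapper (DCOM RPC)",
    ("UDP", 137): "NetBIOS name service (file and printer sharing)",
    ("UDP", 138): "NetBIOS datagram service (file and printer sharing)",
    ("TCP", 139): "NetBIOS session service (file and printer sharing)",
    ("TCP", 445): "SMB (Server service: file, printer and named-pipe sharing)",
    ("UDP", 1900): "UPnP discovery (SSDP)",
}

# One netstat row: protocol, local address:port, foreign address, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Turn netstat -an output into a list of socket dicts."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column headers, blank lines
        proto, addr, port, foreign, state = m.groups()
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "foreign": foreign, "state": state})
    return sockets


def is_exposed(sock):
    """True if the socket accepts traffic from other machines."""
    if sock["addr"].startswith("127."):
        return False  # loopback only: not reachable from the network
    if sock["proto"] == "TCP":
        return sock["state"] == "LISTENING"  # established sessions are not open doors
    return True  # a bound UDP socket receives datagrams from anyone


def audit(text):
    """Return (proto, port, description) for every network-reachable socket."""
    findings = []
    for sock in parse_netstat(text):
        if is_exposed(sock):
            desc = KNOWN_EXPOSURES.get((sock["proto"], sock["port"]),
                                       "unidentified service")
            findings.append((sock["proto"], sock["port"], desc))
    return findings


if __name__ == "__main__":
    for proto, port, desc in audit(SAMPLE_NETSTAT):
        print(f"{proto:3} {port:5}  {desc}")
```

Run it against real output by piping `netstat -an` into a file and passing the file's contents to `audit()`; after disabling the Server, Remote Registry and web services as described above, the 135/139/445 and 80 rows should disappear from the report, and anything left over marked "unidentified service" deserves the same services.msc inspection.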

While you're at it, learn to be a good network citizen. Software vendors don't make this easy for you because they want you to become hooked on their products and force others to use them. Some points to keep in mind:

3. How to Ignore Viruses and Get Your Work Done

If you can type reasonably well and are willing to give up automatic opening of e-mail attachments you can work with complete safety and a great deal more efficiently in a "world of text", just as virtually everyone did prior to 1995 (so how hard can it be?). Consider that AcIS maintains a vast armada of fast, secure Unix-based Sun servers, known collectively as Cunix, that you can access with a terminal emulator. These servers let you:

In fact, this is how everybody at Columbia -- students, faculty, and staff -- used computers in the decades prior to Windows and the Web. It takes a little time to learn text editing with EMACS, but the time is well invested, since EMACS is extremely powerful. Not only can it do anything you can think of, but it is far less labor intensive than a GUI point-and-click editor, which requires constant hand movement between keyboard and mouse, endless groveling through menus, and so forth (favoring the novice or casual user over the experienced or heavy user). Whereas with EMACS, if you're a touch-typist, your hands need never leave the home position. To get started with EMACS, just type "emacs" at the Cunix shell prompt, then type Ctrl-h (hold down the Ctrl key and press the "h" key, then let go of the Ctrl key) and then press the "t" key for a tutorial.

If you need to use Microsoft applications like Outlook, Access, Excel, Powerpoint, or Word on your PC, you can still do so, but do it with your eyes open. Don't allow incoming network material (e-mail, web pages) to launch these applications automatically. Launch them yourself by hand only on trusted material, and then only after disabling all forms of macro execution and other dangerous features in these applications (and reading all the latest CERT security alerts about macro viruses and vulnerabilities).

But what is trusted material? Good question. You have no way of knowing in advance that a data file for an MS Office component -- Word, Excel, Access, etc -- does not contain a virus, even if the file comes from a trusted friend or colleague or family member, because they might be passing along a virus without knowing it. You can test the file in advance with a virus scanner, but the virus might be a new one that the virus scanner doesn't know about.

Here are some of the benefits of a host-based, text-based work environment:

You can access the central Unix servers securely from Windows by using Kermit 95:

Columbia students, faculty, and staff can download Kermit 95 from the AcIS Software Distribution Center; other universities can get low-cost ACADEMIC SITE LICENSES; individuals anywhere can download it from HERE. Kermit 95 is a product of AcIS's own Kermit Project and is therefore naturally in tune with the Columbia computing and security environment. Like EMACS, it has a bit of a learning curve because it has a lot to offer. It's not just a terminal emulator; it also lets you:

And lots more. CLICK HERE for a tutorial. The Kermit 95 command prompt can even be a more powerful and friendly alternative to the Windows shell.

My time-tested Windows setup is simple: one Mozilla window plus several Kermit 95 windows acting as Kerberized (i.e. secure) Telnet clients to Columbia hosts, SSH connections to other hosts, and when this document was originally written I also had a copy of Kermit 95 accepting incoming connections on the HTTP port so I could harmlessly absorb, log, and automatically report Code Red and Nimda attacks via a Kermit script. In the Kermit 95 terminal windows:

When reading e-mail:

This setup is not necessarily for everybody, but I recommend it for people who:

(The last point might be stated better as, "don't mind investing a little time to learn tools that improve their productivity for years to come.") If you fall into this category, perhaps the tradeoffs -- learning curve and certain limitations, versus time and work lost due to viruses, not to mention the damage they can do to others -- are worth it.

Remember: if you have a Windows PC connected to the Internet, then even if you update and patch the OS and applications and antivirus and intrusion-detection software every day, you're still not safe. Attacks come first, the patches against them follow later. While you are sleeping, your PC and/or files could be damaged and your PC could be used as a launchpad for attacks against thousands of other computers, most likely including those of your colleagues, friends, family, and business contacts -- the ones in your Windows address book.

4. The Junk Mail Plague

U-Mail (n). Unwanted e-mail. A term to encompass not only spam (unsolicited e-mail of a promotional or otherwise undesirable nature) and viruses, but also responses sent to you when your e-mail address was forged as the sender of a spam or virus message sent from somebody else's computer. Such responses might include delivery status reports (e.g. no such user), virus warnings, spam rejections, disk-full notifications, subscription confirmations, inquiry acknowledgements, and vacation notices.
By mid-2002, the Klez worm had done a fair job of reducing the signal-to-noise ratio of Internet mail by yet another order of magnitude. Every morning when I arrive at work and read my e-mail, not only do I have preposterous messages from all over the world, full of worms, viruses, get-rich schemes, scams, pornography, and who knows what else (even virus-laden ads for anti-virus products!), but it seems that I also have been busy sending these messages myself while I slept since much of my new mail is bounce notifications for e-mail from me to random addresses all over the planet containing the same assortment of viruses, worms, get-rich-quick schemes, etc.

Of course I did not send these messages, Klez did. Nor did the messages come from my computer. Klez puts my address, which it picked out of other peoples' address books, in the message's From: header; if you look at the message's Received: headers, you'll see the true origin of the message -- the person's computer where my address was found (or another one subsequently infected from there, and so on).

E-mail that is forged in this way can be quite effective. Chances are high that you will "open" a message if it is from someone you know, and chances are also high that people who have your address in their address book also have the addresses of people you know.

A few months after Klez debuted, I began to notice that some people were not receiving email from me. It seems that "well-known spammer" lists accumulate source addresses from Klez-generated (i.e. forged) messages, and some sites use these lists as criteria for blocking spam. Here we see the seeds of the breakdown of email itself. People who have never sent spam in their life are branded as spammers and blocked from using email; the antibodies are more lethal than the disease.

Anyway, now it seems "I" am sending tech-support requests to companies all over the globe and subscribing to every conceivable mailing list, further clogging my mailbox with automated responses and unwanted mass mailings. In August 2002 only about 1 in 100 e-mail messages I received was legitimate, and Columbia University as a whole received about a quarter million Klez messages each day. It only gets worse. The entire Internet is now engaged in a massive (but piecemeal, per-site) spam-filtering crusade that is increasingly likely to block legitimate messages. Spam and virus mail will adjust itself to pass through the filters, while the mere human beings responsible for the filters won't be able to keep up. So you can expect that no legitimate message will be immune from filtering. Since filtering policies are unique to each site, it won't be easy to predict how to tailor your mail to get through. (But if you can do it, spammers can do it too!)

At least by using a text-based email client, I don't propagate this avalanche of letter bombs and junk mail. My mailbox is a Klez "sink" and my PC never becomes another Klez source. I have a full view of each message so I can easily tell whether it's forged by comparing the sender's address with the source address accumulated along the route.
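The check described above (compare the From: address with the origin recorded in the Received: headers) can be automated with the standard library. The following Python script is an added example, not code from the original page: it reads two constructed messages (RFC 5737 addresses and example.edu/example.net hostnames, all made up), walks the Received: chain from the earliest hop upward, and reports the host that handed the message to the first relay you control. That last refinement goes slightly beyond the text: a worm can prepend a fake Received: line below the real ones, so the script trusts only the hop recorded by a relay in the assumed TRUSTED_RELAYS set rather than the bottom-most header.

```python
import email
import re
from email.utils import parseaddr

# Relays operated by the recipient's own site (assumption for this example).
TRUSTED_RELAYS = {"mx.example.edu", "mailbox.example.edu"}

# Constructed Klez/Sobig-style message: From: is forged to a colleague at
# example.edu, the message really entered from an unrelated ISP host, and the
# bottom Received: line was fabricated by the sender to claim a campus origin.
FORGED_MESSAGE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
    by mailbox.example.edu with ESMTP id abc123
    for <you@example.edu>; Tue, 19 Aug 2003 08:12:01 -0400
Received: from infected-pc.isp.example.net (cable-45.isp.example.net [203.0.113.45])
    by mx.example.edu with SMTP id def456; Tue, 19 Aug 2003 08:11:58 -0400
Received: from ws12.cs.example.edu (ws12.cs.example.edu [192.0.2.77])
    by infected-pc.isp.example.net with SMTP; Tue, 19 Aug 2003 08:11:50 -0400
From: "A Colleague" <colleague@example.edu>
To: you@example.edu
Subject: Re: your document

(body omitted)
"""

# Constructed legitimate message from the same colleague's campus workstation.
LEGIT_MESSAGE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
    by mailbox.example.edu with ESMTP id ghi789
    for <you@example.edu>; Tue, 19 Aug 2003 09:00:00 -0400
Received: from ws12.cs.example.edu (ws12.cs.example.edu [192.0.2.77])
    by mx.example.edu with ESMTP id jkl012; Tue, 19 Aug 2003 08:59:58 -0400
From: colleague@example.edu
To: you@example.edu
Subject: meeting

(body omitted)
"""

_FROM_HOST = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
_BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """(sending host, its IP, recording relay) per Received: header, earliest hop first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # last header = first hop
        text = " ".join(str(hdr).split())  # unfold continuation lines
        m_from = _FROM_HOST.match(text)
        if not m_from:
            continue
        m_by = _BY_HOST.search(text)
        m_ip = _BRACKET_IP.search(text)
        hops.append((m_from.group(1).lower(),
                     m_ip.group(1) if m_ip else None,
                     m_by.group(1).lower() if m_by else None))
    return hops


def origin(msg, trusted_relays=TRUSTED_RELAYS):
    """Host/IP that delivered the message to the first relay we trust."""
    hops = received_hops(msg)
    for host, ip, by in hops:
        if by in trusted_relays:
            return host, ip  # recorded by our own server, so not forgeable by the sender
    return hops[0][:2] if hops else (None, None)  # fallback: believe the bottom header


def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Summarize where a message claims to come from versus where it entered."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    host, ip = origin(msg)
    dom = sender_domain(msg)
    return {"from_domain": dom,
            "earliest_header_host": hops[0][0] if hops else None,
            "origin_host": host, "origin_ip": ip,
            "mismatch": not same_org(host or "", dom)}


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, analyze(raw))
```

A mismatch is a triage cue rather than proof of forgery: legitimate mail submitted through an ISP or a third-party relay will show one too, which is exactly why the page recommends looking at the full headers yourself before deciding that a colleague's PC is infected.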

August 19-20, 2003: The Sobig.F virus raised the stakes by orders of magnitude. Like Klez, Sobig.F reads email addresses from the infected machine's address book and picks one for the From: address and another for the To: address. If your e-mail address is in the address books of lots of Windows users, massive amounts of virus mail will be sent "from you" and of course you will also receive lots of it, as well as all the bounce messages, virus warnings, vacation notifications, subscription confirmations, and other responses generated by this mail.

In a single 24-hour period, I received 16237 U-mail messages, 73MB worth, compared to no more than 100 that were legitimate. This is with all sorts of filtering already going on at the central mail server. At least 75 percent of this traffic consisted of error or virus notifications from mail servers so it can't be filtered without the danger of also discarding legitimate warnings. Yet the volume is so massive it must be filtered, and this means it will become increasingly impossible to know whether mail that you sent was delivered (or had a virus!).

Perhaps MIME (Multimedia E-mail) was not such a great idea after all. It is the source and carrier of most of today's worms and viruses. The idea that e-mail should contain enclosures and attachments that can be associated by the sender with a particular application that will be run on the receiver's computer is such a flagrant, gaping security risk it's almost inconceivable the IETF could have approved it. (In fact, there was heated debate about this, but the design was evidently "pre-approved" and discussions were purely pro forma.)


Safe Computing / Sep 2001 - Jan 2004