Install for Dummies?

From: Johnson, Greg (JohnsonG@missouri.edu)
Date: 01/16/02


From: "Johnson, Greg" <JohnsonG@missouri.edu>
To: focus-ms@securityfocus.com
Date: Wed, 16 Jan 2002 09:05:22 -0600

Has anyone seen an effective one-page or two-page document that guides naive
users through a secure installation? Outline:

(1) Physically unplug from the net!
(2) Really, unplug!
(3) Install OS and applications from vendor media.
(4) Don't plug in yet.
(5) Apply any patches from other media.
(6) Keep your hands off that cable.

(7) Disable services such as UPnP and IIS via these steps ...

(8) OK, now you can plug in and finish network connection.
(9) Download and install patches.
(10) Download, install, update anti-virus, personal firewall, etc.
(11) Download and run this program to check and set security.
(12) A backup might be in order now.

(13) Turn on just those services you need...
(14) Watch your logs.
(15) Keep up to date on patches.
(16) To further prevent unauthorized network access to your computer, to
test its security status against ever-emerging threats, and to ask best
practices questions about security, see this web page ...

Item (7) is the meat. What's the minimum secure, fool-proof instructions
you advise? There may be a version for each popular OS including MS Windows
98, ME, 2000, NT, XP, Red Hat Linux & Apple Mac.

I wish to distribute something like this to our university's thousands of
students and staff. So these guidelines must be enticing and inexpensive!
Our people connect on campus and with machines they own via DSL, cable, or
other access. No surprise, many people, even those who know better, are
NIMDA'd or worse before they finish downloading MS patches, enterprise
templates, etc.

Over a year ago I discovered vulnerable shares on dozens of campus Windows
98 systems. My boss thought that because of this vulnerability we should
consider officially dropping support for '98. I pointed out that only
systems for which Microsoft disclaims security--Windows 95 and 98--are
secure out of the box. This UPnP mess and IIS defaults have affirmed that
cynical observation.

-- Greg Johnson, Security Office, IAT Services, University of Missouri -
Columbia



Relevant Pages

  • Re: Sick machine, dont know what to do
    ... The machine didn't ship with an XP install and restore disk. ... It was quite a hassle and then it seemed like it took days to download all the service packs and patches and such. ... Regarding downloading of the patches, you can save yourself some time by ignoring most of the early patches and going straight for major updates. ... They take a basic XP install CD and add a whole bunch of newer drivers and/or service packs and roll-up patches. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: WinXP SP3 Issues
    ... you can't download or run the windows update from safe mode.... ... documentation prior to clicking on a button that says "download and install ... patches prior to just throwing it out. ...
    (microsoft.public.windowsxp.general)
  • Re: This is Why Consoles are More Popular than PCs for Gaming
    ... Just remembering you needed that faithful floppy disk to install SATA ... > patch downloaded, well the patch took *forever* to install. ... You download patches every time? ... still have patches for games I have uninstalled on CD. ...
    (comp.sys.ibm.pc.games.action)
  • Re: WindowsXPSP2
    ... Microsoft is currently doing a large amount of work in making Patch ... future patches will only include information about the parts of the ... They do and they don't - it depends on the download mechanism. ... size of the Network install. ...
    (microsoft.public.windowsxp.general)
  • Re: There is no .NET in Vista Code?
    ... I might be overly harsh but it does seem to me that a group of developers who really don't intend to develop for the .NET market seize on the runtime download "problem" to rationalize their decision. ... my potential customers would have to install the runtime. ... Corporate customers, on the other hand, actively shut off Automatic Updates for a number of "reasons", but don't ever deploy the patches. ...
    (borland.public.delphi.non-technical)