3. How to secure your programs
3.1. Securing Windows operating system
By default, Windows hides file extensions. This allows virus writers to make use of double extensions in order to trick users into executing the infected files. To properly determine the extension of a file, make sure you have file extension viewing enabled:
- In Windows 95/98/NT, open Windows Explorer and select "Tools" -> "Folder Options". Click the "View" tab, and select "Show all files" and deactivate "Hide file extensions for known file types".
- In Windows 2000/XP, open Windows Explorer and select "Tools" -> "Folder Options". Click the "View" tab, select "Show hidden files and folders" and deactivate "Hide file extensions for known file types".
Still, the above instructions will not display the extension for .SHS files. To display .SHS file extensions, one additional step is required: users must edit the Windows Registry (using the regedit utility), and in HKEY_CLASSES_ROOT\ShellScrap, delete the value "NeverShowExt".
Be careful, as some extensions are still not shown even after you have enabled this option. Before opening a file, have a look at its file type.
Below is a partial list of file types that should be considered suspicious when received in email. They should not be opened unless you requested or expected the attachment, or unless you scan them first using your antivirus program:
- ADE Microsoft Access Project Extension
- ADP Microsoft Access Project
- BAS Visual Basic Class Module
- BAT Batch File
- CHM Compiled HTML Help File
- CMD Windows NT Command Script
- COM MS-DOS Application
- CPL Control Panel Extension
- CRT Security Certificate
- DLL Dynamic Link Library
- DO* Word Documents and Templates
- EXE Application
- HLP Windows Help File
- HTA HTML Applications
- INF Setup Information File
- INS Internet Communication Settings
- ISP Internet Communication Settings
- JS JScript File
- JSE JScript Encoded Script File
- LNK Shortcut
- MDB Microsoft Access Application
- MDE Microsoft Access MDE Database
- MSC Microsoft Common Console Document
- MSI Windows Installer Package
- MSP Windows Installer Patch
- MST Visual Test Source File
- OCX ActiveX Objects
- PCD Photo CD Image
- PIF Shortcut to MS-DOS Program
- POT PowerPoint Templates
- PPT PowerPoint Files
- REG Registration Entries
- SCR Screen Saver
- SCT Windows Script Component
- SHB Document Shortcut File
- SHS Shell Scrap Object
- SYS System Config/Driver
- URL Internet Shortcut (Uniform Resource Locator)
- VB VBScript File
- VBE VBScript Encoded Script File
- VBS VBScript Script File
- WSC Windows Script Component
- WSF Windows Script File
- WSH Windows Scripting Host Settings File
- XL* Excel Files and Templates
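The check described above, as an added example that is not part of the original guide: a Python function that classifies attachment names against the extension list and flags double extensions. The function names, the sample file names and the 2-4 character heuristic for the inner extension are assumptions made for this illustration.

```python
import fnmatch
import re

# Extension patterns copied from the list above; DO* and XL* act as wildcards.
SUSPICIOUS = """ADE ADP BAS BAT CHM CMD COM CPL CRT DLL DO* EXE HLP HTA INF INS
ISP JS JSE LNK MDB MDE MSC MSI MSP MST OCX PCD PIF POT PPT REG SCR SCT SHB SHS
SYS URL VB VBE VBS WSC WSF WSH XL*""".split()

# Assumption: an inner segment of 2-4 letters/digits is treated as a decoy extension.
INNER_EXT = re.compile(r"[A-Za-z0-9]{2,4}")


def classify(filename):
    """Return (verdict, extension) for one attachment name.

    Verdicts: "no-extension", "ok", "suspicious", "double-extension".
    """
    # Keep only the last path component and drop surrounding whitespace.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return ("no-extension", "")
    ext = ext.strip().upper()
    if not any(fnmatch.fnmatchcase(ext, pat) for pat in SUSPICIOUS):
        return ("ok", ext)
    # The real type is risky; check whether a harmless-looking extension
    # sits in front of it, possibly padded with spaces to push it off-screen.
    stem = stem.rstrip()
    inner = stem.rpartition(".")[2] if "." in stem else ""
    if INNER_EXT.fullmatch(inner):
        return ("double-extension", ext)
    return ("suspicious", ext)


def flag_attachments(names):
    """Return only the names that should be held back for scanning."""
    return [(n, *classify(n)) for n in names if classify(n)[0] not in ("ok", "no-extension")]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real message.
    samples = ["notes.txt", "holiday.jpg.exe", "invoice.pdf          .scr",
               "budget.xls", "clip.shs", "README"]
    for row in flag_attachments(samples):
        print(row)
```

The check looks only at the name, so it complements the antivirus scan the guide recommends rather than replacing it.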
In addition to the information above, you should also verify user account security. This means you should:
- disable the Guest account, if it is not needed:
In Windows 2000/XP right-click on "My computer", choose "Manage", and go to "Local users and groups", and "Users". Here right-click on Guest, choose "Properties" and make sure "Account is disabled" is checked.
- make sure all accounts are password-protected.
- do not use your computer for everyday activity as an administrator. Create a limited account instead. Any user can employ the "Run As" feature (hold shift while right-clicking an application to see the "Run As" option) to temporarily become the Administrator, if necessary, for instance to install software.
Follow these steps to create a limited account on Windows 2000/XP: right-click on "My computer", choose "Manage", go to "Local users and groups", and right-click on "Users". Here choose "New user", and choose a name and a password for that user. You may also uncheck "User must change password at next logon". Click on "Create", then on "Close". After that, right-click on the new user, choose "Properties", click on the "Member of" tab and make sure that it is a member only of the "Users" group.
3.2. Securing Microsoft Internet Explorer
First and foremost, make sure you have the latest version of Internet Explorer and that all necessary patches and updates have been applied. To obtain the latest version and required updates, visit the Windows Update Center (http://windowsupdate.microsoft.com).
In addition, Internet Explorer has a built-in mechanism for controlling the Internet threats that may ruin your browsing experience. Internet Explorer divides your Internet world into zones, so that you can assign a Web site to a zone with a suitable security level.
To access the Security Zones, open Internet Explorer, choose "Tools" from the menu, select "Internet Options", and click the "Security" tab.
There are four zones:
- Internet zone: By default, this zone contains anything that is not on your computer or on an intranet, or assigned to any other zone.
- Local intranet zone: This zone typically contains any addresses that do not require a proxy server, as defined by the system administrator.
- Trusted sites zone: This zone contains sites that you believe you can download or run files from without worrying about damage to your computer or data. You can assign sites to this zone.
- Restricted sites zone: This zone contains sites you do not trust - sites that you are not sure whether you can trust for downloading or running files without damage to your computer or data.
You should set the Internet zone to Default Level (Medium). This setting will not suppress pop-ups, but it will suppress active scripting and ActiveX controls.
As you encounter sites that employ intrusive pop-ups or have other undesirable active content, you should add them to the Restricted Sites zone.
To do so, make sure you have selected Restricted Sites, and then click the Sites button. In the dialog box that appears, type in the desired site's URL and click Add. To remove a site from the list, select it and choose Remove.
3.3. Securing Microsoft Outlook and Outlook Express
Set the Restricted Sites security zone to disable all ActiveX and Java. Do this from Internet Explorer by going to "Tools" -> "Internet Options" -> "Security" -> "Restricted Sites" -> "Custom Level". After this, scroll through the list disabling all options for scripting of Java or ActiveX.
After making the necessary modifications to Restricted Zones, you will need to add Outlook or Outlook Express to this Zone: open Outlook Express or Outlook, and choose "Tools" -> "Options" -> "Security". Here you should select the Restricted Zone.
3.4. Windows XP Service Pack 2
We recommend installing Service Pack 2 from the Microsoft Windows Update site (http://windowsupdate.microsoft.com). This update contains all the fixes and enhancements that have been made available over the last year.
Be advised that certain software is incompatible with this Service Pack. More information at http://support.microsoft.com/default.aspx?kbid=884130 and at http://support.microsoft.com/kb/842242
After installing the Service Pack, we recommend turning on Automatic Updates, and installing an antivirus solution that integrates itself in Microsoft's Security Center (such as AntiVir Workstation).
Also, turn on the Windows Firewall if you have no firewall installed. For more information about the Windows firewall, check: http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx