Digital Security and Privacy for Human Rights Defenders

2.1 Windows Security

Abstract
  1. Regularly update your operating system
  2. Know the locations of different files and documents on your computer
  3. Use a BIOS password to protect the computer at start up
  4. Use a lock screen function or password-protected screen saver to prevent immediate access to your computer
  5. Do not use an empty password or reveal your password to others
  6. Be careful when installing new software or buying a computer with pre-installed software. Use only the software that is necessary for your function and delete everything else.

We have discussed the security of your working environment and the importance of awareness of your computer operations. This chapter introduces a more technical aspect. The stability of your computer’s operating system is integral to its operation. Different software and hardware could have a negative impact on its functionality and security, if you do not possess the ability to monitor and control it. Your operating system gives you the opportunity to increase (or decrease) the security of your computer by adjusting various settings. It is like your computer headquarters. Whilst security does not depend solely on the operating system, it is important to know the vulnerabilities and the critical administration points of your operating system.

The Windows operating system (OS) is well-known for its many security vulnerabilities, but if you do not change to a different OS (e.g. a distribution of Linux), you should at least be aware of the best methodology for securing what you have. This section is divided into different categories and sorted by versions of the Windows OS. It is worth noting that specific versions of Windows, like XP Professional, have numerous security features, yet they are not switched on by default. You have to activate them yourself.

Updates

Windows updates are additions to the OS which were not included in the initial release. They are usually upgrades and patches to resolve discovered vulnerabilities. The large releases are called service packs. Microsoft has stopped releasing these updates for Windows 95, 98 and NT. You can find and download all the updates from the previous years, but you will not receive continuous support. The security updates and fixes for Windows 2000 and XP will run through to June 2010 (see http://support.microsoft.com/lifecycle/).

If you do not have Internet access, you are less vulnerable to many of the electronic attacks. It is still advisable that you find upgrades for your OS on disk or CD. You can always write or email to Microsoft and request the latest service pack (bear in mind that you will need to include licence details of your original product).
If you are connected to the Internet, you can visit http://update.microsoft.com and follow the process on the website to discover your current Windows version and updates, and to install all the necessary ones. If you are running Windows XP on your computer, then the website will first check that your Windows software licence is valid. Even if your Internet connection is slow and expensive, I would strongly advise you to install these updates. If Internet connectivity is an issue, I suggest you install just the ‘Critical Updates’.

Users of Windows ME, 2000 & XP who have a constant connection to the Internet can set Windows to periodically check for updates and install them upon their release. Go to the Control Panel and select Automatic Updates (in 2000) or Security Centre (in XP). Choose the options that will automatically download and install the updates.

File Allocations

This section describes some of the locations used by Windows to store specific user and temporary files on your computer. These are important for deciding what files to delete, detecting system intrusion and keeping a well-organised and secure file system.

User Documents

These files relate to the My Documents folder, where many users store their personal files. This category also covers information that is unique to your Windows profile. Since Windows allows a number of users to share the same computer, it keeps all the files particular to a user’s session in one location. This includes your Internet browsing history and favourites, cookies, desktop files and your specific program settings (e.g. all your emails from Outlook).

Windows 95, 98, ME
The default (first) users will have their personal files stored in the following locations:

Documents – C:\My Documents
Desktop files – C:\Windows\Desktop
Program specific settings – C:\Windows\Application Data
Internet favourites – C:\Windows\Favourites
Internet history – C:\Windows\History

All additional users (you can add them from Control Panel > User Accounts) will have their personal files located at C:\Windows\Profiles\User

There is not much security built into this system, as any user can have full access to all files of others.

Windows NT, 2000, XP
Windows has a dedicated user profile folder structure. User files and settings can be found in C:\Documents and Settings\User

Depending on the permissions granted to the user, they normally cannot see other users’ files. There is an exception for an Administrator account, which should have access to all files on a computer. You should not be using an Administrator account or an account with administrator’s permissions.

Temporary files

These are files collected by a computer as you go about your work. They include unfinished or unsaved documents, Internet pictures and graphics (also known as cache) and a myriad of other files, which reveal your past activities on the computer. You should delete the contents of these folders periodically. To do this, go to: Start > Programs > Accessories > System Tools > Disk Clean Up

Microsoft Windows – cleaning temporary files

Select which temporary files you want to delete. For a secure, unrecoverable deletion of temporary files, use the BCWipe software utility (see Digital Security Toolkit). Deleting these temporary files is also useful because they take up a lot of space on your computer.
For a thorough clean-up of temporary files with more options, use software like BCWipe and CCleaner. [15]
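Before deleting anything, it helps to see how much has accumulated and how far back it goes. The following script is an added example, not part of the original manual: it counts the files in the usual per-profile trace folders of Windows 2000/XP. The folder names come from general knowledge of those Windows versions (the manual names only the profile root), and the sample profile it scans is constructed for the demonstration.

```python
import os
import tempfile
import time

# Per-profile trace folders on Windows 2000/XP, relative to
# C:\Documents and Settings\<User>. Assumption: these names are taken from
# general knowledge of those versions, not from the manual.
TRACE_DIRS = [
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
    os.path.join("Local Settings", "History"),
    "Cookies",
    "Recent",
]

def inventory(profile_root):
    """Return {folder: (file_count, total_bytes, oldest_mtime)} for each
    trace folder that exists under profile_root."""
    report = {}
    for rel in TRACE_DIRS:
        top = os.path.join(profile_root, rel)
        if not os.path.isdir(top):
            continue
        count, size, oldest = 0, 0, None
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                try:
                    st = os.stat(os.path.join(dirpath, name))
                except OSError:  # locked or vanished file: skip it
                    continue
                count += 1
                size += st.st_size
                oldest = st.st_mtime if oldest is None else min(oldest, st.st_mtime)
        report[rel] = (count, size, oldest)
    return report

def build_sample_profile():
    """Constructed sample: a throwaway directory laid out like a profile."""
    root = tempfile.mkdtemp(prefix="profile_")
    for rel, name, data in [(TRACE_DIRS[0], "~draft.tmp", b"x" * 2048),
                            (TRACE_DIRS[1], "photo.jpg", b"y" * 512),
                            ("Cookies", "user@site.txt", b"z" * 64)]:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, (n, size, oldest) in inventory(build_sample_profile()).items():
        when = time.strftime("%Y-%m-%d", time.localtime(oldest)) if oldest else "-"
        print(f"{rel:45} {n:4} files {size:8} bytes, oldest {when}")
```

To scan a real profile, pass its path (for example C:\Documents and Settings\User) to inventory() instead of the sample.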

Lock Screens

Every Windows computer gives you an option to password-protect immediate access once the computer has powered on. This could either be a lock screen, or a password-protected screen saver.

Lock Screen – Windows NT, 2000

Make sure that your user account is password-enabled.
Press the Ctrl + Alt + Del keys simultaneously
Press: Enter

Lock Screen – Windows XP

Option 1 Press the Windows key (if you have one) + L key

Option 2 You must switch to the ‘Classic’ Windows theme to activate the lock screen function.

Select: Start > Settings > Control Panel
Double click: User Accounts
Click: Change the way users log on or off
Untick: Use the Welcome Screen

Now you can use the Ctrl + Alt + Del key combination.

Option 3 Right-click on an empty space on your Desktop

Select: New > Shortcut
Type: rundll32.exe user32.dll, LockWorkStation
Press: Next
Type: a name for the new icon (example: Lock Computer)
Press: OK

This will create an icon on your desktop. Double-click it to lock your computer screen. You will need to enter your password to unlock it.

Windows 95, 98, ME
Unfortunately, there is no separate lock-screen function in these Windows versions, so you will need to create a password-protected screen saver and put an icon or a time limit to activate it.

Screen Saver – (all Windows versions)

On your Desktop, right-click the mouse button and choose Properties from the menu that appears. Go to the SCREEN SAVER tab and select a screen saver. Tick the Password Protect box and enter the desired password. Set the time limit to 5 minutes. Now make a shortcut to activate the screen saver upon request. Then you won’t have to wait for 5 minutes before it is launched.

Go to: Start > Search (for files & folders)
Type: *.scr
Press: Enter

The results will show all the screen savers on your computer. Choose any screen saver and right-click on it.

Select: Send to -> Desktop (Create ShortCut)

Now you can activate the screen saver by clicking on the shortcut on your desktop screen. However, we can make it even simpler:
Right-click on the shortcut and select Properties
Click in the text box called Shortcut key and press Ctrl Alt S

Press: OK

Now your screen saver will launch every time you press that key combination.

This is not an advanced security measure, yet it is still better than just leaving your computer open.
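To confirm that the settings above took effect on Windows XP, you can run reg query "HKCU\Control Panel\Desktop" at the command prompt and check the result. The following script is an added example, not part of the original manual: it reads that output and reports anything that falls short of a password-protected screen saver with a 5-minute limit. The registry value names are those used by Windows NT, 2000 and XP (an assumption from general knowledge, not from the manual), and the sample output is constructed.

```python
import re

MAX_TIMEOUT = 300  # seconds: the 5-minute limit recommended above

# Constructed sample of `reg query "HKCU\Control Panel\Desktop"` output.
SAMPLE = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    0
    ScreenSaveTimeOut    REG_SZ    900
    SCRNSAVE.EXE    REG_SZ    C:\WINDOWS\System32\logon.scr
"""

def parse_reg_query(text):
    """Turn 'name  REG_TYPE  data' lines into a {lowercase name: data} dict."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.*\S)\s*$", line)
        if m:
            values[m.group(1).lower()] = m.group(2)
    return values

def check_screen_saver(text):
    """Return a list of problems; an empty list means the settings are fine."""
    v = parse_reg_query(text)
    problems = []
    # With the screen saver set to (None), SCRNSAVE.EXE is missing.
    if v.get("screensaveactive") != "1" or not v.get("scrnsave.exe"):
        problems.append("no screen saver is enabled")
    if v.get("screensaverissecure") != "1":
        problems.append("screen saver is not password protected")
    try:
        timeout = int(v.get("screensavetimeout", ""))
    except ValueError:
        timeout = None
    if timeout is None or timeout <= 0 or timeout > MAX_TIMEOUT:
        problems.append(f"idle timeout is not within {MAX_TIMEOUT} seconds")
    return problems

if __name__ == "__main__":
    for problem in check_screen_saver(SAMPLE) or ["settings look fine"]:
        print(problem)
```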

BIOS

Every computer has a BIOS – Basic Input/Output System. Its purpose is to give your computer initial instructions to begin with. BIOS is a set of essential software routines that execute when you switch on the computer’s power. They test the hardware devices, start the hard drive and operating system. The BIOS instructions are stored in a place called ROM – Read Only Memory, and are usually invisible to the user. However, most computers give you the option to inspect and configure the BIOS settings. These include password protection.

To enter the computer’s BIOS, you are usually requested to press a certain key on your keyboard at the initial power-on screen. This is often the F1 or F2 or F10 or F12 key, depending on the type of BIOS you have. Sometimes, this can also be the ESC or DEL key. Some computers skip through this screen very quickly and you may have to press the ‘Pause’ button on your keyboard to read it properly. We will only discuss the password settings here. Do not change other standard BIOS settings, if you do not know their purpose. Not all BIOS are the same, but you will find either two or all of these passwords in yours.

  • Power On password – This will protect the BIOS from starting without a valid password. No devices will be loaded, and your computer will not start.
  • Hard-drive password – This will protect the BIOS from initiating and launching your computer’s hard drive. This is a useful option for your laptop that is often left in ‘standby’ mode.
  • Supervisor password (BIOS password) – This is the main password that can overwrite the previous two passwords. You do not need to set it, but if you forget or want to change either the power-on or hard-disk password, you will need the supervisor password.
Setting these passwords will prevent immediate access to your computer, if it is switched off. It is a quick deterrent for a less ambitious intruder. The security is far from foolproof as there are several ways to bypass the BIOS password. Almost all of them include physically opening your computer. When you have done this, you can reset the BIOS or simply take out the hard drive and put it into a different computer that does not have BIOS password protection. Hence, if you have a lock on your well-built and strong computer case, you are again increasing the security of access to your information. If you forget your BIOS password, you will have to resort to the methods described above to reset it.

Software Installation

Most computers come pre-installed with software. At least, that is what you should normally request. Bear in mind that this may not be the best security option. If you have unlimited or cheap access to the Internet, all you will need is your Windows CD. You can find all other necessary software on the Internet and all of it free [16]. When I buy a new computer, the first thing I do is format it, i.e. delete everything on it, including the operating system itself. It allows me to start ‘afresh’ and build my system from scratch. Pre-installed software usually has many trial versions of virus cleaners, graphics packages and whatnot. Sometimes, it will have lots of pre-installed spyware. By starting from scratch, I can gain full knowledge of all of my Windows security settings, installed software and hardware. If you implement the security settings for Windows included in the Secure NGO in a Box, update it from the Internet, install a virus cleaner and a firewall, you will be a lot more secure when connecting to the Internet for the first time [17].

When installing new software, imagine yourself eating. You could poison yourself if you consume the wrong food or a product that is past its use-by date. With software, you could poison your computer, which sometimes will not recover. Investigate the software publishers and make a decision about their status and trustworthiness. Like keeping a healthy diet by staying away from junk food, do not install unnecessary software that may decorate your computer monitor or make filling in Internet forms easier. It is usually this very software that carries many of the bugs we describe in this Manual. Do not think that a computer can handle every piece of software you choose to install. If all you need a computer for is checking email and writing documents, all you will require are OpenOffice and Mozilla Thunderbird. Don’t install anything else. It’s that simple.

[14] http://v4.windowsupdate.microsoft.com/catalog/
Windows 95 users should go to http://www.microsoft.com/windows95/

[15] These tools can be found in the Digital Security Toolkit, and on the website https://security.ngoinabox.org/en/

[16] You could also order a free copy from the NGO in a Box range of CDs (including Security, Base, Audio/Visual) – see www.tacticaltech.org for more details

[17] See the Markus Johansson Guide on installing Windows 2000/XP on the Secure NGO in a Box project CD