Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation

Network Discipline for Windows NT4

As we saw on the previous page, Microsoft's default binding of "everything to everything" results in very insecure networking. Once we take control of the (very few) bindings which are actually needed, the security of any Windows system can be greatly enhanced. This page provides detailed directions to help you do exactly that for Windows NT. Changing these bindings does not delete or remove anything from your system, so you'll be able to undo any changes you make and update your network bindings at any time in the future if your needs ever change.

Please note that the instructions on this page only apply to Windows NT. The "Network Discipline for Windows 9x" page contains instructions specific to Windows 95 and 98.
What follows . . .

This page is intended for NT users and presumes familiarity with the ins and outs of the computer, the user interface, and network components. It does not skip over any important details, nor does it skimp on explanation, but neither is it as deeply tutorial as the Windows 9x page.
If you plan to follow the detailed step-by-step instructions below, the "for Windows NT jocks only" summary above will give you a useful overview of the four steps that follow.
Let's begin by again opening the Network configuration dialog. If it's not open, see "To open the Network configuration dialog box" at the top of this page. Perform the following steps to configure the dialog box's display as shown below:
We're now ready to selectively bind and unbind the Adapter-Protocol pairings to deliberately configure the network's operation:
When you are presented with the question about restarting NT, this time answer "Yes" since all the work is done and you've just reconfigured your NT system for safe, closed-NetBIOS operation over the Internet!
the system for NetBIOS-Safe Internet access!
Since the Windows NT 4.0 CD is growing pretty old, don't forget to reapply whatever NT Service Pack you are running on your system. This will replace any newly installed, but obsoleted, components which you might have just loaded into your system.
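One way to confirm the result locally after the restart, as an added example that is not part of the original page: the script below parses `netstat -an` output and lists any NetBIOS-over-TCP/IP endpoints (UDP 137, UDP 138, TCP 139) that are still present. The sample outputs and addresses are constructed for illustration.

```python
import re

# NetBIOS-over-TCP/IP ports: name (137/udp), datagram (138/udp) and
# session (139/tcp) services. TCP 139 is the "port 139" the page refers to.
NETBIOS_PORTS = {("UDP", 137): "name", ("UDP", 138): "datagram",
                 ("TCP", 139): "session"}

# One netstat row: protocol, local address:port, foreign address, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def netbios_endpoints(netstat_text):
    """Return (proto, local_address, port, service) for each NetBIOS endpoint."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, port, state = m.groups()
        service = NETBIOS_PORTS.get((proto, int(port)))
        if service is None:
            continue
        # UDP rows carry no state column; TCP rows count only while listening.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, addr, int(port), service))
    return found


# Constructed sample output (illustrative addresses, not a real capture).
BEFORE_UNBINDING = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    203.0.113.25:139       0.0.0.0:0              LISTENING
  UDP    203.0.113.25:137       *:*
  UDP    203.0.113.25:138       *:*
"""
AFTER_UNBINDING = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_UNBINDING), ("after", AFTER_UNBINDING)):
        print(label, netbios_endpoints(text) or "no NetBIOS endpoints on TCP/IP")
```

File sharing carried over NetBEUI does not appear in `netstat`, which lists TCP/IP endpoints only, so an empty result is the expected outcome once the bindings have been changed.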
Since you will have moved your file and printer sharing from the TCP/IP transport over to NetBEUI, all other systems participating on your local area network must also have their file and printer sharing enabled for use with the NetBEUI transport. After repeating the instructions above for every machine, local communication will be securely enabled throughout your entire network.
Unfortunately, my ability to help you personally or directly is hampered by this site's tremendous success and traffic. We average nearly ten thousand visitors per day so there's just no way for me to interact individually with even a fraction of all those people. I really would, if I could. But I need to be working on the next generation of really cool Internet security software that you want from me. If my days are spent answering specific questions we'll never see anything else from me.

So, I've assembled a bunch of self-help material on this site that should go a long way to helping you with odd events and empowering you to find solutions to your specific dilemmas:

What could go wrong?

Perhaps, despite unbinding everything as described above, for some reason your port 139 is still showing as "wide open" and you're worried. Or, perhaps the "unbinding" of something has had some unexpected side-effect on your system or its Internet connectivity. The most useful bits of advice I have are:
Taking intelligent and deliberate control of your computer's network bindings is the single best thing you can do for your system's Internet connection security. The "second generation" guidelines presented above:
Although I'm a BIG fan of Personal Firewall products, as you'll see on page 7, "Personal Firewalls," two pages from now, the tremendous power of these straightforward "component unbinding" techniques has allowed you to disable an unwanted and unneeded capability from your system. This solution is superior to depending upon some other product or technology to "suppress" that unwanted capability. That's an important distinction in the realm of robust security. AND, if neutering your system's networking is not possible because you do still need to share files across the Internet, then full security will require the suppression of unwanted networking capabilities. The following two pages, "Evil Port Monitors" and "Personal Firewalls," detail your options and discuss pitfalls.
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.
Last Edit: Dec 31, 2004 at 17:15