Simply And Enjoy's: How (and why) to secure your / Windows PC Becomes Secure ...


Tuesday, 14 August 2012

How (and why) to secure your / Windows PC Becomes Secure ...

Thanks mechbgon ...

Use a layered defense.
Layered defense means that you don't rely on just one type of defense (such as antivirus software). Instead, you use multiple overlapping layers of defense. Some of the most powerful layers of defense are already built into Windows (or even built into your hardware!). You don't need to download them, buy them, or even install them... you just need to start using them.
Bye-bye, Windows XP
You can adapt most of this info to WinXP, but I'm now writing this page on the assumption you've got Windows Vista or Windows 7. Both of them are far more practical to run securely than WinXP was.
Shortcuts to the suggested layers (or just scroll down the page)
  1. Use non-Administrator user accounts
  2. Use a firewall and a router
  3. Enable Automatic Updates and upgrade to the Microsoft Update engine
  4. Uninstall software you don't use
  5. Use Secunia's checkup to fix vulnerable software
  6. NEW! Use the free Microsoft EMET security enhancement kit
  7. Win7 and Vista users: update Internet Explorer to version 9
  8. Win7 and Vista users: keep UAC enabled
  9. Use antivirus software
  10. Disable or restrict AutoPlay
  11. Recognize trojan-horse programs
  12. Recognize phishing scams
  13. Recognize scareware scams
  14. Back up your important data
  15. Advanced users: try Software Restriction Policy or Parental Controls

Is all this proactive computer security that important? Yes. For example, if the bad guys infect your computer and steal your bank log-in credentials, they can empty your bank account and ruin your credit rating. Or they can do the same thing in your virtual life, stealing your World Of Warcraft stuff. Deleting the malware that stole your credentials won't undo the damage, so don't wait for the bad guys to make the first move. This stuff's happening right now. Get your computer hardened up.
Suggested defense strategy for home computers
  1. Don't use an Administrator user account when you don't need to
    Use a non-Administrator user account whenever possible. This limits the damage that a malware attack can accomplish. This is a cakewalk on Windows 7 or Windows Vista, compared to previous versions of Windows where it was a hassle, so create a new Administrator-level account and then switch your own account(s) to Standard Users, and this step is done.
    If you allow other people to use your computer, I suggest making a separate non-Administrator account just for visitors to use, so they're not logging onto one of your own user accounts with access to your own stuff. Don't let them use the Administrator account.

  2. Use firewalls
    Firewalls prevent other computers from making unauthorized network contact with your computer. These unwanted probes could come from worm-infected computers that are trying to infect your computer, or from human or automated hacking attacks that attempt to access your computer.
    When possible, use a router as a perimeter firewall to shield your whole network from outside intrusion. Then use the Windows Firewall (or another software firewall) as your computer's own firewall, to protect your computer from other computers that might be on the local network, or that might attempt an ad hoc connection using wireless networking.
    If you use a dial-up connection to the Internet, then you can't use a router, but you can still use a software firewall. Your software firewall can also protect your computer when you're on someone else's network (such as public wireless, or at a LAN party or hotel); in those situations, use the "No exceptions" or "Block all incoming connections" checkbox as shown below for Windows XP, or the "Public" setting on Windows Vista and Windows 7:
    Note: a hardware firewall and a software firewall work great together, but don't try to use more than one software firewall at the same time, since they may clash. Also, see my router page for important tips on preventing your router or modem from being subverted, because that does happen.

  3. Upgrade to the Microsoft Update engine, instead of just Windows Update
    Enable Automatic Updates (click Start > All Programs > Windows Update).
    Also, upgrade your Automatic Updates software to the full Microsoft Update engine, by going to the Microsoft Update website to get the upgrade. This keeps all your Microsoft software updated, not just Windows itself.
    Microsoft Update will update more stuff than Windows Update does

  4. Eliminate unnecessary "attack surface" by uninstalling software you don't need
    The bad guys can't exploit something that isn't there, so uninstall software you don't use, by going to Start > Control Panel > Programs. Sun Java is heavily exploited, so remove all instances of Java unless you absolutely have to have it for something. Media players such as QuickTime and RealPlayer, instant-messaging and VOIP programs, email programs, web browsers, and other widely-used software are often exploited by the bad guys as well. If you don't need it, uninstall it.

  5. Keep your other software up-to-date
    Use Secunia's free Personal Software Inspector at least once a month. By default, the PSI software starts up with Windows, but you can disable that behavior if you just want to use it for periodic checkups... open PSI and click Configuration > Settings, where you can disable automatic startup.
    Statistically, less than 2% of Secunia's users are already fully up-to-date on the first try. How about you?

  6. Install Microsoft's mitigation toolkit, called EMET
    Microsoft created a free easy-to-use utility that has two functions: it lets you easily enable all the protective features on your version of Windows, and it lets you apply enhanced protective techniques to any programs you choose. Whether you've got Windows XP, Windows Vista or Windows 7, EMET provides extra protection.
    Run EMET, click the "Configure System" button, and I recommend using the settings shown in the picture below. This tip replaces two of the tips formerly listed here (enabling DEP and enabling SEHOP) because EMET does both at once.
    Now click the "Configure Apps" button at the bottom of the window, and use EMET to provide extra protection to these types of programs, which you can find by browsing your Program Files and Program Files (x86) directories:
    • All your Web browsers: Internet Explorer, Firefox, Opera, Chrome, Safari, etc. Protect IE even if you usually browse with something else yourself. On 64-bit systems, note that there's an Internet Explorer in both Program Files and Program Files (x86), so add them both.
    • All your media players: VLC, Windows Media Player, RealPlayer, QuickTime, DiVX Player, etc
    • All your Instant Messaging programs
    • All your PDF readers: Adobe Reader, Foxit Reader, etc
    • All your productivity software: find the executable files for your office software, such as Works, Word, Excel, PowerPoint, Publisher, or the OpenOffice equivalents, and add them.
    • Sun Java, now Oracle Java due to a change of ownership (and if you don't really need Java, just uninstall it)
    • P2P programs
    • VoIP programs: Skype, etc
    • Email programs: Outlook Express, Thunderbird, etc
    • Any other programs you'd like to add. It won't hurt to add extras; for example, you can add all the executables in Adobe Reader's folder, not just AcroRd32.exe.
    If legitimate programs consistently cause Data Execution Prevention errors, use your Administrator account to make exceptions when necessary. In the picture above, you see that I added some "problem" programs to the exception list using the Add... button. You can't do this if you set DEP to Always On in EMET, which is why I suggested using Opt Out for DEP.

  7. Upgrade to Internet Explorer 9
    You might use a different web browser if you prefer, but you should still update your system by installing Internet Explorer 9 in place of Internet Explorer 7 or 8. You can download it from this page.

  8. Windows Vista and Windows 7 users: don't disable UAC (User Account Control)
    Some of the best security enhancements in Windows Vista and Windows 7 depend on the User Account Control (UAC) system. If you disable UAC, you lose more than just the Continue / Cancel prompts that some people find bothersome; you're also losing file-system & Registry virtualization and Protected Mode. On Windows 7, I recommend changing UAC to Always notify as shown in the picture above.

  9. Use antivirus software
    Do install a current-generation antivirus program and keep it up-to-date. Run a full system scan every week or so. If you want a good free one, try Microsoft's own Microsoft Security Essentials. Update: Dude! Microsoft Security Essentials is now free for small businesses to use up to ten copies, not just home users!
    Don't assume that your antivirus software makes you invincible! Nothing could be further from the truth! Use the other steps in this guide to protect your computer from attacks that your antivirus software doesn't recognize.

  10. Disable or restrict AutoPlay
    Your computer might be attacked automatically if someone connects an infected portable device to it. For example:
    • USB thumb drives / flash drives
    • memory cards
    • CD or DVD discs
    • external hard drives
    • digital picture frames
    • MP3 players
    • other USB and Firewire devices that can store data
    • ...or even a network share on another computer!
    To eliminate this method of attack, simply disable AutoPlay.

  11. Don't be fooled into running a Trojan Horse program on your computer
    When you download and install software, you are lowering your own defenses and putting yourself at the mercy of the software's author. Don't do this lightly, because the bad guys will be happy to bypass all your security measures with a Trojan Horse attack, targeting you as the weak point in the computer's defenses. Do not expect your antivirus software to detect all Trojan Horse programs; that is not realistic thinking.
    One common Trojan Horse attack is a web page that claims you need to download something before you can watch a video or view a picture (see the example picture below). They might claim you need a codec, a Flash Player update, an ActiveX update, etc. The bad guys keep using this simple tactic because people keep falling for it.

    This is a trap!
    Absolutely do not mess around with warez (illegal software), key generators, cracks, or any executable files you got from a P2P / file-sharing network; these are extreme risks. Also avoid websites that feature warez, serials, cracks or pornography, because those categories of websites are most likely to have malicious exploits built into them.

  12. Phish: recognize fake emails and websites that try to steal your information
    User education is the best defense against phishing. One common phishing technique is to send you an email claiming to be from a website like PayPal or EBay, Facebook, MySpace, or perhaps the IRS, Steam, or World Of Warcraft. The email contains a link to a faked version of the real website, where they hope you'll enter your log-in credentials or other private information, before you discover it's not the real website.
    • Be skeptical. Don't take any email at face value, no matter how official it looks. You should fully expect the scammers to send you authentic-looking emails posing as the Better Business Bureau, World Of Warcraft, Steam, MySpace, Facebook, the FBI, the IRS, PayPal, EBay, your bank, your credit-card company, your Internet provider, your retirement fund, etc.
    • Don't click links in emails. If you get an email containing a clickable link, don't click the link. Open a new Web browser and manually type in the real address of any site you need to visit.
    • Don't be flustered by an urgent "call to action." Phishing emails often contain some sort of urgent language, to get an immediate reaction. For example, they might claim that your account has been suspended. Again, be skeptical, and don't take them at face value. If there's any doubt, then open a separate web browser, go to the real website by manually typing the address, and verify any claims for yourself.
    • Display email as plain text. If you use an email program like Outlook Express, Outlook, Thunderbird or Windows Mail to view email, set it to display email as plain text (see the program's Help file if necessary). Email won't look as pretty, but it unmasks faked links and content.

  13. Scareware: recognize fraudulent "security" websites and fake "security scanner" rip-offs
    Sooner or later, you'll encounter a scam website that makes hysterical claims that your computer is infected, and that you need to run their "scanner" to fix it. These scams are often accompanied by a slick-looking animated "scanner" that reports fictional "infections." Invariably, the victim is asked to pay money to register the bogus "scanner," so it can remove the fictional "infections."
    The bad guys create new versions of these scams every day, and they're cleverly made. Don't freak out. Press CTRL+ALT+DEL, start Task Manager, go to the Processes tab, click on your web browser's process, and click END TASK to terminate the browser. The picture below shows why: it's a web page designed to look like your own My Computer window. Closing your browser ensures you're not being fooled by these types of tactics.
    Above: one example of a fake "security scanner" website that is designed to fool, alarm, and defraud people. There are endless variants of these. This particular scam website is cleverly designed to look like your "My Computer" window, but it's all just an animated picture. I recorded a live demonstration of that site on YouTube, too. Check it out : )
    These frauds may also make a special effort to look like a genuine Microsoft Security Center (check out this blog post at Microsoft for some pictures of a faked Security Center), or they borrow color schemes, wording, icons and logos from well-recognized brands like Symantec and Microsoft. Expect these tactics. Don't be alarmed, just close the web browser using Task Manager... do you remember how, without looking up the page for the instructions?

  14. Back up your data!
    If your computer died RIGHT NOW, or malware deleted important files, do you have a backup copy of your important stuff?
    Well, do you? Be wise. Establish a backup system, such as an external hard drive, and use it.
    What's a suggested backup software?
    1. The simplest option is to copy your important files to a backup drive manually, using Windows Explorer.
      • For Windows Vista or Windows 7, go to C:\Users\ and copy the folder that belongs to your user account.
      • For Windows XP or Windows 2000, go to C:\Documents and Settings and copy the folder that belongs to your user account.
      These "profile" folders contain the Documents, Pictures, Videos, Favorites, Downloads and Desktop folders for each individual user account. If you have additional files in other locations, don't forget to back them up too.
    2. The free Microsoft SyncToy is another option. First install the .NET 2.0 Framework, then install SyncToy. You tell SyncToy what folders you want to back up, and it can create and maintain a copy of them on another drive.
    3. Many versions of Windows have a built-in Backup utility (Windows XP Home Edition does not have it, however). Go to Start > All Programs > Accessories > System Tools > Backup.
    4. Acronis TrueImage Home is a good commercial backup program, if you're looking for something deluxe.

  15. Advanced users: use Software Restriction Policy or Parental Controls
    Software Restriction Policy works great when combined with a non-Administrator account. You can use Software Restriction Policy if you have any of these Windows versions:
    • Windows Vista Business, Ultimate, or Enterprise
    • Windows XP Professional, or Media Center Edition
    • Windows 7 Professional, Ultimate, or Enterprise
    The Home or Starter versions of Windows Vista and Windows 7 can use Parental Controls to accomplish a similar effect.
    Software Restriction Policy is only suggested for advanced users because it does introduce some complications, and can require troubleshooting to overcome them.
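The account, firewall, UAC and AutoPlay layers above can be checked from a PowerShell console. The read-only script below is an added example, not part of the original guide; it reads the standard Windows registry locations for these settings and reports only the local configuration, so a Group Policy override or a third-party firewall will not show up in it.

```powershell
# Added example: read-only audit of four layers from this guide.
# Works on PowerShell 2.0 (Windows 7) and later; changes nothing.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding([string]$Layer, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{ Layer = $Layer; OK = $Ok; Detail = $Detail }
}

function Test-AccountLayer {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. whoami lists
    # it even when UAC has filtered it to "deny only", so this reports group
    # membership, not whether this console happens to be elevated.
    $isAdmin = [bool](whoami /groups /fo csv /nh | Select-String -SimpleMatch '"S-1-5-32-544"')
    New-Finding 'Non-Administrator account' (-not $isAdmin) "$env:USERNAME is an Administrator: $isAdmin"
}

function Test-FirewallLayer {
    # Local Windows Firewall state per profile. StandardProfile is the profile
    # shown as "Private" (Home/Work) in the Vista / Windows 7 user interface.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $on = (Get-RegValue "$base\$p" 'EnableFirewall') -eq 1
        New-Finding "Windows Firewall ($p)" $on "EnableFirewall is 1: $on"
    }
}

function Test-UacLayer {
    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua     = Get-RegValue $key 'EnableLUA'
    $consent = Get-RegValue $key 'ConsentPromptBehaviorAdmin'
    $secure  = Get-RegValue $key 'PromptOnSecureDesktop'
    New-Finding 'UAC enabled' ($lua -eq 1) "EnableLUA = $lua"
    # "Always notify": consent prompt for every elevation (2), shown on the
    # secure desktop (1).
    $always = ($consent -eq 2) -and ($secure -eq 1)
    New-Finding 'UAC set to Always notify' $always "ConsentPromptBehaviorAdmin = $consent, PromptOnSecureDesktop = $secure"
}

function Test-AutoPlayLayer {
    # NoDriveTypeAutoRun is a bit mask of drive types; 0xFF covers all of them.
    # The machine-wide value is read first, then the per-user value.
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mask = Get-RegValue "HKLM:\$sub" 'NoDriveTypeAutoRun'
    if ($mask -eq $null) { $mask = Get-RegValue "HKCU:\$sub" 'NoDriveTypeAutoRun' }
    $off = ($mask -ne $null) -and (($mask -band 0xFF) -eq 0xFF)
    New-Finding 'AutoRun off for all drive types' $off "NoDriveTypeAutoRun = $mask"
}

$findings = @(Test-AccountLayer) + @(Test-FirewallLayer) + @(Test-UacLayer) + @(Test-AutoPlayLayer)
$findings | Select-Object Layer, OK, Detail | Format-Table -AutoSize
```

Run it while logged on as the account you use every day; a row with OK = False points at the layer to revisit.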

Browser security: what about alternate Web browsers?
Use an alternate browser instead of Internet Explorer if you prefer, but don't make it your answer to security. All web browsers, and their add-ons and plug-ins, will always have exploitable security vulnerabilities. The first step in browser security is not to trade one set of browser vulnerabilities for another set, but rather to put ALL of them into a cage, by depriving the browser of Administrator-level privileges at a minimum.
The second step to browser security is still not to trade one set of browser vulnerabilities for another set... it's to make sure your browser add-ons / plug-ins are up-to-date. A perfectly-secure browser can still be used to exploit a vulnerable version of Java, Flash Player, QuickTime Player, etc. Browser extensions are the big "attack surface" today, not the browser itself. This was brilliantly demonstrated by Flash-driven "clipboard hijacking" attacks in 2008 that worked on Linux, Mac and Windows, regardless of the web browser. And for the third time, uninstall Sun Java completely unless you really need it for something; it's a real exploit magnet.
On Windows Vista and Windows 7, I'd stick with Internet Explorer 9. Protected Mode, best-in-class detection rates on malicious sites, Tracking Protection options, centrally manageable and enforceable... it's pretty solid, this isn't your father's Oldsmobile ;) Use EMET to make it even tougher.

Internet Explorer runs in Protected Mode by default on Windows Vista and Windows 7. For more information on Protected Mode, try this moderately-technical TechNet article.
Windows Vista and Windows 7 run Internet Explorer at the lowest Integrity level available, as an additional proactive damage-containment countermeasure. If you're interested in Windows Integrity Control, see this 2-page article at SecurityFocus.
Advanced countermeasures: preventing malicious scripts, Java applets, and ActiveX controls from running
Security-oriented users of the Firefox web browser like the NoScript extension to limit script execution to just "approved" websites. That's definitely a meaningful reduction in "attack surface," and Internet Explorer has actually had that capability since IE 5.01, released about ten years ago. If you'd like to try it out, here's a narrated YouTube video showing how to implement that restriction by using Internet Explorer's security Zones. It's not without its hassles, but that's true of any type of "whitelisting."
In addition to selectively disabling Javascript / active scripting as shown in the video, you can also use the Zones to selectively disable ActiveX and Java applets (Java is different than Javascript). If you have Internet Explorer 7 or 8, ActiveX is already disabled for all ActiveX controls except the ones you've "opted in" yourself. More information on ActiveX opt-in.
Remember that legitimate mainstream websites are routinely hacked, so don't assume that these techniques protect you from all scripted attacks. But whether you prefer Internet Explorer or some other browser, restricting Javascript, Java applets and ActiveX controls to just a whitelist of trusted sites is certainly a security enhancement, if you can live with the maintenance of it.
Why don't you list any antispyware programs? Every other security guide seems to list three or four!
If you use the layered defense I've shown above, starting with a non-Administrator user account, then it's extremely unlikely that you'd need antispyware programs. If you want to install some anyway, here are some reputable free ones. Do note that the techniques used to "immunize" web browsers can cause them to be slower.
Eliminating tracking cookies
Anti-spyware software and some antivirus software will detect "tracking cookies." They're not dangerous, but you can almost completely eliminate tracking cookies by disabling third-party cookies in your Web browser. In Internet Explorer, click Tools > Internet Options, set the slider to Medium-high, and then click the Advanced button on the Privacy tab. Firefox and other browsers can also block third-party cookies. The only drawback I've experienced is that Hotmail won't let you log out without closing your browser window.
Get a Tracking Protection List
Internet Explorer 9 lets you add a Tracking Protection List. In IE9, click the gear symbol at the upper-right, choose Internet Options, and click the Manage Add-Ons button on the Programs tab. Click on Tracking Protection and you'll see what to do from there.
I heard the Windows Firewall isn't very good
For the purpose of keeping other computers (even those sharing your router) from attacking your own computer, it's fine. Windows won't let your non-Administrator account (or something exploiting your non-Administrator account) mess with the Windows Firewall settings either, making it especially tamper-resistant.
Some people want a "two-way" firewall that'll ask them before letting a program use the Internet connection, but these historically have been easy to fool, so I wouldn't place too much confidence in that capability. I use the Windows Firewall and simply maintain tight control of what's on the computer in the first place.
OK, I admit it... I browse risky websites. Any tips?
In addition to the other steps listed above, create a separate non-Administrator user account just for high-risk usage. Edit the file-system security on your storage drives so this account doesn't have access to them. If something does get control of the account, it won't be able to get at your important files to delete them, encrypt them to hold for ransom, or steal copies of them. When I hunt malware in the wild, I do so from a separate non-Administrator account named "Malware Research." Again, if you have Windows Vista or Windows 7, this is a great use for Internet Explorer in Protected Mode (which is the default setting).
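One way to set up the separate high-risk account described above, using the built-in net.exe and icacls.exe tools from an elevated PowerShell console. This is an added example, not part of the original guide; the account name RiskyBrowsing and the drive letters D: and E: are assumptions to replace with your own.

```powershell
# Added example: run from an elevated PowerShell console.
# The account name and drive list are assumptions; adjust them to your machine.
$account    = 'RiskyBrowsing'   # hypothetical account name
$dataDrives = @('D:\', 'E:\')   # hypothetical storage drives

function Add-DriveDenyRule([string]$Account, [string[]]$Drives) {
    foreach ($drive in $Drives) {
        # The account still needs Windows and its own profile folder,
        # so never apply the deny rule to the system drive.
        if ($drive.TrimEnd('\') -ieq $env:SystemDrive) {
            Write-Warning "Skipping system drive $drive"
            continue
        }
        if (-not (Test-Path $drive)) {
            Write-Warning "$drive not found, skipped"
            continue
        }
        # Deny Full control (F) on the drive root, inherited by files (OI)
        # and subfolders (CI) that inherit permissions from their parent.
        icacls $drive /deny "${Account}:(OI)(CI)F"
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls reported an error on $drive" }
    }
}

# 1. Create the account. '*' makes net.exe prompt for the password instead of
#    taking it on the command line. Accounts created this way are Standard
#    Users; they are not added to the Administrators group.
net user $account * /add

# 2. Lock the account out of the storage drives.
Add-DriveDenyRule $account $dataDrives

# 3. Print the resulting permissions on each drive root for review.
foreach ($d in $dataDrives) { if (Test-Path $d) { icacls $d } }
```

Folders that have permission inheritance switched off keep their own permissions, so check any such folders separately.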
Anything else?
Since this is a guide to building a new computer, I strongly suggest getting a 64-bit version of Windows, preferably Windows 7. My personal pick would be Windows 7 Professional Edition, because it has Shadow Copy, better Backup features, and is capable of Software Restriction Policy. See the previous page for more information on Windows variants.
