The CERT/CC recommends the following
practices to home users:
Further discussion on each of these
points is given below.
Recommendations
Consult your system support personnel if you work
from home
If you use your broadband access to connect to your
employer's network via a Virtual Private Network (VPN)
or other means, your employer may have policies or
procedures relating to the security of your home network.
Be sure to consult with your employer's support personnel,
as appropriate, before following any of the steps
outlined in this document.
Use virus protection software
The CERT/CC recommends the use of anti-virus software
on all Internet-connected computers. Be sure to keep
your anti-virus software up-to-date. Many anti-virus
packages support automatic updates of virus definitions.
We recommend the use of these automatic updates when
available.
See http://www.cert.org/other_sources/viruses.html#VI
for more information.
Use a firewall
We strongly recommend the use of some type of firewall
product, such as a network appliance or a personal
firewall software package. Intruders are constantly
scanning home user systems for known vulnerabilities.
Network firewalls (whether software or hardware-based)
can provide some degree of protection against these
attacks. However, no firewall can detect or stop all
attacks, so it's not sufficient to install a firewall
and then ignore all other security measures.
Don't open unknown email attachments
Before opening any email attachments, be sure you
know the source of the attachment. It is not enough
that the mail originated from an address you recognize.
The Melissa virus spread precisely because it originated
from a familiar address. Malicious code might be distributed
in amusing or enticing programs.
If you must open an attachment before you can verify
the source, we suggest the following procedure:
- be sure your virus definitions are up-to-date
(see "Use virus protection software" above)
- save the file to your hard disk
- scan the file using your antivirus software
- open the file
For additional protection, you can
disconnect your computer's network connection before
opening the file.
Following these steps will reduce, but not wholly
eliminate, the chance that any malicious code contained
in the attachment might spread from your computer
to others.
Don't run programs of unknown origin
Never run a program unless you know it to be authored
by a person or company that you trust. Also, don't
send programs of unknown origin to your friends or
coworkers simply because they are amusing -- they
might contain a Trojan horse program.
Disable hidden filename extensions
Windows operating systems contain an option to "Hide
file extensions for known file types". The option
is enabled by default, but you can disable this option
in order to have file extensions displayed by Windows.
After disabling this option, there are still some
file extensions that, by default, will continue to
remain hidden.
There is a registry value which, if set, will cause
Windows to hide certain file extensions regardless
of user configuration choices elsewhere in the operating
system. The "NeverShowExt" registry value is used
to hide the extensions for basic Windows file types.
For example, the ".LNK" extension associated with
Windows shortcuts remains hidden even after a user
has turned off the option to hide extensions.
Specific instructions for disabling hidden file name
extensions are given in http://www.cert.org/incident_notes/IN-2000-07.html
Keep all applications, including
your operating system, patched
Vendors will usually release patches for their software
when a vulnerability has been discovered. Most product
documentation offers a method to get updates and patches.
You should be able to obtain updates from the vendor's
web site. Read the manuals or browse the vendor's
web site for more information.
Some applications will automatically check for available
updates, and many vendors offer automatic notification
of updates via a mailing list. Look on your vendor's
web site for information about automatic notification.
If no mailing list or other automated notification
mechanism is offered you may need to check periodically
for updates.
Turn off your computer or disconnect
from the network when not in use Turn off your
computer or disconnect its Ethernet interface when
you are not using it. An intruder cannot attack your
computer if it is powered off or otherwise completely
disconnected from the network.
Disable Java, JavaScript, and ActiveX
if possible
Be aware of the risks involved in the use of "mobile
code" such as ActiveX, Java, and JavaScript. A malicious
web developer may attach a script to something sent
to a web site, such as a URL, an element in a form,
or a database inquiry. Later, when the web site responds
to you, the malicious script is transferred to your
browser.
The most significant impact of this vulnerability
can be avoided by disabling all scripting languages.
Turning off these options will keep you from being
vulnerable to malicious scripts. However, it will
limit the interaction you can have with some web sites.
Many legitimate sites use scripts running within the
browser to add useful features. Disabling scripting
may degrade the functionality of these sites.
Detailed instructions for disabling browser scripting
languages are available in http://www.cert.org/tech_tips/malicious_code_FAQ.html
More information on ActiveX security, including recommendations
for users who administer their own computers, is available
in http://www.cert.org/archive/pdf/activeX_report.pdf
More information regarding the risks posed by malicious
code in web links can be found in CA-2000-02 Malicious
HTML Tags Embedded in Client Web Requests.
Disable scripting features in email
programs
Because many email programs use the same code as web
browsers to display HTML, vulnerabilities that affect
ActiveX, Java, and JavaScript are often applicable
to email as well as web pages. Therefore, in addition
to disabling scripting features in web browsers (see
"Disable Java, JavaScript, and ActiveX if possible",
above), we recommend that users also disable these
features in their email programs.
Make regular backups of critical
data
Keep a copy of important files on removable media
such as ZIP disks or recordable CD-ROM disks (CD-R
or CD-RW disks). Use software backup tools if available,
and store the backup disks somewhere away from the
computer.
Make a boot disk in case your computer
is damaged or compromised
To aid in recovering from a security breach or hard
disk failure, create a boot disk on a floppy disk
which will help when recovering a computer after such
an event has occurred. Remember, however, you must
create this disk before you have a security event.