Tie up some loose ends
A. General Stuff - Here are a few general things that can help you use Windows more safely. Namely, it involves setting Windows to show file extensions and also to show hidden files. That way, you will be better informed about what kind of files are on your system. Simply select Start/Settings/Folder Options, and then the View tab. Select Show all files. Uncheck Hide file extensions. Click Apply then Ok.
B. Windows Media Player (also some info on RealPlayer/RealJukebox/RealOne) - starting with Version 6.4 of Windows Media Player, two controversial features have been included. One stores a record of everything you play, and the other allows your computer to be uniquely identified by websites, even if you have cookies turned off. These are known as "Supercookies", and they've caused quite a bit of controversy. This can be used to track you around the Internet and works even if you have regular cookies disabled or otherwise managed. While few sites presently use them, that's likely to change. Only versions after 7.1 give you the option of turning this feature off. If you have Windows Me, CE, 2000, or XP, you should already have this option. None give you the option of disabling the database of what you play. You can start WMP and find out the version by clicking it on your Desktop or in your Programs menu. (If you don't see it in either one, try Start/Programs/Accessories/Entertainment/Media Player). Click the Help item on the menu along the top and select About. If it's 7.1 or above, then continue. Otherwise, you'll have to download version 7.1 here, and then come back here.
If you have already installed my firewall rulesets and you get a pop-up saying you can't connect to Microsoft, just skip the step below.
First, we're going to delete the database file. Even if you are unconcerned about what it may contain, it presents a tempting target for marketing and spam-related spyware, because the type of music you play says a lot about your interests.
You must have followed Step A above in order to see hidden files. Once that's done, go into Windows Explorer and look for a file called WMP*.DB. The * means it may have a different name here. Write it down. Find a small or empty file on your hard disk, that's about 0 or 1 bytes in size, something that is not sensitive. If you followed the cookie cleanup instructions in Step 6, you'll have a file called C1 in your root folder, just above your Windows folder. Whatever you use, copy it or drag it into your Windows folder. Now, right-click the file and select Rename. Enter the exact name of the database file you wrote down and hit Enter. Right-click it again and select Properties. Check the box called Read-Only. Congratulations! You've now prevented anything from being saved in this file.
Now, we're going to go back and nail the Supercookie problem. There are two ways you can go here: if you just want to disable the identifier (which should work, but there are ways to get it anyway, so it's not totally safe), then start WMP. Click the menu item called Tools. Select Options. Look for a tab across the top called Player. Click it and find an item called "Allow Sites to Uniquely Identify my Player". It may be on a different tab on different versions of WMP. Anyway, uncheck this. Click Apply then click Ok. Should you ever subscribe to a pay-per-view or pay-per-listen music service, you'll probably have to re-enable this. Otherwise, the problem is fixed.
By the way, if you have any RealNetworks product installed on your system, like RealPlayer, RealJukebox, or RealOne, you should also go into those programs' Options menu and disable a similar feature. Also disable features called "Send GUID" and Enable Cookies.
Anyway, back to Windows Media Player. The other route is to change your unique ID number. I feel that's safer on the whole. It might prevent pay-per-listen sites from working (or they may run fine, I don't know), but if you're willing to try, go here. If you do this, also download my configuration file for maximum protection and to save yourself the trouble of setting ID-Blaster up yourself. Save it in your ID-Blaster folder (usually in Program Files) with the name DEFAULT.INI. (Make sure, in the box below the filename, called Files of Type or something similar, to select All Files.) Let it overwrite any existing file with that name. Then, run it, and along the top of the program, click Options, then General Options, and click the Enable box on all three items. Click Ok when done.
C. IE fixup - Okay, we're getting close to the finish line. Now, let's disable ActiveX downloads and active scripting. If you already did this in Step 4, skip this step. This will reduce the chance of a program being installed on your system without your permission. Go into your Internet Options or Internet Settings panel via Start/Settings/Control Panel/Internet Options. (You can also do this by firing up Internet Explorer and clicking Tools/Internet Options.) Select the tab called Security. If you don't plan on using Internet Explorer to surf the web, you can select High Security. On some versions of Windows, you may not see this here. Either way, you need to set some custom settings, so click Custom Settings. Whether or not you plan on using IE, go into Custom Settings and click Disable on any item saying anything about "ActiveX" or scripting, from top to bottom of the menu. (If you are not planning on using IE, you can even disable everything.) You might want to repeat this for the other zones called LAN, Trusted Sites, and Restricted Sites. The latter two have big green and red icons, respectively. Click Apply. Now, click the tab called Advanced. Find the items called Enable Install on Demand and Check for Internet Explorer Updates automatically and uncheck them. Click Apply then Ok. You can leave the Internet Options screen. It is strongly recommended that all users enter the following into the Trusted Sites zone: *.windowsupdate.microsoft.com (you may have to uncheck the box called Require Server Verification (https)).
D. Windows patches - there is one particular Windows patch that you need to use, if you don't have it already. It concerns an extremely severe flaw in Microsoft's Java (Java Virtual Machine, as MS calls it). It is important that this patch be used, even if you do not run Internet Explorer, because, like a few other Internet Explorer flaws, this can affect the entire system. Patches are available from Microsoft's site. (If you installed the Kerio Type 2 or Type 3 list, you may need to go into Kerio's rule list and uncheck the boxes next to Microsoft 1-4. Make sure to re-check these when you are done.) This patch is specific to your version of Internet Explorer, and you can find out the version of IE on your system by running it and then clicking on the Help menu along the top. Select About Internet Explorer, and make a note of the version number (5.something or 6.something). Under "Update versions", look to see if you have SP1 or SP something listed. Select the appropriate version and SP (service pack) from the list at Microsoft's site, then download the patch and run it.
Tighten Up Your Firewall's Security
Finally, there are a few MAJOR privacy/security improvements you can make in order to make your computer virtually immune to various kinds of hacking and viruses, if you are patient. If you think you'll get lost, then you're better off not following these steps. Otherwise, I'll walk you through it. It assumes you have already installed Kerio Personal Firewall and one of my Kerio files from Step 1. If you didn't do this, make sure you go back and follow all the instructions now.
Let me give you a quick explanation of why this is a good idea. Most end users (that is, people not on a corporate network) require certain setup information to be supplied by their ISP when they log on. This tells your computer its IP address, which gives your computer a place on the Internet. This set-up service is called DHCP. Also, your computer needs to be able to translate the domain names you type in (or links you click) into IP addresses so your browser can find out where other sites are on the Internet. This is what DNS servers are for, and both DHCP and DNS are specific to each Internet Service Provider and, in some cases, your geographic location.
Unfortunately, since there are literally hundreds of ISPs and geographic locations, no firewall manufacturer can know ahead of time what your DHCP and DNS servers will be. It would cost a fortune to research that. So, they set up their products to talk to any DHCP, DNS, email, and other service. Unfortunately, that can allow a hacker to imitate one of these services and compromise your security.
Fortunately, you can customize your firewall so that your computer only talks to known-good services. That almost completely prevents the possibility of your system being hacked in this manner.
Before we begin fixing these things up, you need to do two things: first, make a backup copy of your firewall rules. Right-click Kerio, select Miscellaneous, and click the Save button. Type in a name for your backup and save it somewhere where you'll remember, preferably NOT in the same folder as Kerio.
Next, find out the IP address of your ISP's DHCP and DNS servers (and, while you're at it, your email and news servers too, so you can secure those as well - more on that later.) You can usually do this by emailing or calling your ISP's customer support. Some ISPs give this information over the web -- try checking the Customer Support section, and look for "Frequently-Asked Questions" (FAQ) or a "Knowledge Base". If you need to email your ISP, there's usually an email contact address in this section as well.
Note to AOL users: click here for AOL-specific instructions.
Ask your ISP for the following information: your DHCP server(s), your DNS servers, SMTP and POP servers for email, and your news server. Also give your nearest city and state. A pre-written form letter is located right here and all you need to do is copy it into an email and put in your city and state. Once you find out the information you need, proceed to the steps below.
Configuring DNS
Go into Kerio by right-clicking its icon at the bottom right. Select Administration, then click the Advanced button to see a list of all the rules in your firewall. Look for a rule called Permit DNS to 127.0.0.1 and check the box next to it to enable it if it is not already enabled. It is about five rules or so down from the top.
1. Next, look for a rule called Permit DNS to DNS Server 1. It should be gray because it's not active. Click it to highlight it and then click the Edit button.
2. In the box called Remote Endpoint, type the address given to you by your ISP. Click Okay when done. Then click the checkbox next to it to activate it and the text will turn black.
3. Repeat Steps 1 and 2 for any other DNS server IP addresses your ISP gave you, using the Permit DNS to DNS Server 2 through 6 rules. I have made enough blank rules for 6 entries. I seriously doubt you will need more than this. Any that are unneeded should not have a check mark next to them. In the event you do need additional rules, highlight one of the 6 existing rules when you're in the rule list, click Insert, and enter the same basic information from the other rules and use a Remote Endpoint supplied by your ISP.
4. After you have entered a separate rule for each DNS server IP address, as above, look in your rule list for a rule called Block All DNS and check the box next to it so it is enabled. Look for a rule above this rule called Permit DNS and uncheck the box next to it. If you installed DNSKong, also enable the rule called Allow DNSKong, if present.
5. Click Apply, then Ok. You're done.
6. Now, right-click DNSKong and select Proxy DNS... Enter up to five of those DNS server addresses into this menu. Click Ok when done. If you need to enter more than five, click here. Now, let's move on to securing DHCP.
Configuring DHCP
1. Go into Kerio's rule list by right-clicking its icon, select Administration, then click the Advanced button.
2. Find a rule called Allow DHCP. Click it to highlight it and click the Edit button down near the bottom of the list.
3. At the Remote Endpoint box, click it and select from the drop-down list Single Address. In the box below, type in the IP address of your DHCP server you got from your ISP. Make sure you don't have any spaces, hyphens, or slashes in there, just numbers and dots.
4. Click Ok, then Apply in the next menu.
5. Now, save this page in your Bookmarks or Favorites. Also, you may want to print this out, because we need to log off the Internet and log back on. Usually, you can keep your browser open, but just in case you can't, make sure you can come back here. Now, log off the Internet and try logging back on. If you got on successfully, skip down to the section called Configuring DNS.
If you were unable to connect, consider the following:
1. If your ISP gave an IP address for your modem (mostly applies to cable modems made by 3COM corporation), you need to create a duplicate Allow DHCP rule, but this time, use the IP address of your cable modem. Go into Kerio's rule list and find the Allow DHCP rule. Click it to highlight it, but this time, click the button near the bottom called Insert. You will be presented with a blank rule form. Fill it out as follows:
Rule Name: Allow DHCP for Cable Modem
Protocol: UDP
Local Port: Single Port then put 68 in for Port Number
Application: ANY
Remote Endpoint: Single Address (put IP address of cable modem in the box below this)
Remote Port: Single Port then put 67 in for Port Number
Action: PERMIT
Now, try logging off again completely and logging back on. If you still cannot connect, this won't work for you; either reload the backup copy of the ruleset you made using the Miscellaneous menu, or edit one of the rules you just worked with and, in the Remote Endpoint field, select ANY. Continue to the Configure DNS procedure, below.
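To see why the order of the DNS rules (specific Permit rules above, Permit DNS unchecked, Block All DNS checked) and the narrow Remote Endpoint on Allow DHCP matter, here is a small first-match model of the rule list the two procedures above build. This is an added illustration, not code from the original page or from Kerio; the server addresses are constructed placeholders from documentation ranges, and rule direction is left out for simplicity.

```python
# Added illustration, not code from the original page or from Kerio: a tiny
# first-match model of the rule list the DNS and DHCP steps build, used to
# check what the final rule order permits. Addresses are constructed placeholders.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Rule:
    name: str
    proto: str                  # "UDP", "TCP" or "ANY"
    local_port: Optional[int]   # None means any local port
    remote_addr: Optional[str]  # None means any remote address (Kerio "ANY")
    remote_port: Optional[int]  # None means any remote port
    action: str                 # "PERMIT" or "BLOCK"
    enabled: bool = True        # the checkbox next to the rule

@dataclass
class Packet:
    proto: str
    local_port: int
    remote_addr: str
    remote_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule field set to None is a wildcard; direction is ignored in this model."""
    return (rule.proto in ("ANY", pkt.proto)
            and rule.local_port in (None, pkt.local_port)
            and rule.remote_addr in (None, pkt.remote_addr)
            and rule.remote_port in (None, pkt.remote_port))

def decide(rules, pkt: Packet, default="BLOCK"):
    """First enabled matching rule wins, as in an ordered firewall rule list."""
    for r in rules:
        if r.enabled and matches(r, pkt):
            return r.action, r.name
    return default, "<default>"

def set_enabled(rules, name: str, enabled: bool):
    """Return a copy of the list with one rule's checkbox changed."""
    return [replace(r, enabled=enabled) if r.name == name else r for r in rules]

# Placeholder addresses; substitute the ones your ISP gave you.
DNS_SERVER_1, DHCP_SERVER, CABLE_MODEM = "192.0.2.53", "192.0.2.67", "192.0.2.1"

RULES = [  # order follows the text: specific permits above the catch-all block
    Rule("Permit DNS to 127.0.0.1", "UDP", None, "127.0.0.1", 53, "PERMIT"),
    Rule("Permit DNS to DNS Server 1", "UDP", None, DNS_SERVER_1, 53, "PERMIT"),
    Rule("Permit DNS to DNS Server 2", "UDP", None, None, 53, "PERMIT", enabled=False),
    Rule("Permit DNS", "UDP", None, None, 53, "PERMIT", enabled=False),  # unchecked in step 4
    Rule("Block All DNS", "UDP", None, None, 53, "BLOCK"),                # checked in step 4
    Rule("Allow DHCP", "UDP", 68, DHCP_SERVER, 67, "PERMIT"),
    Rule("Allow DHCP for Cable Modem", "UDP", 68, CABLE_MODEM, 67, "PERMIT"),
]

def dns_query(resolver: str) -> Packet:
    return Packet("UDP", 1025, resolver, 53)

def dhcp_exchange(server: str) -> Packet:
    return Packet("UDP", 68, server, 67)
```

Re-enabling Permit DNS with set_enabled(RULES, "Permit DNS", True) lets a query to any address through before Block All DNS is reached, which is exactly the state step 4 of Configuring DNS tells you to undo.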
1. Visit Samspade. In the top box, enter the name of your ISP as you see it on your emails. So, if you are JoeBlow@aol.com, put aol.com in the top box. (You may have to put an equals sign (=) in front of this for AOL.)
2. Look towards the middle of the page for an item called Domain Servers. It will be a number with three periods in the middle, which looks like this: 152.163.159.232. This number is called an IP address. Write each set of the numbers down exactly as they appear. Move on to the next step.
If you don't see IP addresses associated with the domain names, click the domain names and you will be taken back to the opening screen with that name in the top box. Click the button called Do Stuff and, on the next page, you'll get an IP address. It will be called (whatever) resolves to 152.163.159.232 or something like that.
PLEASE GO BACK OVER THE 8-STEPS OR THE CHECKLIST TO MAKE SURE YOU'VE FOLLOWED EVERY STEP!
This is just some general advice from someone who has dealt with the ugly side of the Internet for many years. You do not have to follow everything I recommend or even any of it. It's just stuff I've learned from personal experience or that of others. Some of it you may have heard before, but I will give examples and explanations if you care to read further.
1. Don't give out any personally-identifiable information on the Internet, especially a credit card number or social security number. Don't fill out an order form. If you want to buy something, shop around and use the 800 number or contact the seller directly. The security procedures here in the 8-Step plan are designed to protect what information you have already given out. There are still a handful of extremely severe security problems out there such as 'Proxy Hijacking', DNS Hijacking (like what Lop.com uses), and some that are entirely beyond your control, such as 'Server-Side DNS Hijacking', also known as DNS Spoofing.
2. Avoid giving out screen names and passwords (especially AOL users). There are too many scams out there, and this relates closely to rule #1. You should NEVER give out your screen or username and password except for initial log on. AOL users are especially at risk because AOL users tend to be less experienced, and since AOL is the largest ISP, scam artists abound targeting AOL users. Recently, I shut down several services -- posing as "personal ads" and "greeting cards" -- which asked people for their screen name and password. This, in effect, is low-tech hacking, because once a screen name and password is given out, the recipient has full access to that account. From here, they can send spam or conduct illegal activity, while you, the poor victim, are left holding the bag. Also, never fall for emails claiming "Your Account is Going to be Shut Down" or similar. These are almost always scams designed to get you to pony up a credit card number.
3. Never open an email from somebody you do not know.
4. If any email has an attachment, even if it IS from somebody you know, do not open it unless they've previously arranged the matter with you. Many worms, trojans, and viruses work by literally stealing names and email addresses out of people's "address books" and can create a realistic-looking subject line.
5. Update your anti-Spyware, Anti-Virus, and Spyware Blocklists occasionally. Don't forget to run the anti-Spyware and Anti-Virus scanners every once in awhile too.