Note: This is an historic document. We are no longer maintaining the content, but it may have value for research purposes. Pages linked to from the document may no longer be available.
Home Computer Security
Operating an Anti-Virus Program
Operating a Firewall Program
Adjusting Access Control Lists
The example provided here is a guide for how to do your task on a Microsoft Windows 2000 system. Please note that your computer might vary from the example. If so, you will still be able to do the task, but it might take some effort to get your version of Windows to do the same thing.
In the example, you’ll find the notation ABC. This means that you need to use the left mouse button to select the A menu item, then use the left mouse button again to select the B menu item, and again to select the C menu item.
In most cases, the first item listed is the Start menu. Start is part of the Windows Task Bar and is often found at the bottom of
your screen display. The Start menu is usually found at the left side of the Task Bar. So, to display general Windows 2000 help, do
StartHelp. When you do that, you ought to see a new window that looks
like the first picture, Microsoft Windows 2000 Professional, Start Here.
This section shows examples of some of the tasks you need to do when using an anti-virus program on your home computer. These examples use Norton AntiVirusTM 2002. We’ll use the DURCH tests described in Task 1 - Install and Use Anti-Virus Programs to see how Norton’s AntiVirus 2002 satisfies each of these tests.
The first window in this section shows the main window for Norton AntiVirus 2002. Through this window, you find the answers to the courthouse tests. You can get to this window through
StartProgramsNorton AntiVirusNorton AntiVirus 2002.
The first test is the demand test. Norton’s product changes the menu options for Windows Explorer File Browser so that you can check a file or folder on demand. To do this checking, first go to the folder that contains the file you wish to scan. Next, select the file and then click on that file with the right mouse button. Select the Scan with Norton AntiVirus menu item as shown in the next window.
Once selected, the Scan: Summary window shows the results of that scan. The file selected contains no virus. This feature means that Norton AntiVirus 2002 passes the on demand test.
Next, virus signatures need to be updated daily. With Norton’s product, you enable this feature by clicking the OptionsLive Update buttons. You then select both Enable automatic LiveUpdate and Apply updates without interrupting me (recommended) as the picture shows. Although you cannot schedule when the update happens, the documentation, which you can view by selecting Help, explains that updates happen when you are connected to the Internet. With this option, Norton AntiVirus 2002 passes the update test.
What happens if a virus is detected? This is the respond test. With the Norton product, you can decide what happens when a virus is detected through the Options menu item. When selected, the Auto-Protect window (shown) is displayed. Notice that the default action is to automatically repair the infected file and this action is the recommended one. You also have other options in the window.
With viruses discovered in email, you have the options that are shown in the next window, Email Scanning. These options are available when you select OptionsEmail. Again, you should select all the recommended defaults. These give the maximum amount of scanning and repair (where possible).
With these tests enabled as shown, the Norton AntiVirus meets the respond test.
Windows 2000 provides a quick way to get to patches and updates using your Internet connection. Select this “Windows Update” web site at Microsoft by selecting StartWindows Update. When you do this, you see the picture to the right. By selecting the Scan for updates button, you check the patches installed on your computer against the latest set of patches available from Microsoft. Please read the information in the Note button to learn how this update scheme works and how it maintains your home computer’s privacy.
After scanning for updates, you see what patches are available for you to install. What you will see on your computer will almost certainly differ from the window shown below, but you get the idea about what’s going on.
This example shows that there is one critical update and service pack available for the computer used in these examples. By clicking the left mouse button on the Critical Updates and Service Packs (1) button, you see what the patch does, how big it is, how to install it, and if it can be uninstalled. This is much of the information you need to fill in worksheet for Task 2. From this screen, you select the Review and install critical updates button to start the process of installing this patch on your computer.
The product shown in the examples here is the Tiny Personal Firewall (TPF) product from Tiny Software, Inc. Presently, Version 2 is free for home use, but there are newer versions that have more features, such as content filtering. At a minimum, you should install Version 2 if you plan to use it the way the license allows. These examples use version 2.0.15A.
The first task to do with TPF is to make a backup copy of its rules. To do that, you need to copy the C:\Program Files\Tiny Personal Firewall\persfw.conf to wherever your backup files are located. It is best to do this when TPF is not running so that the current rule set file is not being changed during your copying operation.
The first window in this section shows the default rules that TPF uses to control access to and from the Internet. You get to this window with StartTiny Personal FirewallPersonal Firewall AdministrationAdvanced.
Let’s try to fill in one of those rows in that checklist. To do that, we’ll run an application to learn what connections it makes. Based on what we learn, we’ll gradually configure TPF so that it allows the connections we want and need, and nothing more. The application chosen for this example is AOL’s Instant Messenger (AIM). We’ll assume that AIM and TPF are already installed. We’ll also assume that TPF is running with the default rules as noted in the window above.
According to the suggestions in Task 4 of this booklet, we don’t know the answer to either of these yet, so we’ll be conservative and deny the connection. We won’t update the rules just yet because we don’t know if we want to make that decision permanent. We’ll do both of these by selecting the Deny button. For now, we’ll just wait and see what AIM does with our decision.
So far, we’ve learned that AIM has connected to two computers – 220.127.116.11 and 18.104.22.168 – both on port 5190. A reasonable conclusion at this point is that AIM needs to connect to at least these hosts on these specific ports as part of doing its job. Let’s continue our investigation.
At this point, we’ve learned that AIM wants to connect to a series of locations in the aol.com name space. Each time, the port number of the location is 5190, so we’ll assume that that is AIM’s preferred port. Based on what we’ve learned, we’re willing to accept the fact that AIM should be allowed to connect to any host within the aol.com name space but only on port 5190. Now we can begin to add rules that allow these connections without prompting us for our approval. We will designate these connections allowed and permanent.
To do this, we’ll stop and restart AIM one more time. Instead of temporarily permitting individual connections to aol.com computers, we’ll select the Create appropriate filter rules and don’t ask me again button to make them permanent. Selecting this button turns on the Customize rule button, and we’ll click on it. We get the first of the pair of windows shown, and we’ll change it to match the second window of the pair. We are allowing AIM to connect to a specific computer at a specific port and nothing else. This is the permanent test.
What we’re doing here is to only allow AIM to connect to port 5190 of very specific computers on the Internet, and nothing else. When we restart AIM a few times to let it connect to all the available AIM servers, we’d end up with something like the Firewall Configuration window shown below. What you see on your home computer should be similar.
To reduce the likelihood of this problem, TPF maintains integrity information about each application referenced by a rule. The Application’s MD5 tab shown below lists this information. To turn on this feature, check the Check MD5 Signature box.
With an administrative password, attempts to access most of TPF’s features are first greeted by a window similar to that shown here (beginning with Personal Firewall is running on). For your firewall on your home computer, you will connect to the computer identified as Localhost. Once you’ve entered the correct password, TPF operates just as it did before.
The reason for adjusting access control lists (ACLs) on files and folders is to grant only those permissions needed for your home computer’s users to do what they need to do. Just like important papers stored in a locked file cabinet, ACLs lock access to the files and folders they guard. The examples of setting ACLs use Microsoft Windows 2000. Please note that only Windows NT, Windows 2000, and Windows XP have ACLs. If you do not use one of these systems, you can skip this section.
Where do you find the ACLs for a file or a folder? Before answering that question, let’s first create a folder and put a file in that folder. We’ll work with this test folder and file to show how ACLs work and how to adjust them to restrict access. The folder we’ll create is C:\temp\Home Computer Users. We’ll use Windows Explorer to create it. We’ll then add a file named "Restricted File" to that folder. We’ll use the Notepad application (StartProgramsAccessoriesNotepad) to create it. The window below shows the contents of this folder after we’ve created this file. If your computer does not have a C:\temp directory, you need to create it first.
To restrict access, we need to add the users who need access and remove those who don’t. In addition, those who need access also need the right type of access. These are the watchful tests from Task 9 - Install and Use a File Encryption Program and Access Controls.
The user who needs access to this file is lrr, the author of this document, and the access that he needs is Full Control. The Everyone entity should have no access. Now that we know who needs access and the type of access, we can proceed.
First, let’s add lrr to the access list. We begin by clicking Add on the window on the left. When we do, we get the window on the right. We scroll down to the user we want to add – lrr– and then click Add and then OK.
If we want all files in this folder to have the same permissions, we need to adjust its ACLs as we did above. After a while, the process may become unwieldy. Perhaps we’d even forget to adjust ACLs for some files. The confidentiality of these files might be compromised because some of the files may not be appropriately secured.
Fortunately, there is a better way to adjust all files and subfolders in a folder, including those yet to be created, so that they inherit the permissions from a parent folder. We’ll set this up next.
To verify that we’ve done what we think we’ve done, let’s create a new folder in Home Computer Users using Windows Explorer. We’ll name it Test Folder. Once created, we’ll check its permissions by right clicking it, selecting Properties, and then the Security tab.
If your home computer supports ACLs, Windows NT, Windows 2000, or Windows XP for example, then you can guard files and folders by adjusting those ACLs to satisfy the needs of the users who need access to them. Use the watchful tests described in Task 9 - Install and Use a File Encryption Program and Access Controls to set those ACLs as needed.
Certain commercial products are described in this document as examples only. Inclusion or exclusion of any product does not imply endorsement or non-endorsement by Carnegie Mellon University, the Software Engineering Institute, the General Services Agency (GSA), or any agency of the U.S. Government. Inclusion of a product name does not imply that the product is the best or only product suitable for the specified purpose.
Copyright 2002 Carnegie Mellon University