Free software finds your security flaws

Free software finds your security flaws

By Scott Dunn Computer security covers a host of areas — password policies, software patches, account restrictions, protection against malware and more. Fortunately, with the right software, you can get a complete security analysis of your system for free without hiring a costly consultant.

Get an analyst’s findings without the analyst

These days, no one who cares about their system and data can afford to be without a security plan. But most small business and home users are not in a position to hire a security expert to analyze their setup and tell them what to fix.

Fortunately, you can find a number of free tools online that will analyze your system and produce a detailed report of your security strengths and weaknesses. The best ones will even point you to a solution. I tested each of the following products:

• Microsoft Baseline Security Analyzer
• Belarc Advisor
• Securable
• AOL Active Security Monitor
• xp-AntiSpy

Bonus tip: None of the tools listed above check the patch status of all your software (Flash, Acrobat, Java, and so on). This means you should also use the Online Software Inspector at Secunia.com to learn which applications on your system need patching. I described the benefits of this free service in articles on Aug. 16 and Sept. 6.

MBSA bests Belarc for useful info

Based on my testing of the five free security-analysis tools, I recommend the Microsoft Baseline Security Analyzer as by far the best product I worked with. It covers a variety of areas important to security and provides solutions wherever a weakness is found. It’s simple enough for intermediate computer users, but sophisticated enough for professionals.

Belarc Advisor won second place in my tests. This program is most useful for highly knowledgeable IT professionals who want a summary of the minutiae of their hardware and software settings.

Microsoft Security Baseline Analyzer is tops

The free MBSA program can be downloaded from Microsoft.com or sites like File Hippo. In either case, the installation of MBSA (unfortunately, for some) requires validation via Windows Genuine Advantage.

Figure 1. Microsoft Security Baseline Analyzer comes out No. 1 in tests.

Once installed, MBSA can analyze a single computer or multiple computers on your network. It saves each scan as a report that you can print or copy to the Clipboard. Brightly colored icons make it easy to spot safe (green), questionable (yellow) or problem (red) areas, along with additional info (blue).

Each entry in the report links to HTML help text, explaining what was scanned and (in many cases) giving details on the results. If a problem is found, a “How to correct this” link is also available. The help files, in turn, often link to additional files online, such as Microsoft Knowledge Base articles.

It’s this at-a-glance approach to presenting information, combined with easy-to-access resources, that makes MBSA a winner.

Belarc Advisor provides detail without advice

Belarc Advisor is another tool chock full of information on your system — perhaps too much. On the up side, Belarc checks whether you have the latest Windows patches and virus protection and provides a highly detailed picture of your computer hardware. It also lists all your software programs and their versions, but it fails to tell you which apps need updating.

If you have Windows 2000, XP Pro, or 2003, Belarc Advisor also rates your computer using the Center for Internet Security benchmark (providing a score from 1 to 10). This is based on an exhaustive list that covers many of the same areas as MBSA, but in mind-numbing detail. Included is a lengthy list of Registry settings relating to permission levels. These are best configured using Windows’ own control panels and administrative tools, rather than dabbling in the Registry directly. Consequently, the detail level is not very helpful to the vast majority of users.

Like MBSA, Belarc Advisor’s detailed reports are linked to a help file of explanations. But, unlike MBSA, the program’s explanations are often inadequate and have no further links to online resources.

Although Belarc’s level of detail might be useful for IT pros, the free version is intended only for noncommercial use. You can find its licensed, commercial version at the Belarc site.

Other analyzers don’t match the competition

The other programs I tested didn’t match the results obtained from MBSA or Belarc Advisor.

SecurAble is a free tool from Gibson Research that doesn’t try to do very much and succeeds at that very well. Its only purpose is to check for three security features common to computer processors and tell you the status of those features on your machine. Explanatory info is provided at the SecurAble Web site. Unfortunately, the program doesn’t look at any other security aspects of your computer.

Active Security Monitor (ASM) from AOL has the most attractive interface of all the products I considered. Unfortunately, its recommendations are somewhat suspect.

ASM gives you a security score from 1 to 100 based on your firewall; virus and spyware protection; whether Windows and IE are fully patched; and more. Unlike many such scanners, it also looks at wireless security (if your system has a Wi-Fi connection) as well as file-sharing software.

The product looks for utilities, such as backup software, but it failed to detect Windows own built-in backup application. Instead, it suggested I try AOL’s backup service, suggesting that the entire utility is nothing more than a sales gimmick. Fortunately, the link to “other file backup solutions” did send me to non-AOL products, but did little more than open a search page for backup utilities at CNET’s Download.com site.

Like SecurAble, xp-AntiSpy doesn’t pretend to analyze your whole system, only those settings specific to Windows XP that may affect your security. The program presents a list of checkboxes showing the state of these settings (for example, whether Automatic Updates is on or off) and lets you change the setting immediately without opening any other control panel or Windows tool.

As you hover over each setting in the list, text in the bottom pane provides you with brief but usually helpful information. Especially useful are the modes available via the Preview menu. For example, you can choose the System Defaults profile to color-code the controls by their default setting (green for on, red for off). Or you can choose the Suggested profile to see color codes for the product’s own recommended settings for maximum security.

The nice thing about free software is that you don’t have to choose just one product. As long as you’re using tools that mainly diagnose and don’t change settings on their own (which describes all the applications here), you’re not out of pocket if you want to run several different system analyses. But if you’re short on time and serious about security, Microsoft Baseline Security Analyzer is the best tool, providing serious scanning and smart solutions.

Have a tip about Windows? Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine’s Here’s How section.

Microsoft is 'revisiting' warnings in OneCare

By Brian Livingston

Associate editor Scott Dunn reported on Oct. 25 that Microsoft’s OneCare security suite turns on “auto-install” without notifying users, causing some machines to unexpectedly install patches and reboot at 3:00 a.m.

Microsoft’s OneCare team has officially confirmed the behavior, saying, “We are evaluating user feedback and will be revisiting how we communicate the installation details of Windows Live OneCare as we are continually working to improve that experience.”

The statement wasn’t exactly an apology, since the team defended OneCare, stating: “we have gone to great lengths to disclose that OneCare may automatically effect changes to user settings in order to help best protect the user.” This position was based on OneCare displaying the following at the bottom of its “Select your language” dialog box during installation:

• “By using OneCare you agree to let Microsoft make changes to your system, such as enabling features that keep your system up to date and make it safer for you to browse the Internet.”

The team’s statement, including a screen shot of the dialog box, was posted on Microsoft’s Live.com site.

Many businesses and individuals have good reasons for wanting to investigate all patches and be present when any installed patches are rebooting PCs. In my opinion, the wording mentioned by the OneCare team is a long way from advising people that the Automatic Updates settings they carefully configured were going to be wiped out and reset to fully automatic.

Many other publications followed up on Scott’s story. Jabulani Leffall, writing on the Web site of Microsoft Certified Professional Magazine, an independent publication, said, “Microsoft does a poor job of informing users of the action.” Other follow-ups included those in Computerworld (on Oct. 25 and Oct. 29), VNUnet, and IT News.

Xplorer² does have a free version

Contributing editor Woody Leonhard wrote in his Oct. 25 column that Xplorer² is a free file manager “that puts Microsoft’s offering to shame.”

That article, unfortunately, linked to the home page of the software’s publisher, Zabkat.com, which prominently displays information on the U.S. $29.95 commercial version of Xplorer². A blurb on the free, “lite” version appears farther down, but it wasn’t large enough for many of our readers to notice it.

The article should have linked to Zabcat’s page describing just the Xplorer² free version. That page clearly explains that the “lite” version is free for use by individuals and educational institutions. Only commercial users (corporate, government, etc.) are required to pay the $29.95 license fee.

How can we best serve your information needs?

In our Oct. 25 newsletter, we asked you the size of the organization you work for, if any. More than 9,000 subscribers answered our poll.

It turns out that 64% of you work in companies with fewer than 100 employees, which is a common definition of “small business.” At the same time, 22% of you work in companies with more than 1,000 employees, which tend to be large corporations. The remaining 14% of subscribers work in medium-sized companies.

Voting is now closed in that poll, but you can see a breakdown of the responses on our results page.

Admittedly, asking about your company size is only a first step to help us learn your interests. I wrote that we’d ask additional questions to fill in our understanding.

Today, we’d like to know whether you’re a manager or an administrator where you work — or perhaps you have some other title, or you aren’t currently employed at all! In addition, we’d like to know whether you influence the purchase of a lot of computer equipment or only a little. Select from the options shown below.

Which best describes your job title?

IT Manager  Network Admin  Sys Admin  Other  Not Employed 

Annually, what is the dollar value of computer/network-related hardware and software you will purchase, recommend or sell?

$0 to $49,000  $50,000 to $249,999  $250,000 or more 

All of us who write for Windows Secrets are constantly looking for the most useful information — both for people in small businesses/home offices and those who work in giant enterprises. Thanks for your feedback!

Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.

Playing with your food? Paint with it instead!

We all know that an order of fries isn’t the healthiest choice. Now this unique art video will make you think even harder before answering the question, “You want fries with that?” Clearly, Phil Hansen didn’t listen when his mother told him not to play with his food. Watch the video

Part six: schedule tasks without constant logons

By Fred Langa Today’s Housecall, in the sixth article of my eight-part series, shows how to set up Norton’s LiveUpdate to run from a password-protected user account without constantly having to log on. After finishing in Toronto, I enjoyed more views of the Great Lakes as I made my way through the night to my native New Hampshire.

Special scheduled-tasks account has own password

So far, in the recounting of my Housecalls, you’ve seen how to use some free, powerful tools to declutter a PC and speed boot times; how to resolve an address conflict on a small network; how to test the basic security of an Internet connection; how to reduce the size of areas where enormous numbers of junk files can quietly accumulate; how how some very popular software can ruin the performance of some PCs; and how to reduce fan noise in a PC. If you missed the earlier installments, you can jump to Parts One, Two, Three, Four, and Five.

Windows Secrets reader Dan Amsler, the winner of the third Housecall of the four that the newsletter awarded, had wanted me to focus mostly on hardware issues (covered in the Oct. 25 issue). But we also had time for some software work.

We started with the same basic cleanup steps listed in previous installments of this series — they’re part of what I consider routine maintenance. The only specific software issue Dan was dealing with was that his copy of the Symantec/Norton security suite wasn’t reliably updating itself. (Dan’s PC did not experience the slowdown that reader Gene Foster’s did, as described in Part Four. This is another example of the hit-or-miss problems the Symantec/Norton suite sometimes causes.)

Dan is the sole user of his XP-based home office PC. No one else has physical access to the system, so he had no pressing need for a logon password.

That’s fine, except that a Scheduled Task usually requires a password in order to work properly, and you’re asked to enter username and password as part of the scheduling process. If a user account has no password, that account may not be able to set up Scheduled Tasks. I suspected this was the root of Dan’s problems getting LiveUpdate to work.

Figure 1. The Scheduled Task Wizard (click photos to enlarge). The wizard asks for a user account name and password when you create a new task. This can be a problem if you don’t have, or want, a login password for your own account. (Note: Vista’s Task Scheduler looks a bit different, but works the same way and also wants a password.)

We could have solved the problem by setting a password for Dan’s logon, but that would have meant he’d have had to enter the password at every startup — an annoyance for him. Instead, we created a new user account with a password and called it something like “Task Runner.” Then we set Dan’s scheduled tasks to be run by the Task Runner user account; we entered that account’s password when prompted by the Task Scheduler.

This simple workaround worked fine. The Task Scheduler was happy, because it had permission from a password-protected account to run the scheduled tasks; the tasks then ran just as they should; and Dan’s own account didn’t require any modification at all. Dan could still log in without entering a password. Simple!

Endurance riding before my final Housecall

And with that fix, I was on my way, skirting the edge of Lake Ontario and riding through the night back to my native New Hampshire, which is also where the final Housecall was located.

Figure 2. The northern shores of the Great Lakes. The lakes offer many, many views like this one.

As an aside, some of you may have wondered about the sanity of the long-distance aspects of my trip — crossing Canada in three days, for example. It may sound risky or dangerous, but I participate in the sport of long-distance motorcycle riding, sometimes called “endurance riding.” (Yes, it’s a real sport. If you’re interested, the Iron Butt Association can provide information on safe and sane ways to cover long distances.)

Once you’re set up properly and know the tricks to make long-distance riding safe, it’s really not that hard or dangerous to cover a lot of real estate. In the last two years, I’ve done 1,000-mile (1,600-km) rides on four separate occasions. And my longest single ride so far covered a little more than 1,500 miles in one 36-hour push — stopping only for food, gas, calls of nature, and (twice) for roadside “power naps.”

Figure 3. Outside Ottawa. The slanting light of sunset painted the farms and fields with a reddish hue as I rode home. Note the long shadow.

I covered most of the final leg of the trip in darkness, so I don’t have many pictures. The sun set as I passed Ottawa, and I was in full night by the time I reached Montréal. I crossed the U.S.-Canada border soon after and headed home to sleep and freshen up before making my final Housecall in Hillsboro, N.H.


Figure 4. Montréal. The city was in full night when I passed through; I crossed back into the U.S. shortly thereafter.

In the next installment, I ponder my journey and begin my final Housecall!

Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others. He edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets.

Lock down USB ports on your computers

By Mark Joseph Edwards USB ports offer great flexibility to let you easily add all sorts of new devices to your computer. But USB devices also pose a considerable risk, so this week I explain how you can secure your USB ports to prevent unwanted activity.

How to prevent writing to USB devices

A computer’s USB port provides a great way to connect devices such as flash drives, cameras, and MP3 players. In fact, many cameras and MP3 players can be used as pseudo-flash drives, because their storage systems usually look like a regular drive in Windows. However, allowing write access to USB devices might not be a good idea — for two basic reasons.

First of all, if someone can write to a USB-based storage device, they can easily copy untold amounts of company data onto the device and trot right out the door without you knowing about it. Second, if malware makes it onto your computers, it could potentially write files to USB devices or erase such devices completely.

If you want to allow USB devices to be readable on your computers, but you don’t want to allow write access, there’s an easy way to do that by setting a Registry flag, as outlined in the steps below:

Step 1. Click Start, Run, enter regedit, and then press Enter to launch the Registry Editor.
Step 2. Navigate the Registry tree to:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl

Step 3. Look in the tree for a key called StorageDevicePolicies. If it doesn’t exist, create it.
Step 4. Select the StorageDevicePolicies key and then click File, New, DWORD Value.
Step 5. Set the name of the value to WriteProtect.
Step 6. Set the value of WriteProtect to 1 and close the Registry Editor.

Note that this procedure will also prevent writing to external (USB-attached) hard drives and DVD burners.

If you want to completely disable the use of USB devices, head over to the Diary Products Web site and read the article. It explains several steps you must take, including the steps to ensure that Windows doesn’t re-enable USB device usage after someone installs a new USB device.

The above steps are by no means a foolproof way to prevent untrusted users from attaching and writing to external devices. There are several tricks that can get around the restrictions, as described by the Digital Inspiration blog. But if you just need a simple way to prevent writing to flash drives and DVD burners, and you can supervise the use of a PC — say, in a parent-child situation — the above procedure is a good starting point.

A great way to find a wireless hotspot

Roaming around with your laptop can bring a lot of benefits to your travels. However, one problem on the road might be how to find connectivity. Sure, many hotels and motels offer free wireless, and so do a lot of coffee shops. But what if you can’t get connectivity at places like that where you’re at?

One solution is to look up a bunch of hotspots before you head out on the road. The best site I know of to do that is the Wireless Geographic Logging Engine (WiGLE). At that site, you can use a free, map-based search that lets you drill down into cities, sort of like GoogleMaps does. If you sign up for an account, you can use their more-powerful search engine.

The search engine lets you specify an address near where you’re headed, a state, a ZIP code, latitude and longitude, and a variety of other information to help you find the type of hotspot you’re looking for. Head to WiGLE and check it out!

New type of password stealer targets Skype

If you happen to see any downloads or receive any file attachments called Skype-Defender, stay away from them. The file, targeted at Skype Internet telephony users, is actually a Trojan that steals passwords.

McAfee reported the discovery of the Trojan on Oct. 17. You can read more about Skype-Defender in the company’s Avert Labs blog.

iPhones are popular — and vulnerable

If you’ve got an iPhone, by all means make sure you keep your firmware up to date. Exploits are on the loose that will let a bad guy send arbitrary payloads into the phone to gain complete access.

If your iPhone has firmware versions 1.0 through 1.1.1, your phone is vulnerable. Apple hasn’t released updated firmware yet, but you can keep an eye out for it at Apple’s security updates page.

Hackers targeting a bug in RealPlayer versions

According to an eWeek story, Symantec reports that bad elements are targeting a bug that’s found in all versions of RealPlayer, including the latest beta version of RealPlayer 11.

There are a number of steps you can take to defend your systems. Head over to eWeek and read the relevant story, “RealPlayer Exploit Infecting Windows Machines.”

Internet Explorer 7 needs a security patch

Adobe recently released an update for Acrobat Reader, fixing a serious security problem that takes advantage of bugs in Internet Explorer 7.0. Updating your copy of Acrobat Reader closes one avenue of attack via the browser, but no patch is yet available from Microsoft to correct the flaw in IE 7 itself.

The basic problem boils down to the way IE 7 handles certain URI descriptors, such as mailto: links. Microsoft is acutely aware of the problem and intends to fix the problem, but the company hasn’t said when it will get around to doing that. Hopefully, the patch will appear in the company’s November batch of security updates.

In the meantime, unfortunately, there’s very little you can do to protect yourself other than to practice incredibly safe Web surfing habits and avoid unknown e-mail file attachments at all costs.

You can read details about the problem over at the Microsoft Security Response Center blog.

Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.

Microsoft server installs unwanted Desktop Search

By Susan Bradley The tool Microsoft provides to patch entire networks, WSUS (Windows Server Update Services) ended up causing more issues than it fixed this week. Despite the fact that many administrators had configured WSUS not to install new applications, the service silently installed Windows Desktop Search, which horribly slowed down many workstations.

WSUS (894199)
WSUS downloads search app, causing big headaches

If you’re an administrator in a firm that uses the Microsoft patching tool known as Windows Software Update Services (WSUS, as it’s commonly referred to), do me a favor and check that WSUS is set not to automatically install patches.

I’ve said before that standalone systems should have Automatic Updates set to “download patches but do not install.” Please make sure that your WSUS server is set to do the same.

The admins of servers that were set to automatically install patches woke up a week ago Wednesday to discover that the PCs on their networks were slowing to a crawl. The reason? Windows Desktop Search (WDS) had been mistakenly deployed to the workstations by WSUS.

Admins reported on the WSUS newsgroup that WDS had been installed when they didn’t intend it. It appears that if administrators had previously approved a prior update, this new revision was installed on all computers in the network if you had auto-updates enabled in WSUS.

Bobbie Harder, the WSUS program manager, apologized on the official Technet blog for the resulting mess. But commenters on that blog entry were still questioning how the patch got installed on their networks. Many suspect the deployment mechanism, insisting that they had approved neither the latest patch nor the prior one.

Here’s my recommended action for WSUS administrators: go to the Options section and deselect Automatically approve the latest version of the update. Instead, select Continue using the older revision and manually approve the new update revision. (See the bottom half of Figure 1.)

Figure 1. WSUS includes settings to turn off “surprise” updates.

In addition, ensure that Automatically approve updates for installation is not chosen (top half of Figure 1). Then, on each Patch Tuesday, browse to Knowledge Base article 894199 to review the patches that have been released and choose which to approve.

Lately, security patches are still coming out on Patch Tuesday, but nonsecurity patches have been coming out on other Tuesdays, often the 4th Tuesday of the month. If you run a server, watch for these and don’t allow WSUS to automatically install anything you haven’t tested.

WSUS (894199)
Vista Ultimate patches are glitchy on WSUS

Server admins are already overtaxed by the auto-deployment of Windows Desktop Search described above. To add even more headaches, if you selected Vista Ultimate Language Packs and Vista Ultimate Extras, you got offers of umpteen language packs plus a screensaver.

Those of you who, like myself, are running Microsoft’s Small Business Server 2003 with its built-in WSUS can’t uncheck the box to stop the syncronization of Serbian, Croation, and other languages. Doing so would cause the WSUS integration with my server to stop working. We affectionately refer to this as the “blue check of death” in various blog posts on the subject. You then have to scan for all these updates and manually decline them.

The language packs, as you may recall, were classified as Ultimate Extras. The Microsoft blog posting announcing their release says that a manual patch from KB article 942903 is first required or the installation of the language packages may fail. However, this fix is not available via WSUS. The patch must be manually downloaded from the Microsoft download site and installed.

934521
Adobe Reader needs patching against hacked PDFs

An issue with URI handling in Intenet Explorer 7 on Windows XP SP2 is described in the Microsoft Security Resource Center advisory KB 943521. I need you to check your version of Adobe Acrobat and Adobe Reader. I’m currently seeing exploits in the wild for this vulnerability, using PDFs to trigger the payload.

Securty MVP Donna Buenaventura has been tracking the PDF threat in detail. She reports in her blog that not all antivirus engines are finding the malware.

If you update Adobe Reader and Acrobat to version 8.1.1, as reported in Donna’s security advisory, you’ll be protected from the exploit affecting Adobe products. If you’re using a version prior to 8 and can’t upgrade for some reason, your only protection is to use a Registry edit to protect yourself, as documented in that same security advisory.

As an alternative, you may wish to review third-party PDF readers and writers. Foxit Software and Cute PDF are alternatives to Adobe Acrobat.

Apple Leopard OS goes through upgrading

My relatively new Mac Mini will be getting an upgrade soon, since I ordered the Leopard operating system upgrade that Apple recently released. However, I was not one of those lined up outside the Apple store on the first day to get my copy. I believe in ensuring that all of my key data is backed up first.

There are some early reports that the upgrades aren’t going smoothly for all the upgraders, as seen on the Apple forums. I’ll be doing my own upgrade sometime this weekend and will report on the experience in the next Patch Watch.

MS07-043 (943172)
OLE patch could slow down applications

If you’re running Windows Server (32-bit or 64-bit) or the 64-bit version of Windows XP, and you’ve applied MS07-043, you have have noticed application that use OLE (Object Linking and Embedding) slowing down. If so, you should review the fix in KB 943172 to see if it applies to your situation. If you’re running 32-bit Windows, as most of us are, you need no fix and should not be experiencing this issue.

Check with your application vendor to see if the fix is advisable, if an application has become slow after the install of MS07-043.

MS07-059 (934525)
SharePoint get a fix for performance

If you’ve noticed an impact on SharePoint performance after installing MS07-059, KB 943594 has been released to remedy the situation. SharePoint is a Web-based, shared-document platform from Microsoft.

The cure can be freely obtained through the online hotfix request Web page. It normally takes only a few hours or less for me to get the needed hotfix back via e-mail after filling out the form. No longer do I need to call in and explain to the support person that all I need is a hotfix. It’s now an easy and painless process to get the hotfixes that I seek.

Daylight Saving Time hassles aren’t over yet

If you live in the United States, you’ll need to watch your computers on Nov. 4 and ensure that they set their time back one hour. The last Sunday in October used to be the day that the time changed. I didn’t find that any of my systems had problems last Sunday, so I’m hoping that, like me, you’ll find that everything got patched.

Microsoft is still running a DST support Web page, should you need any help on this issue.

Please let me know via the Windows Secrets contact page how daylight saving issues went for you.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.