Configuring Microsoft products for safety, security and privacy
This page explains why you need to change settings in Windows but
if you just want to know how to do so then visit each of these pages,
starting with the first:
Why change e-mail and browser settings
Internet Viruses and other malware have had increasing media attention
over the past 3-4 years as the cost and disruption that can be wreaked by a
sole juvenile delinquent regularly breaks the billion dollar barrier.
You could contribute!
What has changed for the worse in the past 6 months is that the professional
criminal community have decided that there is a substantial profit to be made
at relatively low risk - a dangerous cocktail for potential victims.
Unlike hackers, criminals are focussed on profit rather than glory or fame -
they prefer to be inconspicuous and rich. This change in perpetrator has
led to a dramatic change in the objectives and behaviour of malware
- software aimed at doing harm.
Trojan horses are the ultimate weapon and goal of most attacks even though
they will use Worms and Viruses to propagate themselves in what is called
a blended threat.
Trojans take control of your PC, install methods for neutralising firewalls
and Anti-Virus, and typically then await instructions from their 'master'
- a remote site which they regularly contact for new malware and scripts
to execute - either funded by blackmail or, in their spare time, attempting
to increase the size and capability of their army - your PCs!
Hackers naturally target the weakest link(s): Windows and the bundled
(MS) applications that provide e-mail and Web access - Outlook (Express)
and Internet Explorer.
A small number of changes to the settings for each of these programs
allows you to instantly switch from being in the 95% that are at
severe risk to the 5%.
By changing the settings from the MS defaults to those more appropriate
to this century the chances of being inadvertently infected are reduced.
The only consequence of restricting the MS products in this manner is
that you need to know the simple ways to grant those web sites and
e-mail senders that you REALLY TRUST a slightly higher privilege on
your PC, as described in How to trust a web site. That is where you
should start, to ensure you are happy with the process, even though it is
a one-off exercise for each site that you need to promote - most people do
not have more than half a dozen.
Background for the more technical reader - the root(s) of the problem(s)
PC software assumed the 'P' in PC meant 'Personal' as in 'Single User'.
There was no attempt in the early days to have any security at all.
That was because those PCs were not connected and programs were only installed
by the owner ('P'!) of the PC.
('Real' computers (e.g. mainframes) had security systems even back in the '80s
which operated independently of even the operating system - controlling
access even for those who had physical access to the hardware.)
Early Viruses started to spread by 'Floppy disk' where anyone foolish enough
to leave one in a PC at startup would auto-run whatever the diskette chose!
When e-mail became popular this was a breakthrough for the Virus writers as
this was a much faster propagating medium for them to exploit.
This time the malicious programs would typically hide as benign attachments.
When Microsoft introduced a feature called 'Active-X' it was designed
to provide web developers and even e-mail senders with the ability to make
the recipient's experience more interactive and exciting by allowing them
to directly interface with internal parts of Windows -
that is the core of the problem!
Whereas competing tools such as Javascript were restricted to what is
referred to as a 'Sandbox' - i.e. a play area - Active-X can do virtually
anything that the user's permissions allow - read and write files being the
most obvious and painful examples!
Why is Active-X such a problem when I don't use it?
The problem is that you DO! You actually don't need to click upon
ANYTHING - just load a page that you might have thought was innocent
or, worse still, click on a link in a Spam e-mail 'out of curiosity!'.
Similarly - if Outlook Express isn't configured securely then it can
perform irreparable damage in the sub-second that an e-mail is in front
of your eyes - even in the preview pane!
By trying to capture the developers of web sites with the prospect of
providing a more exciting web site MS have left open the biggest 'can of worms'
that has ever been created - biggest in many respects!
Just to confirm that this was such a serious mistake - the latest MS version
of Internet Explorer (IE 7) actually has Active-X disabled by default - you
can't get much more of an admission of error and guilt...
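The following PowerShell, added here as an example and not part of the original page, reports how the Internet zone treats ActiveX for the current user and lists the sites that have been promoted to the Trusted sites zone. It assumes the standard per-user Internet Explorer registry layout; the choice of the five ActiveX actions is an assumption, since this page does not list the individual settings.

```powershell
# Added example: audit how Internet Explorer treats ActiveX for the current user.
$settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# URL action IDs (registry value names) that govern ActiveX in a zone.
# Assumption: these five are the settings of interest; the page does not list them.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneReport {
    param([int]$Zone = 3)   # 3 = Internet zone, 2 = Trusted sites
    $values = Get-ItemProperty -Path "$settings\Zones\$Zone" -ErrorAction SilentlyContinue
    foreach ($id in $actions.Keys) {
        $raw = $values.$id   # $null when the key or the value is absent
        $state = 'Not set'
        if ($null -ne $raw) {
            $state = $meaning[[int]$raw]
            if (-not $state) { $state = 'Other (0x{0:X})' -f $raw }
        }
        [pscustomobject]@{
            Zone = $Zone; Action = $id; Description = $actions[$id]; State = $state
            Silent = ($state -eq 'Enable')   # runs without asking the user
        }
    }
}

function Get-TrustedSiteEntry {
    # Sites promoted to the Trusted sites zone (zone 2) for this user.
    # A subdomain appears as domain\subdomain, mirroring the registry layout.
    Get-ChildItem -Path "$settings\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($proto in $key.GetValueNames()) {
                if ($key.GetValue($proto) -eq 2) {
                    [pscustomobject]@{
                        Site     = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
                        Protocol = $proto
                    }
                }
            }
        }
}

Get-ActiveXZoneReport -Zone 3 | Format-Table -AutoSize
Get-TrustedSiteEntry | Format-Table -AutoSize
```

Settings enforced by Group Policy live under the Software\Policies branch of the registry and take precedence, so on a managed PC that branch needs checking as well.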
I hope that has been useful. Any Comments, suggestions or corrections
to: Contact us please.
This would be especially useful if the software environment you have is
different to mine and the headings, text or prompts are different.