This Tech Tip provides guidance for users connecting a new (or newly upgraded) computer to the Internet for the first time. It is intended for home users, students, small businesses, or any site with broadband (cable modem, DSL) or dial-up connectivity and limited Information Technology (IT) support. Although the information in this document may be applicable to users with formal IT support as well, organizational IT policies should be followed.
I. Motivating Factors
The CERT/CC has composed this Tech Tip to address a growing risk to Internet users without dedicated IT support. In recent months, we have observed a trend toward exploitation of new or otherwise unprotected computers in increasingly shorter periods of time. This problem is exacerbated by a number of issues, including:
- Many computers' default configurations are insecure.
- New security vulnerabilities may have been discovered between the time the computer was built and configured by the manufacturer and the user setting up the computer for the first time.
- When upgrading software from commercially packaged media (e.g., CD-ROM, DVD-ROM), new vulnerabilities may have been discovered since the disc was manufactured.
- Attackers know the common broadband and dial-up IP address ranges, and scan them regularly.
- Numerous worms are already circulating on the Internet continuously scanning for new computers to exploit.
As a result, the average time-to-exploitation on some networks for an unprotected computer is measured in minutes. This is especially true in the address ranges used by cable modem, DSL, and dial-up providers.
Standard advice to home users has been to download and install software patches as soon as possible after connecting a new computer to the Internet. However, since the background intruder scanning activity is pervasive, it may not be possible for the user to complete the download and installation of software patches before the vulnerabilities they are trying to fix are exploited. This Tech Tip offers advice on how to protect computers before connecting them to the Internet so that users can complete the patching process without incident.
The remainder of this document is divided into two major sections: General Guidance and Operating-System-specific steps.
II. General Guidance
The goal of this document is to provide sufficient protection to a new computer so a user can complete the download and installation of any software patches that have been released since the computer was built or the software media (e.g., CD-ROM or DVD-ROM) being installed was manufactured. Note that these steps are not intended to be a complete guide to securely maintaining a computer once the initial download and installation of patches is completed. Additional tips and references about securely maintaining a computer are at the end of this document.
- If possible, connect the new computer behind a network (hardware-based) firewall or firewall router.
A network firewall or firewall router is a hardware device that users can install between the computers on their Local Area Network (LAN) and their broadband device (cable/DSL modem). By blocking inbound access to the computers on the LAN from the Internet at large (yet still allowing the LAN computers' outbound access), a hardware-based firewall can often provide sufficient protection for a user to complete the downloading and installation of necessary software patches. A hardware-based firewall provides a high degree of protection for new computers being brought online.
If you are connecting your computer behind a firewall or router that provides Network Address Translation (NAT), and if either of the following is true: (a) the new machine is the only computer connected to the LAN behind the firewall, or (b) all other machines connected to the LAN behind the firewall are up to date on patches and are known to be free of viruses, worms, or other malicious code, you may not need to additionally enable a software firewall.
- Turn on the software firewall included with the computer, if available.
If your operating system includes a built-in software firewall, we recommend that you enable it in order to block incoming connections from other computers on the Internet.
As mentioned above, if your computer is going to be connected to a local network behind a hardware-based firewall and all other computers (if any) on that local network are known to be fully patched and free of malicious code, this step is optional. However, as part of a "defense-in-depth" strategy, we recommend enabling the built-in firewall software included with your operating system regardless.
If your operating system does not include a built-in software firewall, you may wish to install a third-party firewall application. Many such applications are available at relatively little (or sometimes no) cost. However, given that the issue we're trying to address is the relatively short lifespan of an unprotected computer on the open Internet, we recommend that any third-party firewall application be installed from media (CD-ROM, DVD-ROM, or floppy disc) before connecting to a network rather than downloaded directly to the unprotected computer. Otherwise, it may be possible for the computer to be exploited before the download and installation of such software is complete.
- Disable nonessential services, such as file and print sharing.
Most operating systems are not configured with file and print sharing enabled by default, so this shouldn't be an issue for most users. However, if you are upgrading a computer to a new operating system and that computer had file or print sharing enabled, it is likely that the new operating system will have file and print sharing enabled as well. Since the new operating system may have vulnerabilities that were not present in the older version being upgraded, disable file and print sharing in the older version before beginning the upgrade process. After the upgrade is complete and all relevant patches have been installed, file sharing can be re-enabled if needed.
- Download and install software patches as needed.
Once the computer has been protected from imminent attack through the use of either a hardware- or software-based firewall and the disabling of file and print sharing, it should be relatively safe to connect to the network in order to download and install any software patches necessary. It is important not to skip this step, since otherwise the computer could be exposed to exploitation if the firewall were to be disabled or file/print sharing turned back on at some later date.
Download software patches from known, trusted sites (i.e., the software vendors' own sites), in order to minimize the possibility of an intruder gaining access through the use of Trojan horse software.
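As an added example (not part of the CERT/CC Tech Tip), the following POSIX shell check covers the "disable nonessential services" step above before the network cable is plugged in: it reads listening-socket lines in the format printed by `ss -Hltn` on a Linux host and reports any socket bound to a port used by file or print sharing. The port list, the `--demo`/`--live` switches and the sample listing are constructed assumptions, not values from the Tech Tip.

```shell
#!/bin/sh
# Added example, not from the Tech Tip. Assumes a Linux host with ss(8) from iproute2.
# Ports conventionally used by file and print sharing (assumed list):
#   139/445 SMB, 111/2049 NFS, 515 LPD, 631 IPP/CUPS.
SHARING_PORTS="139 445 111 2049 515 631"

# flag_sharing_listeners: reads "ss -Hltn"-style lines on stdin
# (STATE RECV-Q SEND-Q LOCAL:PORT PEER:PORT ...), prints every listening
# socket whose local port is a sharing port (loopback-bound ones included,
# since the service is still running) and returns 1 if any was found.
flag_sharing_listeners() {
    found=0
    while read -r _state _rq _sq laddr _rest; do
        [ -z "$laddr" ] && continue
        port=${laddr##*:}            # "0.0.0.0:445" -> "445", "[::]:22" -> "22"
        for p in $SHARING_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "file/print sharing service still listening on $laddr"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample listing, as a fresh install might show it:
# SMB and CUPS listening alongside SSH.
SAMPLE_LISTING='LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 [::]:22 [::]:*'

# audit_before_connect: run against the live socket table while the host
# is still offline; exits nonzero when sharing services are listening.
audit_before_connect() {
    ss -Hltn | flag_sharing_listeners
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | flag_sharing_listeners
elif [ "${1:-}" = "--live" ]; then
    audit_before_connect
fi
```

Run it with `--demo` to see the two flagged sample sockets, or with `--live` on the offline machine; a nonzero exit means sharing should be switched off before connecting.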
This Tech Tip is brought to you by the Business and Technology Section ... IT solutions for today's CPAs.
LAST UPDATED 12/17/2009