Original publication date: December 15, 2003

<A NAME="Introduction"></a>

<p>This Tech Tip provides guidance for users connecting a new (or
newly upgraded) computer to the Internet for the first time.  It is
intended for home users, students, small businesses, or any site with
broadband (cable modem, DSL) or dial-up connectivity and limited
Information Technology (IT) support.  Although the information in
this document may be applicable to users with formal IT support as
well, organizational IT policies should be followed.</p>


<A HREF="#Introduction">Introduction</A>

<OL type="I">
 <LI><A HREF="#I">Motivating Factors</A></li>
 <LI><A HREF="#II">Recommendations</A></li>

  <OL TYPE="A">
  <LI><A HREF="#II.A">General Guidance</A></LI>
  <LI><A HREF="#II.B">Operating System-Specific Guidance</A></LI>

    <OL TYPE="1">
    <LI><A HREF="#II.B.1">Microsoft Windows XP</A></LI>
    <LI><A HREF="#II.B.2">Apple Macintosh OSX</A></LI>
    <LI><A HREF="#II.B.3">Other Operating Systems</A></LI>
    </OL> <!-- end type 1 -->

  </OL> <!-- end type A -->

 <LI><A HREF="#III">Staying Secure</A></LI>

</OL> <!-- end type I -->

<P><A HREF="#References">References</A></P>

<P><A HREF="#history">Document revision history</A></P>


<A NAME="I"></a>
<H3>I. Motivating Factors</H3>

<p>The CERT/CC has composed this Tech Tip to address a growing risk to
Internet users without dedicated IT support.  In recent months, we
have observed a trend toward exploitation of new or otherwise
unprotected computers in increasingly shorter periods of time.  This
problem is exacerbated by a number of issues, including:</p>

<li>Many computers' default configurations are insecure.</li>

<li>New security vulnerabilities may have been discovered between the
time the computer was built and configured by the manufacturer and the
user setting up the computer for the first time.</li>

<li>When upgrading software from commercially packaged media (e.g.,
CD-ROM, DVD-ROM), new vulnerabilities may have been discovered since
the disc was manufactured.</li>

<li>Attackers know the common broadband and dial-up IP address ranges,
and scan them regularly.</li>

<li>Numerous worms are already circulating on the Internet
continuously scanning for new computers to exploit.</li>

<p>As a result, the average time-to-exploitation on some networks for an
unprotected computer is measured in minutes.  This is especially true in
the address ranges used by cable modem, DSL, and dial-up providers.</p>

<p>Standard advice to home users has been to download and install
software patches as soon as possible after connecting a new computer
to the Internet.  However, since the background intruder scanning
activity is pervasive, it may not be possible for the user to complete
the download and installation of software patches before the
vulnerabilities they are trying to fix are exploited.  This Tech Tip
offers advice on how to protect computers
<b>before</b> connecting them to the Internet so that users can
complete the patching process without incident.</p>

<A NAME="II"></a>
<h3>II. Recommendations</h3>

<p>The remainder of this document is divided into two major sections:
<a href="#II.A">General Guidance</a> and <a
href="#II.B">Operating-System-specific steps</a>.</p>


<A NAME="II.A"></a>
<H4><LI>General Guidance</LI></H4>

<p>The goal of this document is to provide sufficient protection to a
new computer so a user can complete the download and installation of
any software patches that have been released since the computer was
built or the software media (e.g., CD-ROM or DVD-ROM) being
installed was manufactured.  Note that these steps are
not intended to be a complete guide to securely maintaining a computer
once the initial download and installation of patches is completed.
Additional <a href="#III">tips</a> and <a
href="#References">references</a> about securely maintaining a computer
 are at the end of this document.</p>


<li>We recommend following the steps below when upgrading to a new
operating system from disc(s) as well as when connecting a new
computer to the Internet for the first time.</li>

<li>Perform these steps <b>before</b> connecting to the
Internet for the first time.</li>

<p>Following are the general steps we recommend:</p>

<li>If possible, connect the new computer behind a network
(hardware-based) firewall or firewall router.

<p>A network firewall or firewall router is a hardware device that
users can install between the computers on their Local Area Network
(LAN) and their broadband device (cable/DSL modem).  By blocking
inbound access to the computers on the LAN from the Internet at large
(yet still allowing the LAN computers' outbound access), a
hardware-based firewall can often provide sufficient protection for a
user to complete the downloading and installation of necessary
software patches.  A hardware-based firewall provides a high
degree of protection for new computers being brought online.</p>

<p>If you are connecting your computer behind a firewall or router
that provides Network Address Translation (NAT), and if either of the
following are true: (a) the new machine is the only computer connected
to the LAN behind the firewall, or (b) all other machines connected to
the LAN behind the firewall are up to date on patches and are known to
be free of viruses, worms, or other malicious code, you may not need
to additionally enable a software firewall.</p></li>

<li>Turn on the software firewall included with the computer, if available.

<p>If your operating system includes a built-in software firewall, we
recommend that you enable it in order to block incoming connections
from other computers on the Internet.</p>

<p>As mentioned above, if your computer is going to be connected to a
local network behind a hardware-based firewall and all other computers
(if any) on that local network are known to be fully patched and free
of malicious code, this step is optional.  However, as part of a
"defense-in-depth" strategy, we recommend enabling the built-in
firewall software included with your operating system regardless.</p>

<p>If your operating system does not include a built-in software
firewall, you may wish to install a third-party firewall application.
Many such applications are available at relatively little (or
sometimes no) cost.  However, given that the issue we're trying to
address is the relatively short lifespan of an unprotected computer on
the open Internet, we recommend that any third-party firewall
application be installed from media (CD-ROM, DVD-ROM, or floppy disc)
before connecting to a network rather than downloaded directly to the
unprotected computer.  Otherwise, it may be possible for the computer to
be exploited before the download and installation of such software is

<li>Disable nonessential services, such as file and print sharing.

<p>Most operating systems are not configured with file and print sharing
enabled by default, so this shouldn't be an issue for most users.
However, if you are upgrading a computer to a new operating system and
that computer had file or print-sharing enabled, it is likely that
the new operating system will have file and print sharing enabled as well.
Since the new operating system may have vulnerabilities that were not
present in the older version being upgraded, disable file and print
sharing in the older version before beginning the upgrade process.
After the upgrade is complete and all relevant patches have been installed, file
sharing can be re-enabled if needed.</p> </li>

<li>Download and install software patches as needed.

<p>Once the computer has been protected from imminent attack through
the use of either a hardware or software-based firewall and the
disabling of file and print sharing, it should be relatively safe to
connect to the network in order to download and install any software
patches necessary.  It is important not to skip this step since
otherwise the computer could be exposed to exploitation if the firewall
were to be disabled or file/print sharing turned back on at some later

<p>Download software patches from known, trusted sites (i.e., the
software vendors' own sites), in order to minimize the possibility of
an intruder gaining access through the use of Trojan horse
software.</p></li> </ol>

  <A NAME="II.B"></a>
  <H4><LI>Operating System-Specific Guidance</LI></H4>

<p>The previous section outlined the CERT/CC's general 
guidance for installing new computers.  However, the specific
implementation of those recommendations depends on the operating
system in use. This section contains specific guidance for users of <a
href="#II.B.1">Microsoft Windows XP</a> and <a href="#II.B.2">Apple
Macintosh OSX</a>, as well as some pointers for <a
href="#II.B.3">other operating system</a> users.</p>

    <OL TYPE="1">
    <A NAME="II.B.1"></a>
    <B><LI>Microsoft Windows XP</LI></B>

<p>In order to complete these steps, you will need to be logged into
an account with local administrator privileges.</p>

<ol type="a">
<li>Review <A HREF="#II.A">General Guidance</A> above.</li>

<li>Connect behind a hardware-based firewall if available.</li>

<p>This step is covered in the <A HREF="#II.A">General Guidance</A> section above.</p>

<li>Enable the Internet Connection Firewall.</li>

<p>Microsoft has provided both <a
and <a
instructions for enabling the built-in Internet Connection Firewall on
Windows XP.</p>

<li>Disable shares if enabled.</li>

<ol type="1">
<li>Go to Start -> Control Panel.</li>
<li>Open "Network and Internet Connections".</li>
<li>Open "Network Connections".</li>
<li>Right-click on the network connection you wish to change (e.g., "Local Area Connection").</li>
<li>Select "Properties".</li>
<li>Make sure "File and Printer Sharing for Microsoft Networking" is unchecked.</li>
</ol> <!-- end type 1 -->

<li>Connect to the network.</li>

<li>Go to <a

<li>Follow the instructions there to install all Critical Updates.</li>

<li>Review <a HREF="#III">Staying Secure</a> below.</li>


<p>Additional Windows <a href="#References">References</a> can be found at the end of this document.</p>


    <A NAME="II.B.2"></a>
    <B><LI>Apple Macintosh OSX</LI></B>

<ol type="a">
<li>Review <A HREF="#II.A">General Guidance</A> above.</li>
<li>Connect behind a hardware-based firewall if available.</li>
<li>Enable the software firewall.</li>
	<ol type="i">
	<li>Open "System Preferences".</li>
	<li>Select "Sharing".</li>
	<li>Select the "Firewall" Tab.</li>
	<li>Click "Start".</li>
	<li>Select the "Services" Tab.</li>
	<li>Verify that all services are unchecked (default).</li>

<li>Connect to the network (plug in or dial-up).</li>
<li>Update installed software.</li>

	<ol type="i">
	<li>Open "System Preferences".</li>
	<li>Select "Software Updates".</li>
	<li>Turn on automatic updates (checkbox: "Automatically check for updates when you have a network connection".)</li>
	<li>Select an appropriate update frequency (daily is recommended).</li>
	<li>Click "Check Now".</li>
	<li>Install any recommended updates.</li>

<li>Review <a HREF="#III">Staying Secure</a> below.</li>

<p>Additional OSX <a href="#References">References</a> can be found at the end of this document.</p>

    <A NAME="II.B.3"></a>
    <B><LI>Other Operating Systems</LI></B>

<p>Users of other operating systems should review the <a
href="#II.A">General Guidance</a> above, then consult their respective
software vendors' sites for specific instructions (where available).

<p>Additional Linux <a href="#References">References</a> can be found at the end of this document.</p>

</ol> <!-- end section II.B -->
</ol> <!-- end section II -->

<A NAME="III"></a>
<h3>III. Staying Secure</h3>

<ol type="A">

<A NAME="III.A"></a>
<h4><li>Read our <a
href="/tech_tips/home_networks.html">Home Network
Security</a> document.</li></h4>

<h4><li>Install and use antivirus software</li></h4>

<p>While an up-to-date antivirus software package cannot protect
against all malicious code, for most users it remains the best
first-line of defense against malicious code attacks. Many antivirus
packages support automatic updates of virus definitions. The CERT/CC
recommends using these automatic updates when available.</p>

<h4><li>Enable automatic software updates if available</li></h4>

<p>Vendors will usually release patches for their software when a
vulnerability has been discovered. Most product documentation offers a
method to get updates and patches. You should be able to obtain
updates from the vendor's web site. Read the manuals or browse the
vendor's web site for more information.</p>

<p>Some applications will automatically check for available updates,
and many vendors offer automatic notification of updates via a mailing
list. Look on your vendor's web site for information about automatic
notification. If no mailing list or other automated notification
mechanism is offered you may need to check the vendor's website
periodically for updates.</p>

<h4><li>Avoid unsafe behavior</li></h4>

<p>Additional information on this topic can be found in our <a href="/tech_tips/home_networks.html#IV">Home Network
Security</a> Tech Tip.</p>

<li>Use caution when opening email attachments or when using peer-to-peer file
sharing, instant messaging, or chatrooms.</li>

<li>Don't enable file sharing on network interfaces exposed directly
to the Internet.</li>


<h4><li>Follow the principle of least privilege — don't enable it if you
don't need it.</li></h4>

<p>Consider using an account with only 'user' privileges instead of an
'administrator' or 'root' level account for everyday tasks.  Depending
on the OS, you only need to use administrator level access when
installing new software, changing system configurations, and the like.
Many vulnerability exploits (e.g., viruses, Trojan horses) are
executed with the privileges of the user that runs them  — making it
far more risky to be logged in as an administrator all the time.</p>



<A NAME="References"></a>

<ol type="A">

<h4><li>CERT/CC References</li></h4>


<li><a href="/tech_tips/home_networks.html">Home
Network Security</a> -- http://www.cert.org/tech_tips/home_networks.html</li>

<li><a href="/incident_notes/IN-2003-01.html">IN-2003-01 Malicious
Code Propagation and Antivirus Software Updates</a> --


<h4><li>Microsoft Windows XP References</li></h4>


Your PC</a> --

the Internet Connection Firewall</a> --

<li><a href="http://www.microsoft.com/security/incident/icf.asp">How
to Enable Internet Connection Firewall (ICF) on Windows XP</a> --

Windows XP Baseline Security Checklist</a> --
http://www.microsoft.com/technet/security/chklist/xpcl.asp</li> </ul>

<h4><li>Apple Macintosh OSX References</li></h4>

<li><a href="http://docs.info.apple.com/article.html?artnum=61534">How
to Keep Network Computers Secure</a> --

<li><a href="http://www.info.apple.com/usen/security/index.html">Apple
Product Security</a> --

<li><a href="http://www.apple.com/macosx/features/security/">OSX
Security Features Overview</a> --

Security Updates</a> --


<h4><li>Linux References</li></h4>

<li><a href="http://www.debian.org/security/">Debian Security
Information</a> -- http://www.debian.org/security/</li>

<li><a href="http://www.lindows.com/">Lindows.com</a> --

-- http://www.mandrakesecure.net/en/index.php</li>

<li><a href="http://www.redhat.com/solutions/security/">RedHat
Security Resource Center</a> --

<li><a href="http://www.redhat.com/apps/support/errata/">RedHat
Security and Errata</a> --

<li><a href="http://www.slackware.com/security/">Slackware Security
Advisories</a> -- http://www.slackware.com/security/</li>

<li><a href="http://www.suse.com/us/private/support/security/">SUSE
Security (US/Canada)</a> --


</ol><!-- end type A -->


<p><!--#include virtual="/include/footer_nocopyright.html" --></p>
<p>Copyright 2003 Carnegie Mellon University.</p>


<A NAME="history"></a>

<FONT SIZE=3 FACE="Verdana">
Revision History

<FONT SIZE=2 FACE="Verdana">
December 15, 2003<BR>
<FONT SIZE=2 FACE="Verdana">
Initial Release<BR>