Contributed by: filbert Tuesday, May 03 2005 @ 10:23 AM CST
The “Top 20” is actually two top 10 lists, one for Windows users, the other for Unix users. Obviously the Windows list has little impact on Unix and vice versa. Also, some of the Windows vulnerabilities are focused on Windows servers (which I imagine few people actually run at home).
The short recommendations for Windows users:
1. Stay current with the latest versions of operating systems and software, especially web browsers and anti-virus software.
2. Don’t use peer-to-peer software (e.g. Napster, Gnutella, KaZaA) unless you know what you’re doing (both technically and legally).
3. Implement a firewall between yourself and the Internet: either a software firewall on your computer, or a firewall on your network at the Internet connection point, preferably both (i.e. “defense in depth”).
4. Avoid using the Microsoft products Internet Explorer (the web browser), Outlook, and Outlook Express (the mail clients) if at all possible. The Bad Guys target these programs, and they have a long nasty history of serious vulnerabilities.
5. Don’t open any e-mail (the message itself or an attachment) from anybody you don’t recognize. Delete suspicious e-mails immediately. Don’t use the “preview feature” — that’s the same as opening the mail message. Turn on e-mail checking in your antivirus software. It will slow you down a bit. Getting infected will slow you down a lot more.
6. Don’t use instant messaging unless you know what you’re doing.
More on the SANS Top 10 for Windows:
W1. Web Servers & Services.[*2] Most home users don’t need to worry too much about this, unless you’re running a web server at home. If you are, then read, understand, and implement the SANS recommendations, for pity’s sake!
W2. Workstation Service.[*3] Stay current with your software and use a firewall (recommendations 1 and 3 above).
W3. Windows Remote Access Services.[*4] As with the previous one, stay current and use a firewall.
W4. Microsoft SQL Server (MSSQL).[*5] Some programs install this software for you as “MSDE” for use as an internal database for the program. If you’re using software which uses MS-SQL or MSDE, you really, really need to read and understand the SANS recommendations. Otherwise, choose software which doesn’t require MSSQL/MSDE.
W5. Windows Authentication (i.e. passwords).[*6] Pick passwords which are difficult to guess. One of the best recommendations is to pick an easy-to-remember phrase and use the first letter of each of its words. Adding numbers makes better passwords. Some systems don’t allow them, but using “special characters” makes passwords much stronger. An example would be something like “My Dog Is 4 Years Old & Has A Black Tail”, which would give the very strong password “mdi4yo&habt”. The longer your password is, the harder it is to “crack” (and of course the harder it is to remember). Passwords should be at least 6 characters long.
W6. Web Browsers.[*7] See recommendation 4 above. All browsers are vulnerable, but users of Microsoft’s Internet Explorer are at the highest risk. As SANS says, “If you are using Internet Explorer on your system, there is no current way to know if you are vulnerable, due to the large number of unpatched vulnerabilities which exist.” If you don’t have to use Internet Explorer (some sites require it), then use something else: Firefox, Opera, Mozilla.
W7. File-Sharing Applications.[*8] Just don’t, if you don’t need to. If you simply have to run this stuff, read and understand the SANS recommendations.
W8. LSASS Exposures.[*9] This one is pretty obscure; staying patched (#1 above) and using a firewall (#3 above) will help to keep you out of trouble.
W9. Mail Client.[*10] Oh, my. This one is where people get into real problems really, really fast. See recommendations 4 and 5 above, and view all e-mail you receive with some suspicion.
W10. Instant Messaging.[*11] This one is coming on strong, and defenses are weak right now. Don’t use it unless you absolutely have to.
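The W5 passphrase trick above can be written out as a small script. What follows is an added example, not code from the original post or from SANS: it derives a password from a phrase with the post’s “first letter of each word” rule, checks it against the rules the post lists (minimum length, a digit, a special character), and gives a rough upper bound on how many guesses a brute-force attacker would need. The function names, the entropy estimate, and the sample phrases are my own assumptions; the phrase and the expected password “mdi4yo&habt” come from the post.

```python
import math
import string

# Phrase taken from the post; the mnemonic rule below is the post's method.
EXAMPLE_PHRASE = "My Dog Is 4 Years Old & Has A Black Tail"


def password_from_phrase(phrase: str) -> str:
    """First character of each whitespace-separated word, lowercased.
    Digits and symbols in the phrase ("4", "&") are carried into the
    password unchanged, which is what gives it its mixed character set."""
    return "".join(word[0] for word in phrase.split()).lower()


def character_classes(password: str) -> dict:
    """Which of the four usual character classes the password contains."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def estimate_entropy_bits(password: str) -> float:
    """Brute-force upper bound: length * log2(size of the character set in use).
    This is an assumption for illustration. A mnemonic password is weaker than
    this figure suggests, because the letters come from English word starts,
    so treat the number as a ceiling, not a measurement."""
    classes = character_classes(password)
    space = 0
    if classes["lower"]:
        space += 26
    if classes["upper"]:
        space += 26
    if classes["digit"]:
        space += 10
    if classes["special"]:
        space += len(string.punctuation)  # 32 ASCII punctuation characters
    if space == 0:
        return 0.0
    return len(password) * math.log2(space)


def check_policy(password: str, min_length: int = 6) -> list:
    """Return the rules from the post that the password fails (empty = passes).
    The default minimum of 6 is the post's figure; raise it for modern use."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if not classes["digit"]:
        problems.append("no digit")
    if not classes["special"]:
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # Constructed phrases: the post's own, plus two that fail its rules.
    for phrase in (EXAMPLE_PHRASE, "Four score and seven years ago", "My cat"):
        pw = password_from_phrase(phrase)
        print(f"{phrase!r} -> {pw!r}: {estimate_entropy_bits(pw):.1f} bits, "
              f"problems: {check_policy(pw) or 'none'}")
```

Running it shows why the post’s example is a good one: the phrase happens to contain a digit and an ampersand, so the derived password picks up three character classes at once. A phrase made only of plain words, however memorable, yields lowercase letters only and fails two of the three checks, which is exactly the case the post warns about when it says to add numbers and special characters.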