Security Self-Help Tool for Windows, v. 2 - Help Page
Don't Panic!
If you came to this page because you ran the Security Self-Help Tool and it discovered some problems, you should be able to find the information below that you need to address those problems. (See below for a helpful table of contents.) There is information specific to the utility, covering its use and limitations, as well as links to security best-practices documents for different Windows platforms, which provide step-by-step instructions for securing your Windows PC based on the Self-Help Tool's suggestions. If you still need help, there is also a link at the bottom of this web page to the HelpSU web form, where you can request assistance from ITSS technical support.
Please try your best to apply security fixes using the information available on the Secure Computing web site; but if you find yourself having difficulty, feel free to call for help. Be aware that some of the tests survey advanced areas of Windows for which we cannot provide support. See the note on the types of tests below.
Once you've made the suggested changes, you can run the tool again to confirm your success. If you use more than one computer, please run the tool on all of them.
This documentation is for the Security Self-Help Tool version 2. The documentation for the earlier version, which supports older versions of Windows, is available here.
Note: If your computer belongs to a Windows domain, or if you have a local Windows system administrator, some of the advice below won't necessarily apply to you. If you have local computer support, you should talk first to your support technician before attempting any changes other than setting a strong password for your own Windows account, which is very important!
On this page:
Working with the Security Self-Help Tool
System Requirements
Downloading and Installing
Removing
How to Check for New Versions
Help
Important Note on Privacy
Starting the Tool the First Time - Choosing a Group
The Main Window
Secure Password Test
Red Box, Yellow Box, Box with Locks, This Test Rocks!
Fixing and "Unfixing" Problems
Getting a Full Report
Concerning Windows XP Home Edition
Help for Individual Security Tests of the Self-Help Tool
Basic, Advanced and Local Tests
Basic Tests
Administrator Account Passwords
Logged-in User Account Privileges
The "Guest" Account
The "Guest" Account Name
Distributed Component Object Model (DCOM)
Is Symantec AntiVirus Installed
Is Symantec LiveUpdate Enabled
Internet Explorer Version
PC-Leland Installation Status
Install the BigFix Client
Advanced Tests
Restrict Anonymous Remote Connections
NTFS Drives
Check the XP Firewall
Domain Membership
High Risk Services
Auto-Logon
Is Fast User Switching Disabled
Windows Update
Internet Information Server Status
Outlook Security Status
Registry Settings
Office Macro Security
Set Symantec AntiVirus to Check Daily
Set Windows Update to Automatically Update
Set Windows Update to Check for Updates Daily
Set Windows Script Security
Do Not Allow Automatic Completion of Web Forms
Disable Internet Explorer Password Caching
Internet Connection Sharing
Do Not Allow Automatic Completion of Passwords
Show All File Extensions
Remove File Extension Visibility Extensions
Local Tests
Working with the Security Self-Help Tool
System Requirements for the Security Self-Help Tool 2
Windows 2000 or XP. [This utility is not intended for use on servers.]
Version 1.0 of this tool provides some support for Windows 95, 98, NT and ME. You can download that tool from the ESS web site (see next section below).
Downloading and Installing the Self-Help Tool
To download the software, go to the Essential Stanford Software (ESS) for Windows page.
When you start the download, your web browser will display a dialog box asking if you want to "Save" or to "Open" the Self-Help Tool's installer. Choose the option to "Open" if you are given it: the installer will launch automatically and guide you through the installation process.
If you are given only the option to "Save," then save the installer to a convenient location, such as your computer's desktop. To begin the installation process, simply double-click the file that you saved.
Once the software is installed, an icon labeled "Security Self-Help Tool" will appear on your desktop. You run the Security Self-Help Tool by double-clicking its desktop icon. If you saved the installer file, you may now throw it away.
You may also run it by going to your Start menu > Programs > Stanford > Security Self Help.
Removing the Security Self-Help Tool
There is no reason you should have to remove the tool - it does nothing unless you launch it and use it - but it's nonetheless easy to remove: Open the Windows Add/Remove Programs control panel, select Stanford Security Self Help, and click the "Remove" button.
How to Check for New Versions of the Tool
The Security Self-Help Tool has the capability to check for new versions of itself on the network. By default it will do this automatically each time you start it. It will attempt to go on the network and look for an update. This process takes a few seconds, unless no network connection is present, in which case it might take a little longer before it gives up.
The Self-Help Tool's Preferences menu (in the View menu) lets you adjust the auto-update feature - you can set it so that it doesn't look for an update each time you use it, but it will still check every 30 days regardless of this setting. If you do have auto-update turned off, you can use "Check for Update Now" in the Preferences window whenever you like.
Help for the Security Self-Help Tool
The Security Self-Help Tool's Help button (or the Security Self-Help Tool Help command in the Help menu) launches your default web browser and takes you to this page.
If you need more help than this page and its links provide, please use the links at the bottom of this page to contact HelpSU for assistance. Keep in mind that ITSS cannot provide support for fixing problems discovered by the advanced tests other than what assistance we provide here.
Important Note on Privacy
The Security Self-Help Tool is a simple, self-contained utility that performs a set of basic security checks appropriate to the kind of computer you run it on. The tool is non-intrusive, and is provided as an educational aid in your efforts to keep your computer more secure.
In support of our efforts to evaluate the usefulness of the tool to the Stanford community, when the tool or a full upgrade is first installed on a machine, we do collect the machine's Ethernet address (aka hardware or MAC address), the version number of the Self-Help tool (and the previous version, if it's an upgrade) and the date/time - the tool sends this data to ITSS over the Internet. Its purpose is to give us some basic statistical feedback about how many computers on campus are installing the tool, giving us a rough idea of how many may be using the tool to help ensure their security. The tool neither collects nor sends any information about your computer's contents nor your use of the tool nor the results of any of the tool's tests.
The tool does not save information about test results on your computer. However, if you choose to use the tool's "fix it wizard" to fix problems, the tool internally keeps information about the changes it makes. That allows the tool to undo the changes later if you choose. Again, this information is kept internally on your computer and is not sent to anyone.
Starting the Tool the First Time - Choosing a Group
The first time you run the Security Self-Help Tool, you'll be asked whether you are a member of a listed group. If so, you should select the group. If you are not, just click one of the other two buttons. You can change your setting (to join or leave a group) later via the Preferences (View menu).
This setting is to support groups (your department, for instance) that may have custom security settings that should be verified or set. Group leaders who want to create customizations should see the special documentation here (a Microsoft Word document).
The Main Window
Four easy choices:
- Run the Test... - The main collection of security tests. Clicking the button starts the tests, and the Tests and Repair window opens, showing the progress of the tests (they usually take only a few seconds to a minute to run) and then the results. A description of the window and the tests appears below.
- Secure Password Test - a pair of tests that try to guess the password of each Windows account on the machine (or selected accounts - your choice) using a list of 900 or 3,000 possibilities respectively. This test is available only to administrators of the PC. The Secure Password Test is described further below.
- Help - opens your default browser to this web page
- Quit - ends the program
Secure Password Test
Choosing strong, hard-to-guess passwords for all of your computer accounts is extremely important. The Self-Help Tool is only concerned with the various Windows user accounts on the computer on which it is run. It has nothing to say about other computer accounts you may have, such as your SUNet ID.
The Secure Password Test tries to determine the password set for each active (i.e., not disabled) account on the PC (or selected ones - your choice). The test is available only to administrators of the PC, and is "grayed out" to others.
How it works: The Secure Password Test is not a real password "cracker" but rather a password "guesser." It makes no attempt to decipher any user passwords on your computer, which are stored in an encrypted form. It simply tries to log in to one or more user accounts by working its way through a dictionary of common passwords. Password "guessing" is usually how hackers break in. Many people use very common passwords, often without realizing they are doing so. The test's guesses include common, insecure password formulas (e.g., using the username as the password).
You can choose whether you want the Secure Password Test to use the smaller dictionary of more than 900 common passwords, or the larger one containing over 3,500 common passwords.
Warning: On some computers the test will run quite slowly, and - depending on the options you select, as well as the number of accounts being tested - it could take hours or even days to finish (it usually takes less than a minute per account, however). If this test runs too slowly to suit you, you can always click "Cancel" to stop it immediately.
There is a counter at the bottom of the Full Password Check window that shows how the test is progressing. As soon as the test discovers a weak password, it displays a warning, and continues on to the next account to be tested, if there is one.
If any of the user accounts on your computer have weak passwords, it is very important that you change them. It is critically important that you set strong passwords for all user accounts, especially for user accounts with Administrator privileges!
If this test finds a problem, it is imperative that you take action as soon as possible. For specific help with choosing and setting passwords, click on one of these links. You can then use your web browser's "back" button to return to this page.
How to Choose a Strong Password
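The guessing approach described under "How it works" above can be applied to a password before you set it. The following is an added example, not the Self-Help Tool's own code: the word list is a constructed sample, and every formula other than "username as the password" is an assumption about what such a guesser tries.

```python
import re

# Constructed sample list; the tool's own dictionaries are not published on this page.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "stanford", "welcome", "123456"}

# Trailing digits and punctuation that people append to an otherwise guessable word.
_TRAILING = re.compile(r"[\d!@#$%^&*._-]+$")


def _stem(text):
    """Lower-case the text and drop trailing digits/punctuation ('Welcome1!' -> 'welcome')."""
    return _TRAILING.sub("", text.casefold())


def weak_reason(username, password, dictionary=COMMON_PASSWORDS):
    """Return why a dictionary-and-formula guesser would find this password, or None."""
    if password == "":
        return "blank password"
    user = username.casefold()
    pw = password.casefold()
    stem = _stem(password)
    if pw == user:
        return "password is the username"
    if pw == user[::-1]:
        return "password is the username reversed"
    if user and stem == user:
        return "password is the username plus digits or punctuation"
    if pw in dictionary:
        return "password is in the common-password list"
    if stem in dictionary:
        return "password is a common password plus digits or punctuation"
    return None


def audit_accounts(proposed):
    """Map each account name to the reason its proposed password is weak (weak ones only)."""
    findings = {}
    for username, password in proposed.items():
        reason = weak_reason(username, password)
        if reason:
            findings[username] = reason
    return findings


if __name__ == "__main__":
    # Constructed accounts and passwords, for illustration only.
    sample = {"Administrator": "", "jdoe": "jdoe1", "alice": "c0rrect-H0rse-battery"}
    for account, reason in audit_accounts(sample).items():
        print(f"{account}: {reason}")
```

A result of None only means the password survives these particular guesses; it is not a measure of overall strength.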
Red Box, Yellow Box, Box with Locks, This Test Rocks!
When you click the "Run the Test" button on the main window, the Test and Repair window opens and shows you the progress of the tests being run. Next, the result summary appears in text at the top of the window, with detailed information below it:

The tabbed pane shows All Fixable Problems (the default, if the tests find fixable problems), All Problems, or All Tests. Each test listed in the pane will have a color-coded box to indicate the result of the test:
- Red box - a serious problem that should be fixed as soon as possible
- Yellow box - a caution - this is a problem that you should consider fixing but it is not generally considered serious
- Red or Yellow box without a lock - the tool itself can fix the problem; see below
- Red or Yellow box with a lock - the tool cannot fix the problem - Note: These won't show up on the All Fixable Problems tab.
- White box with a green checkmark - your computer passed this test - Note: These will show up only on the All Tests tab
- Yellow box with a red exclamation mark - a problem occurred during the test - this is rare, but we don't usually have any other information to give you about it, unfortunately
- Yellow box with a red exclamation mark and a lock - a problem occurred trying to fix the problem (this can occur only when the Fix Marked Items or Run the Undo Wizard button is used)
The icons are shown and described in the Icon Legend, available in the View menu of the Test and Repair window.
If you select one of the test items by clicking on it (not on the checkbox, but on the text itself), the text pane at the bottom of the window changes to provide information about the test and its result, including suggestions for how to fix the problem if a problem was found. In the above example window, the first failed test, Distributed Component Object Model, is selected, and a description of the problem shows up in the pane below. The same help information you see there is provided in the Full Report if you request it - that lets you get all the help at once. And, if you want still more information, some of the tests have more on this web page - see below.
Here's the breakdown of the 3 tabs:
- All Fixable Problems - This is a list of problems found by the tool that also can be fixed by the tool. The small checkboxes on the far left determine which problems will be fixed when you press the Fix Marked Items button. By default, they are all checked since we hope you'll want the tool to fix all of them. This is the only tab that lets you use the Fix Marked Items button since this is the only tab that includes the checkboxes.
- All Problems - The Self-Help Tool can't fix some of the problems it finds. This tab includes all the problems, not just the ones the tool can fix. Again, for information about how you would fix the other problems, you can select them individually to read the help in the bottom pane, or you can "Show Full Report", which includes that information.
- All Tests - This tab lists all the tests, including the ones your computer passed. They are divided into two or three sections: Basic Tests, Advanced Tests and (optionally) Local Tests. These are described about half a page down.
Fixing and "Un-Fixing" Problems
Many of the problems uncovered by the Security Self-Help Tool can be fixed by the tool itself. Those are the tests listed on the All Fixable Problems tab. The easiest way to fix them is to simply click on the Fix Marked Problems button, and usually within a few seconds, the problems are repaired. (You can re-run the tests to verify, if you want.) The display gets updated to show that the problems that were fixed are no longer problems.
In rare cases, you may discover later that a repair made by the tool is causing some problem that is worse for you, in your estimation, than the security it provides. If you need to "undo" a change you made by using the Fix Marked Problems button, you can return to the tool, re-run the tests, and then click the Run the Undo Wizard button. It will let you choose which of the fixes the tool previously made (all or selected ones) you would now like to undo. (Of course, if that does not fix the problem you thought it was causing, you probably should re-apply the tool's repair.)
The Undo Wizard can only undo the fixes made by the tool. For problems that the tool finds but cannot fix, you must fix them, and hence, if necessary, unfix them, yourself.
Getting A Full Report
Once you have run the security tests (perhaps after fixing any problems), you can request a full report of the final results using the Show Full Report button. This opens the report in a window of your default browser. You can then print or save it using the browser's facilities.
The report includes (in this order) basic information about your computer, the problems found (along with the "help" suggestions of how to fix each problem), the tests the PC passed, and the full listing for all the tests.
One way to use the report is to email a copy to your local technical support person.
Concerning Windows XP Home Edition
If you use your PC to conduct Stanford business, even if it's a home computer that isn't connected directly to the Stanford network, you are strongly encouraged not to use Windows XP Home Edition, because it cannot be made as secure as XP Professional.
Here are some specific concerns (though not all of these will necessarily apply to you):
- XP Home cannot join a Windows domain, so centralized administration is not possible. Without centralized administration, security-related group policies and templates cannot be applied.
- XP Home does not allow users to encrypt files.
- XP Home only supports "Simple File Sharing." To access an XP machine's resources over the network, a user must access the insecure Guest account, which cannot be disabled without breaking all file sharing.
- In the default configuration of XP Home, all users are granted Administrator privileges, and are not required to set any password.
- XP Home doesn't support Remote Desktop, which can be very useful for sharing files and other resources between home and office, though its use also increases one's exposure to security threats from the Internet. (The use of Remote Desktop isn't recommended, unless you really need it.)
- XP Home doesn't support multiple languages. While this is not a security problem, it limits XP Home's usefulness to some people.
Help for Individual Security Tests of the Self-Help Tool
The tests in the Security Self-Help Tool concern themselves with the most significant vulnerabilities found in default installations of Windows platforms.
If the Security Self-Help Tool finds no problems, that does not mean that your computer is perfectly secure. And if it does find a few problems, depending on their nature and severity, that doesn't necessarily mean that your computer is insecure.
Some tests are more important than others - the help for the tests conveys the relative seriousness of each finding. More specific information is below.
After setting a good password, and keeping your antivirus software properly configured and up-to-date, probably the single most important security measure you can take is to visit the Microsoft Windows Update page on a regular basis, to check for security patches and other fixes both for Windows and Internet Explorer. The Self-Help Tool isn't able to test whether or not your system has been patched to a current level. It's up to you to go to the Windows Update site. Using BigFix, which helps you stay current with patches, is recommended - its presence is tested by this tool.
Basic, Advanced and Local Tests
The Self-Help Tool includes three categories of tests, which show up on the "All Tests" tab:
- Basic Tests - the most basic and often most important tests. ITSS provides support for fixing these if you have questions or problems.
- Advanced Tests - because of the complexity of the issues involved, ITSS cannot provide technical support for advanced tests, which are intended for expert users of Windows.
- Local Tests - selected and implemented by someone in your "group", these customized tests are not supported by ITSS; if you need help with them, contact your Local Network Administrator or Expert Partner. People who do not choose a group when they first use the tool will not see this category.
Here's specific information on each of the tests in the Self-Help Tool:
Basic Tests
Administrator Account Passwords
This test is very limited - it checks only user accounts that have Administrator privileges (see "Logged-in User Account Privileges" below for further explanation), and then it only looks for "blank" or "null" passwords. In other words, it only looks for privileged accounts for which no password at all has been set. If it finds any such accounts, it will list them as having "no password set" in the utility's message pane, and display a red box for this test.
It is critically important that you set strong passwords for all user accounts, especially for user accounts with Administrator privileges!
If this test finds a problem, it is imperative that you take action as soon as possible. For specific help with choosing and setting passwords, click on one of these links. You can then use your web browser's "back" button to return to this page.
Important "But" for XP Home users: Although your machine does have an administrator account that the self-help tool finds, it will not show up in the Users control panel unless you are in Safe Mode. We believe that account cannot be exploited remotely and that you do not need to worry about this warning. You might want to read more about the account in this Microsoft document.
How to Choose a Strong Password
You are also strongly encouraged to use the Self-Help Tool's Secure Password Test.
Logged-in User Account Privileges
A "yellow box" rather than a "green checkmark" for this test isn't something to worry about, but it is something to think about. Please read on...
Computer operating systems designed to accommodate multiple users have long depended on the concept of user privilege. Most users are quite limited in what they can do, and are only permitted access to those computing resources they need for particular tasks. Only a very few users are permitted to have complete control over the entire operating system, because such privilege brings with it great responsibility. An administrative user has the power to make or break the entire system.
With the advent of personal computers, the assumption no longer held that computing power was always a scarce and expensive resource that could only be cost-effective if shared by many users. People who gained their first exposure to computers as small, personal desktop machines never learned to think about privileged access - beyond, perhaps, keeping the computer in a locked office.
Windows NT and the other Windows operating systems that it spawned have returned to a multiple-user model, and the concept of privileged access is once again important. An Administrator account on a Windows 2000 or XP computer has complete control over the operating system.
So long as you're careful about what you do, it generally doesn't matter that, as an Administrator, you have sufficient privileges to wreck your computer. The potential for trouble arises when an interloper gains access to your computer through your account - they also assume your administrative privileges, and then have full control over your operating system.
While that interloper could be a person who physically walks up to your computer when you've left your desk without locking your screen, it's much likelier to be a computer virus or other malicious program that uses administrative privileges to wreak havoc on your machine, and spread to other systems.
If you inadvertently open a virus program, for example, while logged in as an Administrator, that virus has a much easier time making trouble for you (and probably others as well). If you're logged in as a non-privileged user, the risk of system compromise is much smaller.
In an ideal world, Windows users would log in as an Administrator only when system-wide privileges were required for a particular task. Unfortunately, as is so often the case, reality is different from theory. You may be using software that requires Administrator privileges to run. Or you may need to install or update software, which requires privileged access. It is a hassle to keep logging in and out with different user accounts, just to perform routine maintenance on your own PC.
Windows 2000 and XP do permit users who are logged in without Administrator privileges to become Administrator temporarily in order to run a specific program. Hold down the shift key while right-clicking an application, select "Run as..." and then supply an Administrator password. But this trick will seem a little complicated to many people.
So consider using an account in the "Power Users" group, rather than "Administrators" group, for your usual activities, if it's possible for you to do so.
For more information, please see the appropriate section of the Windows best-practices document specific to your operating system.
The "Guest" Account
The Windows Guest account is used to provide temporary anonymous access to a computer's resources, typically over a network, and it has limited privileges.
The Guest account in Windows 2000 and XP Professional is disabled by default, because it poses a significant security risk in a networked environment. The Guest account in Windows XP Home Edition cannot be disabled - and this is one of the main reasons XP Home should be avoided.
If you use XP Home, then set a good password for your Guest account. Note, however, that this will break all file sharing. (Again, we strongly discourage using XP Home.)
You'll find instructions for disabling the Guest account in the appropriate Windows best-practices document.
The "Guest" Account Name
The Windows Guest account is used to provide temporary anonymous access to a computer's resources, typically over a network, and it has limited privileges.
The Guest account in Windows 2000 and XP Professional is disabled by default because it poses a significant security risk in a networked environment. Since the account name is always "Guest", it is easy for a hacker to try to gain access to a system by using the name "Guest". To avoid this vulnerability, the guest account should be renamed to something other than "Guest".
The Security Self-Help Tool can rename it for you, setting it to a random name it chooses. Alternatively, you can rename it yourself by going to the Control Panel in Windows, selecting User Accounts and changing the Properties for the Guest Account.
Distributed Component Object Model
The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. Unless you have a specific and understood use for it, it should be disabled. That's because it has little if any use here, it attracts Internet worms, and it permits your PC to be remotely compromised by malicious hackers.
An easy way to turn it off is to click on the DCOM item to mark it (in the All Fixable Problems tab) and then click the Fix Marked Items button.
Is Symantec AntiVirus Installed
One of the most important steps you can take to secure your computer is to install and use a good virus protection program. Stanford has a site-license for one of the better products on the market, Symantec AntiVirus, and you are entitled to install it on all of your computers.
Virus protection software has to be maintained, and requires regular updating. Symantec AntiVirus makes it easy to automate these updates. You should periodically schedule a full virus scan on all of your hard drives.
For more information go to the Essential Stanford Software page, where you can download Symantec AntiVirus and find details on configuring Symantec AntiVirus on Windows.
Is Symantec LiveUpdate Enabled
Symantec AntiVirus has a feature that allows it to automatically download and install new virus definitions as soon as they become available. Since hackers are continually developing new viruses and worms, it is important to keep current with new virus definitions.
You should enable LiveUpdate as soon as possible to automatically download and install new virus definitions as soon as they become available. If Symantec AntiVirus is installed, the easiest way to enable LiveUpdate is to use the Fix Marked Items button in the Test and Repair window of the Security Self-Help Tool. However, it can also be enabled by opening Symantec AntiVirus and selecting LiveUpdate from the File menu.
Internet Explorer Version
Internet Explorer is an integral component of the Windows operating system, and has long been a target for various hacker exploits. Keeping Internet Explorer up-to-date is as important as keeping Windows itself up-to-date, and fortunately you only have to visit one web site to update both of them:
http://windowsupdate.microsoft.com
Be a frequent visitor to the Windows Update site!
Note that on some Windows systems, updates are automated. If your computer tells you a Windows update is available, you should go ahead and install it.
Also note: If you're running Windows on older hardware, with limited memory, it might not be a good idea to upgrade to the latest version of Internet Explorer. Stick with version 5.5, but be sure you've applied all available security patches.
PC-Leland Installation Status
PC-Leland is a Stanford-specific software package that provides secure authentication, for access to university computing resources that are restricted for Stanford affiliates' exclusive use - such as Stanford electronic mail, some electronic journals and databases on the Library's web site, and so forth - as well as the ability to store and share files very easily on the Leland system.
For more information go to the PC-Leland web site. You might also want to consult the appropriate best-practices document.
Install the BigFix Client
BigFix is a patch management system that can run on your PC. Its purpose is to check for and apply patches to the Windows operating system as they are released for Stanford users. BigFix is recommended for all Stanford PCs.
The Security Self-Help Tool can install BigFix for you, as part of the Fix Marked Items process. Look to the BigFix web site for more information on its installation and use.
Advanced Tests
Keep in mind that ITSS cannot provide additional support for handling problems uncovered by these advanced tests. Please do the best you can using the information here, and with any help that Microsoft can provide.
Restrict Anonymous Remote Connections
The "restrict anonymous" registry setting controls whether or not an anonymous user can connect to your PC and get a complete list of all the user accounts that are on it. Once a hacker knows all your user account names, it's that much easier to start trying to break in.
If your PC fails this test, then the "restrict anonymous logon" registry entry is set to "0", which means that a hacker can easily discover the names of all of your user accounts over the network, and attempt to gain entry with a password-guessing utility. You should change this setting to "1"; but to do so, the Windows registry must be edited.
You can set the "restrict anonymous logon" registry entry to "1" manually, or you can have the Self-Help Tool do it by clicking on the "Fix Marked Items" button. For more information, please see the appropriate section of the Windows best-practices document specific to your operating system.
NTFS Drives
This test checks whether or not your hard drive has been formatted with NTFS (New Technology File System, first introduced with Windows NT) instead of FAT (File Allocation Table). NTFS permits you a great deal more control over users' access privileges for specific files and folders.
Anyone with a DOS boot diskette can walk up to a PC formatted with FAT and read everything on the drive that isn't encrypted.
If your PC fails this test, one or more drives, as listed in the message, is not formatted with NTFS.
If you choose to convert a drive from FAT to NTFS, first make a complete back-up of all user data. The following documents may be useful:
How to convert for Windows NT and 2000
How to Convert for Windows XP
File Permissions in Windows XP
Check the XP Firewall
A firewall is a security system that acts as a protective boundary between a network and the outside world. Windows XP includes Internet Connection Firewall (ICF) software you can use to restrict what information is communicated between the Internet and the network.
ICF also protects a single computer connected to the Internet with a cable modem, a DSL modem, or a dial-up modem.
The XP Firewall should be enabled if possible. If your PC failed this test, the firewall is not enabled. This program cannot change this setting; you can change firewall settings in the Windows Control Panel by selecting Network Connections.
Domain Membership
Membership in a centrally managed Windows domain lessens the burden on individual users to maintain their computers' security. Some schools and other groups at Stanford already have well-established domains, and there is an effort underway to provide the advantages of domain membership to a broader segment of the university community.
For more information, go to the Stanford Windows Infrastructure web site.
High Risk Services
If your computer is part of a Windows domain or workgroup, or if you have a local Windows system administrator, you should talk to your support technician before making any changes to your Windows services. Services that are clearly unnecessary or dangerous in some environments might be required in others.
If your PC "fails" this test, it simply means that some high-risk services are enabled (and they are listed in the message pane), and you should consider disabling them with the Self-Help Tool. You can get more information about those services, and, in fact, all the services currently running on your PC, in the Services Test Details window, available from the Services Detail command in the View menu.
If disabling a service causes problems, simply enable it again. For instructions on configuring services, see the appropriate best-practices document.
Auto-Logon
Auto-logon permits a user to log into Windows without manually entering a password. If you always have physical control of your PC, this isn't necessarily a terrible thing; but with auto-logon enabled, anyone with physical access can get right into your Windows account. Worse still, the password for an account with auto-logon enabled may be saved in the Windows registry in an unencrypted form. If the Self-Help Tool finds your password in the registry, it will alert you to this fact, and tell you how to fix the problem.
It's very easy to enable auto-logon in Windows 2000. You can also do it in Windows XP, but you have to work a little harder.
You are strongly encouraged not to use auto-logon. To learn how to disable this feature, see the appropriate best-practices document.
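To see for yourself what the auto-logon test looks for, the following added PowerShell example (not the Self-Help Tool's own code) reports whether auto-logon is on and whether a clear-text password is stored, without ever displaying the password. It assumes the standard Winlogon registry values `AutoAdminLogon`, `DefaultUserName` and `DefaultPassword`, which this page does not name; the function name is hypothetical.

```powershell
# Added example: report auto-logon state without revealing the password.
# Get-AutoLogonStatus is a hypothetical name.
function Get-AutoLogonStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w   = Get-ItemProperty -Path $key -ErrorAction Stop

    # AutoAdminLogon is stored as a string; "1" means auto-logon is on.
    $enabled = ([string]$w.AutoAdminLogon -eq '1')

    # DefaultPassword, when present, holds the password as readable text.
    # Only test for its presence; never echo the value itself.
    $hasPassword = -not [string]::IsNullOrEmpty([string]$w.DefaultPassword)

    New-Object PSObject -Property @{
        AutoLogonEnabled        = $enabled
        DefaultUserName         = [string]$w.DefaultUserName
        PlaintextPasswordStored = $hasPassword
    }
}

$status = Get-AutoLogonStatus
$status | Format-List

if ($status.AutoLogonEnabled) {
    Write-Warning 'Auto-logon is enabled for this PC.'
}
if ($status.PlaintextPasswordStored) {
    # A leftover password can remain even after auto-logon is switched off.
    Write-Warning 'A password is stored unencrypted in the Winlogon key. Disable auto-logon, remove the value, and change that password.'
}
```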
Is Fast User Switching Disabled
Fast User Switching allows you to have more than one user logged on to a computer at the same time with the ability to switch between them quickly.
Although this may be convenient in some cases, it prevents the computer from joining a domain, and is not considered as secure as single-user login.
The Security Self-Help tool cannot disable Fast User Switching for you if you decide you don't want it. Contact your local computer support for assistance if you need it.
Windows Update
The most important thing that you can do to keep your computer safe is to apply Windows security updates as soon as they are available. Windows allows you to set your computer to automatically download and install security patches.
If your PC failed this test, then Windows Update is NOT enabled and active. You should enable Windows Update as soon as possible.
You can have the Security Self-Help Tool enable Windows Update by clicking on the "Fix Marked Items" button.
Internet Information Server Status
Desktop computers should not be running web servers of any sort, IIS or otherwise. Web servers are the most frequently exploited systems on the Internet, and they represent a huge security risk.
If you must use IIS, keeping it secure is a full-time job, requiring constant vigilance - but this is true of any web server.
For more information on IIS, visit the Microsoft IIS Community Center. To learn how to disable services, see the appropriate best-practices document.
Outlook Security Status
Some viruses can infect your system when you read email. This is done by executing an ActiveX control within an email message. Theoretically, it could also exploit bugs in Java.
To prevent such problems with the mail program Outlook or Outlook Express, you should immediately move that program to the Restricted Zone.
You can have the Self-Help Tool set the Outlook or Outlook Express security zone to the Restricted Zone by clicking on the "Fix Marked Items" button.
Registry Settings
If your PC "fails" this test, then one or more registry entries need to be changed, as listed in the message pane in the Test and Repair window. You can have this program make all of the necessary registry changes by clicking on the "Fix Marked Items" button.
For more information, see the appropriate best-practices document.
Office Macro Security
In general, the term macro refers to a small program that automates commonly performed tasks within an operating system or an application. All members of the Office family of products support the use of macros. This allows companies to develop macros that perform as sophisticated productivity tools running within Word, Excel, or other programs.
Like any computer program, though, macros can be misused. Because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has developed a security model that is designed to ensure that macros can only run when the user wants them to.
Set Symantec AntiVirus to Check Daily
LiveUpdate should be configured to check for virus definitions daily during a time when it is likely that the computer is on.
Set Windows Update to Automatically Update
Even though it is a best practices requirement that BigFix be installed for patch management, Windows Update should also be used. Using both methods will not interfere with either, and will provide a backup for both. Windows Update should be configured to automatically download and install critical patches and to check for new patches daily.
Set Windows Update to Check for Daily Updates
Even though it is a best practices requirement that BigFix be installed for patch management, Windows Update should also be used. Using both methods will not interfere with either, and will provide a backup for both. Windows Update should be configured to automatically download and install critical patches, and should be configured to check for new patches daily.
Set Windows Script Security
This setting defines whether trusted and untrusted scripts should be executed when using signature verification. Requiring a signature will cause the system to execute scripts only from verified authors.
This should be set to direct the system to display a warning dialog showing the status of the script. Users will still be able to execute unsigned scripts if they choose to.
Do Not Allow Automatic Completion of Web Forms
The auto-complete feature stores words that you have previously typed into search boxes and forms at web sites, such as search strings, names, email addresses, web site passwords and even credit card numbers.
Auto-complete should not be used for web forms.
Disable Internet Explorer Password Caching
Password caching is the method that Internet Explorer (IE) and Internet applications use to store the user password on the computer so the user does not need to enter the password every time they visit the site. The problem with this approach is that the password is either stored in an unencrypted form or in an encrypted form that is easily decrypted.
Caching IE and Internet passwords should be disabled.
Internet Connection Sharing
Internet connection sharing allows other computers to access the network using your computer as a host. It should never be used on campus because it could allow other individuals to access your personal information (such as your email) without your knowledge.
Internet connection sharing should be turned off if it is on.
Do Not Allow Auto Completion of Passwords
The auto-complete feature stores words that you have previously typed into search boxes and forms at web sites, such as search strings, names, email addresses, web site passwords and even credit card numbers.
Auto-complete should not allow passwords to be saved.
Show All File Extensions
By default, Windows hides the file extensions for known file types. This has been used by viruses to disguise malicious code as documents. For example, the file "read me.txt.exe" would be displayed as "read me.txt" if file extensions for known types are being hidden.
To reduce this danger, the full file name, including the extension, should be shown.
Remove File Extension Visibility Exceptions
By default, Windows hides the file extensions for known file types. This has been used by viruses to disguise malicious code as documents. For example, the file "read me.txt.exe" would be displayed as "read me.txt" if file extensions for known types are being hidden.
To reduce this danger, the full file name, including the extension, should be shown. Even after instructing Windows to show file extensions, some file extensions will remain hidden because specific exclusions have been applied to those files. This will remove those exclusions.
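To review both settings before changing them, the following added PowerShell example (not the Self-Help Tool's own code) reports whether Explorer is hiding known extensions and lists the extensions that stay hidden because of a per-type exclusion. It assumes the standard Explorer value `HideFileExt` and the `NeverShowExt` marker on file classes, neither of which this page names; the function name is hypothetical.

```powershell
# Added example: report hidden-extension settings; nothing is modified.
# Get-HiddenExtensionReport is a hypothetical name.
function Get-HiddenExtensionReport {
    $adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hide = (Get-ItemProperty -Path $adv -Name HideFileExt `
                -ErrorAction SilentlyContinue).HideFileExt
    # Any value other than 0 (including "not set") counts as hidden here.
    $hidingKnownTypes = ($hide -ne 0)

    $root       = [Microsoft.Win32.Registry]::ClassesRoot
    $neverShow  = @{}   # file classes that carry a NeverShowExt value
    $extToClass = @{}   # ".ext" -> file class named in its default value

    foreach ($name in $root.GetSubKeyNames()) {
        try { $sub = $root.OpenSubKey($name) } catch { continue }
        if (-not $sub) { continue }
        # NeverShowExt is usually an empty string, so test for the value
        # name rather than for its data.
        if ($sub.GetValueNames() -contains 'NeverShowExt') {
            $neverShow[$name] = $true
        }
        if ($name.StartsWith('.')) {
            $extToClass[$name] = [string]$sub.GetValue('')
        }
        $sub.Close()
    }

    # Extensions that stay hidden even when "show extensions" is on.
    $stillHidden = $extToClass.Keys | Where-Object {
        $neverShow.ContainsKey($_) -or $neverShow.ContainsKey($extToClass[$_])
    } | Sort-Object

    New-Object PSObject -Property @{
        HidingKnownExtensions = $hidingKnownTypes
        ExcludedClasses       = @($neverShow.Keys | Sort-Object)
        StillHiddenExtensions = @($stillHidden)
    }
}

Get-HiddenExtensionReport | Format-List
```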
Local Tests
If you are a member of a group that has established some tests of its own, they will appear in the Local Tests category. You will need to contact your group's administrator for help with any of those tests.

