
Essential Computer Security, part 7 (ppt)


Defragmenting your data will not make it more secure, but it will improve performance and increase the speed of your computer. Slow computer performance is one of the primary indicators of malware infection or computer compromise, so anything that helps keep your hard drive humming along is a good thing and keeps you from being overly paranoid about security.

Disk cleanup may not seem like it has anything to do with security either. However, this general PC maintenance task can help protect your computer system and your personal information. Part of the process of performing Disk Cleanup on a Microsoft Windows XP system is to clean out temporary files and Internet cache files and other data remnants that might be lurking on your computer harboring sensitive or confidential information that an attacker could potentially gain access to.

Disk Cleanup

As you use your computer each day, there are a variety of files that get used or written to your computer that can contain sensitive information. Most of these files are not meant to be kept long term. In fact, they can’t even be viewed or accessed like normal files. But, the information is still there and a knowledgeable attacker may be able to locate it and decipher the contents to learn valuable information about you or your computer system.

Files like the temporary Internet files or the temporary files within Windows are two common areas where sensitive information might be lingering. The Recycle Bin may also hold data that you thought you had gotten rid of, but is still hanging around on your hard drive.

To clear out this data and keep your hard drive uncluttered by useless, unnecessary, and possibly damaging data, you should perform Disk Cleanup once a week. To begin Disk Cleanup, click Start | All Programs | Accessories | System Tools | Disk Cleanup. You will see a window like the one in Figure 10.1. When you first start Disk Cleanup, you must choose the drive you want to clean.
www.syngress.com Keeping Things Secure • Chapter 10 155 413_Sec101_10.qxd 10/9/06 5:02 PM Page 155

Figure 10.1 Selecting the Drive You Want to Clean

Disk Cleanup works only on hard drives, and it only cleans up one drive at a time. If you have more than one hard drive, or your hard drive is partitioned into multiple drives, you will have to run Disk Cleanup separately for each drive that you want to clean.

After you select the drive you want to clean and click OK, Windows will analyze the drive. This can take a minute as Windows checks all the files on the drive to determine which ones should be compressed or deleted. While it is thinking, you will see a window with a progress bar so you can see that things are moving along.

After the analysis is completed, Disk Cleanup will display the results and let you know how much space you can potentially free up on your hard drive by completing Disk Cleanup. The display (see Figure 10.2) begins with a statement about the total disk space that can be freed up and lists the different types or areas of data that can be removed along with the total space that you can potentially free up by removing them.

Figure 10.2 Results of Analysis with Disk Cleanup

Check or uncheck the different boxes to choose which data you want to get rid of and which you want to hang on to. You can click on each one to view a short description of it to help you determine what you want to do. After you finish selecting, click OK to begin the Disk Cleanup process. This can take some time, particularly if you have selected to compress old files.

Erase the PageFile

Windows uses part of your hard drive space as “virtual memory.” It loads what it needs to load into the much faster RAM (random access memory), but creates a swap, or page, file on the hard drive that it uses to swap data in and out of RAM.
The pagefile is typically on the root of your C: drive and is called pagefile.sys. Pagefile.sys is a hidden system file, so you won’t see it unless you have changed your file viewing settings to show hidden and system files.

Virtual memory enables Windows to open more windows and run more programs simultaneously while keeping only the one being actively used in RAM. The pagefile can be a security risk as well, though. The issue is the fact that information remains in the pagefile even after the program or window is shut down. As you use different programs and perform different functions on your computer, the pagefile may end up containing all sorts of potentially sensitive or confidential information for an attacker to discover.

To reduce the risk presented by storing information in the pagefile, you can configure Windows XP to erase the pagefile each time you shut down Windows.

Click Start | Control Panel. From the Control Panel, select Administrative Tools | Local Security Policy to open the Local Security Settings window (see Figure 10.3). The Local Security Settings window enables you to customize the local security policy settings, including clearing the pagefile on system shutdown. Double-click Shutdown: Clear Virtual Memory Pagefile, and then select the Enabled radio button. Click OK and close the Local Security Settings window. From now on, when you shut down Windows, the pagefile will automatically be cleared as well.

Figure 10.3 The Local Security Settings Window

Disk Defragmenter

When you first write a file to your hard drive, your computer does its best to keep all the data together on the disk. However, as data is read, deleted, rewritten, copied, and moved, a single file may end up scattered across the entire drive with a few kilobytes of data here and a sector or two there.
This file fragmentation can degrade performance and reduce the overall longevity of the hard drive. When you access a fragmented file, the hard drive has to work double-time to bounce all over the place and put the pieces of data back together instead of just reading the data in order in one place. To cure this, you should periodically defragment your hard drive.

The Windows Disk Defragmenter utility can be found in System Tools. Click Start | All Programs | Accessories | System Tools | Disk Defragmenter (see Figure 10.4).

At the top of the Disk Defragmenter console is a list of the drives available for defragmentation. Initially, you have only two choices for what to do with those drives. After you select a drive, you can simply dive right in and start defragmenting by clicking Defragment, or you can click Analyze to have Disk Defragmenter take a look and let you know just how fragmented your disk is. The Windows Disk Defragmenter uses a color-coded representation to illustrate how fragmented the selected drive is.

Figure 10.4 The Windows Disk Defragmenter Utility

If you do select Analyze, the Disk Defragmenter will take a look and let you know if it is worth your while to defragment the drive at this time. Before you actually start a defragmentation, you should be aware that the process takes a toll on system resources. You can still use your computer, but the drive will be chugging away as fast as it can, moving and juggling pieces of files to get them back in order on the drive. You will probably notice that your computer is much slower and less responsive while it is in the process of defragmenting. It is best to start the defragmenting utility when you are done using the computer for the day or stepping away for a lunch break or something.
Scheduled Tasks

If you leave your computer on overnight, it may be best to simply create a Scheduled Task in Windows to run the Disk Defragmenter automatically while you sleep. Using a Scheduled Task will not only execute the defragmenting when you aren’t busy using the computer but also ensure that your hard drive is defragmented on a regular basis without you having to manually initiate it.

To create a scheduled task, click Start | All Programs | Accessories | System Tools | Scheduled Tasks. In the Scheduled Tasks console, click Add Scheduled Task. You can then follow the wizard to create your task (see Figure 10.5). The wizard displays a list of programs to choose from, but you can also browse and select virtually any executable to use for your scheduled task.

Disk Defragmenter does not typically show up on the list of programs to choose from in the wizard. You will need to click the Browse button and find the file manually. The file is called defrag.exe and is located in the System32 directory under Windows on your hard drive.

After you select the file to execute, you can provide a name for your scheduled task and choose the frequency for performing it. I recommend that you schedule Disk Defragmenter to run at least monthly, or possibly even weekly. You will need to supply a username and password for an account that has permission to run Disk Defragmenter.

Figure 10.5 The Add Scheduled Task Wizard

If you click Finish on the final screen of the wizard, the Disk Defragmenter utility will run at the scheduled time, but it will just open the utility rather than actually initiating drive defragmentation. You must specify the drive you want to defragment in the command line for the scheduled task. If you have multiple drives or partitions, you will need to create a separate scheduled task to defragment each one.
On the final screen, make sure you check the box next to Open advanced properties for this task when I click Finish, then click Finish. In the Run field of the Advanced Settings, type a space at the end of the command and then add the drive letter you wish to defragment, such as C: (see Figure 10.6). Click OK to close Advanced Settings and you are done creating the Scheduled Task to defragment your drive(s).

Figure 10.6 The Run Field of Advanced Settings

Patches and Updates

When it comes to keeping your computer secure, keeping it patched and updated is arguably the most important thing you can do. Antivirus, anti-spyware, and personal firewall software all contribute to the security of your computer system, but malware and exploits typically take advantage of known vulnerabilities. If your computer was patched so that the vulnerabilities no longer exist, the malware would not be able to function in most cases.

Microsoft provides a number of ways for you to stay informed about the latest vulnerabilities and patches so that you can protect your computer:

■ Automatic Updates: Windows has a feature called Automatic Updates which, as its name implies, automatically checks for new patches that affect the security of your computer system. You can configure Automatic Updates to download and install new updates, to just download them but leave the installation to you, or to simply notify you when new updates are available.

■ Windows Update Site: Automatic Updates only works for critical patches or updates that affect security. For patches that affect simple functionality, or updates to device drivers and such, you have to periodically visit the Windows Update site. Click Start | All Programs | Windows Update.
Follow the prompts on the site to let Windows Update scan your system and identify the patches or updates that affect your computer. You can choose whether to use Express, and let Windows Update patch your system automatically, or use Custom, which lets you pick and choose which patches you want to apply.

■ Microsoft Security Bulletins: The second Tuesday of each month is Microsoft’s “Patch Tuesday.” This is the day they release all their Security Bulletins, and related patches, for the month. On rare occasions, if a new vulnerability is discovered and actively being exploited in the wild, Microsoft will release a Security Bulletin out of cycle. But, to stay informed you should mark your calendar or subscribe to receive the notifications from Microsoft when new Security Bulletins are released. Microsoft offers a Microsoft Security Newsletter for Home Users (www.microsoft.com/athome/security/secnews/default.mspx), or you can stay informed using Really Simple Syndication by adding the Security At Home RSS Feed (www.microsoft.com/athome/security/rss/rssfeed.aspx) to your RSS reader.

■ Updating Other Applications: There are far too many vendors and applications for us to cover them all. Many vendors have built-in methods to automatically check for current updates. Where possible, I recommend that you use these features. You can also sign up with vendors to receive notices or alerts when patches or updates are available. You can also use security sites such as Secunia (http://secunia.com) to stay informed of vulnerabilities that affect your operating system or applications.

For more in-depth information, see Chapter 4, “Patching.”

Windows XP Security Center

The Windows XP Security Center provides a sort of one-stop shopping information dashboard for the security status of your computer.
Using a standard Green/Yellow/Red system, you can tell at a glance if your personal firewall, automatic updates, and antivirus software are up-to-date (see Figure 10.7). To get more information on the status of your computer, click the options in the Windows XP Center.

The Security Center recognizes most personal firewall and antivirus applications, so status will still be reported as Green as long as you have something installed. The Security Center will report status as Yellow or Red on your antivirus software, though, if the software has not been updated recently.

When the Windows XP Security Center detects an issue that affects the security of your computer, it will also notify you with a pop-up alert from the systray at the lower-right corner of your screen. If your personal firewall or antivirus software is not green, you should check the software to make sure it is running properly and has current information for detecting the latest threats from the vendor.

You can use the links on the left of the screen to access more security information and resources from Microsoft. There is a link to get the latest virus and security information and also a link to access the Windows Update site to get the latest patches and updates for your computer.

Figure 10.7 Options in the Windows XP Security Center

Summary

Installing security software and configuring your computer to be more secure are both valuable accomplishments. However, security is a process, not an event, and it requires ongoing awareness and maintenance to keep your computer secure.

In this chapter you learned about some basic computer maintenance tasks such as Disk Cleanup and Disk Defragmenter and how to erase your pagefile.
Some of these tasks are not directly related to security, but they do keep your system running smoothly, which stops you from falsely believing your computer has been infected by malware.

We also talked about ensuring that you keep your computer patched and updated. This applies not only to the operating system, but also to the other applications that you use. You learned that most malware and other malicious attacks use exploits of known vulnerabilities and that by patching your computer you can protect it from those attacks.

Lastly, we had a short overview of the Windows XP Security Center. We discussed how the Security Center is a dashboard for monitoring the current state of security on your computer and that it provides useful information and links to resources that you can use to keep your system secure.

Additional Resources

The following resources provide more information on how to keep your computer secure:

■ Bradley, Tony. Automatically Erase Your Page File. About.com (http://netsecurity.about.com/od/windowsxp/qt/aa071004.htm).
■ Description of the Disk Cleanup Tool in Windows XP. Microsoft.com (http://support.microsoft.com/kb/310312/).
■ How to Defragment Your Disk Drive Volumes in Windows XP. Microsoft.com (http://support.microsoft.com/kb/314848/).
■ How to Schedule Tasks in Windows XP. Microsoft.com (http://support.microsoft.com/?kbid=308569).
■ Manage Your Computer’s Security Settings in One Place. Microsoft.com. August 4, 2004 (www.microsoft.com/windowsxp/using/security/internet/sp2_wscintro.mspx).

[...]
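The Local Security Policy setting from the Erase the PageFile section can also be checked and set from a script. The following PowerShell is an added example, not code from the book; it assumes PowerShell is available on the machine, the function names are hypothetical, and it relies on the policy being stored as the ClearPageFileAtShutdown registry value.

```powershell
# Added example (not from the book): audit and optionally enable the
# "Shutdown: Clear virtual memory pagefile" policy from a script.
# Usage: .\pagefile-policy.ps1            (report only)
#        .\pagefile-policy.ps1 -Enforce   (enable if not already enabled)
param([switch]$Enforce)

# Registry location behind the Local Security Policy setting.
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ValueName  = 'ClearPageFileAtShutdown'

function Get-ClearPagefileState {
    # 'Enabled' (1), 'Disabled' (0), or 'NotConfigured' when the value is
    # absent, which Windows treats the same as disabled.
    $item = Get-ItemProperty -Path $MemMgmtKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-PagefileLocation {
    # PagingFiles is a multi-string with entries such as "C:\pagefile.sys 0 0";
    # strip the trailing size fields and return only the paths.
    $item = Get-ItemProperty -Path $MemMgmtKey -Name 'PagingFiles' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    @($item.PagingFiles | Where-Object { $_ } |
        ForEach-Object { $_ -replace '\s+\d+\s+\d+$', '' })
}

function Test-IsAdministrator {
    # Writing under HKLM requires an elevated (administrator) session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Enable-ClearPagefileAtShutdown {
    if (-not (Test-IsAdministrator)) {
        throw 'Run this script from an elevated PowerShell session.'
    }
    Set-ItemProperty -Path $MemMgmtKey -Name $ValueName -Value 1 -Type DWord
}

$state = Get-ClearPagefileState
'Pagefile location(s): {0}' -f ((Get-PagefileLocation) -join ', ')
"Clear pagefile at shutdown: $state"

if ($Enforce -and $state -ne 'Enabled') {
    Enable-ClearPagefileAtShutdown
    "Now: $(Get-ClearPagefileState) (applies from the next orderly shutdown)"
}
```

The pagefile is wiped only during an orderly shutdown, so a crash or power loss leaves its contents on disk, and shutdown takes longer with the setting on. On a domain-joined machine, Group Policy can overwrite a locally set value.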
Tools | Local Security Policy. In the left pane of the Local Security Settings console, click the plus sign (+) next to Local Policies, then click Audit Policy (see Figure 11.2). The Local Security Settings Console allows you to specify various security policy options, including which security events...

www.syngress.com 168 Chapter 11 • When Disaster Strikes 413_Sec101_11.qxd 10/9/06 4:17 PM Page 168

change is causing the problem and get back to using the computer

Figure 11.7 The Built-in Backup Utility in Windows XP

For businesses however, there may be other legal implications involved. Businesses may be governed by a variety of computer security regulatory requirements, which dictate how customer...

the Security events shown in Table 11.1

Table 11.1 Security Events
Audit Policy Audit Audit Audit Audit Audit Audit Audit Audit Audit account logon events account management directory service access logon events object access policy change privilege use process tracking system events No Auditing Success Failure X X X X X X X X X X X

...
& Traps…

Security Event Log in Windows XP Home

Unlike Windows XP Professional, Windows XP Home does not let you configure what events to monitor for the Security Event logs. Windows XP Home does audit and log security events, and you can view them in the Event Viewer just as in Windows XP Professional. You just can’t customize which events to monitor and log.

Enable Security Auditing

To enable Security...

even with the best of security, it is entirely possible that your computer may someday become infected or compromised by malware or an attack of some sort. This chapter walked you through some of the steps you can take to identify and remove any threats from your computer when an attack or security breach occurs. You learned how to configure and use the Windows Event Viewer to review Security logs and how...

(http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;309340)
■ To Start the Computer in Safe Mode. Microsoft’s Windows XP Professional Product Documentation (www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true)
■ WinBackup. Uniblue Systems Ltd (www.liutilities.com/products/winbackup/)

Chapter 12 Microsoft...

your computer became infected or compromised

Scan Your Computer

Scanning through firewall logs or reviewing entries in the Windows Event Viewer may both be too technical for an average user. If analyzing log data seems more involved or complex than you would like, you probably should start by scanning your system using your antivirus and/or antispyware software

...
particularly when it comes to events in the Security category, is that Windows will capture log data only for the events it is configured to monitor. By default, none of the security event auditing is enabled in Windows XP Professional, but Windows XP Professional provides control over how event logging is done

Figure...

System Restore Console

If you click Restore my computer to an earlier time and then click Next, the System Restore utility will display a calendar. The days that have system restore points saved will be bold. You can click a date, then select the system restore point you want to use and click Next

The final ...

Date posted: 14/08/2014, 18:20
