Leaving DSL Connection On while not using the Internet?

Discussion in 'Computer Security' started by eli, Jul 26, 2006.

  1. eli

    eli Guest

    Hello:

    I recently switched from dialup to DSL.

    I use a Linksys BEFSR41 Cable/DSL router. I run the Zone Alarm Firewall on
    my PC as well. The Zone Alarm Firewall is part of a Zone Alarm Security
    Suite which has an antivirus as well.

    Is it advisable, for security reasons, to disable the DSL LAN Connection when
    I'm not using the PC?

    Is it safe to remain continuously online given this arrangement, or might it
    be advisable to disable the connection to the internet while not in use? I
    find it easier to simply keep the connection on, but wondering if this
    significantly increases risk of exploits, viruses, hacking, etc.

    Thanks in advance:

    Eli

    Windows XP Professional Edition
     
    eli, Jul 26, 2006
    #1

  2. Malke Guest

    You're fine. Leave it on.

    Malke
     
    Malke, Jul 26, 2006
    #2

  3. In a default state the internet router will block traffic that is not in
    response to what was initiated by your computer known to you or not as in
    malware/spyware. Leave it on [I do] and be sure to follow other best
    practices for security such as those shown in the link below and be sure to
    try and not be logged on as an administrator account when browsing the
    internet, using chat programs, or reading email.

    Steve

    http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
     
    Steven L Umbach, Jul 26, 2006
    #3
  4. eli

    eli Guest

    Thank you, Malke and Steven.

    Steven wrote:

    "....and be sure to
    I'm actually logged in under a user account with a user name which is
    listed as "Computer Administrator" in the Control Panel-->User Accounts.
    Not sure if this is what you're cautioning about and why. Would you
    recommend I set up another account to use for logging on? Would I be able to
    give such a new account administrative privileges so that I could schedule
    tasks, etc.?

    Thanks in advance:

    -Eli

    *********************************************************************

     
    eli, Jul 26, 2006
    #4
  5.  
    aladyiis4u, Jul 26, 2006
    #5
  6.  
    aladyiis4u, Jul 26, 2006
    #6
  7. I would strongly recommend that you logon with an account that is not in the
    local administrators group for internet activity including opening email and
    using chat programs and you can create an account as administrator and name
    it what you want but be sure to give it and the built in administrator
    account strong passwords and write at least the built in administrator
    account password down in a couple safe places. One reason why is that when
    you run as an administrator any file that you execute will have
    administrator access to your computer which means anywhere. This makes it
    easy for your computer to become infested with malware and spyware which
    often require administrator access to install themselves. Use your
    administrator account only when you need to such as for installing
    software, managing users and groups, and configuring the operating system.
    You can configure Windows Updates for "automatic" which will not require
    administrator use to install critical security updates or logon as an
    administrator for the sole purpose of going to Windows Updates to check for
    and install updates and then logon with your regular account when done which
    usually requires a reboot anyhow after installing updates.

    Steve


     
    Steven L Umbach, Jul 26, 2006
    #7
  8. eli

    eli Guest

    Thanks for the advice, Steven.

    I tried setting up another user account with limited authorizations, as you
    had recommended. However, I found that I needed to reconfigure the entire
    desktop, browser, etc. I also found that I would have needed to download and
    install some needed browser toolbars, which might be a bit tricky using the
    non-administrative account...etc... So I deleted that new user account.

    Since I'm the only user of this particular PC, I was hoping there was some
    direct way of simply carrying over the desktop and browser configurations of
    the Administrative Account into a newly created limited user account.

    Any ideas as to how to do this?


    TIA
    -Eli
    **********************************

     
    eli, Jul 26, 2006
    #8
  9. Basically, a router is MUCH more secure than a USB modem. It is often best to
    leave the router on, it consumes little power and causes no security problem.

    You should also look to getting a more-secure browser such as Firefox, and
    optionally a more-secure email program too.

    Running as a non-Administrator is really only viable in a domain, where
    settings are made for you by the IT guys. You've hit the nail on the head
    when you say the issue here is that you cannot change your security-level
    without losing all your settings.

    (-Well, actually you can if you promote the ordinary user to an Admin, then
    back again when you've finished making changes, but that involves such a
    tortuous rigmarole that no sane person would contemplate it.)

    Linux, OTOH, will allow you to perform most tasks as a non-root user, and to
    switch to being root on-the-fly if needed. Hence most Linux users work as
    non-root.
     
    Ian, Jul 26, 2006
    #9
  10. eli

    eli Guest

    Thanks Ian:

    So, there isn't a way I can simply create a duplicate, limited user with the
    same desktop and browser settings?

    And even though the account I'm using is a User account, it runs the same
    risk since that user is an administrator?

    It was rather complicated configuring the current desktop since I use a
    Language Toolbar allowing it to toggle several languages with different
    alphabets. I can't even remember exactly how I did it in the first place.

    I do notice that when I right click on a program icon, I get the option:
    "Run As". Next to the option "Current user..." is my user name and
    below it is a checked-in box which reads: "Protect my computer and data from
    unauthorized program activity". Does this option by any chance mitigate or
    protect against the risk spoken of in this thread about running the PC as a
    user with administrative privileges?


    TIA:

    Eli

    Windows XP Professional Edition SP2

    **************************************************

    Ian wrote:

    "Running as a non-Administrator is really only viable in a domain, where
    settings are made for you by the IT guys. You've hit the nail on the head
    when you say the issue here is that you cannot change your security-level
    without losing all your settings."


    **************************************************
     
    eli, Jul 26, 2006
    #10
  11. What you could try is the File and Settings Transfer Wizard. Go to all
    programs/accessories/system tools/File and Settings Transfer Wizard. I
    believe you can backup your settings to a file on your hard drive and then
    use the Wizard again to import into the new user profile. Another
    possibility is if your current user account is not the built in
    administrator account is to create another user account for administrator
    activities and then remove your current user account from the local
    administrators group which you could always put back in it if you need or
    want to. The link below explains in more detail.

    Another possibility for an advanced user is to leave your regular user
    account as a local administrator and then restrict it. That is what I do. I
    use Software Restriction Policies and create a path rule to c:\documents and
    settings\ with a disallow action and then change enforcement to be all
    users. Then I add my user account to the \windows and \windows\system32
    folders with deny "special" permissions for write and delete. This allows me
    to do most of what I want and greatly reduces the threat of malware and
    spyware for my computer. Then when I need full access I logon as my full
    administrator account, change the enforcement rule in SRP to be only non
    administrators, and run the command gpupdate /force. When done I change SRP
    enforcement back to all users and run gpupdate /force again and logon as my
    other restricted administrator account.

    Steve

    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/mgrtfset.mspx

     
    Steven L Umbach, Jul 27, 2006
    #11
  12. Well, I will chime in a little counter-current on this.

    There are times that less is more, and this is one of them.

    If the DSL device is off then there is no chance of invasion or
    leakage of information - while it is off. That is more secure
    (than if it is on, during which those things _might_ happen).

    Whether it really is better however depends on how well
    patched and how well configured the system is. If in fact
    it is such that nothing can happen then it is immaterial whether
    the DSL device is on or off, right? If one is in the practice of
    only having the device on while in use, then would one become
    more lax and inattentive about how well the system is patched
    and configured? If the system were compromised would it really
    matter whether things happened now, or later when the DSL
    device was repowered?

    There seem to be a lot of "if"s.
    There seems to be one thing that is not an "if".
    Namely, when the device is off there is no risk of penetration
    or info leakage, at least during that time.
     
    Roger Abell [MVP], Jul 28, 2006
    #12
  13. Steve gave you some good ideas in his reply to this, and I'd like to point
    out one as well. I'm going on the assumption that you're having issues with
    downloading and installing browser toolbars and other programs. Simply save
    the installers to your hard drive, then Right click on their names in
    Windows Explorer (My Computer) and select "Run As..." Put in your Computer
    Administrator username and password. Then it will run as that account and
    install for you. (You may have to hold the shift key down while you Right
    click to see the Run As... Option).

    If that doesn't work, then I would follow Steve's suggestion about creating
    a new account and putting it as Computer Administrator. Then, change your
    current account to a Limited User. When you need to install something, you
    simply use the Run As... option and put that other account in. (Or Log in as
    that account, if necessary).

    HTH.



    --
    Patrick Dickey.

    smile... someone out there cares deeply for you.
    http://www.microsoft.com/protect
    http://update.microsoft.com
    http://www.pats-computer-solutions.com
     
    Patrick Dickey, Jul 28, 2006
    #13
  14. Don Taylor Guest

    That is certainly true.

    Two more small contributions.

    The Linksys BEFSR41 doesn't really really REALLY have a firewall,
    if you think a firewall provides a long list of services, both
    incoming and outgoing, that you are likely to never use but that
    might be hijacked by some netscum, and that you can switch off
    and it will then block these services forever.

    The BEFSR41 has NAT and State. That tries to hide your ip
    address and tries to block unsolicited packets from the net.

    BUT if you ever were to somehow get infected the BEFSR41 will
    happily spew your bot controlled packets at the world using
    any service it cares to and never even squeak.

    And State only says that "well this is a packet returned for
    something you sent out, so that is just fine" and accepts
    literally anything back that matches the state. That doesn't
    necessarily mean it is going to start executing arbitrary
    code, but anything embedded in a web page you happen to click
    on is going to happily be accepted back. That means all sorts
    of scripting and anything else will happily be let through the door.

    (Someone told me recently that in one of the BEFSR models Linksys
    had actually dropped even part of what they had had for this,
    but I have not confirmed this)

    Now, back to the "well OFF is certainly hard to get through",
    I think I saw Radio Shack selling a little box cheaply recently.
    It has two network cable connectors on it and something like
    your kitchen timer knob on it. You crank it up to an hour,
    the switch is closed and the input connector hooks to the output
    connector until the timer runs out. Then it just disconnects
    the two cables. That's almost the "big red switch" for the
    network cable that I kept asking vendors for.

    I suppose it all comes down to "do you want the net vandals to
    be jiggling your doorknob all night long, trying to get in, and
    you don't even know it? Or not?"

    There have been repeated articles about the big dsl providers
    having basically no security, having more than a million bot
    controlled customers out there spewing, and doing nothing about
    it. I've been reporting pump-n-dump stock bot spew for months,
    almost 500 this month thus far. There is no sign any of the
    big providers really do anything more than throw away the reports.

    Qwest's ActionTec dsl modem has a firewall built in. That's good.
    Unfortunately it either ONLY allows you to set a few ports
    on and off and blocks everything else including some essential
    ports OR you have to turn the firewall off completely and let
    your ass hang out there in the wind. Guess which one the
    usual customer and the usual Qwest tech support is going to
    do? And repeated explanations to Qwest about why this was very
    very very bad... resulted in a fancier html graphic setup page
    but zero changes in their firewall options.
    Sigh.
     
    Don Taylor, Jul 28, 2006
    #14
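
The NAT-plus-state behaviour described in post #14, as an added example that is not part of the original thread and is not the BEFSR41's firmware: a minimal connection-tracking model run over three constructed packets. It assumes replies are matched on the full remote address and port (address-and-port-dependent filtering in RFC 4787 terms; real devices vary), and every address, port and payload is made up for the illustration.

```python
"""Minimal model of a NAT router that keeps connection state and nothing else.

Added illustration, not Linksys firmware. Addresses, ports and packets are
constructed (public side uses RFC 5737 documentation ranges).
"""
from dataclasses import dataclass

WAN_IP = "203.0.113.10"  # constructed public address of the router
PC = "192.168.1.100"     # constructed LAN address of the PC


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class StatefulNat:
    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out_map = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.in_map = {}   # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> WAN: every flow is translated and sent; no service is filtered."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.wan_ip, self.out_map[key], pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        """WAN -> LAN: forwarded only if it matches state; payload is never read."""
        host = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if host is None:
            return None  # unsolicited: dropped
        return Packet(pkt.src, pkt.sport, host[0], host[1], pkt.payload)


def demo():
    nat = StatefulNat(WAN_IP)
    seen = {}
    # 1. Unsolicited connection attempt from the internet: no state, dropped.
    seen["unsolicited"] = nat.inbound(Packet("198.51.100.7", 51000, WAN_IP, 445))
    # 2. The PC requests a web page; the reply matches state and is delivered
    #    whatever it contains (the router does not look at the content).
    req = nat.outbound(Packet(PC, 1025, "192.0.2.80", 80, "GET /"))
    reply = Packet("192.0.2.80", 80, WAN_IP, req.sport, "<script>anything</script>")
    seen["web_reply"] = nat.inbound(reply)
    # Same server but a source port the PC never contacted: dropped.
    seen["other_port"] = nat.inbound(Packet("192.0.2.80", 8080, WAN_IP, req.sport))
    # 3. Outbound mail traffic the user never asked for leaves unchallenged.
    seen["outbound_smtp"] = nat.outbound(Packet(PC, 1026, "198.51.100.25", 25))
    return seen


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

Only the first and third packets are dropped; the outbound flow on port 25 gets a mapping like any other, which is why egress rules or host-level controls are needed to catch traffic from an infected PC.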
  15. Along those lines what could help is to see if the device has the ability to
    schedule access like many do. Normal people [not me and you] that keep a
    somewhat regular use schedule could configure the device to only allow
    access during that time.

    Steve
     
    Steven L Umbach, Jul 28, 2006
    #15
  16. Just out of curiosity what do you define as a few ports? I'm not trying to
    start a flame war with you by any means. I've got the Qwest ActionTec
    modem and have ports 20-21 directed to one computer, port 80 directed to the
    same computer, and ports 5004 through 65532 directed to the computer where I
    use MSN Messenger. I've also got a setup for ports specific to UltraVNC.
    (Although if I remember correctly, they fall into the ports that are set up
    for MSN Messenger also). You can also configure it in a different menu to
    allow (or block) certain services (which doesn't affect your port
    specifications to my knowledge) although you're limited to one IP address
    for the services (I believe).

    I may have a different model of ActionTec modem than you also, so our
    situations may be different. I will say that it's a million times better
    than the Arescom DSL-800 that I started out with (buggy that it is). I
    upgraded to the modem when my router went south on me, and I couldn't figure
    out how to configure something on the Arescom. And, it's definitely better
    than the Efficients SpeedStream modem that I had with Citlink/Frontier
    (which only allowed you to open a total of 48 ports).

    The end result is everyone is right... In theory, you are safe in leaving
    the DSL Modem on all the time. However, it's only based on the theory that
    you are running a good software firewall on Each of your computers (both
    physical and virtual if you run that) and a good Antivirus/Antispyware on
    each computer. And, also based on the theory that you keep everything
    patched and updated. This is irregardless of whether you decide to run
    Windows, Mac, or Linux/Unix/BSD. No matter what, you need to make sure any
    updates are applied when they are released.

    HTH



    --
    Patrick Dickey.

     
    Patrick Dickey, Jul 29, 2006
    #16
  17. Don Taylor Guest

    In the ActionTec WG701 I think it is, I believe that is the
    current "standard" for Qwest DSL now. If you go into their
    advanced setup menus and look at all the details IF you turn
    on their firewall there are about 9 ports in their list, I
    can't reach into that at the moment to count them. IF you
    read their docs then ALL other ports than those 9 are blocked
    IF you turn on their firewall no matter how you set any of
    those 9. But their docs make this anything but obvious to me.
    Fine, fine, that's good for everyone.
    Which model? Do you have their firewall enabled or not?
    80 is certainly one in their list of 9, I don't recall whether 20,21 are.
    And there is nothing in their list about letting you choose high numbered
    ports. So if you have the WG701 then I'm guessing you don't have their
    firewall enabled or you have found something that I've never been able to
    find.
    This is sounding more and more like what you are using ports for
    and not like this has anything to do with config or firewall
    inside the ActionTec, True?
    The advanced setup for firewall lets you set it to off/low/med/high
    and under that has the list of about 9 services/ports that you can
    manually set both for incoming and for outgoing, the off/low/med/high
    really just sets each of the 9 pairs but you are free to manually
    change any one of those afterwards.

    Examples of failures with the ActionTec firewall turned on in any config:
    Tivo cannot connect through the ActionTec, it fails because
    the time service is blocked.
    AOL cannot connect through the ActionTec, some unknown port
    is blocked and the AOL software, never figured out which one.
    Trying to download drivers from www.hp.com fails and I would
    love to know exactly how to diagnose why that fails.
    All those work just fine with only turning off the ActionTec firewall
    and again fail if you turn it back on.
    I certainly wouldn't want to get into a competition for what is the
    worst product. I was only trying to get them to fix their firewall
    so that every customer would more likely have it turned on and stop
    a little more net vandalism.

    But if you can explain to me how much of what I think I have learned
    about the WG701 is all wrong and how to fix it I'd be very appreciative.
    In theory, nobody is infected, there are no net criminals, there are
    no firmware bugs, oh what a world that would be, and it isn't.

    In practice there are millions of bot-controlled dsl customers out
    there spewing net crime at 1.5 megabits a second around the clock,
    and they don't even know it, I report fifteen of those a day now
    and that is just what gets past the spam filters, I'd guess there
    is ten or a hundred times that many bouncing off the filters.

    I have a Linksys BEFSR41 between the ActionTec and the machines,
    to provide more ports and hopefully a little more protection BUT
    that doesn't REALLY have a firewall. And I've got software
    firewalls and antivirus and antispyware, but the first thing an
    infection is going to do is to turn all those off. What I'd
    REALLY like to find is a seriously fascist hardware firewall that
    won't ever let any net crap get past it, in or out. But I haven't
    found a plausibly priced one of those and I'm not to the point where
    I want to learn how to get OpenBSD running to act as a firewall for me.
     
    Don Taylor, Jul 29, 2006
    #17
  18. I removed the rest of the post because after reading this part, I realized
    that I can answer it all here. I've got the same Model (the WG701) and have
    the firewall enabled. The other ports that I have "open" are actually in
    the Port Forwarding section of the Advanced Setup. You can actually set it
    up to forward ports or port ranges by TCP/UDP/ or one other method (which
    I'm not at all familiar with) to one specific IP. As for Ports 20/21, if it
    has "FTP" in the list in the firewall, that would be these two ports.

    Under "Services Blocking", you can specify which services (eg ports) will be
    blocked and you can set it to allow NetMeeting. I've got "Firewall" set to
    "Basic". I haven't ventured to set it to anything higher, because with a
    software-based firewall, I don't really worry about it. So, there may be
    different options when you select a higher setting.

    HTH.



    --
    Patrick Dickey.

     
    Patrick Dickey, Jul 29, 2006
    #18