“Hardening” your computer’s operating system makes it more resistant to viruses and attackers.
Sound like a good thing? Read on to learn how to do it!
Close all the windows; lock all the doors
First, a little explanation: Your computer talks to the rest of the world through “ports.” You can think of ports as doors and windows in your computer’s house. Open a window and talk to the neighbor. Open a door and move things in and out of the house.
Each port is useful and allows you to do things with your computer that you couldn’t otherwise do. Surf the web? Check. Email? Yup. That sweet new video game? Uh huh.
While ports are good, each one is also a potential weakness in your system. Attackers (be they people or programs) regularly scan your computers to see what ports are open. It’s the digital equivalent of a burglar walking through a neighborhood checking doors and windows to see if they’re open or unlocked.
We want to make sure our computer only has ports open that we’re using.
Just like how your computer has lots of ports open to talk to the world, it also has a lot of “processes” and “services” running to do all the stuff it does.
Think of each process or service as a tiny program that does one specific thing in your computer.
Just like with ports, processes and services are a double-edged sword. They provide functionality to your computer, but they also are potential weaknesses in your armor.
Make like a hacker
How do you figure out what ports, services, and processes are running on your computers? Well, put on your hacker hat for a couple minutes and learn to scan your machines:
- The easy way – Use Nessus. It’s a commercial product (with a limited free version) that is specifically designed to scan your network and return all kinds of information about each computer it finds. It’s a powerful product and is capable of both giving you deep insight into the state of your computers and burying you in data.
- The free way – Use the command line and/or a script. For instance,
netstat -naob > C:\baseline\openports.txt
will create a list of all the open ports on your computer, the remote machine (if any) the ports are connected to, and the process or service that owns the port. In this case, the list will be in a text document called “openports.txt” created on your “C:\” drive, in a folder called “baseline.” Run the command from an administrator Command Prompt, because the “b” option (which names the owning program) requires it, and make sure the “baseline” folder already exists. You can do a similar thing to get a list of processes:
wmic process list > C:\baseline\process.txt
OK, so now what?
Now that you have a list of open ports and running processes and services, it’s time for some old-fashioned Google-fu. See a port that you don’t recognize? Google it. Read a description of what that port generally does, and see if it makes sense for your computer to have that port open. For instance, if you see Port 25 (TCP) open and listening, you need to ask yourself, “Am I intentionally running a mail server on this machine?”
When you find a port or service that you don’t need open or running, you need to shut it down. Services are generally controlled either by installed software or via system settings. Google is going to be your friend here again. Ports are generally controlled by services, so stopping or removing a service will usually close the associated port. You can also use the computer’s firewall to actively block the port.
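One way to script the review described above: list every listening port with the process and Windows services behind it, then compare the result against a saved baseline so newly opened ports stand out. This is an added example, not part of the original article; it uses PowerShell’s built-in networking cmdlets instead of netstat, and the file name “listening-ports.csv” and the variable names are assumptions.

```powershell
# Added example (not from the article). Needs Windows 8 / Server 2012 or later;
# run from an elevated PowerShell prompt so every owning process resolves.
$baselineDir  = 'C:\baseline'                                 # folder used in the article
$baselineFile = Join-Path $baselineDir 'listening-ports.csv'  # hypothetical file name
New-Item -ItemType Directory -Path $baselineDir -Force | Out-Null

# TCP listeners and bound UDP endpoints, each with the PID that owns it.
$endpoints = @(
    Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
)

# Running services, so a port owned by svchost.exe can be tied to a service name.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

$current = $endpoints | ForEach-Object {
    $owner = $_.OwningProcess
    $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto    = $_.Proto
        Address  = $_.LocalAddress
        Port     = $_.LocalPort
        Process  = $proc.ProcessName
        Services = ($services | Where-Object { $_.ProcessId -eq $owner }).Name -join ','
    }
} | Sort-Object Proto, Port, Address |
    ConvertTo-Csv -NoTypeInformation | ConvertFrom-Csv   # same string types as the saved file

if (Test-Path $baselineFile) {
    # Compare on protocol, address, port and process; PIDs change across reboots.
    $diff = Compare-Object (Import-Csv $baselineFile) $current `
        -Property Proto, Address, Port, Process -PassThru
    Write-Host 'Open now but not in the baseline (look these up first):'
    $diff | Where-Object SideIndicator -eq '=>' | Format-Table Proto, Address, Port, Process, Services
    Write-Host 'In the baseline but no longer open:'
    $diff | Where-Object SideIndicator -eq '<=' | Format-Table Proto, Address, Port, Process, Services
} else {
    $current | Export-Csv $baselineFile -NoTypeInformation
    Write-Host "Baseline saved to $baselineFile"
    $current | Format-Table -AutoSize
}
```

The first run saves the baseline; later runs print only what has changed. Delete the CSV file to record a fresh baseline after you have finished closing ports.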
Am I done yet?
If you’ve made it this far, congratulations! You’ve hardened your first computer. Now go back to the list of computers on your network that you made during the baseline step, and start working on the next one.
I won’t lie: this is a bunch of time-consuming work.