Windows Security for Mac OS X Networks

It's happened again. Another Windows computer virus, or worm, or something. As with so many that have gone before, this one is transmitted as an email attachment. Just double-click and die. They never learn. There are certain things one can do to secure a Windows host on a Mac network. Everybody benefits. Let's do it.

Recently I had some in-person banking business to do. My agent was using a Windows 2000 machine for everything. Peering over his shoulder, I saw no evidence of any firewall or anti-virus software. I had no reason to believe that anyone was handling Windows Updates either. It's a great, blissful life. No problems, no worries. Except that it's my account details that are on his screen. All one can do in such a situation is hope against hope that someone somewhere in the food chain knows what he's doing. Yikes.

Over the last couple of years, we have broached the subject of Windows security in a Mac environment a few times. (1) Most of the items given below were already treated to some extent previously. The hope is that having them all in one place will make setup a snap.

There are a few different ways to network Mac and Windows computers together. Suffice it to say that, given that you're reading this article, you have one such arrangement now. It may even be VirtualPC running on your Mac, where the same security issues arise. The very first item on the agenda is to do all of the Windows Updates. Without a doubt, take all of the critical updates, and most of the recommended ones too. Depending on your version of Windows, you may be able to set this to run automatically in a control panel, or at least get a timely reminder with Windows Critical Update Notification. As does Apple with Software Update, Microsoft often includes operating system bug fixes with these updates. It's critically important to install them.

The second item is a firewall. Now, in practice, I always install this first, even if it means risking some operating system instability. I do not want any machine, much less a Windows machine, looking onto the internet without a firewall in between. Every computer needs a firewall to shield it from nefarious internet activity, and this goes doubly for a Windows machine. After all, Windows commands some 95% of the total number of internet hosts out there. From a hacker's point of view, it's all about economies of scale. In addition, Windows continues to be prone to security problems, though things are better than they have been. There is only one firewall to use for any version of Windows, and that's ZoneAlarm. Period. (2) Use it, even with a VirtualPC session. As always, it's free for personal use.

While we're on the subject, be sure to activate Mac OS X's built-in firewall from the Sharing system preference. Why this isn't enabled by default is beyond me. (Apple, are you listening?) Pre-Jaguar versions of OS X can make good use of BrickHouse.

Next, if possible, use a mailer that minimizes the possibility of activating a virus. I wouldn't heartily recommend most users attempt learning Pine or Mutt, but Eudora is a terrific alternative.

If you absolutely have to use Microsoft Outlook or Outlook Express, then please take the time to turn off some bells and whistles that will otherwise guarantee eventual virus infection. Netscape Mail, though better, is also prone to some of these vulnerabilities. For starters, disable Preview mode, regardless of which mailer you use. Previewing a message, from your computer's point of view, is the same as reading it. Then, disable all scripting for mail and news. Different mailers turn these features on and off differently, so your mileage may vary. If you use Entourage, make sure you make these same tweaks.

Outlook Express has two security options, accessible from Tools, Options. Which one to choose is obvious. While you're at it, also enable Bcc (Blind Carbon Copy) for outgoing messages. To do this, in a new message pull down View and check All Headers. Done.

One more item in the configuration list is to turn off any services you don't need, in particular telnet and ftp (Windows NT and derivatives), as well as Windows sharing itself. These should be off by default anyway. (3)

Now that you have configured lots of things, the next consideration is good email practices. Not to put too fine a point on it, do two things. Ignore junk mail completely, and treat attachments like the plague. There is plenty of source material out there on this subject.

On the slippery edge of security is privacy. AdAware is a clever product that checks your Windows machine for stealthy rogue programs that send your clicking habits to selected servers on the internet. This free program works so well that I now install it on every Windows machine I manage, as part of my security regime.

So far, nothing here has cost you a thin dime. If you do have a few bucks, the single very best investment you can make in your home network (even if it's a "network" of just one machine) is a combo NAT gateway, often called an internet gateway or router. In previous articles, I have recommended D-Link as one of several good makes. If you go for a D-Link DI-614P, for example, you'll also be able to network that parallel printer (Windows GDI printers need not apply) you have kicking around, basically for free. What a deal. And, the prices of these little boxes have dropped tremendously. Installing a combo NAT gateway not only gives you a generous handful of expansion ports, it also puts your entire network behind a cloak of invisibility, as far as the internet is concerned. For not much extra, a wireless version can be had also. Be sure to enable wireless security right away, though, or else your neighbors will happily ride your internet bandwidth for free. An Apple Airport Extreme base station, together with a good ethernet switch for expansion, might be just your ticket, especially if you also want to network a USB printer.

Finally, you will have to ante up the bucks for anti-virus software eventually. They're all good. Pick one and do it.

These are security items that come to mind immediately. There may be others. I'd be glad to hear about your standard tweaks. If everyone implemented them, most viruses and worms would stop dead in their tracks. Good practices plus some clever software, together with a little extra hardware, will get you security that will thwart all but the most determined hacker.

There is one more thing. Never let it be said that a Mac user got caught by a Windows virus. That would be an embarrassment. Ciao.


Note 1: Here is a list of some of those MacWrite articles that speak to Windows security issues in a Mac environment.

Mac OS X Security Introduction
Mac OS X Security Part One: Cable and DSL
Mac OS X Security Part Two: Firewalls
Mac OS X Security Part Four: Email Setups For Security
Mac OS X Security Part Seven: Classic Mode & VirtualPC
Mac OS X Security Part Eight: Setting Up A Gateway
Mac OS X Security Part Nine: Configuring BrickHouse & ZoneAlarm
Mac OS X Security Epilog
Coupling an Asante NAT Gateway with Mac OS X
Virtual PC for Mac OS X
A Case For Mac OS X
Bcc In Mac OS X
Mac OS X and Outlook Express for Windows
Mac OS X and Toasters
Mac Security

Note 2: Most firewalls today are stateful, that is, they match incoming traffic to the outgoing connections that requested it, and otherwise shut off access. This is a good thing. The assumption, though, is that every program on the machine has free outbound access to the internet. ZoneAlarm does something here that no other firewall begins to do, and that is check with you first before allowing any specific program outbound access. It also does this if it detects any modification to a program you've previously allowed. This is to cover the possibility of a legitimate program being illicitly modified by a rogue program. With the proliferation of Windows viruses, you need this feature. That is why ZoneAlarm is the only firewall to consider for Windows. I wish ZoneAlarm came in a Mac version, but so far it doesn't. Pity.
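The behavior described in Note 2, as a small model added here for illustration (it is not ZoneAlarm's code, and the article does not say how ZoneAlarm detects a modified program): each approved program is pinned to a SHA-256 digest of its file, which is an assumption, so a changed file triggers a fresh prompt. The class name, file name and sample bytes are constructed.

```python
import hashlib
import os
import tempfile

class OutboundControl:
    """Per-program outbound approvals, each pinned to the file's SHA-256 digest."""

    def __init__(self, ask_user):
        self.ask_user = ask_user   # callback(path, reason) -> bool
        self.approved = {}         # path -> digest recorded when the user approved

    @staticmethod
    def digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def allow_outbound(self, path):
        current = self.digest(path)
        pinned = self.approved.get(path)
        if pinned == current:
            return True            # known program, unchanged: no prompt
        reason = "new program" if pinned is None else "program changed since approval"
        if self.ask_user(path, reason):
            self.approved[path] = current
            return True
        self.approved.pop(path, None)  # a refused change revokes the old approval
        return False

def demo():
    """Constructed scenario: approve a program, reuse it, then modify it on disk."""
    prompts = []
    answers = iter([True, False])  # user approves the first prompt, refuses the second

    def ask(path, reason):
        prompts.append(reason)
        return next(answers)

    fw = OutboundControl(ask)
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "mailer.exe")   # stand-in file, not a real program
        with open(prog, "wb") as f:
            f.write(b"original program bytes")
        results = [fw.allow_outbound(prog), fw.allow_outbound(prog)]
        with open(prog, "ab") as f:
            f.write(b"bytes appended by another program")
        results.append(fw.allow_outbound(prog))
    return results, prompts

if __name__ == "__main__":
    print(demo())
```

The second call produces no prompt because the digest still matches; the third prompts again because the file on disk is no longer the one that was approved.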

Note 3: ZoneAlarm has a tab for what it calls the local or trusted zone. I always add the single host 127.0.0.1 "Localhost" right away, as some applications require this. I used to add the ranges 192.168.0.1 - 192.168.255.255 "Private Network" and 169.254.0.1 - 169.254.255.255 "Self-Assigned Network" as well, to give trusted access across my own LAN. This was fine in a wired network, but needs to be re-examined in a combined wired and wireless situation, as a wireless parasitic passerby could exploit such a loophole. In a word, grant only the access you need to.