If you install Microsoft (MSFT)'s new Windows Server 2003, you are asked early in the process to create a password for the computer's administrator account. If you type in something lame, like "password" or a phone number, the setup program insists that a password must contain at least seven characters, including upper- and lowercase letters and symbols.
The tough password policy is part of a new approach, called "secure by default," that pervades Microsoft's latest operating system for the computers that run networks, e-mail services, and Web sites. Steps such as requiring strong passwords and preventing the Internet Explorer browser from displaying potentially sensitive Web content are a welcome change from a Microsoft philosophy that has always placed convenience ahead of security. The problem is, the earlier thinking still pervades other Microsoft products. Security is a particular problem in the standard configuration of Windows XP, installed on every new PC shipped for the past 18 months. XP is capable of solid security but has some gaping holes in its factory setup.
The biggest problem is the way XP handles accounts and passwords. When you first run a new computer, you are invited to set up an account for each individual who will use the machine, a very good idea. Unfortunately, you are not even offered a chance to set a password for each account.
Just as bad, every Windows XP desktop and laptop ships with a hidden account called Administrator that either has no password or a password common to all computers from a manufacturer -- which means the bad guys probably know what it is. Anyone with physical access to the PC has a good chance of gaining complete control of the computer.
Most people are inclined to ignore these issues, especially on home PCs, figuring their security needs are minimal. For computers that use only dial-up accounts to reach the Internet or corporate networks, the risk is indeed very small. Unprotected PCs on broadband connections are another story, however. Not only are they a security risk for the user, but they also pose a threat to the public health of the Internet. Hackers can find these computers and use open accounts as springboards for attacks on other systems. Even if you don't worry about the contents of your computer -- though you probably should -- protecting it is the socially responsible thing to do.
Unfortunately, Microsoft has no immediate plans to make it easy for individual users to secure their PCs. Windows XP lacks many security features in its default setup "because it was designed before we began our trustworthy computing initiative," says Mike Nash, vice-president in charge of Microsoft's Security Business Unit. Although revising the software supplied to computer makers could provide a more secure configuration for new systems, Nash says vendors have resisted such substantive setup changes in service packs. And a new desktop version of Windows isn't expected before 2005.
That makes defending your home or small-business PC a do-it-yourself affair. It is essential to run antivirus software that is kept up to date, though that will require you to pay $15 to $30 per year for an update subscription after the trial service that comes with a new PC runs out. You should also use a firewall to limit your vulnerability to attack from the Internet. It may either come built in with the network router you choose, or you can buy firewall software, such as Zone Labs' ZoneAlarm or Norton Personal Firewall. At a minimum, make sure to turn on Windows' Internet Connection Firewall. (Search for this term in the Help menu for detailed instructions.)
Finally, you should lock down those accounts that Microsoft sloppily left exposed. Open the User Accounts control panel and select "change account" to set a password for every account. You'll need help for the final step of finding and fixing that deeply buried Administrator account. For detailed instructions on closing the hole in Windows XP Professional, see this Flash movie (plug-in required). For Windows XP Home edition, follow these instructions.
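One way to find the accounts this step refers to, including the hidden Administrator account, as an added PowerShell example that is not from the column; it assumes an elevated prompt on the machine being checked and uses the Win32_UserAccount WMI class:

```powershell
# Added example, not from the column: list every local account, flag the
# built-in Administrator and Guest accounts, and flag accounts that are
# not required to have a password. Assumes an elevated PowerShell prompt.
# Win32_UserAccount returns the accounts the User Accounts control panel
# shows plus the hidden ones such as Administrator.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"

$report = foreach ($acct in $accounts) {
    $issues = @()
    # The built-in Administrator always has relative identifier (RID) 500,
    # whatever it has been renamed to; the built-in Guest has RID 501.
    if ($acct.SID -like '*-500') { $issues += 'built-in Administrator' }
    if ($acct.SID -like '*-501') { $issues += 'built-in Guest' }
    # PasswordRequired is false when the account is allowed to have no
    # password at all. A value of true does not prove a password is set,
    # so every account listed still needs a password checked by hand.
    if (-not $acct.PasswordRequired) { $issues += 'password not required' }
    if ($acct.Disabled) { $issues += 'disabled' }

    New-Object PSObject -Property @{
        Name     = $acct.Name
        Disabled = $acct.Disabled
        Issues   = ($issues -join '; ')
    }
}

$report | Sort-Object Name | Format-Table Name, Disabled, Issues -AutoSize

# Remediation with the standard net user tool (replace the account name as needed):
#   net user Administrator *           prompts for a new password without echoing it
#   net user Administrator /active:no  disables the account; do this only once another
#                                      administrator-level account has a strong password
```

On Windows XP Home the Administrator account is normally reachable only in Safe Mode, so run the audit from an account with administrator rights before deciding whether to disable it.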
I find Microsoft's two-steps-forward, one-step-back approach to security frustrating. The company has done a good thing with Windows Server 2003. It's time Microsoft shared the benefits of safer computing with the rest of us.

By Stephen H. Wildstrom