If you access the Internet using a broadband—cable modem or DSL—service, chances are that you have an always-on connection, which means there’s a much greater chance that a malicious hacker could find your computer and have his way with it. You might think that with millions of people connected to the Internet at any given moment, there would be little chance of a “script kiddy” finding you in the herd. Unfortunately, one of the most common weapons in a black-hat hacker’s arsenal is a program that runs through millions of IP addresses automatically, looking for live connections. The fact that many cable systems and some DSL systems use IP addresses in a narrow range compounds the problem by making it easier to find always-on connections.
When a cracker finds your address, he has many avenues from which to access your computer. Specifically, your connection uses many different ports for sending and receiving data. For example, the File Transfer Protocol (FTP) uses ports 20 and 21, web data and commands typically use port 80, email uses ports 25 and 110, the domain name system (DNS) uses port 53, and so on. In all, there are dozens of these ports, and each one is an opening through which a clever cracker can gain access to your computer.
As if that weren’t enough, attackers can check your system for the installation of some kind of Trojan horse or virus. (Malicious email attachments sometimes install these programs on your machine.) If the hacker finds one, he can effectively take control of your machine (turning it into a zombie computer) and either wreck its contents or use your computer to attack other systems.
Again, if you think your computer is too obscure or worthless for someone else to bother with, think again. For a typical computer connected to the Internet all day long, hackers probe for vulnerable ports or installed Trojan horses at least a few times every day.
Making Sure the Firewall Is Up to Snuff
If you want to see just how vulnerable your computer is, several good sites on the Web will test your security:
The good news is that Windows includes the Windows Firewall tool, which is a personal firewall that can lock down your ports and prevent unauthorized access to your machine. In effect, your computer becomes invisible to the Internet (although you can still surf the Web and work with email normally). Other firewall programs exist out there, but Windows Firewall does a good job. For example, Figure 1 shows the output of the Shields Up tool from Gibson Research after probing a typical Windows 7 computer. As you can see, Windows Firewall held its own.
Creating a Windows Firewall Exception
I just told you how important a firewall is for a secure computer, so it may seem more than a little strange that I’m now going to show you how to poke holes in that firewall. Actually, this kind of thing is fairly routine, at least behind the scenes, where programs such as Microsoft Office Outlook and iTunes often configure Windows Firewall to allow them to access the Internet. That’s fine, but why would you want to do something like this? There are many reasons, but they mostly boil down to needing some sort of data to get through the firewall. For example, if you want to perform administrative duties on a computer on your network, that computer’s firewall needs to be configured to allow the Remote Assistance service through. Similarly, if you activate Windows 7’s built-in web server, you need to configure that PC to allow data through port 80.
These are examples of firewall exceptions, and there are actually three types of exceptions you can set up:
Enable an existing exception— Windows maintains a list of programs and services that are often used as exceptions, and you can toggle these on and off.
Add a program as a new exception— If the program you want to use isn’t in the list, you can add it yourself.
Add a port as a new exception— You can also configure a port as an exception, and the firewall will allow data to pass back and forth through the port.
The next three sections show you how to create the three types of firewall exceptions.
Activating an Existing Exception
Windows Firewall maintains a list of programs, services, and sometimes ports that are currently enabled as exceptions, or that are commonly enabled but currently are not. This is the easiest way to set up an exception because all you have to do is activate a check box or two:
1. Select Start, type firewall, and then click Allow a Program Through Windows Firewall in the search results. The Allowed Programs window appears.
2. Click Change Settings. Windows Firewall enables the exceptions, as shown in Figure 2.
3. Activate the Home/Work (Private) check box beside the exception you want to enable.
4. If you also connect to public networks (such as wireless hotspots) and you also want the exception enabled on those networks, activate the Public check box beside the exception you want to enable.
5. Click OK to put the exception into effect.
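The same result from the command line, as an added example that is not from the book: it uses the netsh advfirewall tool that ships with Windows 7 to enable a predefined exception for the Home/Work (Private) profile only (the equivalent of step 3 without step 4), and then checks how many of that group's inbound rules ended up enabled on each profile. It assumes the rule group is named "Remote Assistance" as it appears in the Allowed Programs list, that netsh prints its English labels, and that you run it from an elevated PowerShell prompt.

```powershell
# Added example, not the book's own code. Assumed rule group name; substitute
# the exception you actually need.
$Group = "Remote Assistance"

# Equivalent of ticking only the Home/Work (Private) box: the profile= selector
# restricts the change to rules that apply to the private profile, so nothing
# is opened on public networks such as wireless hotspots.
netsh advfirewall firewall set rule group="$Group" profile=private new enable=yes | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh could not update rule group '$Group'" }

# Verification: count the group's enabled inbound rules on each profile.
# The public count should stay 0 unless you deliberately enabled it there.
foreach ($profile in "private", "public") {
    $lines = netsh advfirewall firewall show rule name=all profile=$profile dir=in
    # netsh prints one block per rule; split the output on the "Rule Name:" header.
    $blocks = ($lines -join "`n") -split "(?m)^Rule Name:"
    $enabled = @($blocks | Where-Object {
        $_ -match "Grouping:\s+$([regex]::Escape($Group))" -and $_ -match "Enabled:\s+Yes"
    })
    "$profile profile: $($enabled.Count) inbound '$Group' rule(s) enabled"
}
```

Re-run the verification loop alone after any change in the Allowed Programs window to confirm that an exception is scoped to the profile you intended and not also to Public.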