BSI recommendations on cyber security: BSI-E CS-001 | Version 1.0, 02/01/2012
PCs running Microsoft Windows - Home, v1.0
Background
Many useful and important services, such as online banking, e-commerce and e-government, are now used over the Internet, and the number of services offered online will continue to grow. Added to this is the increasing use of new mobile devices (smartphones and tablets) with which these services can be used. Currently, however, mostly personal computers (PCs) with operating systems such as Microsoft Windows, Apple Mac OS X or a Linux variant are still used for this purpose.
Target
This BSI recommendation on cyber security provides assistance with configuring a Windows PC for private use. The following sections follow the life cycle of a PC:
Purchase of the system
Installation and commissioning
Regular operation
Disposal of the system.
With a few measures, a PC running a current version of Microsoft Windows can be protected so that services on the Internet can be used largely safely.
Purchase of the system
Hardware and operating system
When buying a PC, choose current hardware with the latest version of the operating system (currently Microsoft Windows 7).
To make use of the security mechanisms Microsoft provides, the new device should have a 64-bit CPU; the 64-bit editions of Windows 7 additionally enforce driver signing and kernel patch protection.
Besides the Windows operating system, most new systems come with other software products pre-installed. Check their license periods, which may be time-limited. Uninstall software products you do not use.
Anti-virus program
The choice of a suitable anti-virus program is particularly important on Windows systems. For adequate protection of a home system against computer viruses and other malicious programs, both free and paid anti-virus products come into question; the paid products may offer more convenience.
If additional features of fee-based solutions, such as
child protection filters
monitoring of browser and e-mail activity for malicious programs
advanced behaviour-based detection of malicious software
are not needed, free anti-virus programs are adequate. These include, for example
Microsoft Security Essentials
Avira Free Antivirus
avast! Free Antivirus
(avast! Free Antivirus already integrates behaviour-based detection of malicious software)
These anti-virus programs have a German-language user interface, integrate easily into the Windows operating system, use automatic updates and have very good detection rates.
The additional functions mentioned above are found mostly in the convenient, fee-based solutions of the major anti-virus vendors.
If required, some of these additional functions can also be covered with free solutions, e.g.
browser filters: with the "phishing and malware protection" in Google Chrome or Mozilla Firefox, or with the SmartScreen Filter in Microsoft Internet Explorer
child protection filters: with OpenDNS FamilyShield (English)
advanced behaviour-based detection of malicious software: with ThreatFire (English), which can be operated alongside another anti-virus program
If you opt for a paid anti-virus solution, be sure to renew the license when required (usually after 12 months).
Never operate your system without a current anti-virus program.
Running several anti-virus solutions on one system at the same time can lead to unpredictable behaviour. Therefore: have only one anti-virus program installed or activated at any one time.
Backups
For backups, i.e. backup copies of both the system and your data, you can use the backup-and-restore functionality built into Windows 7.
When purchasing the computer, also obtain additional external storage media for creating backups (e.g. CD, DVD, external hard disk, USB stick).
Purchasing separate backup software is not necessary under Windows 7.
Internet Provider
The choice of a suitable Internet provider should depend not only on the price of the Internet access but also on other criteria. For example, make sure that your Internet service provider actively tries to protect you against Internet crime. In particular, your ISP should defend against botnets as effectively as the providers that have joined the Anti-Botnet Initiative; this also serves your own protection.
E-mail provider
Apart from using offerings on the World Wide Web (WWW), one of the main tasks of an Internet PC is sending and receiving e-mails. For this you need a qualified e-mail provider.
The minimum requirements for your e-mail providers are:
Provision of an e-mail virus filter
Protection from spam e-mails
Access over an encrypted connection, regardless of whether you access your mailbox via an Internet browser or an e-mail program. Specifically, this means support for the protocols https, pop3s, imaps and smtps.
Google, for example, provides these security features and encrypted access points free of charge with Gmail. In the paid versions of GMX and Web.de the above functions are also available.
Applications
Depending on your individual needs, you will acquire various application programs over time. Prefer products with automatic updates (auto-update). For the office software products listed below as examples, auto-update is already enabled by default after installation:
free: OpenOffice
paid: Microsoft Office
The same applies to the free Adobe Reader for displaying PDF files. Use version X of Adobe Reader, as it has additional security measures such as a "sandbox" (the software is shielded from the rest of the system).
For all application programs, e.g. those you use for editing photos or composing and playing music, make sure that the vendors' security updates are actually installed automatically, without you having to take action for each individual update.
New ID card
To use the eID function (eID = electronic identity) of the new ID card, you need the AusweisApp software, which can be downloaded from the AusweisApp portal. You also need a certified card reader; references to suitable devices are likewise available on the AusweisApp portal.
Information on the new ID card can be found at BSI for citizens and on the identity card portal.
Installation and commissioning
Install all available security updates
Depending on the delivery state of the PC you purchased, you either have to install Windows 7 yourself or Windows 7 is already installed.
When you install Windows 7 yourself, download all available updates during the installation.
When starting a pre-installed Windows 7 for the first time, connect your PC to the Internet and download and install the software updates provided by Microsoft. Make sure to obtain updates not only for Windows itself but also for other installed Microsoft products (e.g. Microsoft Office); this requires switching Windows Update to Microsoft Update, which also covers those products. Select the auto-update option so that future updates are downloaded and installed automatically.
Personal Firewall
Windows 7 has a built-in personal firewall that is already enabled on delivery. Make sure you do not accidentally switch this firewall off in the system settings. Installing an additional firewall is not necessary, because the supplied Windows 7 firewall protects the system sufficiently against attacks over the network.
Hard disk encryption
If you own a laptop, enable disk encryption to protect your data in case of loss or theft of the notebook. If you own a desktop PC, weigh the performance loss caused by encrypting your system against the protection of your data from access by unauthorized third parties.
For the encryption, use a password that you can remember well. Additionally write this password down, and keep the written password strictly separate from the PC. If you lose this password, you can no longer access your data. Information on password security can be found at BSI for citizens.
In the Ultimate and Enterprise editions, Windows 7 includes the built-in hard disk encryption BitLocker Drive Encryption, which can use a TPM (Trusted Platform Module) for key management. For this, purchasing a PC with TPM version 1.2 is recommended. After enabling encryption, create a recovery key for the disk encryption.
You can reach a similar level of protection with the freely available solution TrueCrypt. During the encryption process, create a "TrueCrypt Rescue Disk". This helps if you have problems decrypting the disk.
Java Runtime Environment
Some applications need the Java Runtime Environment. To reduce the attack surface of your system, install Java only if your software actually requires this runtime environment.
If you have installed Java, also enable the automatic update feature here. It is recommended to change the default to a daily check.
Check for Security Updates
To keep the security level of the PC high, it is imperative to install all security updates immediately when they appear. The easiest way is to use the auto-update features available in both the operating system (Microsoft Update) and the most popular application programs.
So that you never miss an update and thereby leave your PC vulnerable, we recommend installing a dedicated monitoring program such as the free Secunia Personal Software Inspector (PSI). This software alerts you if an update was missed or failed.
Browser
During installation and initial start-up of Windows 7, you are prompted to select an Internet browser.
Your Internet browser is the key component for using services on the Web and therefore represents the main target of cyber attacks, so if possible use a browser with sandbox technology. This protection is currently implemented most consistently in Google Chrome. Similar mechanisms in other browsers are currently either weaker or absent.
By using Google Chrome together with the other measures outlined above, you can strongly reduce the risk of a successful IT attack.
Equally beneficial in Google Chrome is the auto-update feature, which also covers the integrated Adobe Flash Player. As a result, the Adobe Flash Player is kept up to date as well.
E-mail
For largely safe use of e-mail, it is not necessary to install additional software. E-mail providers offer webmail access, which you can use over the Internet with your browser. It is important to use an encrypted connection (https) for webmail access, so that you also benefit from the protection mechanisms of your browser. Make sure the encrypted connection is enabled not only for the login but for the entire webmail session.
If you have higher requirements for comfort and functionality when working with e-mail, install a modern e-mail client such as
Windows Live Mail
Thunderbird
and configure it securely.
Configuration aids can be found at:
configuration of Windows Live Mail
configuration of Thunderbird
Pay particular attention to ensuring that the encrypted communication protocols (pop3s, imaps, smtps) are used.
Also avoid displaying and composing e-mails in HTML format. Definitely switch off the display of external content such as images in HTML e-mails: loading such content offers an additional opportunity for executing malicious code, and it also tells the sender that your address is in use.
Creating a system repair disc
Most new systems are now delivered without installation media such as a program CD. If this is the case with your new PC, create a system repair disc ("rescue disc") right after the first start-up. In the event of a failure or crash you can use it to restore your Windows 7 operating system. Details can be found under "Create a system repair disc".
User Accounts
If the PC is shared by several users, create a separate account for each user. Make sure that only users who have to perform administrative tasks on the system receive an account with administrator rights; everyday work should be done in a standard user account.
Malicious programs increasingly exploit vulnerabilities that let them act with the rights of the user account currently in use. Therefore, in addition to your normal user account for everyday work, use a second user account for transaction-related online activities such as online banking or sending sensitive information online.
Routers and Wireless
For Internet access, always use a router. Unlike DSL modems, routers have integrated firewall and encryption functions that you need to configure or activate. Be sure to change the router's default password.
Many routers can also connect your PC to the Internet wirelessly (WLAN). Disable the wireless function if you do not need it.
If you want to use WLAN, the connection must be securely encrypted. The current standard is WPA2 encryption. Change the default wireless password on your router after start-up. You only rarely need to enter the wireless password (when connecting a new device to the router for the first time), so you can choose a random, complex and long password without loss of comfort. Write this password down and keep it in a safe place, not in the immediate vicinity of the PC.
Regular operation
Backups
If the system breaks, the danger of irreparable loss of your data is very high. Regular backups to external storage media (e.g. DVD or external hard disk) provide the remedy.
The built-in features of Windows 7 can be used for regular backups. See: backup-and-restore.
Back up your data at least once a week. A complete system image is needed less often: after major updates or installations of the operating system or application software, and at least once a year.
Security updates
If you ensured during installation that both the system and all installed applications perform auto-updates, there is nothing more to do for this during ongoing operation.
In some cases you will be prompted to confirm the installation of an update. Other software products, such as the Google Chrome browser, install updates without further prompting.
If the Secunia Personal Software Inspector (PSI) is installed, regularly look at its messages. If an application is out of date, install a current version.
Overview of the general IT security situation
Get a regular overview of the current IT security situation, for example through a free subscription to the BSI's Bürger-CERT newsletter.
This keeps you informed about current or new attack methods, such as scams when purchasing goods or e-mails worded to obtain credit card information fraudulently.
Online Banking
For online banking, use a strong and modern procedure for approving transfers. Currently this is the chipTAN procedure, in which the approval takes place by means of a special reader in conjunction with your bank card. At a minimum, use the mTAN procedure, in which the transaction number (TAN) for approving the transfer is sent by SMS to your mobile phone. It is important that the SMS is not received on the same phone from which the banking is performed; this would undermine the separation of the Internet and mobile telephony channels. If your bank offers one of the methods mentioned, do without paper-based TAN procedures (e.g. TAN list and iTAN).
Communication
Communication over the Internet takes place mostly by e-mail. At present, however, over 95 percent of all e-mails are sent unencrypted and can therefore, like a postcard, be intercepted, read and modified by any unauthorized person. For higher requirements on the security and confidentiality of e-mails, it will in future be possible to use De-Mail.
The De-Mail mailbox and dispatch services ensure reliable and confidential communication. Through special dispatch and receipt confirmations, communication becomes verifiable and traceable. In addition, depending on the chosen dispatch options, the De-Mail service provider protects the message content and the so-called metadata (e.g. sender address, dispatch time, dispatch options) against modification.
If you do not want to use De-Mail, you can encrypt and sign your e-mails yourself with additional software to protect your privacy and ensure the authenticity and integrity of your e-mail. The necessary applications, such as Gpg4win (GNU Privacy Guard for Windows), are available free of charge.
Passwords
Access to online services is often via user name and password. If you use various online services, use a different password for each. To use complex passwords that cannot be guessed, use memory aids, e.g. the first letters of a longer sentence, or write your passwords down and store them in a safe place. Information on password security can be found at BSI for citizens.
In addition, free technical solutions for creating and managing complex passwords are available (e.g. KeePass).
Behavior on the Internet and social networks
Always exercise healthy suspicion in the online world. If something on the Internet seems a little odd to you, stop and rather break off the process. If in doubt, do not give out any personal data, let alone your credit card number.
In social networks like Facebook or Google+, always behave the way you would in the real world. Share only information that you would also disclose in any other setting.
Set the privacy settings of social networks as restrictively as your needs allow. Regularly ask friends and family members how your profile appears to them in the social network. Inadvertently shared personal information is usually noticed by others first, not by yourself. Ask those around you to point it out if your profile in the social network seems somewhat out of place or if online communication from you seems unusual, which may indicate that spam messages are being sent from your profile.
Emergency measures
Prepare for potential emergencies in advance and think about your response in the following situations:
The anti-virus program reports malicious software but is unable to remove it automatically
The computer no longer boots
You notice a transfer from your account that you did not make
You can no longer log into your e-mail mailbox
You can no longer connect to the Internet
For such situations Microsoft offers various kinds of support under "System recovery and repair".
If you feel you cannot respond in these uncertain situations or cannot find reasonable answers, look for a trusted partner now who can assist you when it happens.
PC Disposal
If you want to dispose of your computer one day, make sure that all data on the hard disk is destroyed. Simply deleting via the Recycle Bin or Windows Explorer is not sufficient; the file contents remain on the disk until they are overwritten.
To make your drive unusable, you can remove it and physically destroy it. Selling the used hard drive is rarely worth it once you compare the proceeds with the value of your data.
If you want to keep or pass on the hard drive anyway, boot your PC from a live CD inserted in the CD-ROM drive (e.g. an Ubuntu LiveCD), identify the drive in the started live system (do not mount it), and finally overwrite it on the command line with the command
dd if=/dev/urandom of=/dev/DEVICENAME
Here DEVICENAME is the first hard disk, which is usually called "sda" (on older systems "hda"). Check the device name before running the command, e.g. with "fdisk -l", and pay close attention to every character of the command line: a wrong name in of= overwrites the wrong disk, and there is no undo. Overwriting a large disk with random data takes several hours. On a solid-state drive, overwriting does not reliably reach every memory cell because of wear levelling; for such drives use the manufacturer's secure-erase function or destroy the drive.
Alternatively, encrypt the hard drive in advance with BitLocker Drive Encryption or TrueCrypt (see "Hard disk encryption") and destroy only the key material.
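The overwrite described above, as an added example script that is not part of the BSI document: it wraps the dd command in the checks one wants before destroying a disk (the target must be an unmounted block device, its exact size is determined so that dd writes the whole disk without running into an end-of-device error, an explicit confirmation is required, and afterwards the first MiB is inspected for surviving readable text). It assumes a Linux live system with root rights, GNU coreutils and util-linux (for blockdev); the function names are our own and the device name /dev/sda in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the BSI document): overwrite a whole disk with
# random data from a Linux live CD, with safety checks around
# "dd if=/dev/urandom of=/dev/DEVICENAME".
# Assumptions: run as root on the live system (blockdev needs it);
# /dev/sda in the usage comment is a placeholder for the real device.

# Size of the target in bytes: blockdev for a real disk, wc -c for a
# regular file (lets you try the script on a test file first).
device_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Count runs of 32 or more consecutive printable bytes in the first MiB.
# Random data practically never contains such a run; a disk holding a
# file system and documents contains many, so 0 after the wipe means the
# overwrite really reached the disk.
readable_runs() {
    head -c 1048576 "$1" | LC_ALL=C tr -c '[:print:]' '\n' \
        | grep -c '^.\{32,\}$' || true
}

# Refuse anything that is not an unmounted block device: a typo in the
# device name must not silently overwrite a file, and overwriting a
# mounted disk (e.g. the one the live system itself uses) corrupts it.
device_is_wipeable() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "$dev is not a block device" >&2
        return 1
    fi
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev (or a partition on it) is mounted; unmount it first" >&2
        return 1
    fi
    return 0
}

# The actual overwrite: exactly device_size bytes from /dev/urandom.
# Feeding dd through head avoids dd's "No space left on device" error at
# the end of the disk; sync makes sure the last blocks are written out.
overwrite_with_random() {
    dev="$1"
    size=$(device_size "$dev")
    head -c "$size" /dev/urandom | dd of="$dev" bs=1M 2>/dev/null
    sync
}

# Full procedure: guard, explicit confirmation, overwrite, verification.
wipe_disk() {
    dev="$1"
    device_is_wipeable "$dev" || return 1
    printf 'This destroys ALL data on %s (%s bytes). Type YES to continue: ' \
        "$dev" "$(device_size "$dev")"
    read -r answer
    [ "$answer" = "YES" ] || { echo "aborted" >&2; return 1; }
    overwrite_with_random "$dev"
    if [ "$(readable_runs "$dev")" -eq 0 ]; then
        echo "$dev overwritten; no readable text left in the first MiB"
    else
        echo "WARNING: readable data still present on $dev" >&2
        return 1
    fi
}

# Usage on the live system:  sudo sh wipe-disk.sh /dev/sda
if [ "$#" -ge 1 ]; then
    wipe_disk "$1"
fi
```

Run it as "sudo sh wipe-disk.sh /dev/sda" after checking the device name with "fdisk -l". With GNU dd you can append status=progress to the dd call to watch progress during a multi-hour wipe. The verification only samples the first MiB, which is where partition table and file system structures live; it confirms the overwrite happened, not that every sector was reached, which is why the script refuses to run on a mounted device at all.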
With the "BSI recommendations on cyber security", the Federal Office for Information Security (BSI) publishes solutions and recommendations on cyber security. The content is carefully researched and compiled to the best of our knowledge and belief. Please direct your comments to: cs-info@bsi.bund.de.
Please note that changes to the system configuration carry a risk of data loss. Therefore, make a backup before any change to the system.