How to Apply Risk Management

This is a tech's whistle-stop "how to" for the risk management strategies I currently use on Windows 95 through Windows 98 Second Edition.  They can be applied to Windows Millennium as well, but there's extra work to do there because System File Protection tends to get in the way.

The steps are grouped in the order you would actually do them, not logically by risk:

CMOS boot order
NoDriveTypeAutoRun
Don't hide file name extensions
Get rid of "View as Web Page"
Get rid of Active Desktop
Reversibly disable WSH
Reversibly disable .shs/.shb files
Reversibly disable .hta files
Stop auto-ScanDisk killing your data
Make "Restricted Zone" restrictive
Stop email apps auto-running "message" scripts
Protect Word somewhat
Don't share data to the Internet
Don't expose the startup axis to the network

But before you start on all the above, you need to make sure Internet Explorer is upgraded or patched against MIME-spoofing exploits - even if you aren't using MSware to read email or browse the web, because other applications (Outlook Express, HTML help, Web View) share IE's HTML and MIME handling components.

CMOS setup

On first power up, press whatever key is used to access CMOS setup on that system - it's usually Del, Ctl-Alt-Esc or Ctl-Alt-S on generic systems and laptops, or F2 (Acer, Intel), F1 or F10 on many brand-name systems.  Go into the Standard menu and make sure the A: drive is defined appropriately (suspect certain boot sector viruses if unexpectedly set to None, and do a formal virus check if so).

Then, go into the menu that controls boot order.   Often the "BIOS Features Setup" is second on the left; other systems may have an explicit Boot menu, or file this under a Security tab.  You will either see options like "A:, C:" or a list of "First boot device", "Second boot device" etc.  Make sure C: is set to boot before A: or CD, i.e. either "C:, A:" or similar, or first boot device is IDE0 (typically IDE devices are enumerated 0..3, not 1..4).

Having done this, save settings and exit.  This step avoids booting (and being infected from) an infected diskette or bootable CD left in the drive, and means you can safely disable the irritating, leaky, and shutdown-failure-prone "scan diskettes on shutdown" antivirus facility.

RegEdit

The usual RegEdit precautions apply.  Start at the top and use the cursor arrows to navigate; right arrow to enter a deeper level, left arrow to back out, Tab to swap panes and Enter to edit a value.  You can check HKEY_CLASSES_ROOT\exefile and the Runxxx keys in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER if checking the startup axis at the same time, but the only risk management step here will be to wall out AutoRun.inf attacks on hard drive volumes.  The key to this is:

HKEY_CURRENT_USER
   Software
      Microsoft
         Windows
            CurrentVersion
               Policies
                  Explorer
                     NoDriveTypeAutoRun

Chances are, this will be set to 95 00 00 00, which permits AutoRun.inf processing for both hard drive volumes and CDs.  Only the first (low) byte is used at the moment; each bit corresponds to a drive type, and setting it disables AutoRun for that type.  The two bits that matter here are 08 (fixed disks) and 20 (CD-ROM): 95 + 08 = 9D disables HD AutoRun while allowing CD AutoRun, whereas 9D + 20 = BD suppresses both.  This value has no effect on the ability to autoplay audio CDs, unlike the Auto-Insert Notification setting that is usually inappropriately used instead.

As this setting is at the user profile level, you have to set it for each profile in HKEY_USERS - and remember that roaming profiles and remote registries may mean that certain profiles remain beyond your reach unless you successfully log in as those users.  Note also that some piggy CD software may revert this setting when it runs, so re-check it after installing such software.
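As an added example (my own offline helper in Python, not code from the original page), here is how the value's bits decode.  The drive-type numbering is an assumption taken from the Windows GetDriveType() API (bit n suppresses AutoRun for drive type n), which the page does not spell out; it generalises the three values quoted above to any combination of drive types, and parses the value exactly as RegEdit displays it on Win9x (four bytes, low byte first):

```python
"""Decode and build NoDriveTypeAutoRun values.

Added example, not from the original page.  The value is a bitmask over
the drive-type numbers that GetDriveType() returns (assumed mapping
below): bit n set means AutoRun.inf is ignored for drive type n.
RegEdit on Win9x shows it as a 4-byte binary, low byte first
("95 00 00 00"); only the low byte is currently defined.
"""

# Drive-type numbers as returned by GetDriveType (DRIVE_* constants).
DRIVE_TYPES = {
    0: "unknown",
    1: "no root directory",
    2: "removable (floppy, Zip, USB)",
    3: "fixed (hard drive volumes)",
    4: "remote (network share)",
    5: "CD-ROM",
    6: "RAM disk",
    7: "reserved / future",
}


def parse_regedit_binary(hexdump: str) -> int:
    """Turn RegEdit's 'nn nn nn nn' binary display into the DWORD it encodes."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) != 4:
        raise ValueError("NoDriveTypeAutoRun should be a 4-byte value")
    return int.from_bytes(raw, "little")


def to_regedit_binary(value: int) -> str:
    """Inverse of parse_regedit_binary: the bytes to type into RegEdit."""
    return " ".join("%02X" % b for b in value.to_bytes(4, "little"))


def autorun_disabled_for(value: int) -> list:
    """Names of the drive types for which this value suppresses AutoRun.inf."""
    return [name for bit, name in DRIVE_TYPES.items() if value & (1 << bit)]


def disable_types(value: int, *drive_types: int) -> int:
    """Return a new value that additionally suppresses AutoRun for the given types."""
    for t in drive_types:
        value |= 1 << t
    return value


def is_hardened(value: int) -> bool:
    """The check this page cares about: AutoRun.inf on fixed drives must be off."""
    return bool(value & (1 << 3))


if __name__ == "__main__":
    default = parse_regedit_binary("95 00 00 00")
    print("default 0x%02X disables:" % default, autorun_disabled_for(default))
    hd_off = disable_types(default, 3)      # 0x9D: no HD AutoRun, CD still allowed
    both_off = disable_types(hd_off, 5)     # 0xBD: neither HD nor CD
    for v in (default, hd_off, both_off):
        print(to_regedit_binary(v), "hardened" if is_hardened(v) else "EXPOSED")
```

Run it against whatever RegEdit shows in a profile to see which drive types are still exposed; the "EXPOSED" line for 95 00 00 00 is the state you are fixing.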

De-lamer Windows Explorer

Part of risk management is to give the user good information about what they are about to click on, so they can more effectively assess risk.  In this respect, you need to reverse several of Microsoft's dumb-ass duh-fault settings.   The sequence of mouse clicks may vary between versions of Win9x (I'll describe it as per the Win95 SR2 that I use), but briefly:

View, Options..., View tab
   Select "Show All Files"
   Display full path in title bar:  Check
   Hide extensions for registered file types:  UNCheck !!  (otherwise a README.TXT.vbs shows as README.TXT)

There are other things you can do for aesthetic reasons, such as have the View option stay in a single window, use List or Detail views that don't bloat up the registry with pointless (x,y) icon position info, and set the default Folder action to Explore rather than Open to say goodbye to the "My Computer" half-view forever.

In Windows 98 and later, or if MSIE 4.xx has been installed, you have an additional risk to get rid of; namely, "View as Web Page".  Web View renders each folder through an HTML template (folder.htt, referenced from a hidden desktop.ini) that can carry script, so merely opening a folder can run whatever was dropped there.  This can be killed in Windows Millennium by choosing Classic Folder View, but in Windows 98, this risk just keeps coming back.  The best way to try and get rid of it is:

Clear the option to remember settings for different folders
Set the Custom folder settings to use Web View only where you choose it, not for all HTML content
Set the current view to NOT be "Web Page"
Do something so you can Apply changes, then make all folders like the current one
Set the option to remember settings for different folders again

While you are up, you can disable the Active Desktop as well.   For one thing, this will prevent calls about what "active desktop recovery" means!

Note that you may find some of these settings spontaneously revert (e.g. "show full paths" and Windows 98's Web View), or get re-enabled implicitly when an HTML or JPEG wallpaper is selected.

Start, Find

Several Windows components provide functionality that is more useful to malware than to the user.  These include Windows Scripting Host, which runs stand-alone script files with various extensions (most famously .vbs, as used by LoveLetter and a host of me-toos); .shs/.shb scrap files (used by LifeStages; significant in that these extensions are never displayed in Windows, even with "hide extensions" off), and .hta ("HyperText Application") files, which run with no browser security zone restrictions at all.

To fix these, do this:

Start, Find, Files or Folders, searching all of C:, for...
   ?SCRIPT.EX?  SHSCRAP.DL?   MSHTA.EX?
Highlight each of these found...
   WSCRIPT.EXE  (WSH Windows interpreter)
   CSCRIPT.EXE  (WSH command line interpreter)
   SHSCRAP.DLL  (.shs/.shb processor)
   MSHTA.EXE  (.hta processor)
   Note:  Leave LMSCRIPT.EXE alone!
F2 to rename
Change the last character to "!", ideally keeping names in ALLCAPS

This allows your risk management to be reversed, should you want to use these functionalities: just rename the file back.  Note that you will first have to tame Windows Millennium's SFP via FILELIST.XML and optimally sfpdb.sfp from DOS mode, before these strategies will be effective - otherwise SFP simply restores the originals.  Note also that you should check the fix "takes" via a Find for .EX! (and .DL!) in RegEdit, i.e. that nothing in the registry has been re-pointed at the renamed files; the .vbs, .shs and .hta associations should now lead to files that no longer exist, so double-clicking such a file fails instead of running it.
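The same procedure as a script, added here as my own example rather than anything from the original page: it walks a directory tree (a mounted drive image, or the live system if Python is available), applies the "last character becomes !" rename to exactly the four files listed above while leaving LMSCRIPT.EXE alone, can undo itself, and greps a REGEDIT4 export for references to the renamed names, which is the "did it take?" check.  The registry export it is run against is a constructed sample, not a real system's:

```python
"""Reversibly disable WSH, scrap-file and HTA handlers by renaming them.

Added example, not the page's own code.  It mirrors the manual Find/F2
procedure: the last character of each target becomes "!" (WSCRIPT.EXE ->
WSCRIPT.EX!), LMSCRIPT.EXE is never touched, and plan(undo=True) reverses
it.  registry_references_to_renamed() is the "did it take?" check, run
over a REGEDIT4 export instead of the RegEdit Find dialog.
"""
import os
import re
import shutil
import tempfile

TARGETS = {"WSCRIPT.EXE", "CSCRIPT.EXE", "SHSCRAP.DLL", "MSHTA.EXE"}
# ?SCRIPT.EX? also matches the LAN Manager logon-script processor; leave it.
NEVER_TOUCH = {"LMSCRIPT.EXE"}


def disabled_name(name: str) -> str:
    """WSCRIPT.EXE -> WSCRIPT.EX! (kept in ALLCAPS so the change is obvious)."""
    return name.upper()[:-1] + "!"


def enabled_name(name: str) -> str:
    """Undo: WSCRIPT.EX! -> WSCRIPT.EXE, SHSCRAP.DL! -> SHSCRAP.DLL."""
    stem = name.upper()
    if not stem.endswith("!"):
        raise ValueError(name + " is not a disabled name")
    for target in TARGETS:
        if target[:-1] == stem[:-1]:
            return target
    raise ValueError("no known target for " + name)


def plan(root: str, undo: bool = False) -> list:
    """Walk root and return (old_path, new_path) pairs to disable (or undo)."""
    wanted = {disabled_name(t) for t in TARGETS} if undo else TARGETS
    renames = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            upper = f.upper()
            if upper in NEVER_TOUCH or upper not in wanted:
                continue
            new = enabled_name(upper) if undo else disabled_name(upper)
            renames.append((os.path.join(dirpath, f), os.path.join(dirpath, new)))
    return renames


def apply(renames: list) -> int:
    """Perform the renames; returns how many were done."""
    for old, new in renames:
        os.rename(old, new)
    return len(renames)


# A path ending in .EX! or .DL! anywhere in an exported registry line.
RENAMED_REF = re.compile(r"[\w\\.:-]+\.(?:EX|DL)!", re.IGNORECASE)


def registry_references_to_renamed(reg_export: str) -> list:
    """Lines of a REGEDIT4 export that point at a renamed file; should be empty."""
    return [ln.strip() for ln in reg_export.splitlines() if RENAMED_REF.search(ln)]


# Constructed export (not from a real machine): the .vbs association has
# been re-pointed at the renamed interpreter, which is what the check catches.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\WINDOWS\\WSCRIPT.EX! \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def demo() -> dict:
    """Round-trip the procedure on a constructed directory tree and report."""
    root = tempfile.mkdtemp()
    try:
        for rel in ("WINDOWS/WSCRIPT.EXE", "WINDOWS/LMSCRIPT.EXE",
                    "WINDOWS/SYSTEM/SHSCRAP.DLL", "WINDOWS/SYSTEM/MSHTA.EXE"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        disabled = apply(plan(root))
        after = sorted(f for _, _, fs in os.walk(root) for f in fs)
        restored = apply(plan(root, undo=True))
        final = sorted(f for _, _, fs in os.walk(root) for f in fs)
    finally:
        shutil.rmtree(root)
    return {"disabled": disabled, "after": after, "restored": restored, "final": final}


if __name__ == "__main__":
    print(demo())
    print("registry still references renamed files:",
          registry_references_to_renamed(SAMPLE_REG))
```

Call plan() first and read the list before apply(): on a system where some "helpful" installer has already re-pointed an association, the registry check is the step that tells you the rename alone did not take.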

While there, you may also want to peruse the startup axis; if so, add these files to those to be searched:

Config.sys  Autoexec.bat
Scandisk.ini  WinStart.bat  Wininit.ini
System.ini  Win.ini  "STARTUP"

As it is, you really had better check Scandisk.ini, because it governs what the automatic ScanDisk run after a bad shutdown is allowed to do to damaged files without asking, and that has natural-risk significance especially in Windows 98.  Double-click it to edit, and it explains itself; you should change all "Fix" settings (except for "Free space info") to Prompt, and both Delete settings to Prompt (or Prompt and Save).  Check also that the log is being appended, not overwritten or lost.  See the page on the startup axis for more on this, and how to manage this risk in Millennium Edition.

MS Internet Explorer

Microsoft's duh-fault settings for "Restricted Zone" aren't restrictive enough for comfort; there are three settings to fix:

MS Internet Explorer; Tools, Internet Options..., Security tab
Select the "Restricted Zone", click Custom, then fix these...
   DISable ActiveX controls marked "safe" for scripting
   DISable Java (if present)
   DISable Active scripting (is disabled by default in Windows ME)
Yes, you really do want to change the default settings, duh

Next, chances are the Tools, Mail and News menu will lead you to...

Outlook Express, etc.

By default, allowing an HTML message to be previewed in OE, Outlook 2000, and recent versions of Netscape Communicator will cause embedded scripts to be run without prompts or notice.  A fuller description of this risk management appears in a page on fixing the Kak virus.  In Outlook 2000 and later and Outlook Express, go Tools, Options, Security tab and set the zone to "Restricted Zone" (which is why the Restricted Zone settings above had to be fixed first).  In Netscape, go Edit, Preferences and UNcheck JavaScript in mail and news, and consider disabling Java and scripting generally.  In Outlook 97, there's no risk management possible (HTML mail will appear as a clickable HTML file attachment) but you can speed up Office slightly by UNchecking all the boxes in Tools, Options, Journalling.

Word

Settings and dialog boxes vary between versions, but basically, you want to run Office apps in High Security where this is offered (2000 and later), as well as fix a couple of other settings in Word:

Run Word, then go Tools, Options...
   General; Warn on macros - Check
   Save; Warn on saving changes to Normal template - Check
OK

The first setting is checked by default, and if unchecked, usually means the system has suffered an active Word malware infection in the past.   The second setting is unchecked by default.  You'd have to explain to the user that unexpected "Do you want to save changes to Normal template" should be answered No, as this may be a malware that is attempting to persist into the next Word session.  See this page on Word malware for more details.

Networking

You generally don't want to kick over the applecart where networking goes, so it's often prudent to document what should be done rather than change things here.  The page on data management has more on the "big picture" here, but at the very least, you want to make sure that TCP/IP bound to dial-up networking (as used for Internet access) does not have File Sharing bound to it.  Changes here may prompt for the Windows CD (so set your SourcePath in HKLM\...\Setup first) and will almost certainly prompt for a reboot - so leave this until a reboot is less of a nuisance, and make sure you know whatever passwords are needed to get back in on the next startup.

You should warn about the idiocy of write-sharing C:\ and the Windows base directory, as this exposes the startup axis to dropper attack.   Your previous changes to NoDriveTypeAutoRun will have protected the roots of other drive volumes, and if you can suppress "View as Web Page", that helps for all write-shared directories.

Data locations

This is an even bigger can of worms, but if you can rename the sitting-duck "My Documents" and keep data within the backup scope and off vulnerable locations such as the desktop, then so much the better.  Generally, it's better to tackle this as part of a bigger LAN/risk/backup strategy as covered in the data management page, but the end-point you want is:

Data subtree; for small, clean, backup-able user-unique data
BigData subtree; for larger clean user-unique data that's too big to auto-backup
Suspect subtree; for risky stuff like downloads, messaging/email attachments, etc.
Storage subtree; for "cold storage" and resource-sharing of known-clean archives etc.
Backup subtree; for cross- and self-backup

You'd then auto-backup the first, and point a one-click virus killer at the third.

Part of your broader risk/data strategy may involve your choice of applications.  For example, it's possible to spare smart users with slow systems the agonies of resident av, if you combine "Suspect" tactics with an emailer like Eudora that creates incoming attachments as files as they are downloaded ("after getting mail, before reading it, click this icon").  You can also avoid Office malware (and keep your data backups safer to restore) by using the viewers rather than applications as default actions for those file types, or of course avoid using Office altogether.

Perspective

When discussing risk management with the client, it's important to contextualise this with respect to antivirus utilities in particular.   Just as no goalie is impenetrable and so soccer teams deploy additional players as defenders, so it is that no antivirus is 100% reliable and so it's wise to deploy additional risk management.  An antivirus has wide scope but will miss new or modified threats, whereas these tactics have narrow scope but are more solid where they apply.

There's still a need to keep the antivirus protection in place and up to date - and something that is clearly high-risk should be avoided, no matter whether the av says it's "OK" or not.  The risk management measures described here are often effective against the kinds of script malware that are easiest to edit, and thus most likely to get past the usual "mugshot-recognition" approach that is the cornerstone of nearly all antivirus software.  So risk management and traditional av complement each other pretty well.
 
 

(C) Chris Quirke, all rights reserved - September 2001, updated June 2002
