How safe is your PC? What score out of 10?

Download from this link, and try out Belarc Advisor.
http://www.majorgeeks.com/Belarc_Advisor_d1385.html

I’d like to think my PC was pretty secure against nasties invading it.
Delving deeper and clicking on Belarc Advisor CIS benchmark score, I see that I only score 3.13 out of a possible 10.

A PC is rated on 12 categories, or sub-categories, as follows:

Service Packs and Hotfixes
Current Service Pack
Critical and Security Hotfixes
Account and Audit Policies
Password policies
Audit and Account Policies
Event Log Policies
Anonymous Account Restrictions
Security Options
Additional Security Settings
Available Services and Other Requirements
Available Services
User Rights
Other System Requirements
File and registry Permissions

Within those headings a PC is rated on 156 different points.
My PC passes only 72 out of the 156 points.

As I have a single user, non networked, dialup PC, I think I am hardly done by in some categories.
Obviously there are lots of links to the Belarc Advisor explaining their recommendations, and cures, and it will need a lot of my research to consider adopting their recommendations.

For example. I fail the Minimum Password Length, although my password is Alpha and numeric and 11 characters long. I have no idea what they recommend, as yet, but will visit their site to check this, and other points out.

I’d be very interested in the score, out of 10, and out of the 156 points, that your PC rates according to Belarc Advisor, particularly from single user PC’s, when compared to Home networked PC’s, or Company networked PC’s.

Bazza

 

hi, i just downloaded and ran belarc, it says i have a score of 3.75.
it also says in the virus protection box 'unknown' - very odd, i have AVGpro

 

Does Belarc sell software to fix the problems it finds?
abri

 

Try using the Microsoft Baseline Security Analyzer. This lists the vulnerabilities in your system, and provides articles on how to correct them. For network administrators, you can also remotely scan your users computers (or even groups of computers), and your servers.

 

Belarc's security check is not available for XP Home users. You need Pro or MCE.

 

Sorry folks, I did not realise that.
I have XP Pro.
The MG link says "Win ALL", but I guess some features are specific to XP Pro, as you say. Bazza

===

 

Thanks, Mada_Milty. Yet another program to try. Bazza

===

 

But that refers to the MG's motto, doesn't it?
abri
haha
Don't worry, I'll be gone soon ... I'm one of those problems that goes away by itself lol

 

Kinda bursts your bubble, doesn't it, when you ( me ) think your / mine PC is well protected.

Anyone beat 3.75 out of 10.0?

Bazza

===

 

i have w2k for my os

 

I got a 3.13 like others though I think they doth protest too much. I have Telnet disabled yet it gives me an x for not configuring that service! Nah, I'll give this a pass. This may be usefull to an IT manager, I don't think it's for someone like me with just a couple of networked rigs. MSBA gave me a clean bill of health but I still run all the free security apps that I need to that MS 'forgot' to include.

 

My Belarc score was terrible 2.5, and no matter how many steps I take to secure it and change from red crosses to green ticks, the score does not increase. Hmmmm....

The Microsoft Baseline results was a lot less bleak, probably because a lot of the audit stuff picked up on in Belarc is not applicable to me and not registered in Baseline (running this all on my laptop).

I have Telnet disabled too, but it sees it as just "stopped".

So, I'm now trying to convert by Recovery drive from a FAT32 to a NTFS. It looks easy, but slightly concerned as I have never done this before. Is this an accurate instruction to follow?

Standard Windows utility that is called CONVERT serves this purpose

Just go to the Command Prompt and execute the command:

C:\> CONVERT C: /fs:ntfs

Where C: is a name of the drive you want to convert. (In my case D

After machine re-boot conversion process will start and you'll have your FAT32 converted to NTFS without data loss.


BTW...neat call Bazza

 

One will never get a really high score in belarc, unless you start setting local policies within group policy manager and setting auditing.

 

<warm fuzzy>

 

Thanks theefool and others.
Your comments put my mind at rest. I should investigate further to see if if single user PC owners can bump up the score.

One advantage I did get was to prod me into loading MS updates since SP2 came out. Most of us are satisfied with SP2 and have never bothered to get MS updates since then. There has been lots, and XP users should visit www.windowsupdate.com to update their PC's. Bazza

===

 

going to have a play to see if i can get a higher score

 

7.29! (at first it was 3 something but I changed a lot of the "problems", if they are actually problems). So, yes you can make your score higher . Odd thing happened, after changing the recommended settings and restarted I did another check with Belarc and Virus Protection is unknown, when before the restart it was up to date (I use Avast! Antivirus). Some settings I'm having trouble with right now are: Interactive Logon: Number of Previous Logons to Cache (this has been set to the recommended zero setting but is still x-ed), some service permissions (all xed are disabled, do services have permissions too like in the registry?), some user rights (Belarc doesn't specify very well what the recommended settings are on most of these), and some file and registry permissions.

 

Abri it's good to be objectionable just as long as your constuctive in the approach and you shouldn't GO

 

When I changed some settings that Belarc said I needed to change I had some problems with Microsoft Update and Spy Sweeper. Anyways, I found a link when viewing the Security Bulletin report which gave me more detailed information on how to configure each security setting. After I restarted my computer after fixing the settings I no longer had any problems with Microsoft Update or Spy Sweeper (of course this could also be due to looking at what to do on Microsoft.com for the error code I received when using Microsoft Update which was provided by none other then Major Geeks! ). Anyways after doing all of this I ran Belarc Advisor and now have a 9.37 score! (my virus-protection also says up-to-date again ). All you have to do to find this link is go to details under CIS Benchmark Score and click on whatever it says by Benchmark: at the top (it's under Score. The details are a bit old (2004) but they're still a huge help. Hope this helps! =o).

 

Also, does anyone know how to set the items at the bottom to Everyone: Failures? (its under "File and Registry Auditing")

 

Congrats on your score, up to 9+. I'm still on 3.13 with my Virus Protection and MS Updates both up-to-date. I really should investigate all my crosses if I want to score higher. Better put it on my todo list I guess. Bazza

PS:
I wonder how many of these missing items are really necessary on a single user Home PC? Baz

===

 

I finally did this and don't get a score because I don't have pro, however, I found it a useful way to see which Microsoft security updates I was missing and get them. Is this a lot of information to be giving a company? Everything about your computer?
abri

 

Hi Twistid,

Excellent! It looks like you've found most of what's needed to secure your computer according to the "legacy" guidance from the Center for Internet Security (we at Belarc are only participants in the consensus group that specifies the CIS benchmarks). We can't provide help in how to secure your system with our free Belarc Advisor, as we only do that for customers of our professional products.

You may have already read that these are the security settings that professional security folks in Corporations, US Government and Military use to secure their computers. Kudos to folks like you who read up on this and help out others on this forum with it.

 

Hi TxTazDad,

We're not aware of any errors in the benchmark results and would appreciate your letting us know of any that you've found.

 

abri, yes, it certainly prods you (me) to get the M$ updates as your score plummets if you are not up to date.

@BelarcGuy.
Welcome to Major Geeks.
This is one of the few times, since I have been a member, that I have noticed a representative of a software program joining our forum.

Bazza

===

 

I remember setting CIS (or was a c2, can't remember) configurations on a workstation. What a PITA, a huge book of security settings, on certain folders, files, and registry keys.

But, after one machine, clone, then newsid, everything was a breeze.

This was back in the NT4 days.

 

Hi TxTazDad,

What you're describing should have nothing to do with the security benchmarking feature of the Advisor that this thread is about. We really should take it to another thread.

I'm guessing that what you saw was that after uninstalling some software the Advisor still showed the software's license but didn't show the software in it's Software Versions section (that's where the actual executable files are show and you can click the * to see where those files are).

This is only possible with software that's not Windows Logo qualified, as logoed software is required to remove all of its files and registry entries upon uninstalling. So you must have found some software with a rather broken uninstaller... fairly rare for high quality software.

Let me know whether this is similar to what you saw, and if you can say what the software was we can see what's going on.

 

Hi TxTazDad,

Thanks for your kinds words.

It's pretty rare for a MS product to leave behind it's software licenses in the registry after uninstalling. Our products audit millions of computers and in virtually all cases I'm aware of the problem is related to something being pretty broken on the computer in question (virus, spyware, crashes, damaged registry or filesystem).

Could you please PM me with name of the person at Belarc or the licensing agent who told you that "according to belarc" info?

 

Just a note, #112:

BelarcGuy DID NOT STATE removing all registry entries.

Just the MS product licenses, which belarc typically checks within a number a registry entries.

Such as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

But the word RARE means:

Infrequently occurring; uncommon: a rare event; a plant that is rare in this region.

Which means it COULD happen.

Side note +1: I'm not taking any sides with this.

 

Hi BelarcGuy!
Nice to read your comments. I would like to say that it may be rare for an MS product to leave behind its software licenses in an undamaged computer, but it is NOT rare for people to have damaged computers with viruses, spyware, crashes, damaged registry and filesystems. Therefore, the chances of it leaving behind software licenses could be quite high from probability alone.

I wanted to ask you what Belarc does with the information it scans from computers which run advisor.exe?

Thanks!
abri

 

Hi abri,

"The Belarc Advisor keeps your PC profile on your PC and does not send it to a web server, including Belarc's server." That's directly from this "privacy" page

http://www.belarc.com/privacy.html

that's linked to from the top of every Advisor profile report, where a similar statement is made.

 

Thanks BelarcGuy

 

Hi TxTazDad,

Sorry to hear that you're not willing to provide some back-up to your previous postings.

From the viewpoint of someone reading these forums, or the many friendly tech support folks who help out here, it must look like virtually every computer out there has serious troubles. The reality is that serious computer problems (e.g. requiring a reg cleaner to be used) are pretty rare. Even more rare in most business or government networks where computers are frequently well maintained.

 

Hi theefool,

Cool! You must be one of the Windows security pioneers.

Windows security tools have improved a lot since NT4. The biggest win is that security templates can be built (with the mmc security template editor) and then deployed with Active Directory. (Templates can also be applied on a per-machine basis with the mmc snap-in if needed.) Another is the CIS consensus benchmark templates that allow most security folks to just use those templates with little, if any, tweaking of the individual settings. Those templates are available at the CIS web site, but pay careful attention to their guidance that the template first be tested on a nonoperational computer or one that's fully backed up.

 

Score= 3.13 I looked at some of problems and they realy were not important

 

Tourangh, I'm a bit that way inclined, also.
I've a single user, standalone home PC and tend to agree with you.

@belarcguy@

Maybe you'd like to comment on what is the average score for a single user, standalone PC, that you have observed. I guess you don't work with single user PC's, but concentrate mainly on business installed machines. Bazza

===

 

We had a template. But, unfortunately, it really restricted the machine to the point of usablity = nil. But, later found out through going over the template it had a flaw. (For us, that is). Though, all this was done on are lab network, not are "live" network.

Anyway, MS server products have changed greatly. Looking forward to Longhorn.

 

Hi Bazza,

There's no average that can be "acheived" with the CIS benchmarks. Everyone can get a 10, especially with the Legacy benchmark that you get for free with the Advisor. (There are also Enterprise and Specialized High Security benchmarks that are typically used in businesses) The only reason to not get a 10 is if a specific setting is inappropriate for the way you use your computer. One example of that is the two or three settings that disable the IIS web server. If you want to run a web server from your computer then you won't get a 10 on the benchmark. That's due to the extra vulnerability of having IIS running.

All of the settings in the Legacy benchmark are designed by the CIS to not interfere even with "legacy" applications, meaning those that aren't written to Windows 2000 standards. My experience is that applying the CIS legacy template to a typical desktop computer has no impact on usability, but as I said before you need to test it to see if you've got an application that has special needs.

 

Hi theefool,

Ha! Sounds like it was a milnet computer. I've heard that they used to try to lock some of those down pretty tight (probably c2 level).

 

Or use apache or coldfusion as a web server. Then again, either of these could have issues with a secure machine.

 

There's a separate application-level benchmark, for configuring apache, from the CIS.

 

When did belarc start? As a company? Does it do other security ratings, besides apache?

 

5.0

But some of the readings are false. Such as "Message Title for Users Attempting to Log On" which my networked work computer does have set up with a legal message.

It is thru Novel. And Novell is set up to take care of a lot of things that Belarc isn't seeing.

 

Hi Cipher,

In the Belarc Advisor, the settings check for message, and message title only require that there be something specified. In our BelSecure product, the "approved" message and title for the organization are configured on the server and each client then checks that those are set correctly on the local system.

Is "a lot of things that Belarc isn't seeing" your preferred security setting beyond what the CIS legacy benchmark checks?

 

Hi theefool,

You can read a bit more about our BelSecure product at

http://www.belarc.com/belsecure.html​

Belarc started in the mid 1990s.

 

Thanks, BelarcGuy for your info. I should try to get to 5.0 at least. Bazza

===

 

Group policy is set thru Novell, not Microsoft.