Network and Internet Problems: Fixing Wired and Wireless Networking and Problems – Page 2


USEFUL WIRELESS NETWORKING WEBPAGES

The following pages on Microsoft's site are useful if you're having problems with a wireless network:

The Cable Guy - Windows XP Wireless Auto Configuration - http://www.microsoft.com/technet/community/columns/cableguy/cg1102.mspx

The Cable Guy - June 2004 - The New Wireless Network Setup Wizard in Windows XP Service Pack 2 -

http://www.microsoft.com/technet/community/columns/cableguy/cg0604.mspx

Windows Wi-Fi Web site - http://www.microsoft.com/windows2000/technologies/communications/wifi/default.asp

Excellent, network tweaking tools

The Broadbandreports.com site provides an excellent, free, connection-tweaking tool called DrTCP. Using it, their online tweak tester, and the information in their online forums, you can adjust the internal Windows settings to fit an ADSL connection optimally. After a computer is set to receive data with exactly the same settings that a particular ADSL Internet Service Provider (ISP) is using to send it, the connection speed should see a marked improvement if it wasn't optimally set up in the first place. -

http://www.broadbandreports.com/tools

The impressive tools called TCP/IP Analyzer and TCP/IP Optimizer are available free from http://www.speedguide.net/.

10 great free downloads for your network -

"Got a small network, home network, medium-size network -- even an enterprise network -- and want to get the most out of it? Then I've got good news for you: 10 free pieces of software that can make your network easier to use, troubleshoot and maintain. These freebies will help everyone from networking pros to networking newbies and everyone in between." - http://www.computerworld.com/action/article.do?...

NETWORK AND INTERNET PROBLEMS - Page 2


1. - What is the best way to install a wireless home network?

2. - How can a wireless network be made secure?

3. - Infected with password-stealing software: How can a computer be made secure against other such ActiveX vulnerabilities?

4. - Why is my @~#* ADSL modem NOT always on? AND Is it a security risk for a PC to have an ADSL connection always on?

5. - What do I need in a laptop/notebook computer to be able to have a wireless connection to the Internet?

6. - DHCP fails when connecting with a wireless adapter

7. - Sharing a broadband Internet connection: I tried using ICS and then a router and still can't make it work

8. - Is a second DSL connection possible on the same line?

9. - Worm infection: A "Remote Call Procedure" (RCP) error keeps Windows XP shut down

10. - A security alert prevents access to sites on the Internet AND Why can't I access secure websites?

11. - Why can't my wireless network work all over my house?

12. - Two dial-up disconnection problems: Dial-up modem disconnects intermittently AND Dial-up connection gets dropped after a few minutes online

13. - A modem with a V.92 Intel chipset runs slowly

14. - Addressing the "A website has hijacked Internet Explorer's Home page setting" issue - AND other infections

15. - Two problems: Dial-up modem won't hang up in Windows XP, PLUS "You have just ignored an incoming call" message comes up when the modem disconnects

16. - Various problems with Outlook Express

17. - I don't want to use Internet Explorer but I can't get rid of it

18. - Proxy server problem: The 127.0.0.1 localhost address keeps coming up and blocking the download of an update from a particular site

19. - Is there any way of using two PCs with one monitor, keyboard, and mouse without using a KVM switch? - Using Remote Desktop in Windows XP Professional

20. - How can I remove the Apropos virus/spyware from my PC?

21. - How can I limit the bandwidth used by a computer sharing a wired Internet connection?

22. - A problem with the Norton Personal Firewall of the Norton Internet Security suite

23. - SMART enabled in the BIOS can cause reboots or crashes on a networked computer

24. - Problems with the Norton Internet Security suite




What is the best way to install a wireless home network?

The problem and questions

You have a four-bedroomed house. Three of the bedrooms are upstairs. You use one of them as a study, and you have a desktop computer in there that uses an ADSL broadband Internet connection via a wired router. It is networked by cable to a computer in one of the other upstairs bedrooms that shares the Internet connection. You want to install a wireless network connection in the computer in the bedroom downstairs, set up so that a laptop can be used to connect to the network from anywhere in the house. From reading up on the subject, you have identified several potential problems that you would like clarified. Would the speed of the wireless part of the network be significantly slower than the wired network? Would the use of mobile phones cause serious interference to the wireless network? Would there be interference from the microwave oven in the kitchen? And, finally, some articles you've read state that if the antenna of the wireless adapter is not in the line of sight of the wireless Access Point, the performance is reduced to an unacceptable level.

Answers

Note that if you don't use a broadband connection, you can network two or more computers together as an Ad Hoc network by using only PCI network cards or USB adapters in the computers and use the software called Internet Connection Sharing (ICS) that is built into Windows 98, Me, and XP, but not into Windows 95. The network cards/adapters don't require an Access Point (AP) in order to communicate with one another. However, you should use a router that has built in security options that protect the network from being hacked into or accidentally logged on to by neighbours that are using wireless equipment.

For more information on security read How can a wireless network be made secure? on this page.

The microwave frequencies used in wireless networking - the 2.4GHz and 5.0GHz bands - can travel for miles if they have clear line of sight, but they are bounced off buildings. The signal can pass through walls, but doesn't pass with the same strength through all of the different types of wall. Wood-framed plasterboard walls are easier to pass through than solid brick or walls containing metal reinforcements. The signal will also be reflected by objects, particularly from metal surfaces such as filing cabinets. These reflections could help the signal reach other parts of the building, but could cause problems if the receiving equipment is plagued with multiple reflected signals.

802.11a wireless networks (used in the US not Europe) operate using the 5.0GHz band. The disadvantage of using this band (only in the USA where it does not conflict with reserved usage) is brought about by its reduced wavelength, which is less than half that of the 2.4GHz band used by 802.11b equipment. This means that walls and other obstacles are much more of a problem for 802.11a devices, because they appear twice as thick to the shorter waves of the 5GHz frequency. (The higher the frequency, the shorter the wavelength.) Therefore 5GHz equipment will be far more adversely affected by obstacles and distance than equipment that uses the 2.4GHz band. This is the main reason for thinking that equipment using the 2.4GHz band will remain the more popular of the two types of equipment, even though the 5GHz band is much more free of interference and has many more channels than the 2.4GHz band. The latest available standard is called 802.11g. It uses the 2.4GHz band, and is compatible with the original 802.11b standard, which means it has a more promising future.

The 2.4GHz band is also used by microwave ovens and the cordless phones that connect to an ordinary phone line. However, mobile phones use different frequencies, which, in theory, could still cause interference with a wireless network, but mobile phones are unlikely to present much of a problem.

802.11g isn't perfect; interference in the home can sharply degrade performance. Hence the move to 802.11n, which hasn't been approved as a standard yet, but is supposed to address the interference problems, provide backward compatibility with 802.11g, and become the new, "perfect" standard. Unfortunately, we probably won't see much of 802.11n until 2006/2007. Read the information on the Networking3.htm page of this site for the latest information on the 802.11n wireless standard.

Some routers have a turbo mode that is supposed to improve wireless data transfers, but using it can be problematic, because the turbo mode only works with network adapters made by the same manufacturer that supports that mode. In other words, if you have a laptop PC that uses Intel Centrino Mobile Technology and you have a Linksys router that supports turbo mode, you will have to buy a Linksys wireless adapter PC card for the laptop instead of using the laptop's built-in wireless adapter.

That said, you shouldn't have any difficulty obtaining an adequate signal anywhere in a house of average size - if you don't have a lot of metal in the walls, which could be the cause of multiple reflections.

To obtain the strongest signal throughout the house, place the wireless Access Point unit in a central location that is clear of large metal objects such as major appliances and radiators. Placing the wireless Access Point in the attic usually gives a strong signal throughout the house, but that position would be a hassle if the equipment needs to be reset.

You shouldn't pay any attention to the speed of the equipment quoted in its literature. At best, when the computer with the wireless network adapter has a clear line of sight to the Access Point, you'll only be able to achieve about half the claimed speed of connection. In the most remote areas of the house the connection speed will drop to between 1Mbit/s and 500Kbit/s, which is very slow compared to the speed of a wired Ethernet connection, but it should be more than adequate for an Internet connection, because most broadband connections only operate at about 500Kbit/s or less.

You should keep your wired network, and add the wireless elements as you planned. Wired connections are always going to be quicker and more reliable. Remember that the available bandwidth for the wireless connection is shared among all of the wireless devices, so it is best to use a wireless connection only for places that are difficult to reach by cable, such as to the downstairs bedroom.

If you live in the US, in order to avoid the interference of the 2.4GHz band used by 802.11b and 802.11g equipment, you can use 802.11a equipment, which uses the 5.0GHz band. In the UK, you should buy 802.11g equipment, because 802.11a equipment isn't allowed to use the reserved 5.0GHz band, and 802.11g is the latest and fastest available. Linksys, 3Com, US Robotics, and Netgear wireless equipment is probably the best you can get.

You just have to install a wireless 802.11g adapter in each desktop computer, and obtain a wireless 802.11g PCMCIA network card for the laptop if it doesn't already have an inbuilt network card, and buy a wireless 802.11g Access Point. Almost every wireless 802.11g router (that you can use to share an Internet connection with the desktop and laptop computers) has three or four Ethernet ports that can be connected by cable to desktop computers. Alternatively, you can obtain a basic wireless 802.11g Access Point that can be plugged into your existing router. Just remember that to avoid compliance problems it's always best to buy the equipment made by the same manufacturer.

Once the equipment is set up and installed, the easy configuration is mostly an automatic process. Just follow the instructions that come with the wireless Access Point or wireless router.


How can a wireless network be made secure?

Question

I have a wireless Linksys router. I want to know how to configure its setup to make it secure from my neighbours (US: neighbors) and hackers.

Answer

A wireless router broadcasts a signal that can be picked up by a scanner or another suitably equipped computer that is within its range. Spammers can make use of unsecured networks to send spam all over the Internet from your network, and hackers can infiltrate and make use of hundreds of unsecured computers to launch Denial of Service attacks on websites. Therefore, it's crucial that the proper measures are taken to prevent unauthorised access to the network and/or Internet connection even if you don't have any data worth protecting yourself.

The only totally secure system is one that is not plugged in, or is turned off completely all of the time, neither of which is a realistic option for a network or an Internet connection. By its very nature, even with the best security measures employed, wireless networking is still an insecure means of transferring information. A determined and able hacker could find a way into your home network, even if gaining entrance has to involve going as far as breaking into your home to search for documents containing passwords, etc.

Complete security from hackers is nearly impossible, but the vast majority of wireless routers and wireless Access Points (WAPs) are set up with no security measures implemented at all. I have come across situations, both residential and commercial, where a wireless Access Point has been left wide open to any outside user who happens to be within its range. The main reason for this is that the person who set up the router or Access Point has ignorantly left the settings at the factory defaults.

Here are the security precautions listed in the user manual for a Linksys router:

"The following is a complete list of security precautions to take (at least steps 1 through 5 should be followed): 1. Change the default SSID. 2. Disable SSID Broadcast. 3. Change the default password for the Administrator account. 4. Enable MAC Address Filtering. 5. Change the SSID periodically. 6. Use the highest encryption algorithm possible. Use WPA or WPA2 if it is available. Please note that this may reduce your network performance. [There is more information on WEP, WPA, and WPA2 encryption in this Q&A.] 7. Change the WEP encryption keys periodically."

It is not advisable to use WEP encryption. Read the following articles to find out why that is the case:

[WEP] Wi-fi security system is 'broken' - http://news.bbc.co.uk/1/hi/technology/7052223.stm

"Don't use WEP for Wi-Fi security" researchers say - German researchers got into a 'protected' network in 60 seconds -

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015559&intsrc=hm_list

Tutorial: How to set up WPA2 on your wireless network - "It's worth the extra steps to keep your communications secure." -

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=15&articleId=9002706

The router's or wireless Access Point's user manual provides all of the information you need in order to be able to enable or disable any of the settings.

WPA stands for Wi-Fi (WiFi) Protected Access, and SSID stands for Service Set Identifier (a changeable password).

Episode 1 - Wireless router security [WEP and WPA and WPA-PSK] -

Shows you how to set up the security options in a wireless router.

http://www.veoh.com/videos/v228005fD2HxAkq&source=embedVideo

Visiting someone who was having problems with a wireless network, I discovered that there were several other wireless networks in the vicinity that were completely open to access by his computer from within his house. Every one of the Access Points was left at the default name or SSID, the default channel (6), and the default security level (NONE). Believe it or not, many of these networks were installed and configured by the technicians of major broadband Internet Service Providers.

The first step in making a wireless router secure is to change the SSID from linksys (the default for a Linksys router) to something else. Use a combination of numbers and letters (capital and lower case) to make it more difficult to guess or crack with password cracking tools. Definitely don't use your last name, because that would make it easy to guess and would tell an unscrupulous neighbour exactly whose network he has successfully broken into. Most people use something like their child's name or pet's name. Don't do that! The most effective passwords are long and composed of alphanumeric characters (both letters and numbers). Some routers are even case sensitive, so a capital "P" or lowercase "p" would make a telling difference to its crackability.

There are ways to create a clever password that you can remember. For example, by using the first letters (capital letters and lower case letters) in each of the words and the number in full in these two sentences - "I was born in Plymouth. My son is 25 years of age" - you get the password IwbiPMsi25yoa, which is made up of lower case and capital letters and contains a number, making it impossible to guess. It doesn't appear in a dictionary so software that uses the words in a dictionary to gain access won't be able to crack it. The more imaginative the sentences you use are, the more uncrackable the password they create is. "The screwy British parliament contains 650 mostly useless MPs," gives the excellent password TsBpc650muMPs.

To secure a wireless network, you should use suitable passwords for the router/wireless Access Point and for the computers on the network, which should be running Windows XP, Windows 2000, or Windows NT, all of which are based on the same basic architecture, for the best levels of security. You can also use password techniques when creating secure keys for Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) encryption.

Encryption levels vary among the router manufacturers. Most WEP-enabled routers support encryption levels of 40-bit to 128-bit. However, some routers, such as those made by D-Link, can support 256-bit encryption. For maximum protection, you should always be using the highest encryption level that your router supports. Remember, the higher the encryption level and the more complex the SSID is, the longer it's going to take a hacker to crack it.

Change the administrator password, and turn off the SSID broadcast option, which means that the router will no longer be screaming, "Here I am, and this is my name!" Even though a site-survey program would be able to pick up the presence of a wireless network, the name of the network can't be identified, making it much more difficult for intruders to gain access to files on that network.

Note that you must use an encryption method that is supported by all of the wireless equipment on the network. For example, if all of the computers (desktops and laptops) support WPA encryption, but you need to connect to a PDA (Personal Digital Assistant) that can only make use of 64-bit WEP encryption, you have to use 64-bit WEP encryption for the whole network.

Some routers allow you to type in a word or a phrase for the WEP/WPA encryption key, which they use to create a key that they encrypt, but other routers require you to enter a series of hexadecimal digits, which is the base 16 number system that uses the first ten decimal numbers from 0 to 9 (the base 10 number system), plus the letters A,B,C,D,E, and F for the other six numbers from 11 to 16. An example is 0A DB 4C. 0A is 11 in the hexadecimal number system, because 0 is zero, and A is worth 11. 0F is worth 16, etc. DB is worth 14 + 12 = 26. Therefore, to generate the key you can only make use of the digits 0 to 9 and the letters A to F.

A 128-bit encryption requires a 26-digit key, which can be tedious to create, so there are sites that can generate a key for you, such as:

WEP Key Generator - http://www.andrewscompanies.com/tools/wep.asp

There is also a password generator on the site here:

Secure Password Generator - http://www.andrewscompanies.com/tools/passwords.asp

Of the wireless equipment manufacturers, Buffalo has done the best job of simplifying the encryption process with its AOSS system. The current Buffalo routers and wireless equipment that supports it have an AOSS button. You just have to have the wireless equipment set up on the computers in the network and then press the AOSS button on each bit of equipment that has it, and the device transfers all of the settings across the network automatically.

Adding a new computer to a network when it is not broadcasting its SSID

Note that when the SSID is hidden, you have to follow a procedure that is a little more complicated in order to connect a new computer to the network. It has to be configured manually. To do that, follow this procedure:

1. - With Windows up and running on the new computer, right-click with the mouse on the wireless network icon in the System Tray (Windows Notification Area), usually in the bottom right corner of the screen. Click on the View Available Wireless Networks option.

2. - A window opens that displays the names of any wireless networks in the area that are broadcasting their SSIDs. Just double-click on its name to connect to a listed network. Your network won't be listed because it isn't broadcasting its SSID.

3. - You have to tell Windows what the SSID is. You set it via the router's/Access Point's setup routine, so you can enter it if you need to find out what the SSID is. To tell Windows what the SSID is, click on Change advanced settings, click on Advanced and enter the network's SSID and the encryption settings. Click on OK to return to the desktop.

4. - Right-click on the wireless network icon in the System Tray again, but this time click on the Repair option. Windows will then disable and re-enable the wireless network card on the new computer. It will then locate the wireless network you have instructed it to use.

How you can find out which network users are connected to a computer on a wireless network

If you think the connection may be hacked into on your side of the Wireless Access Point (WAP) or a router that contains one, you can find out who, if anyone, is logged into an XP computer by pressing Ctrl-Alt-Del to bring up Task Manager. Select the Users tab. Note that most connection-sharing software also provides you with some means of seeing who is connecting through it.

Note that the Users tab is displayed only if the computer has Fast User Switching enabled, and is a member of a workgroup, or is a standalone computer. The Users tab is unavailable on computers that are members of a network domain.

Here is another way to show who is connected to the computer: 1. Right click on the My Computer icon on your desktop. 2. Select Manage. 3. From the left hand navigation, expand System Tools and Shared Folders. 4. Click the Sessions folder icon. This shows the network users who are connected to the computer.

Every authorized user of a wireless connection should have a unique user name and password that should be a mixture of alphanumeric (letters of the alphabet and numbers) and punctuation characters, chosen as randomly as possible, that is at least six characters long. A wireless Access Point's administrator's account (a router has one) is especially sensitive and should have a particularly strong password in order that a hacker can't guess his way into that account and take over the entire wireless connection. The following article has some good advice:

Langa Letter: How To Build Better Passwords: http://www.informationweek.com/story/showArticle.jhtml?articleID=164303537

As a security tool, WEP, or Wired Equivalent Privacy, is much maligned, but it does create another barrier to overcome, which helps to diminish the chances of being innocently hacked into by someone driving past your house, or someone deliberately on the lookout for an insecure network and Internet connection to make use of anonymously.

Look at the Wireless Security section of the router's setup screens (which its user manual shows you how to access) and turn on the WEP option. If all of the wireless components are from the same manufacturer, use the highest possible setting, which is probably 128-bit encryption. If the equipment is made by several manufacturers, a lower setting, such as 64-bit encryption, may have to be used in order for the devices to be able to communicate with each other. Use the more secure WPA encryption if it's available.

WPA2 support - in Windows and in your wireless equipment

Note that WPA2 encryption is now supported by some routers. If a router supports the latest WPA2 encryption, you have to download the WPA2/WPSIE update for Windows XP SP2. -

The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available - http://support.microsoft.com/?id=893357.

Tutorial: How to set up WPA2 on your wireless network - "It's worth the extra steps to keep your communications secure." -

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=15&articleId=9002706

Because it offers much better wireless support, your gateway machine should be running Windows XP SP2 if you have a wireless network connected to the web via a router.

Unfortunately, even with a fast broadband connection you may experience noticeable network and Internet performance degradation. Some website servers may time out before they finish loading pages. Network file sharing also slows down.

The security mechanics of WPA are substantially different from WEP. In WEP, the same static encryption key is used all the time, but the encryption process used by WPA, called Temporal Key Integrity Protocol (TKIP), addresses all of WEP's known vulnerabilities. It uses the original master key merely as a starting point, and derives its encryption keys mathematically from this master key, and then regularly changes and rotates the encryption keys so that the same encryption key is never used twice. This all happens automatically in the background. However, it takes time to implement and therefore slows the connection down compared to how fast the connection would be if it wasn't being used. But, apart from that downside, WPA is a far stronger security solution than WEP. While no security mechanism can be considered absolutely secure, the protection provided by WPA is strong enough to prevent most hacker attacks — even the most sophisticated ones that require the hacker to have a high level of networking knowledge.
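The following Python sketch is an added example, not part of the original article or of any router's firmware. It shows the step that comes before the key rotation described above when WPA or WPA2 is used with a typed-in passphrase (WPA-PSK): the 256-bit master key is computed from the passphrase and the SSID with PBKDF2-HMAC-SHA1, so the SSID acts as the salt. The function names, the `review_settings` checks and the sample SSID `Attic-AP-7` are assumptions made for the illustration.

```python
import hashlib

# "linksys" is the factory default named in the article; add your own
# router's default SSID here (this set is an assumption of the example).
FACTORY_DEFAULT_SSIDS = {"linksys"}


def derive_pmk(passphrase, ssid):
    """Derive the 256-bit WPA/WPA2 pre-shared master key from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("a WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("an SSID must be 1 to 32 bytes long")
    # PBKDF2 with HMAC-SHA1, 4096 iterations, 32-byte output; the SSID is the salt.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def review_settings(passphrase, ssid):
    """Return a list of findings based on the precautions the article lists."""
    findings = []
    if ssid.lower() in FACTORY_DEFAULT_SSIDS:
        findings.append("SSID is a factory default")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("passphrase contains the SSID")
    if not any(ch.isdigit() for ch in passphrase):
        findings.append("passphrase has no digits")
    if not (any(ch.islower() for ch in passphrase)
            and any(ch.isupper() for ch in passphrase)):
        findings.append("passphrase does not mix upper and lower case")
    return findings


if __name__ == "__main__":
    # The passphrase is the mnemonic example from the article; the second
    # SSID is constructed for the demonstration.
    for ssid in ("linksys", "Attic-AP-7"):
        key = derive_pmk("IwbiPMsi25yoa", ssid)
        print(f"{ssid:12} {key.hex()}  {review_settings('IwbiPMsi25yoa', ssid)}")
```

The same passphrase produces an unrelated master key under each SSID, which is one practical reason the "change the default SSID" precaution matters alongside a long passphrase.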

Finally, MAC Address Filtering can be added, which only allows networked computers that have been cleared via their Media Access Control (MAC) address (a unique identifier for each network card) to connect to the router. MAC filtering is a process in which the MAC address of every network adapter in use on a network is entered on its router's Access Control List (ACL). By enabling it, the router is instructed not to let any network adapter gain access to the network if it has not previously been given authorization.

MAC Address Filtering is found on most firewall routers. This is also not a completely secure option, but it adds yet another barrier, which requires a hacker to have a fairly high level of knowledge in order to be able to get round it by spoofing the address (MAC address spoofing). However, using it will no doubt prevent your average neighborhood broadband freeloader from logging on to your network.

MAC address spoofing is far too involved a subject to go into here. It might be more accurately described as MAC address impersonating or masquerading. To find some of the plentiful information about it on the web just enter the term enclosed in double quotation marks in the Google search box provided at the top of this page. A good article on the subject in the PDF format can be found by entering this search term, as is, in that Google search box: "detecting wireless lan mac address spoofing" + "joshua wright".

After you've enabled MAC Address Filtering, as an extra precaution, you should find out what all of the MAC addresses on the network are and list them in order to be able to check if an intruder's computer has added its MAC Address to the network.

Begin by listing all of the MAC addresses on your network. A MAC address is a unique identifier stored in the firmware of every network adapter, including wired network interface cards (NICs), wireless network cards, and the network circuitry built into some motherboards. No two network adapters have the same MAC address. 00-11-09-14-43-6E is an example of a MAC address. Some computers may have two MAC addresses - one for an RJ-45 Ethernet network card and one for a wireless network card. An easy way to make a list of your MAC addresses is to make use of the logging features in the control software of your firewall router called the Access Control List (ACL).

Turn on all the computers on your network and enable all of their network adapters. Your firewall router, if it's being used to assign IP addresses dynamically, should provide a list of all the computers on your network and display the MAC addresses of each of them. Double check that the MAC addresses listed correspond with the MAC addresses of your actual hardware. Many mobile network devices have their MAC addresses on the bottom of the case. Look under its Network heading and open Windows Network. The Hardware Address is the MAC address. Note that if a computer contains two network adapters, a utility that provides information on the hardware installed on a system may only show the MAC address of the one that is active. If the number of computers on your network is constant, it's a good idea to make sure that the DHCP IP Address assignment feature of the router can't assign any more IP addresses than those already on your network. Another option is to use static IP addresses, although that isn't a suitable option for networks where new computers can log in, even if only occasionally. Another good idea is to lengthen the "lease time" on your IP address assignment to a week in the beginning so that you have a longer-lasting record of any unauthorized MAC addresses. Then you can change that to three days or less.

Note that this security measure requires constant monitoring. You need to check the DHCP area of your router's control software at least three times a week to find out if unauthorized MAC addresses have been assigned IP addresses. If you discover unauthorized access, you have to block those MAC addresses from accessing your network. Thereafter, any broadband-stealing neighbours and drive-by opportunists with notebook computers will have to use different network hardware in order to be able to attempt to log on to your network.
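The regular check described above can be done by comparing the router's DHCP client list against your own inventory of MAC addresses. The following is an added example, not part of the original article: the table layout, the device names and every MAC address except the article's own 00-11-09-14-43-6E are constructed, and it assumes that you paste the client list from your router's status page as text.

```python
import re

# Constructed inventory: MAC addresses read off your own hardware.
KNOWN_DEVICES = {
    "00-11-09-14-43-6E": "desktop, wired NIC (the article's example MAC)",
    "00:0F:B5:AA:10:22": "laptop, wireless adapter (constructed)",
    "00-0C-41-7D-90-3B": "print server (constructed)",
}

# Constructed DHCP client table, as it might be copied from a router's status page.
SAMPLE_DHCP_TABLE = """\
IP Address      MAC Address         Host Name
192.168.0.2     00:11:09:14:43:6e   DESKTOP
192.168.0.3     000f.b5aa.1022      LAPTOP
192.168.0.4     00-13-CE-5B-77-01   unknown-pc
192.168.0.5     02:1A:2B:3C:4D:5E
"""

# Accept only the usual written forms, so a dotted IP address is never mistaken for a MAC.
_MAC_RE = re.compile(
    r"[0-9A-F]{2}([-:])(?:[0-9A-F]{2}\1){4}[0-9A-F]{2}"   # 00-11-.. or 00:11:..
    r"|[0-9A-F]{4}\.[0-9A-F]{4}\.[0-9A-F]{4}"             # 0011.0914.436e
    r"|[0-9A-F]{12}",                                      # 00110914436E
    re.IGNORECASE,
)
_IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def normalize_mac(text):
    """Return the MAC in upper-case AA-BB-CC-DD-EE-FF form, or None if it is not a MAC."""
    if not _MAC_RE.fullmatch(text):
        return None
    digits = re.sub(r"[-:.]", "", text).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set: the address was assigned in
    software rather than burned into the adapter by its manufacturer."""
    return bool(int(mac[:2], 16) & 0x02)


def audit_dhcp_table(table_text, known_devices):
    """Return (unknown clients found in the table, known devices not seen)."""
    known = {}
    for raw, label in known_devices.items():
        mac = normalize_mac(raw)
        if mac is None:
            raise ValueError("inventory entry is not a MAC address: %r" % raw)
        known[mac] = label

    seen, unknown = set(), []
    for line in table_text.splitlines():
        tokens = line.split()
        mac = next((m for m in map(normalize_mac, tokens) if m), None)
        if mac is None:
            continue  # header or blank line
        ip = next((t for t in tokens if _IP_RE.fullmatch(t)), "?")
        seen.add(mac)
        if mac not in known:
            unknown.append({
                "mac": mac,
                "ip": ip,
                "locally_administered": is_locally_administered(mac),
            })
    missing = sorted(set(known) - seen)
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = audit_dhcp_table(SAMPLE_DHCP_TABLE, KNOWN_DEVICES)
    for entry in unknown:
        note = " (software-assigned address)" if entry["locally_administered"] else ""
        print("UNKNOWN  %s  %s%s" % (entry["mac"], entry["ip"], note))
    for mac in missing:
        print("NOT SEEN %s  %s" % (mac, KNOWN_DEVICES.get(mac, "")))
```

A known device reported as not seen is usually just switched off, which is why the article tells you to turn everything on before you build the list.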

You should never take the security of a wireless network lightly, because if you do, you could be compromised in all kinds of distressing ways, such as having someone make illicit use of your identity, depending, of course, on the data you have on the network and how it has been set up.

There are some good articles and Q&As on wireless-network security on http://www.practicallynetworked.com/.

Beware of phoney laptop hotspots

For those of you who don't know, a hotspot is a place that allows a user equipped with a laptop computer that is itself equipped with a wireless network adapter to log on to the Internet, either as a free or as a paid-for service.

It can be difficult to determine if you have logged on to a genuine hotspot or not. All a con artist has to do is give the wireless connection installed on a laptop a plausible name or SSID (Service Set Identifier), and set it to accept connections on an Ad Hoc basis, which connects computers equipped with wireless adapters directly to each other instead of via a wireless access point (a wireless switch). Then, when someone comes along to the bar or pub, etc., who is under the impression that it offers a hotspot to its customers, that person's wireless-equipped laptop will identify all of the open networks in the area. If the person decides to network with the con artist's computer instead of making use of the genuine hotspot, he or she won't be connected to the web. If the genuine hotspot requires users to enter a credit-card number before it allows them to use it, the con artist can create a phoney web page that allows those details to be stolen. If the unsuspecting person is able to make use of websites, such as the sites of banks, etc., they have been cached on the con artist's laptop computer. Any logon or account details that the person enters will also be made known to the thief.

Anyone who makes use of a hotspot is best advised to use it to access public websites only. If you have to access a private account of any kind, you should make sure that the site address starts with https:// instead of just http:// and that the yellow padlock icon, which means that the connection to the site is securely encrypted, appears on the bottom bar of the browser. You should also make sure that your wireless network settings are set so that you have to connect manually instead of automatically to wireless networks or hotspots.

To disable the ability of Windows XP to connect automatically to any available network or hotspot, double-click the wireless network's icon in the System Tray (Notification Area) in the bottom left corner of the screen. In the window that presents itself, click Change the order of preferred networks, and then click the Advanced button that appears under the Wireless Networks tab. Enable the Access point only option and disable the Automatically connect option, and click on Close.

Interesting articles on network security

How to protect your wireless network - http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9037321

Practice 'safe surfing' with public Wi-Fi signals -

"You see them everywhere your Wi-Fi laptop goes: unprotected wireless signals offering "Free Internet Access" or "Free Public Wi-Fi." But connect to them and you'll be disappointed. In a few cases, you may even have your computer hacked. Here's the scoop on how to protect yourself..." -

http://windowssecrets.com/comp/070614#story1

Wi-Finally: wireless security that actually works -

"The security of Wi-Fi has largely been a joke. Wireless vendors have routinely shipped their products with all of their security features turned off, rather than take support calls from end users when things didn't work. Fortunately, the pieces are now in place for you to have safe and secure Wi-Fi networking, wherever you may roam..." - http://windowssecrets.com/comp/050526/#story1


Infected with password-stealing software: How can a computer be made secure against other such ActiveX vulnerabilities?

Problem

My computer running Windows XP was infected with password-stealing software via the security exploitation known as Download.Ject or Scob. I had to restore a master image of the system made before the infection, and change all of my passwords. To avoid having to do that again, I'd therefore like to know how I can make my computer secure from such security violations.

Answer

Many thousands of computers were infected by the Download.Ject exploit in June 2004. Although the computer server that hosted the attack was soon shut down, the computers were infected when their users did nothing more than access well-known websites.

Current websites are no longer just HTML pages that download images to a computer browser, they almost always run program code such as harmless JavaScript code and the potentially dangerous ActiveX code.

Most websites have JavaScript code within their HTML code that runs Google ads, forms, etc. JavaScript is safe because its designers limited the ways in which it can interact with a computer. It cannot read files or write to files on a hard disk drive.

However, as the Internet evolved, interactive sites such as Microsoft Update and online virus scanners had to be able to access files on the computer. Microsoft's ActiveX controls, which are Windows programs that are downloaded from such a site and run automatically, can be programmed to do anything that Windows itself can do, such as erase a hard disk drive. An ActiveX control can be programmed to run as a virus or Trojan that is capable of sending information back to its creator. It can be distributed and activated from a webpage without the computer's user being aware of it. An ActiveX control could scan the system for specific records such as tax records or password files and e-mail them to any e-mail address.

Obviously Microsoft wouldn't unleash something that has such power without building some kind of security feature into it that governs how it can be used. Java (which is a compiled object-orientated computer language, not a script computer language that a web browser runs, such as JavaScript) uses a concept called 'sandboxing', which limits what a Java program is allowed to do on a computer. ActiveX controls use digital certificates that are supposed to identify the control's creator. When a new ActiveX control is downloaded from a website for the first time, a warning message pops up, which most users allow to run by clicking its Yes button without reading the message. It is then incorporated into the system and will run whenever it's called to run without producing another warning message.

Richard Smith has created the following website that explains the problems to do with ActiveX and allows a user to test a system for the security weaknesses that allow rogue ActiveX code to do mischief: http://www.computerbytesman.com/acctroj

The following actions can be taken to improve the security of a system against the misuse of ActiveX controls:

At Microsoft Update, you can choose the latest security updates to install. This one addresses the vulnerability that allows the Download.Ject exploitation of ActiveX: http://support.microsoft.com/?kbid=870669

Windows XP Service Pack 2 (SP2) is now available. It introduces many new security features and updates, so, if you're running Windows XP, you should install it, but make sure that you can restore your system to its previous state, just in case the installation goes awry, or there are bugs in it that don't agree with your particular system.

You should examine the following area of Internet Explorer to check who is registered as a trusted author of ActiveX controls: Tools => Internet Options => Content => Publishers. Most users shouldn't find any entries there. It should be examined because an application can add its author to the list in order to avoid a prompt coming up to warn the user that a new ActiveX control wants to be incorporated into the system.

You can strengthen the security of Outlook Express by opening Tools => Options => Security and enabling the Restricted Sites Zone setting instead of the less secure but more functional Internet zone setting. If you can't use any facility that you used to be able to use, revert to using the Internet zone setting.

It's also a good idea to use an e-mail program, such as the free Mozilla Thunderbird from http://www.mozilla.org/, instead of Outlook Express, which the virus writers and hackers concentrate their endeavours on. If you want to keep using Outlook Express, you should consider setting it to read messages as text instead of as HTML, because HTML code can be used to launch other malicious code. You would do that under its Tools => Options => Read tab, where you would enable the Read all messages in plain text option.

You can disable the use of ActiveX, Scripting, and Java by disabling the relevant settings in Internet Explorer under its Tools => Internet Options => Security => Restricted Sites => Custom Level button, or choose to have a prompt come up every time a restricted site wants to make use of one or more of them. The Spybot Search & Destroy anti-spyware utility places the addresses of many sites in this zone.

All of the zones under the Security tab - Internet, Local intranet, Trusted sites, and Restricted sites - have their own Custom Level settings. You should check the Trusted sites zone from time to time, because the security level is much lower by default for sites that are listed under it. However, each of the zones can have its security level set from Low to High, with the Medium low and Medium settings between them. I would set Restricted sites to High, and the others to Medium low.

The level of security you set creates the balance you want to achieve between the level of security and the inconvenience of having some sites not working properly when accessed, because if the security level is set too high for some sites, you won't be able to access them, or they won't work properly.

If you set the security level to High under the Internet zone, you'll have to add the web address of sites that run ActiveX controls, such as Microsoft Update, to the Trusted Zone, and have its security setting level set to Medium or Medium low, or Low, otherwise the site won't be able to run ActiveX controls, and probably won't function properly as a result.

For an approach that isn't annoying and also maintains an adequate level of security, set the Internet zone's security level to Medium, and then select the Prompt option for the individual settings not already set to use the Disable option for that level of security.

Setting the Active Scripting setting in the Internet zone to Prompt will probably drive you crazy with the number of messages requiring you to click OK to run a script, because JavaScript and VBScript are used on so many sites. Therefore, I would set Active Scripting to Enable under the Internet zone, which has its security setting set to Medium. If you don't run an intranet network (a network that shares an Internet connection), set the security level of the Local intranet zone to High, just in case a malicious script adds its site to that zone.

You can strengthen the security settings for the Local Machine, but there is no way to do it from the Security settings tab of Internet Options. You have to make changes to the Windows Registry. This MS Knowledge Base article tells you how to do it:

http://support.microsoft.com/?kbid=833633

Remember that new security features in the Windows XP SP2 update include improvements to the Windows Firewall, and add a pop-up blocker to Internet Explorer, etc. If you're using Windows 98, you should add a pop-up blocker, or use a browser such as Opera, that has one built into it that can be enabled or disabled. Good pop-up blockers are made available free as part of the Google, MSN, and Yahoo! toolbars.


Why is my @~#* ADSL modem NOT always on?

Problem

By unsuccessfully attempting to access my home computer from work, I've discovered that my D-Link ADSL broadband connection is constantly dropping instead of being on all the time. When I get home and check the modem's status, it's disconnected, and nothing I do has been able to change this state of affairs.

The modem's manual clearly states that if the Idle Time is set to zero it will maintain an always-on connection. But when I phoned D-Link's support, I was told that the manual was wrong and that my modem isn't designed to maintain an always-on connection. I asked if this was also a problem with the latest D-Link 300T ADSL modem. He told me that it was, and that to keep the connection alive I should schedule a ping command to run every few minutes.

I need my connection to be on all the time because I run an e-mail server. I don't understand why I can have this happen out of the box, so to speak, because ADSL broadband is marketed as an always-on connection.

Answer

Unfortunately, always-on simply means that the connection gives the impression of always being on because it turns on almost instantly when the computer activates it on demand. This situation works if the computer only uses an outward connection, but it is problematic for anyone who wants to access the computer from a remote location. D-Link ADSL modems are not alone in this respect. The situation is the same with modems made by Netgear and Linksys, including the provision of erroneous manual information.

"Keep alive" or "stay alive" software simulates human activity on a connection to fool the ISP's monitoring software into thinking that the connection is active. There are paid-for and free programs available.

Keep It Up - $15 - http://www.geocities.com/pbsftwr/Keepitup.html

Free alternatives can be found by entering a search phrase such as keepalive + free + utility in the Google search box at the top of this page, or by clicking this link: http://www.google.com/search?q=stay+keep+alive+connection.

The only other way to keep the connection alive is to schedule a ping command to run at regular intervals. It doesn't matter which website you ping. You can use Notepad to enter the ping command, which can take this form: ping www.computershopper.co.uk. Save the command as a .bat file, such as ping.bat. Then all you have to do is use the Windows Task Scheduler to run the command periodically just before you go online. Don't schedule it to run while offline or it will attempt to access the web every few minutes, depending on the period you set for it to run.

Is it a security risk for a PC to have an ADSL connection always on?

Question

When ADSL became available in my area, I switched from my old slow 56K dial-up to a 1Mbit ADSL connection, which is very much faster. However, I am worried about the security of my PC now that it has an "always on" connection, because it is usually turned on for several hours a day. If the connection is not currently in use, the logon screen is available so that any member of my family can log on. I think that I have good security measures in place, but I'm wondering if the connection is open to the Internet when it's sitting at the logon screen. I know I could turn the firewall's Internet lock on, or switch the modem off, but my family would probably complain about the inconvenience. The PC runs Windows XP Home Edition, the Zone Alarm firewall, AVG Anti-Virus, Spybot S&D, and all the latest security updates etc. but it doesn't have a hardware firewall.

Answer

Here are two security tools that you could add to your system to make it more secure:

Microsoft's Windows Defender - http://microsoft.com/athome/security/spyware/software/default.mspx

Mike Lin's Start-up Monitor informs you if a program or Trojan wants to make itself a start-up program that loads at boot-up. This is a valuable line of defence that is well worth installing. You can obtain the program free of charge. If you find it useful you can give Mike a donation from his site - http://www.mlin.net/.

Security tools, such as many of the major virus scanners, run as "services", and are not just tied to one User account; they load with Windows and therefore provide basic protection even when there is no one logged in. When you log in to a User account, what you see being loaded is the software that allows you to access and modify these services; it is not the services themselves, which are already running. Thus, your PC does have some level of protection even when all of the users are logged off. Moreover, when a PC has all of its users logged off and is just sitting idle, not much can happen to it from a security point of view. For viruses, worms, etc., to be a danger, they have to get into your PC in the first place and then install themselves as start-up programs, or they can't do anything, because they won't be running the next time you start up the PC. With nothing running on your PC to allow malicious files to get in, it's not going to happen, because there is also no e-mail program, such as Outlook Express, running that could deliver them, and no FTP utility (file-transfer program) running to accept or send files, etc.

However, a hacker could still attempt to log on to your PC from a remote site. But if you use good security measures your PC won't allow one to get in. Good security measures are:

1. Log on to the web via a User account, which doesn't allow software to be downloaded and installed by default, instead of via the Administrator account, which does.

2. Make sure that all passwords are very difficult to crack and are changed regularly. See the Security pages on this site for information on creating secure passwords.

3. Open Network Connections in the Control Panel, right-click on the entry for Internet Service Provider (ISP), click on Properties, click on the Networking tab, and make sure the File and Printer Sharing option is not enabled by removing any check mark in its box with your mouse. Do that for each ISP that you use.

4. Disable a feature, such as Remote Assistance, or any other program on the PC that allows it to be connected to from a remote location. To prevent someone from using Remote Assistance to take control of this computer, open System in the Control Panel. On the Remote tab, click Advanced. Clear the check box labelled Allow this computer to be controlled remotely. Reverse the procedure if you want to enable Remote Assistance.

If you want to make absolutely sure that your PC is secure, then block access to it by engaging Zone Alarm's lock, or simply disconnect the ADSL modem from the phone line. Some ADSL and cable modems have a connection switch or toggle on them that allows you to do that without disconnecting the cable. An external hardware firewall, which can be provided by connecting the PC and modem to a router, will add an additional layer of protection. If you use a wireless router and install a wireless adapter in each of them, you can also connect up any other PCs in your home to a network and share an Internet connection, instead of using User accounts in Windows for each member of your family.

Shared Computer Toolkit for Windows XP

If you don't use a router, you should have a look at what this free toolkit from Microsoft has to offer for shared computer users:

"Shared Computer Toolkit for Windows XP - Microsoft created the Shared Computer Toolkit to help make shared computers more reliable and less time-consuming to maintain. Unlike personal computers, shared computers are:

• Used by many different people who generally don't know or trust each other

• Used in public places where personal privacy and security are big concerns

• Subjected to greater wear and tear due to their frequent use and public availability.

"The Shared Computer Toolkit is ideal for computers in schools, public libraries, community technology centers, and Internet cafés. It allows those who manage shared computers in these environments to easily:

• Defend shared computers from unauthorized changes to their hard disks.

• Restrict users from accessing system settings and data.

• Enhance the user experience on shared computers." -

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx


What do I need in a laptop/notebook computer to be able to have a wireless connection to the Internet?

Question

I want to buy a laptop computer that allows me to be able to connect to the web wirelessly or to which a wireless connection can be added. But I am confused by what I have read on the subject. What I've 'understood' so far is that some laptops come with a specification called HSDPA, a faster version of 3G that 3G mobile phones use to access the web. I take it that I don't have to add anything to a laptop with HSDPA. I know that you can insert a data card into a laptop that has the correct slot that provides wireless web access. Is that an HSDPA data card?

I have also noticed from reading the specifications of different laptops that some of them have a PCMCIA adapter card slot, others have an ExpressCard adapter slot, and some laptops have both types of slot. Apparently, the ExpressCard cards are smaller than the PCMCIA cards, so can an ExpressCard adapter fit into the slot for a PCMCIA card, or must you only buy specific cards for specific slots?

Answer

HSDPA stands for High-Speed Downlink Packet Access. It is one of several technologies that are collectively referred to as 3G. Another is called Universal Mobile Telecommunications System (UMTS).

3G - http://en.wikipedia.org/wiki/3G

High-Speed Downlink Packet Access - http://en.wikipedia.org/wiki/HSDPA

Universal Mobile Telecommunications System - http://en.wikipedia.org/wiki/Universal_Mobile_Telecommunications_System

If a particular area is covered by a 3G network, with a 3G mobile phone or a suitably equipped computer, you can access the Internet at broadband speeds. However, you must check the 3G reception in your area, because within a relatively small area, at different points, or at different times of the day, you can have anything from no reception to excellent reception. If the reception is weak, the equipment will probably fall back to using a relatively slow GPRS (General Packet Radio Service) connection, which is about as fast as a dial-up connection.

General Packet Radio Service [GPRS] - http://en.wikipedia.org/wiki/General_Packet_Radio_Service

The mobile phone service provider you intend to use should provide a service on its website that provides reception strengths for 2G and 3G reception on a post/zip-code basis. You enter your post/zip code and a map is delivered showing the reception in that area. In my experience, some areas have a constantly strong 3G reception, while other areas nearby can have variable reception that wavers from strong to weak. There are also areas that don't have any reception, which is why you must check the reception at your post/zip code. T-Mobile's site in the UK provides you with the reception at home and at work.

A 3G data adapter card can be added to almost any notebook that doesn't come with built-in 3G support, but it will make use of an adapter card slot or a USB port.

Most of the HSDPA data cards have an aerial that protrudes from the computer, but some data cards use UMTS, which doesn't use an aerial. An example in the UK is the data card that T-Mobile provides for its Web 'n' Walk service. The data card requires a PCMCIA CardBus card slot in a laptop. Use in a desktop PC using a PCMCIA adapter is not supported because of the variation in reception from even different areas in the same house or building. Another service is provided via a Vodafone 3G Datacard, which also uses a PCMCIA CardBus slot.

Most computers purchased within the last five years have a 32-bit PCMCIA CardBus slot, but new computers often only come with an ExpressCard slot, which is not compatible with the PCMCIA standard. As you said, some laptops have both types of slot. You wouldn't be able to use T-Mobile's or Vodafone's 3G data cards in an ExpressCard slot.

Laptops that have built-in HSDPA will just have a slot for a SIM card. You will have to subscribe to a mobile phone provider that will provide you with a SIM card that you could also use in a mobile phone. In fact, you might find that you have to install the SIM card in a mobile phone to get it registered with the network the first time that you use it.


DHCP fails when connecting with a wireless adapter

Problem

You are running a wireless network, consisting of three desktop computers and a laptop, using Windows XP Pro and a Netgear WGR614 router. The problem involves the TCP/IP addresses assigned by the DHCP [Dynamic Host Configuration Protocol]. When you first installed a wireless adapter in one of the desktop computers, it obtained a DHCP-assigned address automatically. This happy state of affairs exists for a week or two, when, for no apparent reason, the adapter loses its network connection and reconnects with an IP address reserved for private connections that begins with 169.254.x.x - the default alternative address if DHCP address-assignment fails. From then on, there's nothing you can do to make the network adapter obtain a DHCP-assigned address.

Solution

Automatic IP address configuration was introduced so that small peer-to-peer networks could use dynamic IP addressing without a DHCP server having to issue those addresses.

If TCP/IP => Properties (under Network in the Control Panel) is set to "Obtain an IP address automatically" in Windows 98, Me, 2000, and XP, the computer will first attempt to find and use a DHCP server on the network to obtain a dynamically-assigned IP address. If a DHCP service can't be found, Windows assigns an auto-configuration address, which starts with 169.254.x.x - where x stands for a block of three figures that are assigned to the IP address.

However, doing this seldom produces the correct result, because most small networks use IP addresses that are in the range of 192.168.x.x. This means that the computer with an auto-configured IP address won't have one that is in the same range or block of addresses assigned to the other computers, and so direct connections between it and the other computers will fail.

Even if the small network had adapters that were all configured to use auto-configured IP addresses, the initial delay before the IP address was assigned would make booting a computer very slow.

Note that, unlike Windows 2000 and Windows XP, Windows 98 was not designed for wireless networking.

Windows 98 doesn't have a way of detecting if there is a network connection established before it asks for an IP address, and wireless adapters often take some time to search for and establish a wireless connection. When a wireless adapter is first installed, everything seems to go well. The adapter waits for the network connection to be established, and then it looks for an IP address. But when the computer is switched off and started up again, the adapter takes some time to set up the network connection. During this time, it tires of waiting for Windows 98 to look for a DHCP-assigned IP address. To begin with, it may use the previously assigned IP address, provided that its lease is still valid, but, once the lease expires, it defaults to using the auto-configured IP address. After that happens, in practice, it never looks for a DHCP server if one becomes available, even though the documentation claims that it will do so.

Therefore, for Windows 98, you should disable the auto-configuration IP address feature. You can do this by entering regedit in the Start => Run box. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE => System => CurrentControlSet => Services => VXD => DHCP. In the right-hand window, click IPAutoconfigurationEnabled, and set its value to zero. If there is no entry for IPAutoconfigurationEnabled, right-click in the right hand window, and select New => Dword Value, then enter IPAutoconfigurationEnabled, and set its value to zero.

For Windows 2000 or Windows XP, this value has to be inserted under HKEY_LOCAL_MACHINE => System => CurrentControlSet => Services => tcpip => Parameters even though it's not usually a problem with those versions of Windows, because they don't start up asking for an IP address until the hardware indicates that there's a network connection.

DHCP should then work properly.
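To confirm which adapter has fallen back to an auto-configured address, you can check the addresses that ipconfig /all reports against the router's address range. The following is an added example, not part of the original article: the sample output is constructed (modelled on Windows XP's ipconfig /all), and the 192.168.0.0/24 LAN range is an assumption that you should replace with your own router's range.

```python
import ipaddress
import re

# Constructed sample, modelled on Windows XP "ipconfig /all" output.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-11-09-14-43-6E
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : 802.11g Wireless PCI Adapter
        Physical Address. . . . . . . . . : 00-0F-B5-AA-10-22
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.23.118
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        Media State . . . . . . . . . . . : Media disconnected
"""

_HEADER_RE = re.compile(r"^\S.*\badapter (.+):\s*$")      # "Ethernet adapter <name>:"
_FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")        # "Label . . . : value"


def parse_ipconfig(text):
    """Return {adapter name: {field label: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = _HEADER_RE.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
            continue
        field = _FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return adapters


def diagnose(adapters, lan="192.168.0.0/24"):
    """Classify each adapter's address as (status, address).

    ok          address lies inside the router's LAN range
    apipa       169.254.x.x auto-configured address: no DHCP server answered
    off-subnet  some other address that cannot talk directly to the LAN
    no-address  media disconnected, or address still 0.0.0.0
    """
    network = ipaddress.ip_network(lan)
    report = {}
    for name, fields in adapters.items():
        raw = fields.get("Autoconfiguration IP Address") or fields.get("IP Address")
        if not raw:
            report[name] = ("no-address", None)
            continue
        ip = ipaddress.ip_address(raw)
        if ip.is_unspecified:
            report[name] = ("no-address", None)
        elif ip.is_link_local:          # the whole 169.254.0.0/16 block
            report[name] = ("apipa", str(ip))
        elif ip in network:
            report[name] = ("ok", str(ip))
        else:
            report[name] = ("off-subnet", str(ip))
    return report


if __name__ == "__main__":
    for name, (status, ip) in diagnose(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print("%-32s %-11s %s" % (name, status, ip or "-"))
```

An adapter reported as apipa is the one to release and renew once the wireless link is up.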

How to force a computer to obtain a new IP address

If things go wrong with a LAN (or Internet connection), you sometimes have to force a computer to obtain a new IP address.

In Windows 9.x, you can use a tool called Winipcfg. Enter winipcfg in the Start => Run box. Then select the Ethernet, wireless, or dial-up adapter from the list, and click Release, followed by Renew.

If you have a laptop connected to a network using Windows 98, you'll be aware that Windows often remembers the dynamic IP address that was assigned to it during the previous session. This address probably won't work if you connect the laptop to a different network, so you can use Winipcfg to release and renew it.

Windows 2000 and Windows XP don't have the Winipcfg tool. Instead, to do the same, enter cmd in the Start => Run box to bring up a command line prompt, and enter the text command ipconfig /release followed by ipconfig /renew.

For your information, a tool similar to Winipcfg called Wntipcfg works with Windows 2000 and Windows XP. It is included in the Windows 2000 Resource Kit, and it can be downloaded from:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/wntipcfg-o.asp.

You can use it to release and renew IP addresses in Windows XP instead of using the commands ipconfig /release and ipconfig /renew at the command-line that you bring up by entering cmd in the Start => Run box.


Sharing a broadband Internet connection: I tried using ICS and then a router and still can't make it work

Problem

My Internet desktop computer uses a cable modem. I discovered that Windows has Internet Connection Sharing (ICS) software that allows an Internet connection to be shared, so I tried networking the computer with a laptop, both of which are running Windows XP Professional. The desktop computer is the host machine. But I couldn't get ICS to work, so I took some advice and purchased a router. I connected the router to the network according to the instructions. The cable modem is connected to the router's WAN port, and the computers to two of the router's LAN ports.

I tried running Microsoft's Network Setup Wizard. But when I did this, an error message came up saying, "Cannot complete the Network setup wizard: Other computers cannot connect to the Internet through this computer." I double-checked the connections and everything looked all right.

Answer

I take it that when you tried using ICS that the desktop computer being used as the host machine was equipped with two network cards, with one of them being used for the cable modem and the other for networking the laptop to the host machine. After you obtained the broadband router, you didn't need the host computer to have the network cards or use ICS to share an Internet connection. I also take it that you have provided both computers with the same Workgroup name, and that each of them has a unique Computer name.

Go to Troubleshooting a wireless network consisting of a notebook and a desktop computer on Page 1 if you need to know how to enter those names in Windows 95, 98, Me, and XP.

It looks as if the host machine is still running Internet Connection Sharing. Having ICS installed and running is undoubtedly the cause of the problem, so you have to disable it. To do this, open the Control Panel and select Network Connections, right-click on the network adapter, click Properties, click the Advanced tab, and uncheck the Internet Connection Sharing option.

With ICS disabled, you must now verify the router settings and configure the two computers to obtain IP addresses automatically.

If you haven't done so already, you need to configure the router to work with your Internet connection. This is usually done by using a web browser, such as Internet Explorer, to run the router's web-based setup program. The log-on information is provided in the router's user manual. Enter the provided IP address in the browser's address bar, as is (usually 192.168.0.1), and enter the provided password.

Once that has been completed, verify that your router's Dynamic Host Configuration Protocol (DHCP) service is enabled. The DHCP service automatically assigns a valid IP address to any TCP/IP device that it locates on the network.

Read How can a wireless network be made secure? on this page to find out how to enable the security settings, which you should do after you've got the shared connection to work properly.

With the router properly configured, you have to make sure that both computers are set to Obtain an IP address automatically. This setting allows a computer to accept the IP address that the router's DHCP service assigns to it.

To do this, open the Control Panel and select Network Connections, right-click on the network adapter, select Properties and double-click on the option Internet Protocol (TCP/IP). If it isn't already selected, enable the Obtain an IP address automatically option, and click OK. Other than a reboot, this should be all that is necessary to get the two computers to share an Internet connection.

Note that just as it's not necessary to use the Windows Internet connection wizard to establish a connection with an ISP, it's not necessary to use the Windows Network Setup Wizard. I don't use it because it has a tendency to make the setup unnecessarily complicated. It's best just to use the router's own web-based setup program.


Is a second DSL connection possible on the same line?

Question

You have a 512Kbit/s BT ADSL Internet connection, and you would also like to have a 1Mbit/s AOL connection. However, you don't know if a connection to both ISPs can be run simultaneously across a single telephone line, or if it's possible somehow to switch between the two, or if a second telephone line has to be installed, or, for that matter, if the idea of two ADSL connections from the same house is possible at all.

Answer

ADSL (Asymmetric Digital Subscriber Line, aka DSL) is an always-on technology that piggybacks a normal telephone connection by running at a much higher frequency.

Unfortunately, it isn't possible to have two DSL connections running on the same line simultaneously, because a single DSL Internet connection for each line is permanently routed to a specific Internet Service Provider (ISP), so it's not even possible to log off from one broadband ISP and then log on to the other, as you could with a DialUp connection.

It's not even possible to have two DSL connections running in the same bundle of telephone wires under the street, because they would cause interference with each other. So, if you were adamant that you wanted two DSL connections, not only would you have to have a second telephone line installed, you would have to make sure that the installers routed the second line through a different bundle of cables, and that the line came into the house well apart from the first line.

That said, you shouldn't need two DSL connections, because it's possible to connect to AOL over another ISP's Internet connection, and a network of computers can share a DSL connection by using a cheap wired or wireless router that has Ethernet NIC ports, such as the WRT54G router.

Unfortunately, such routers cannot be used with an AOL broadband connection, which connects you to a private network, not to the Internet. As with an AOL DialUp connection, you can only access the Internet once AOL's software is running.

But when AOL's software is running on a computer connected to the AOL DSL modem, you should be able to run an Internet-sharing program, such as Windows' own Internet Connection Sharing (ICS), to allow the other networked computers to access the web. However, the other computers would not be able to use AOL's software in order to access any of AOL's web content.


Worm infection: A "Remote Procedure Call" (RPC) error keeps Windows XP shut down

Problem

You're experiencing a very frustrating problem when connecting a Windows XP Home system to the Internet. The connection is successful to begin with, but after about five minutes an error message appears that says: "Windows must now restart because the Remote Call Procedure was terminated unexpectedly." You've tried unsuccessfully to restore the system by using its Restore CD, and removing and reinstalling your DSL ISP's software achieved nothing.

Solution

The MS-blast or a similar worm has infected your computer.

MS-blast started infecting systems in August 2003. At one time, the worm was so omnipresent that computers were being infected within a few minutes of going online. The infection rate subsequently died down, but there has been a noticeable resurgence of infections since then.

Worms are viruses that travel the Internet seeking out vulnerable computers, which they then infect. So, unless a computer is well protected from them, they can infect it without the user having to do anything other than go online and have the worm locate the connection. Therefore, in order to be protected from them, it's essential to install Microsoft's security updates as soon as they become available.

Unfortunately, the Remote Procedure Call (RPC) error makes the system restart before you can do anything to remove the worm. Here is how to get rid of it. Disconnect your broadband connection and start the computer. Enter services.msc in the Start => Run box and click OK. The Services Control Panel comes up. Select the entry for the Remote Procedure Call (RPC) service, then right-click on it and click Properties. Open the Recovery tab. There are boxes there with options on what actions can be taken should the service fail. These are set by default to Restart. You must set all three actions to Take No Action.

You had to do that because even after you used the Restore CD to restore the system, the computer was reinfected with the worm, so there's no point in removing it until you've blocked the holes that allow it to keep reinfecting the system. That action will prevent the computer from restarting, thereby enabling you to go online. You must now run Microsoft Update on the Start menu and download all of the security updates for your system that are marked as Critical. It's the Critical updates that fill the gaping security holes that allow worms to invade your system.

There will probably be plenty of them. It's not unusual for brand new systems that have just been delivered to their owners to require 50MB of updates, which can be painful to download over a dial-up connection. Many users don't update because of this, so a security update CD for the older Windows systems (that Microsoft still supports, namely Windows 98, 98 SE, and ME, for which support ends after 30 June 2006) is set to begin testing early in 2004. Microsoft wants to allow users of older Windows systems with dial-up connections to bring their PCs up to date easily as a major tactic in its long-term strategy to defeat the virus and worm writers.

Windows XP has far too many services running, and these open many of the 65,000+ ports that are available on such a connection. It is open, unprotected ports that worms are programmed to seek out as they travel the web. Of course, it's possible in theory to close all of these ports, but it's much too difficult for the average user to do.

If you have a broadband connection you should be using a better firewall than the one that Windows XP uses - its Internet Connection Firewall (ICF).

A broadband router that uses Network Address Translation (NAT) to route Internet traffic to networked computers (with private LAN IP addresses) via a single public Internet IP address, acts as a firewall that provides reasonable protection, because hackers or worms can only locate the router, not the Windows system behind it.

Computer Shopper recommends these software firewalls:

ZoneAlarm - one of the best firewalls - free, but a paid-for Pro version is also available. -

http://www.zonelabs.com/

The "Anti-Hacker" firewall from Kaspersky Labs UK site - given five stars by Computer Shopper for passing all the tests with flying colours. - http://www.kaspersky.co.uk/

otherwise http://www.kaspersky.com/buyonline.html?info=967571

With the security updates installed, you should use a special tool designed to remove the worm. Symantec provides free tools to remove many worms plus tutorials on how to remove them here: http://securityresponse.symantec.com/avcenter/tools.list.html

Click the link named W32.Blaster.Worm.


A security alert prevents access to sites on the Internet AND Why can't I access secure websites?

Problem 1: A security alert prevents access to sites on the Internet

Because of a worm infection, I had to format my hard disk drive and reinstall a master image of the system. But when I try to access the Internet with Internet Explorer, a Security Alert notice keeps appearing that says: "The security certificate has expired or is not yet valid. loginnet, passport.com valid from 11/06/03 to 11/06/04." I've tried to activate this certificate, but without success.

Solution

You should always state the versions of Windows and the software involved when asking a question. You didn't provide the versions of Windows and Internet Explorer.

Your computer probably has the wrong date set. It's a simple matter to correct the date: open Date/Time in the Control Panel, or click the time shown in the System Tray, and correct the date. You can also do it via MS DOS mode in Windows 9x systems. Just enter the word command in the Start => Run box, and enter the word date.

If the problem returns after the computer has been switched off for some time, you will probably have to replace the BIOS battery, which is usually a coin-shaped battery of about 20mm diameter on the motherboard. Take the old battery to any good computer shop to buy a replacement. This webpage has an article on how to remove the battery. -

http://www.monster-hardware.com/modules.php?name=Content&pa=showpage&pid=6

If it's not the date, then you're probably using an old version of Internet Explorer, such as version 5, which only has 40-bit data encryption. Most secure sites require the use of browsers with 128-bit encryption or they don't allow access. Versions 4.x and 5.x of Netscape Navigator and Internet Explorer have had 128-bit encryption upgrades available for them for some time, and that level of encryption is provided by Internet Explorer 6.0 by default.

To check the level of encryption, open Internet Explorer and click on its Help => About menu item. The second line should say "Cipher Strength: 128-bit".

Problem 2: Why can't I access secure web sites?

A secure site is one that has https:// in the URL of the web address. A standard insecure site just has http:// in its URL. Only a secure site can place the yellow padlock icon on Internet Explorer's bottom taskbar.

Even if the computer's date and time are correct, and the latest 128-bit encryption and the browser's security settings are correct, there is another possible reason for a browser not being able to access secure websites.

1. - Having two active firewalls can be the cause of the problem. A firewall such as ZoneAlarm switches the Windows Firewall off in Windows XP, but the third-party firewall you have installed might not do so. You can check if the Windows Firewall is enabled or disabled by accessing it in the Control Panel. You can check the firewall information under the Security Center that is opened by clicking Start => All Programs => Accessories => System Tools => Security Center. Also make sure that any antivirus scanner you're using isn't running a firewall of its own.

2. - Enter services.msc in the Start => Run box. For the Cryptographic Services, make sure that Started appears under the Status column. If not, click on the service to bring up its Properties window. Its Startup type should be Automatic. If not, open the drop-down menu and select that option.

3. - If you don't have it already, download and install the Firefox browser from http://www.mozilla.org/. Try using it to access secure sites. Some secure sites are designed to work only with Internet Explorer, but you should be able to connect to secure sites with Firefox, even if the features of the sites themselves don't function. If Firefox works, the problem lies with Internet Explorer and you can try the next steps.

4. - Open Internet Options in the Control Panel to bring up the Internet Properties window, or do it from the Tools menu in Internet Explorer. Note that for security reasons Spybot S&D has a setting that disables access to Internet Properties via the Tools menu in IE. It has to be disabled before you can access it that way.

On the General tab under Temporary Internet Files, remove the cookies and the files. Open the Security tab, click on Trusted sites and click on the Default Level button. Open the Content tab and click the Clear SSL State button under Certificates. Doing that clears any temporary files that are corrupt. Open the Advanced tab and scroll down to the Security section. The Use SSL 2.0 and Use SSL 3.0 options should be enabled, and make sure that the Check for server certificate revocation option is disabled (remove any check mark in the box beside it by clicking on it with your mouse's pointer).

5. - You can run the System File Checker (SFC), which has a graphical user interface in Windows 9x and is still present in Windows XP, where it must be run from the command prompt. To run it, enter cmd in the Start => Run box, and then enter sfc /scannow at the command prompt. More information about the SFC is available elsewhere on this site. You have to be careful how you use it.

6. - Re-registering certain DLL files can solve the problem. To do this, open the command prompt. Type in the following lines exactly as they appear and press the Enter key after each line. After each entry a message saying DllRegisterServer succeeded should come up. Click OK.

regsvr32 softpub.dll

regsvr32 wintrust.dll

regsvr32 initpki.dll

regsvr32 dssenh.dll

regsvr32 rsaenh.dll

regsvr32 gpkcsp.dll

regsvr32 sccbase.dll

regsvr32 slbcsp.dll

regsvr32 cryptdlg.dll

7. - A corrupt user profile in the Registry can also be the cause of this problem. If you have more than one User that was set up under User Accounts in the Control Panel, log on as a different user and see if you can access secure sites. If you can, then the problem lies with the user profile that doesn't allow access to secure sites. You can create a new user profile under User Accounts and then follow the information provided in this MS Knowledge Base article to transfer the settings from the old user account to the new one: http://support.microsoft.com/?kbid=811151.

After you have transferred the user settings, you can remove the old user profile. Right-click with the mouse pointer on My Computer, click Properties, followed by the Advanced tab. Click the Settings button under User Profiles. All of the available User Profiles are listed there. Click on the profile that you want to remove, and click the Delete button.

8. - The maximum transfer unit (MTU) value could be set incorrectly, as is explained in the article here: http://www.isaserver.org/tutorials/onlinebanking.html.

If the TCP/IP packet size is too small, a secure server's operating system could be programmed to regard the information in the packets as malicious, and, if so, would drop them. Then the requesting computer waits for a response until the connection itself is timed-out and dropped.

Apparently, this problem can also be caused by a router, a firewall, or another computer in the path between the affected computer and the server that is blocking ICMP Type 3 Code 4 packets, which prevents the sending computer or firewall from discovering the MTU information.

The solution is simply to increase the MTU value. There is a maximum permissible MTU value, which differs for dial-up and ADSL connections.

The article linked above provides a Registry patch for Windows XP and Windows 2000, but not one for Windows 98 and Windows ME.

But there is no need to mess about with the Windows Registry, because many utilities, such as DrTCP from http://www.dslreports.com/drtcp or System Mechanic from http://www.iolo.com/sm, allow the MTU value to be changed very easily from within them.

Just setting the MTU to 1,492 - the maximum allowed for an ADSL connection - has allowed many ADSL users to access secure sites who were previously unable to do so. However, even this value can be optimised to speed up an ADSL connection. See further down this article for information on how that is done.

This peculiarity has resulted because Microsoft-based web servers have departed from Internet standards. The problem usually only occurs when Windows 2000 and Windows XP systems are run behind particular makes of routers and firewalls on a broadband connection. A misconfigured server that is set both to use Path-MTU-Discovery and to filter out ICMP packets can also produce the problem; these are likely to be the default parameters on servers running Windows 2000 or Windows Server 2003. The problem can also occur if a utility has been used to tweak the MTU value by making it too large.

The problem with secure sites is not that the starting size of data packets is too small, it happens because they're too large. The oversized packets are split up on the way to the secure server, usually because a router is set to use a lower maximum packet size than Windows wants to use.

The maximum transfer unit is the maximum amount of data that a single TCP/IP packet can contain. For maximum speed of transmission, the ideal is to have it set as large as possible while being small enough to pass through all of the Internet routers along its path without being broken up (fragmented).

Depending on which version is being used, Windows can set the MTU value to 1,500 by default, but many Internet routers use a default value of 1,492, since that is the maximum MTU size allowed by many implementations of the Point-to-Point Protocol over Ethernet (PPPoE) used by many ADSL and some cable providers. Consequently, each 1,500-byte packet is split in two, with the second packet containing only 8 bytes of data - the difference between the two maximum packet sizes. PPPoE uses a lower MTU value because it has to add a few extra bytes of header information to each packet.

The connection should be able to solve the problem itself and set the correct MTU value automatically by using a process called Path-MTU-Discovery. Unfortunately, although Microsoft has set its servers to use Path-MTU-Discovery by default, another part of its programming team chose to set its defaults to filter out the incoming ICMP packets that tell Windows that it is using an MTU value that is too high. This amounts to the server sending out packets with a flag attached to each one saying: "Tell me if this packet is too large," and then ignoring the reply.

To correct this state of affairs, if the broadband provider doesn't use PPPoE, the MTU value used by the router could be increased. Alternatively, the MTU value being used by client computers can be reduced.

The correct MTU value for a connection can be determined for Windows by using the ping command with parameters to prevent fragmentation (-f) and to set the size of the packet (-l).

From a command prompt enter: ping -f -l 1500 allproblems.com

If the reply says something like "Packet needs to be fragmented but DF set", it means that the packet size is too large and that you have to experiment with lower values until the error message no longer appears.

After the largest packet size that can be sent without fragmentation has been determined, add 28 to the value. This is the MTU value to use, because 20 bytes are reserved for the IP header and 8 bytes must be allocated for the ICMP Echo Request header.

But, as already mentioned, there is no need to mess about with the Windows Registry, because many utilities, such as DrTCP from http://www.dslreports.com/drtcp or System Mechanic from http://www.iolo.com/sm, allow the MTU value to be changed very easily from within them.

Optimising an ADSL Connection

If a ping test for an ADSL connection determined 1,492 as the maximum MTU size, calculate a multiple of 48 that is equal to or below 1,492, because ADSL lines in the UK use asynchronous transfer mode (ATM) networks to carry the data between the telephone exchange and the broadband service provider, and these ATM networks use small packet sizes, which have 48 bytes of data plus a header of 5 bytes.

For example, if the maximum MTU is determined to be 1,492, then 1,488 (31 x 48) is the largest multiple of 48 that is equal to or just under it. Subtracting 8 bytes for the PPPoE header gives an MTU size of 1,480, which will give better performance than 1,492.

Note that the built-in PPPoE client for Windows XP already uses an MTU of 1,480, which cannot easily be changed or set manually, and most cable service providers don't use either PPPoE or ATM networks. If so, it is safe to use an MTU value of 1,500 - or the largest MTU value that your router can handle.
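The ping test and the two calculations above (add 28, then round down to a multiple of 48 and subtract 8) can be automated. The following Python sketch is an added example, not code from the original page: all function names are hypothetical, the simulated path is constructed so that it runs offline, and ping_probe assumes either the Windows ping shown above or the Linux iputils ping.

```python
import platform
import subprocess

IP_HEADER = 20      # bytes: IPv4 header without options
ICMP_HEADER = 8     # bytes: ICMP Echo Request header
PPPOE_HEADER = 8    # bytes: PPPoE overhead used in the article's calculation
ATM_CELL_DATA = 48  # bytes of data carried by one ATM cell


def largest_unfragmented_payload(probe, low=0, high=1472):
    """Binary-search the largest ping payload that passes with DF set.

    probe(size) returns True when a `size`-byte payload was answered.
    Returns None when even the smallest probe fails (host down or ICMP
    filtered), because no MTU can then be inferred.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, search above it
        else:
            high = mid - 1   # mid needs fragmenting, search below it
    return low


def path_mtu(payload):
    """Article's rule: largest payload plus 28 (20 IP + 8 ICMP)."""
    return payload + IP_HEADER + ICMP_HEADER


def atm_optimised_mtu(mtu):
    """Article's rule: largest multiple of 48 <= mtu, minus 8 for PPPoE."""
    return (mtu // ATM_CELL_DATA) * ATM_CELL_DATA - PPPOE_HEADER


def fragment_sizes(packet_len, link_mtu):
    """Data bytes in each IPv4 fragment when packet_len exceeds link_mtu."""
    data = packet_len - IP_HEADER
    if packet_len <= link_mtu:
        return [data]
    # Fragment offsets are counted in 8-byte units, so round down to one.
    per_fragment = (link_mtu - IP_HEADER) // 8 * 8
    sizes = []
    while data > 0:
        sizes.append(min(per_fragment, data))
        data -= sizes[-1]
    return sizes


def simulated_probe(true_mtu):
    """Constructed stand-in for a real path with the given MTU."""
    return lambda size: size + IP_HEADER + ICMP_HEADER <= true_mtu


def ping_probe(host):
    """Real probe: one ping with the don't-fragment flag set."""
    def probe(size):
        if platform.system() == "Windows":
            cmd = ["ping", "-n", "1", "-f", "-l", str(size), host]
        else:  # assumption: Linux iputils ping
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size), host]
        try:
            out = subprocess.run(cmd, capture_output=True, timeout=15).stdout
        except (OSError, subprocess.TimeoutExpired):
            return False
        # Only a genuine echo reply carries a TTL field in the output.
        return b"ttl=" in out.lower()
    return probe


if __name__ == "__main__":
    # Offline demonstration against a simulated PPPoE path (MTU 1,492).
    payload = largest_unfragmented_payload(simulated_probe(1492))
    mtu = path_mtu(payload)
    print("largest payload:", payload)
    print("path MTU:", mtu)
    print("ATM-optimised MTU:", atm_optimised_mtu(mtu))
    print("1,500-byte packet on this path splits into:",
          fragment_sizes(1500, mtu))
```

To test a real connection, pass ping_probe("allproblems.com") in place of the simulated probe. A result of None means no reply was received at all, so the MTU cannot be determined from that host.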


Why can't my wireless network work all over my house?

Problem

I installed an 802.11b wireless network consisting of two desktop and two laptop computers in my old Victorian house that has three floors. The wireless 802.11b Wi-Fi router is placed in my first-floor study, which contains the host desktop machine that uses an unproblematic ADSL connection. I wanted to be able to use the laptop computers anywhere in the house, but the signal barely reaches everywhere on the first floor. No signal is available at all on the ground floor, and there are several dead areas in the top floor. Moreover, I can't even use a laptop to connect to the network in the garden. Will I have to forget about using a wireless network and install a wired network instead?

Answer

If your neighbours are also using wireless networks, they could be interfering with each other. Moreover, devices such as cordless phones, closed-circuit cameras, baby monitors, and some microwave ovens operate at 2.4GHz (the frequency used by 802.11b wireless networks) and can therefore also be a cause of interference.

Once a wireless router or Access Point experiences interference, it's usually unable to perform properly until it's powered off and powered on again. And it's not uncommon to have to do this regularly.

There are a number of things that you can try to reduce interference. First, find out if one or more of your neighbours have a wireless network. If any of them do, try asking them to turn off their equipment to find out if doing so allows yours to perform properly.

The general range of a wireless router or Access Point is about 30 to 150 metres in a normal residential setting, but it can extend two or three times further than that if there are no obstructions, such as walls or second floors. A survey of the effective range of most 802.11b wireless adapters has suggested that even outdoors with no obstructions between nodes, about 300 metres is the maximum range with the standard adapters and antennas.

However, you have an old Victorian house. They usually have very thick walls that the signal probably can't pass through properly, if at all.

In a standard modern house of one or two floors, changing the location of the wireless router or Access Point can sometimes help by avoiding the interference. Lowering the speed at which the network is operating is another option worth trying.

The first thing you should do in your Victorian house is perform a site survey, which just involves walking around the house with a laptop equipped with a wireless network adapter that is running a free program called NetStumbler from http://www.netstumbler.com/. It shows you how strong a Wi-Fi signal is at any given position, and therefore enables you to locate dead spots. It can also tell you if there are any other wireless networks in the vicinity.

Wi-Fi networks can operate on any one of thirteen channels. If possible, neighbouring networks should use different channels in order to minimise interference between them. If NetStumbler locates any neighbouring networks it should tell you which channels they're using. Then, all you have to do is visit the applicable neighbours to negotiate which channels you and they should use in order to avoid interference.

The best channels to use are 1, 6, and 11, because they have the least overlap with neighbouring channels.
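The channel advice above can be worked through from a site survey. The following Python sketch is an added example, not part of the original page: the survey entries are constructed, the function names are hypothetical, and the scoring (overlapping bandwidth weighted by received power) is a simple assumed model rather than anything NetStumbler itself calculates.

```python
CHANNEL_WIDTH_MHZ = 22  # width of an 802.11b Direct Sequence channel

# Constructed survey results: (network name, channel, signal in dBm).
SURVEY = [
    ("neighbour-A", 1, -50),
    ("neighbour-B", 6, -80),
    ("neighbour-C", 9, -60),
    ("neighbour-D", 11, -75),
]


def centre_mhz(channel):
    """Centre frequency of 2.4GHz channels 1 to 13 (5 MHz apart)."""
    if not 1 <= channel <= 13:
        raise ValueError("channel must be between 1 and 13")
    return 2407 + 5 * channel


def overlap_mhz(a, b):
    """How many MHz of two 22 MHz-wide channels overlap."""
    distance = abs(centre_mhz(a) - centre_mhz(b))
    return max(0, CHANNEL_WIDTH_MHZ - distance)


def interference_score(candidate, survey):
    """Sum of neighbours' received power, scaled by the overlap fraction."""
    score = 0.0
    for _name, channel, dbm in survey:
        fraction = overlap_mhz(candidate, channel) / CHANNEL_WIDTH_MHZ
        milliwatts = 10 ** (dbm / 10)  # convert dBm to linear power
        score += fraction * milliwatts
    return score


def best_channel(survey, candidates=(1, 6, 11)):
    """Pick the candidate channel with the lowest interference score."""
    return min(candidates, key=lambda c: interference_score(c, survey))


if __name__ == "__main__":
    # Channels 1, 6 and 11 are 25 MHz apart, so they never overlap.
    print("overlap 1/6:", overlap_mhz(1, 6), "MHz")
    print("overlap 6/9:", overlap_mhz(6, 9), "MHz")
    for ch in (1, 6, 11):
        print("channel", ch, "score", interference_score(ch, SURVEY))
    print("best channel:", best_channel(SURVEY))
```

With the constructed survey, the strong neighbour on channel 1 and the partial overlap from channel 9 onto channel 11 leave channel 6 as the quietest choice.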

This isn't applicable in your case, but if anyone is using 802.11g equipment, disable its 802.11b support, which can negatively affect 802.11g performance. Doing that will also prevent any 802.11b networks from interfering with your 802.11g equipment.

802.11b wireless networks operate under two schemes called Frequency Hopping and Direct Sequence. The higher speeds (5.5Mbit/s and 11Mbit/s) use Direct Sequence, which is much more susceptible to interference than Frequency Hopping, which does what it implies - it can change frequencies, but can only operate at a maximum speed of 2.0Mbit/s. However, Frequency Hopping can detect interference on certain channels, which it can therefore avoid by not using those channels.

The most effective solution to the problem of unreliable or non-existent connections in your case is first to extend your wireless network, and then, if necessary, boost the signal from the router.

To extend your network, you would merely add wireless Access Points where required. These connect wirelessly to your router via their own external antennas, which are much more sensitive than the built-in antennas that most laptop computers have. A wireless-equipped laptop can then connect to an Access Point's stronger signal instead of to the router. However, note that not all routers support connecting to an Access Point. Moreover, not all router manufacturers produce Access Points. Since it is best to use wireless equipment made by the same manufacturer, if the make and model of the router that you have doesn't support Access Points, or you have to use one made by another manufacturer, it would be best to buy an 802.11g router made by a manufacturer, such as Linksys, that supports Access Points and makes them.

The so-called pre-N routers (half way between the 802.11g standard and the 802.11n standard that is still in development) use multiple antennas and have features that overcome many of the signal problems that occur with 802.11b and 802.11g equipment. They can only be used with other pre-N equipment that is usually also made by the same manufacturer. Moreover, note that there is no guarantee that pre-N equipment will support the new 802.11n standard that is still under development.

In your case, I would try installing an 802.11b or 802.11g Access Point (802.11g equipment is compatible with 802.11b equipment) on each floor first. But if that isn't good enough, there are several types of antennas that can be purchased that make it possible to boost the signal of your router.

A high-gain antenna can boost wireless coverage on a single floor.

With most wireless routers you can unscrew the antenna and replace it with one that produces a stronger signal.

An omni-directional antenna provides all-round coverage, and a directional antenna aims the signal in a specific direction, such as out into the garden.

Some router manufacturers provide these kinds of signal-boosting antennas, but, if not, generic signal-boosting antennas are made available from sources in the UK such as Maplin Electronics - http://www.maplin.co.uk/.

You can also try building your own antennas. Visit http://www.freeantennas.com/ for information on how to make simple card and foil antennas that slip over a router's existing antenna(s) in order to improve signal