1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to the testing of the configuration of a computer system.
2. Description of the Prior Art
Computer systems typically run many different application programs. Each of these application programs can have a large number of user configurable settings associated with it. This enables users to adapt the operation of the computer programs they are using to suit their personal needs. Such flexibility is highly desirable and is a significant advantage of computer systems.
As computer systems become increasingly critical within the activity of users, problems with the security of the computer systems which render them vulnerable to malicious actions that can interfere with their normal operation become more harmful. As an example, in an office environment it is common for almost the entire work output of a user to involve the use of their computer system and accordingly security problems which allow the malicious interruption of the normal availability of the computer system have a significant economic cost. One example of malicious interference with computer systems is computer viruses that may produce minor abnormal behavior if the virus is relatively benign, but may also produce significant damage in the case of a computer virus that, for example, deletes valuable data.
The ability of users to change configuration settings creates the possibility that such changes may open vulnerabilities in the security of the computer systems concerned. This coupled with the significant economic consequences of computer security breaches renders measures that are able to improve security strongly desirable. Also, as new security threats develop, computer settings may need to be changed from those originally thought to be suitable.
Viewed from one aspect the present invention provides a method of testing a computer, said method comprising executing a computer program to perform the steps of:
detecting a plurality of user configurable security settings of said computer;
comparing said user configurable security settings with respective recommended security settings; and
initiating action to alter any user configurable security settings detected as differing from respective recommended security settings.
Conventional anti-virus computer programs are outward looking and seek to detect harmful computer files as they arrive, whereas the present invention is inward looking in that it seeks to identify configuration settings of a computer system that make it vulnerable to attacks before those attacks occur.
The invention also recognises that individuals seeking to exploit security weaknesses in the security systems of others generally need to rely upon what are the common application programs and computer configurations to give them a starting point for a malicious attack. Exploiting a potential security problem with a very widely used computer program or hardware platform is a very much more common form of malicious attack than seeking to find a security problem with an obscure computer program or hardware platform with very few users. Having recognised that a large proportion of potential security attacks concentrate upon relatively few of the user configurable security settings and application programs of a computer system, the invention provides a computer program tool that examines these user configurable security settings and compares them with recommended security settings in order to initiate potential corrective action. Adopting the recommended security settings for a comparatively manageable number of parameters can dramatically reduce the likelihood of malicious attack on a computer system without degrading the user""s ability to configure a computer to suit their own preferences to any significant degree. Many of the parameters that open vulnerabilities to a malicious attack are ones that a user will not care significantly about such that a system that pushes these towards safer settings will be acceptable.
In some embodiments of the invention it is possible for the computer program to initiate corrective action by generating a report of recommended changes to be made with short cuts to enable these changes to be carried out whilst in other embodiments it may be appropriate that the computer program automatically makes such changes in an enforced way without requiring user input.
Whilst the collection of user configurable security settings that may be examined and manipulated by the technique of the present invention is not limited and is advantageously extensible by regular upgrades to the computer program, a preferred set of settings considered by the computer program includes:
an e-mail program setting which automatically runs scripts embedded within e-mails when said e-mails are previewed;
an internet browser version identifier indicating whether or not predetermined security patches are applied;
an internet browser setting indicating selection of a group of parameters associated with operation of said internet browser that corresponded to at least a predetermined level of security;
an internet browser setting indicating that a user is prompted as to whether or not files downloaded via an internet link should be saved;
an application program setting indicating that whether or not any macro associated with a computer file manipulated by said application program is automatically run upon opening said computer file;
an application program setting indicating that whether or not macro security features associated with said application program are activated;
a file setting indicating whether or not a template file for computer files created by an application program is set as a read only file;
a setting indicating whether or not script programs with files manipulated by said computer should be executed;
a setting indicating that a file local to said computer is available for sharing via a network without any user authentication;
a setting indicating that a file upon a network accessible to said computer is available for sharing via said network without any user authentication;
a setting indicating whether or not file type extension are hidden when view computer file names using said computer; and
a setting indicating that said computer should attempted to boot from removable disk prior to attempting to boot from fixed disk.
A security checking computer program may be an on-demand computer program run on an occasional basis to produce recommendations or it may be a memory resident computer program that is continuously run to continuously monitor the security sensitive parameters on a computer to ensure that no vulnerabilities are allowed to arise.
Viewed from another aspect the present invention provides apparatus for testing a computer, said apparatus comprising:
detection logic operable to detect a plurality of user configurable security settings of said computer;
comparison logic operable to compare said user configurable security settings with respective recommended security settings; and
initiation logic operable to initiate action to alter any user configurable security settings detected as differing from respective recommended security settings.
Viewed from a further aspect the invention provides a computer program product carrying a computer program for controlling a computer to testing a computer, said computer program comprising:
detection code operable to detect a plurality of user configurable security settings of said computer;
comparison code operable to compare said user configurable security settings with respective recommended security settings; and
initiation code operable to initiate action to alter any user configurable security settings detected as differing from respective recommended security settings.
Viewed from another aspect the invention also provides a method of protecting a computer system against security problems, said method including the steps of:
downloading data identifying recommended user configurable security settings from a remote source; and
updating a set of recommended user configurable security held at said computer system.
The above, and other objects, features and advantages of this invention will be apparent from the following detailed description of illustrative embodiments which is to be read in connection with the accompanying drawings.