
Windows Security


  • Windows 2000 Basics
  • Windows 98 Basics
  • Windows XP Basics
  • Windows Incident Response
  • Useful Links

Windows 2000 Basics

NIST System Administration Guidance for Windows 2000 Professional:

Link to Responding To A Compromised System.

The NIST draft publication of the System Administration Guidance for Windows 2000 Professional is now available for public comment. [http://csrc.nist.gov/itsec/download_W2Kpro.html]

The document is intended to assist the users and system administrators of Windows 2000 Professional systems in configuring their hosts by providing configuration templates and security checklists. The document introduces secure configuration recommendations for setting up some popular Windows applications, such as Symantec Norton AntiVirus, Network Associates McAfee, and F-Secure Anti-Virus virus scanners, Microsoft IE and Netscape Communicator web browsers, Microsoft Outlook and Eudora e-mail clients, and Microsoft Office 2000 Professional productivity software.


Windows 98 Basics

Step 1: Use a good password

This is your first line of defence. Use a strong password to protect the login to your computer. Please click here for password guidelines.

Step 2: Create a login screen

Although it's one of the weakest features of Windows 98, creating a login account still prevents those that are not aware of the weakness from accessing your computer. To create a login screen, follow these steps:

  • Go to Start, Settings, Control Panel.
  • Click the Passwords icon in the Control Panel window.
  • On the Change Passwords tab, choose the Change Windows Password box.
  • Enter the information that's requested. If you're setting a password for the first time, leave the Old Password area empty.

As mentioned earlier, the downside is that it doesn't really add much security.

Step 3: Add a screen saver password

Your computer can be used by anyone every time you step away from it unless it is protected. You can add a screen saver password to temporarily lock your computer. You can do so by following these steps:

  • Right-click on some blank desktop.
  • Select Properties.
  • Choose the Screen Saver tab from the Display Properties dialog box.
  • Choose a screen saver (if you haven't already) and adjust its delay value to a time period that's reasonably brief - three to five minutes for example.
  • Check the box next to Password Protected, click Change, and add or change your password. If you set a password length restriction earlier, it will be enforced here.

The downside is that if you don't reset the screen saver first, it tends to start up when you're in the middle of a download or an upgrade.

Step 4: Turn off file and printer sharing

There isn't much point to protecting your desktop if every user on the network has access to your files. You need to prevent general network access to your hard disk by removing file and print sharing from network properties. If you right-click a folder and choose Properties when sharing is enabled, the resulting dialog box will contain a tab called Sharing. When sharing is removed, that tab will disappear.

If a folder is shared, it will appear on the network with the name you give to it in this tab. You can specify access as read-only, full, or password protected. You have an option of specifying one password for read-only access and another password for full access. When you turn on a share, the folder icon changes. In Windows Explorer, shared folders appear to be offered by a hand with the palm up. This scheme is referred to as share-level security.

Although you may have good reasons for sharing resources on your network, there are a few drawbacks to using share-level security. First, the share information is stored on your workstation, and anyone who gains access to the computer can modify the shares. Second, shares aren't authenticated. Again, anyone on the network who obtains the password can access your resources. Third, share-level security provides only one password per folder. Put this aspect together with the lack of authentication, and there isn't any way to secure your folders at the user level. Finally, you can't protect files - just folders.

To remove file and printer sharing, go to the Control Panel and click the Network icon. In the Configuration tab, scroll down the network components list to File And Printer Sharing For Microsoft Networks. Highlight that option and click the Remove button. This will make your hard drive much more secure.

The downside is that you will lose your ability to share your resources on the network.

Exceptions - If you absolutely must share the contents of a folder with members of a workgroup or domain, opt for user-level security instead of share-level security. Although you can't protect resources down to individual files and your shares are still stored on your computer, you can authenticate users against a list of authorized accounts on a Windows NT or NetWare server. To enable user-level security, follow these steps:

  • Make sure that you've installed file and printer sharing.
  • Click on the Network icon in the Control Panel.
  • Select the Access Control tab and choose User-Level Access Control.
  • In the box below, fill in the name of the Windows NT domain or workstation that has user accounts (if it's not filled in already).

To share a folder, highlight it in Windows Explorer and right-click. Select Properties and click the Sharing tab. You can keep the same share name or revise it. Then, click Add. The Add Users dialog box will open. It contains a list of all of the groups and users on the Windows NT domain or workstation that you selected. Select a user or group and click one of the buttons marked Read Only, Full Access, or Custom to move the user or group to that level of access.

Custom access needs to be defined before you can save it. When you close the Add Users dialog box, the Change Access Rights dialog box will open. Check a box that corresponds to the access that you want the user or group to have. You can allow custom users to read, write, create, and delete files; change file attributes; list files; and change their own access control.

Sometimes a user who tries to log on to your shared resources may receive an Access Denied message. The user, who may have more than one workstation, may be coming in through a different domain. If a trust relationship hasn't been established between the two domains, then access isn't possible.

Step 5: Turn off remote administration

Remote administration allows specified groups or users, such as the IT department or help desk staff, to access your personal computer and make changes from a central location. Remote users can browse and manage shared resources, manage the file system, edit the registry, and monitor the performance of the remote computer. Although it's convenient for the IT staff, you may want to turn off remote administration when your computer needs to be extra secure. To do so, double-click the Passwords icon in Control Panel, click the Remote Administration tab, and uncheck Enable Remote Administration Of This Server. Please note that the change won't take effect until the next time you boot.

Step 6: Disable password caching

When you're asked for a password in Windows 98, you're given the choice of having the OS remember the password for you so that you don't have to fill it in next time. Once you check the Save Password box, your password is encrypted in a file with the extension .pwl. If someone gains access to your desktop, this person can send and receive your e-mail and access any other resources for which the passwords are cached. Password caching makes you vulnerable. On the other hand, some of us have so many passwords that we would have to possess a remarkable memory just to recall all of them.

If you can store all of your passwords in your head, then feel free to turn off password caching. Doing so will protect your desktop against many threats. To turn off caching, follow these steps:

Conclusion

When it comes to security, every enhancement is a trade-off. To gain more security, you lose a certain measure of convenience. You'll want to weigh the gains in security against your losses in user-friendliness and IT administration before you make drastic changes to your machines.


Windows XP Basics

Like Windows 2000, XP uses the NT File System (NTFS). As an Administrator, you control your XP system. You can create users, who can be administrators or just normal users. Policy can be created to limit which applications can be executed by any user. For standalone XP, this is done through the Local Security Settings.

Authentication

Windows XP's standalone version lets the user choose a blank password, but then institutes certain default limitations. You cannot log in remotely to an account with no password, but rather only at the console, which is sensible. A new feature, Fast User Switching (FUS), permits you to log in as a completely different user, and then switch between multiple user contexts without backing out of any applications that are running. FUS won't work when a user hasn't chosen a password.

Defaults for passwords are located in the Local Security Settings. In the standalone version, settings such as password lengths and number of failed login attempts are found here. Except for the number of failed logins being set to 10 and passwords expiring after 42 days, all other password features are set to zero or disabled. Thus, someone can enter a blank password, or recycle their old password when it expires. Password complexity checks are also disabled.

While blank passwords sound okay for home users, there's a bit more to XP and passwords than logging in or switching between user contexts. We need to discuss some other security features before it becomes apparent that having a blank password is a really, really bad idea in XP.

Encryption

Like Windows 2000, XP Professional includes the Encrypting File System (EFS). Unlike Windows 2000, EFS is enabled by default, so as soon as you begin creating files with XP, they're encrypted. This is transparent to the user, although Explorer can control this behavior on a per-file or folder level. You don't need to enter the encryption key, as XP does this for you.

XP also encrypts Cached Files, a technique that permits you to use up to 10 percent (by default) of your hard disk space to hold files that would normally be stored on a remote file share. You can then disconnect from the network, go home (or travel), and still access these files. The Windows Mirroring system will reconcile the file changes you've made with the Windows 2000 or XP file shares when you reconnect with the network. Encrypting these cached files is a great idea, as your notebook might be stolen (or if your evil genius of a son or daughter happens upon them while using your XP system).

XP also supports file sharing with Web Developing, Authoring, and Versioning (WebDAV), which uses HTTP to access remote files through firewalls. EFS can keep your remotely stored files encrypted, and when teamed with WebDAV, has the added value of storing and transmitting the data without decrypting. (In comparison, while accessing files using regular file sharing, the data is decrypted before it's sent across the network.) While WebDAV with EFS is a powerful feature, it also sends chills up the spine of any corporate security person even remotely aware of using Web tunneling to move internal files offsite - and encrypted to boot!

Credential Management stores various credentials for you, including public key certificates. It will also manage Kerberos keys, the default authentication mechanism for Windows 2000 and XP within a domain. You can store other usernames and passwords here as well, by asking (when prompted) that the Credential Manager "remember the password." In this way, the Credential Manager becomes a single-sign-on agent.

The keys that encrypt your stored private key, other passwords, and EFS are based on two things: secrets that remain fixed for XP, and your password. If you've chosen a blank password, you've also chosen a null seed for the key that encrypts many important things. Even choosing a weak password is a very bad idea if you plan to rely on any of these features. XP supports passwords longer than 14 characters (the old limit imposed by the user interface in Windows 95/98/NT), so you can use a passphrase instead.

XP includes a policy option of using reversible encryption for storing passwords. This is a very bad idea, as passwords are typically stored as hashes, a value based on the password that is not reversible.
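The password defaults listed under Authentication and the reversible-encryption option above can both be checked from an exported security template. The following is an added example, not part of the original page: it parses the `[System Access]` section of a `secedit /export` file and reports the weak settings. The sample template is constructed from the defaults this page describes, and the function name is hypothetical.

```python
import configparser

# Constructed sample of a `secedit /export` template, using the standalone XP
# defaults described in the text: lockout after 10 failed logins, 42-day
# expiry, everything else zero or disabled. Real exports are usually UTF-16,
# so read them with open(path, encoding="utf-16").
XP_DEFAULTS = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 10
ClearTextPassword = 0
"""

# (setting, test that is True when the value is weak, finding text)
CHECKS = [
    ("MinimumPasswordLength", lambda v: v == 0, "blank passwords are accepted"),
    ("PasswordComplexity", lambda v: v == 0, "complexity checks are disabled"),
    ("PasswordHistorySize", lambda v: v == 0, "an expired password can be reused"),
    ("LockoutBadCount", lambda v: v == 0, "no lockout after failed logins"),
    ("ClearTextPassword", lambda v: v == 1, "passwords stored with reversible encryption"),
]

def audit_password_policy(template_text):
    """Return (setting, value, finding) tuples for every weak setting found."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the template's key capitalisation
    parser.read_string(template_text)
    if not parser.has_section("System Access"):
        raise ValueError("template has no [System Access] section")
    access = parser["System Access"]
    findings = []
    for name, is_weak, text in CHECKS:
        if name not in access:
            findings.append((name, None, "setting missing from export"))
            continue
        value = int(access[name])
        if is_weak(value):
            findings.append((name, value, text))
    return findings

if __name__ == "__main__":
    for name, value, text in audit_password_policy(XP_DEFAULTS):
        print(f"{name} = {value}: {text}")
```
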

Domain users can opt to use smartcards for authentication, which is a big improvement over passwords. By adding a smartcard reader to your desktop or notebook (they come in PC Card or CardBus packages), you've added something you have (the smartcard) to something you know (the PIN that unlocks it). Smartcards can often store your private key as well as any certificates, making them more secure than online storage. Smartcards do have their weaknesses: Keystroke monitors can collect your PIN, for example, but even then they still need the card.

Even if you do use a smartcard, XP unfortunately subverts it with one of its intrinsic properties: You can hibernate instead of shutting down. That means that when you restart your computer, you're right where you left off. It also means that if you hibernate, and the janitor powers on your system, he or she is also right where you left off. I tried this in the standalone version, and assume that it works the same way in domain installations.

Network Security

Windows XP (and Windows 2000) includes support for IPSec, the Internet standard for encrypting network communications. XP's IPSec support seems very complete, permitting the use of shared secrets (the most common method in many VPN products), as well as certificates and Microsoft Kerberos (the Kerberos variant where Microsoft has added proprietary extensions, so that the Key Distribution Server must reside on Windows 2000).

For home users, XP offers two useful features designed to compete with the Small Office/Home Office (SOHO) firewall vendors. The Internet Connection Sharing (ICS) feature enables your XP system to act as a Network Address Translator (NAT) for other systems in your local network. ICS includes a DHCP server that assigns addresses to members of your local network and transparently routes packets through your XP system to your ISP. ICS can bring up dial-up connections on demand, and can hang up the modem temporarily so that you can use the phone, yet resume the Internet connection afterward.

The Internet Connection Firewall (ICF) uses information collected by ICS to provide limited firewall capabilities. ICS must keep track of traffic that leaves your network in order to NAT. ICF uses this information to control which IP packets can enter your network - if a packet attempting to enter your network doesn't match at least one outgoing packet, it's blocked. ICF provides a simple form of firewall - essentially just NAT - and also won't permit you to set up a public server behind it.
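The rule described above (inbound traffic passes only when it answers a recorded outbound packet) can be modelled in a few lines. This is an added example, not Microsoft's implementation and not part of the original page. The class name, the port numbering and the documentation-range addresses are all assumptions made for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

class SharingGateway:
    """Toy model: the NAT table built from outbound traffic gates inbound traffic."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}   # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.by_port = {}   # (proto, public port) -> that same flow tuple

    def outbound(self, pkt):
        """Translate a packet leaving the LAN, recording (or reusing) its mapping."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_port[(pkt.proto, self.next_port)] = flow
            self.next_port += 1
        return pkt._replace(src=self.public_ip, sport=self.by_flow[flow])

    def inbound(self, pkt):
        """Return the packet rewritten for the LAN host, or None when it is blocked."""
        flow = self.by_port.get((pkt.proto, pkt.dport))
        if flow is None:
            return None                      # no outbound packet ever used this port
        _, lan_ip, lan_port, remote_ip, remote_port = flow
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None                      # mapped port, but not the peer we contacted
        return pkt._replace(dst=lan_ip, dport=lan_port)

if __name__ == "__main__":
    gw = SharingGateway("203.0.113.10")      # constructed documentation addresses
    out = gw.outbound(Packet("tcp", "192.168.0.5", 1025, "198.51.100.7", 80))
    print("reply:", gw.inbound(Packet("tcp", "198.51.100.7", 80, out.src, out.sport)))
    print("unsolicited:", gw.inbound(Packet("tcp", "198.51.100.99", 4444, out.src, 80)))
```

The second call shows why a public server cannot sit behind such a filter: a connection to port 80 that no LAN host initiated has no table entry and is dropped.
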

Remote Control

XP sports a new feature called Remote Assistance, which allows you to send a message to a "friend" (using Windows Messenger or Outlook Express) that invites them to take remote control of your XP system. With XP's complexity, you might really need configuration help, but providing a remote control capability can be dangerous. When someone consented to let me be his or her "friend," XP actually failed to pass through the local, Linux-based firewall, while complaining about a failure to resolve the hostname (which was resolvable using nslookup under XP).

With any luck, many of XP's features that appear dangerous at first glance (just like Remote Assistance) will prove benign. Microsoft has taken strong steps to improve desktop security with XP, and we can only hope that it works.



Links

  • NT Security Link


All contents copyright © University of Toronto 2000-2003
This Site is maintained by the Computer Security Administration Group