Windows Security Primer
Summary: This document addresses potential
security risks that exist in the Microsoft desktop operating system environment
and makes recommendations on how to protect the system and data on your desktop
computer. Many of these recommendations can be applied to your home computer
so that it will be protected while connected to the Internet via your Internet
Service Provider (ISP). Please be sure to read all three sections for the Windows
platform you are using.
Table of Contents
Windows 9x (Windows 95 and 98)
  Problems that Can Occur
  Establishing Good Security Practices
  Protecting Your Computer on the Network
Windows NT Workstation
  Problems that Can Occur
  Establishing Good Security Practices
  Protecting Your Computer on the Network
Windows 2000 Professional
  Problems that Can Occur
  Establishing Good Security Practices
  Protecting Your Computer on the Network
Windows XP Professional
  Problems that Can Occur
  Establishing Good Security Practices
  Protecting Your Computer on the Network
Additional URLs on Windows Security
Problems that Can Occur
A workstation that is unprotected may
be subject to accidental or hostile intrusion. This intrusion could result
in the loss or compromise of data stored on the hard disk subsystem. Specific
potential problems for unprotected workstations include copying or destruction
of applications, masquerading as an authorized user in order to gain access
to privileged data and performing malicious acts aimed at destroying the functionality
of the computer. These problems can be exacerbated when your computer is connected
to a network.
Establishing Good Security Practices for Windows 9x
Windows 9x's security system is not
foolproof and does not provide the same level of security as Windows NT Workstation.
Windows 9x's security system is designed to keep users out of resources they
are not intended to use; it does not offer much protection against those who
are determined to break in.
Share Level and User Level Security
There are two types of security in Windows
9x – share level and user level. With share level security each shared
resource has a particular set of access rights which apply only to the resource
regardless of which user tries to access the resource. If you set up your hard
disk as a shared resource and give it a share level password, all users who
know this password may access your hard drive. With this kind of security each
resource is protected by a password, and you can use passwords for read-only
access and for read/write access. Passwords should not be easily guessed. See
these guidelines for strong
passwords.
With user level security, you create
a list of users who have access to a particular resource. In order for a user
to gain access to this resource, he must be on the list. You can require a
password and can use user level security for a variety of services including
file and print sharing, backup agent, network management and dial-up networking.
Password Security and Physical Access
Windows 9x is not designed to be secure
and is not protected from unauthorized use. Even if a username and password
are set to protect the desktop, anyone with physical access to the computer
can log on using a new name and password or bypass the logon box entirely by
pressing the Escape key.
For a higher level of security, add-on
utilities are needed. There are many shareware utilities at www.windows98.com.
If you don't control physical access to your computer, you should consider
using one of these utilities. If you have enabled user profiles, you can modify
Windows 9x to be more secure. See www.conitech.com/windows/secure.html for
more information. You can also download CLASP95 from www.cyberenet.net/~ryan or
the killer security application StopLight 95 ELS at www.safe.net/security/default.asp.
If you are storing data on your Windows
9x computer that you do not want other people to access, you should save it
to a file server where access controls are in place, or you can encrypt it
with a program such as PGP or one of the many file encrypters that are available.
Service Packs and Fixes
One of the best protections against
any security vulnerability is to make sure that the latest version of all the
software running on the computer is installed including the latest operating
system patches. Regularly check the Microsoft web site (www.microsoft.com)
for patches and fixes plus many links to other information on security issues
related to their products.
Protecting Windows 9x Computers on the Network
Sharing Resources
File sharing is a feature that allows
access to directories and printers connected to your computer. Quite often
people turn on this feature and inadvertently allow remote access to the contents
of their entire hard drive. Unrestricted access to printers can allow malicious
people to waste resources by sending very large print jobs to your printer.
If you need the functionality of multiple
users having access to the same files on a computer, you should consider installing
a file server which provides much greater control over access to shared files
and protects against individual PCs being compromised.
If file sharing must be turned on, be
certain that username and passwords are required to access the share and that
the passwords are strong. See these guidelines for
strong passwords.
Hacker Attacks
Windows 9x does not have strong native
security and is vulnerable to security problems when connected to a TCP/IP
network. It has been the target of many hacker intrusions such as Back Orifice,
which allows full control and manipulation of a Windows PC over the network.
Microsoft has suggested some safe computing practices that you can follow in
order to prevent this kind of intrusion such as not downloading software from
sources you do not know and not installing software that is not digitally signed.
Your computer will be safer if you do not share any resources, do not enable
remote administration, do not enable Windows 9x Dial Up Server, require a logon
password to your computer and do not allow others physical access to your computer.
It is also important that you install
and always have running a virus scanner. New viruses appear constantly, and
for a virus scanner to be effective it must be constantly updated to counteract
these new viruses. It is best to install a scanner program that automates the
download of the new virus signatures.
If you suspect that your computer is
being hacked, please notify your local CSC or NACS for help. NACS Response
Center is at extension 46116.
Establishing Good Security Practices for Windows NT Workstation
Windows NT was designed with security
as one of its principal foundations, and the security subsystem is built into
the core of the operating system. Windows NT is not, however, secure immediately
after it is installed. It can be made secure and administrators/users must
take the time to utilize the security provided by the operating system architecture.
Services and Protocols
NT by default runs some services that
are not needed and are potential security risks. Go to the Services icon in
the Control Panel and disable services that aren't essential to the work you're
doing. Be careful with this since some services may be needed by your system
even when you don't think they are being used. Generally, disable them one-by-one
and keep notes on which services you disable so that you can reactivate them
if a problem develops later. It is generally recommended that for security
reasons you disable the following services: NetBIOS Interface, RPC and Server.
Also be sure to remove any networking protocols you are not using; each one
consumes memory even when not being used. Generally, NetBEUI is not needed
and should be removed; TCP/IP is necessary for Internet connectivity and NWLink
is used for connecting to a NetWare environment.
Service Packs and Fixes
One of the best protections against
any security vulnerability is to make sure that the latest version of all the
software running on the computer is installed including the latest operating
system patches. Regularly check the Microsoft web site (www.microsoft.com)
for patches and fixes plus many links to other information on security issues
related to their products.
Password Security and Physical Access
Windows NT Workstation requires a logon
to the local machine as well as a logon to the network if the workstation/user
is a member of an NT Domain or a NetWare network. It is recommended that you
use different passwords for the local workstation login and the network login.
Although it may be inconvenient to have to remember two passwords, it does
increase security. If you have synchronized your passwords, and someone discovers
your workstation password, they will now also have access to the network via
your account. It is also recommended that you follow these guidelines for
the establishment of strong passwords.
Login and user identification for Windows
NT Workstation is much more sophisticated and secure than that for Windows
9x where the login process is not secure. A Security Accounts Manager (SAM)
database containing username and password data is stored on the local machine,
and during the login process the security manager verifies the username and password
that is entered against the data in this database. If a user does not have
an account on the local machine or does not enter his username and password
correctly, access is denied and he cannot use the workstation.
There are two workstation default user
accounts that need to be protected. The Administrator account has full, unrestricted
system access and cannot be deleted, disabled or locked out. However, this
account can be renamed. This account should have a strong password in order
to protect the local machine. The Guest account cannot be deleted, but it can
be disabled, locked out and renamed. This account does not save user preferences
or configuration changes and has a default blank password. It is important
to rename and assign a password for both the Administrator and Guest accounts
to maximize security. It is recommended to use strong passwords that are outlined
in the password guidelines.
Protecting Windows NT Workstation Computers on the Network
Remote Access Services
Remote Access Services (RAS) is the
capability of connecting to Windows NT via dial-up modem lines. Windows NT
Workstation supports a single RAS connection. While Windows NT RAS does have
several built-in security features to protect access and ensure authentication,
it is a favorite target of hackers trying to infiltrate a network. There are
many programs readily available on the Internet that hackers can use to gain
access via RAS. One such tool is a daemon dial program that dials every number
in an exchange looking for those that answer by modem. If proper security settings
have not been set up on the RAS host, the intruder can easily gain access to
the network via this hole. Because of the possibility of significant security
breaches with RAS on Windows NT Workstation, it is recommended that you do not
enable this service. RAS is more effective on a Windows NT server that provides
more connections and a centralized approach to access control and security configurations.
Hacker Attacks
It is important to remove all sample
software from your workstation. Sample software is a favorite target of hackers.
There are often specific hacks designed to exploit sample software.
It is also important that you install
and always have running a virus scanner. New viruses appear constantly, and
for a virus scanner to be effective it must be constantly updated to counteract
these new viruses. It is best to install a scanner program that automates the
download of the new virus signatures.
The security of strong passwords is
the first step in preventing an intrusion by a hacker. There are many tools
available on the Internet that hackers can use in an attempt to discover passwords
on Windows NT systems. It is very important to set up your workstation system
with strong passwords and proper access control to the data contained on the
hard disk subsystem. See the section on Additional
URLs on Windows Security for more information on establishing secure
configurations.
If you suspect that your computer is
being hacked, please notify your local CSC or NACS for help. NACS Response
Center is at extension 46116.
Establishing Good Security Practices for Windows 2000 Professional
Windows 2000 has more security features than any of the previous versions
of Windows. Many of the default settings of Windows NT that proved to cause
problems have been corrected in Windows 2000; however, it is still necessary
to make certain adjustments to harden the system in order to have a safe machine
while connected to the network. The following are several steps that
should be taken to make Windows 2000 Professional more secure:
Verify that all disk partitions are formatted with NTFS
NTFS partitions offer access controls and protections that aren't available
with the FAT, FAT32, or FAT32x file systems. Make sure that all partitions
on your computer are formatted using NTFS. If necessary, use the convert utility
to non-destructively convert your FAT partitions to NTFS. Warning: If
you use the convert utility, it will set the ACLs for the converted drive to
Everyone: Full Control. Use the fixacls.exe utility from the Windows NT Server
Resource Kit to reset them to more reasonable values.
Verify that the Administrator account has a strong password
Windows 2000 allows passwords of up to 127 characters. In general, longer passwords
are stronger than shorter ones, and passwords with several character types
(letters, numbers, punctuation marks, and non-printing ASCII
characters generated by using the ALT key and three-digit key codes on the
numeric keypad) are stronger than alphabetic or alphanumeric-only passwords.
For maximum protection, make sure the Administrator account password is at
least nine characters long and that it includes at least one punctuation
mark or non-printing ASCII character in the first seven characters. In addition,
the Administrator account password should not be synchronized across multiple
computers. Different passwords should be used on each computer to raise the
level of security in the workgroup or domain.
It is not recommended that
you synchronize your local Windows 2000 Pro password with your network password
because that would allow an intruder who was successful in obtaining your
local password to also have access to the network.
Disable or delete unnecessary accounts
You should review the list of active accounts periodically (for both users
and applications) on the system in the Administrative Tools/Computer Management/Local
Users snap-in and disable any non-active accounts and delete accounts which
are no longer required.
Set strong password policies
Use the Local Security Policy snap-in in Control Panel/Administrative
Tools to strengthen the system policies for password acceptance. Microsoft
suggests that you make the following changes:
- Set the minimum password length to at least 8 characters
- Set a minimum password age appropriate to your network (typically between
1 and 7 days)
- Set a maximum password age appropriate to your network (typically no more
than 42 days)
- Set a password history maintenance (using the "Remember passwords" option)
of at least 6
Install antivirus software and updates
It is imperative to install antivirus software and keep up-to-date on the latest
virus signatures on all Internet and intranet systems. More antivirus and security
information is available on the Microsoft TechNet Security Web site at: http://www.microsoft.com/technet/treeview/default.asp?url=/tech
Restrict Physical Access
Be sure that your Windows 2000 Professional workstation cannot be accessed
when you are away from your desk. Either shut down the machine or use
a password on your screen saver in order to protect your machine. Physical
access to a machine enables a hacker to run programs that reveal or manipulate
your local password.
Protecting Windows 2000 Professional Computers on the Network
Disable unnecessary services
After installing Windows 2000, you should disable any network services not
required for the computer. In particular, you should consider whether your
computer needs any IIS 5.1 Web services.
Protect files and directories
Refer to Default Access Control Settings in Windows 2000 document on the Microsoft
TechNet Security Web site for details on the default Windows 2000 file
system ACLs and how to make any necessary modifications.
Make sure the Guest account is disabled
By default, the Guest account is disabled on systems running Windows
2000. If the Guest account is enabled, disable it.
Set account lockout policy
Windows 2000 includes an account lockout feature that will disable an account
after an administrator-specified number of logon failures. For maximum security,
enable lockout after 3 to 5
failed attempts, reset the count after not less than 30 minutes, and set
the lockout duration to "Forever (until admin unlocks)".
Configure the Administrator account
Because the Administrator account is built into every copy
of Windows 2000, it presents a well-known objective for attackers. To
make it more difficult to attack the Administrator account, do the following
for the local Administrator account on each computer:
- Rename the account to a non-obvious name (e.g., not "admin," "root," etc.)
- Establish a decoy account named "Administrator" with no privileges. Scan
the event log regularly looking for attempts to use this account.
- Enable account lockout on the real Administrator accounts by using the
passprop utility.
- Disable the local computer's Administrator account.
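The decoy-account item in the list above is a log-review task, so here is an added example (not from the original document) of scanning an exported Security log for any logon attempt that names the decoy. It assumes the real account has already been renamed, so that nobody legitimate should ever log on as "Administrator"; it uses the Windows NT/2000/XP logon audit event IDs 528, 529, 539 and 540; and it reads a constructed CSV export whose column names (Date, Time, Type, User, Computer, EventID, Source, Description) are this example's own, which is why the parser keys on the header row rather than on column position.

```python
"""Scan an exported Security log for use of a decoy 'Administrator' account.

Added example, not from the original document. Assumes the real Administrator
account has been renamed as the primer advises, so any logon event naming
"Administrator" is suspect. The sample export and its column names are
constructed for this example; an Event Viewer "Save As" CSV may order its
columns differently, so rows are read by header name, not by position.
"""
import csv
import io
import re
from collections import Counter

DECOY_NAME = "Administrator"
# Windows NT/2000/XP logon audit events.
LOGON_EVENTS = {
    528: "successful logon",
    529: "logon failure: unknown user name or bad password",
    539: "logon failure: account locked out",
    540: "successful network logon",
}
USER_RE = re.compile(r"User Name:\s*(\S+)")
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(\S+)")

# Constructed sample export: one ordinary console logon, a burst of attempts
# against the decoy from another machine until lockout, then a normal network logon.
SAMPLE_LOG = """\
Date,Time,Type,User,Computer,EventID,Source,Description
3/12/2002,09:14:03,Success Audit,NT AUTHORITY\\SYSTEM,WS1,528,Security,"Successful Logon: User Name: jdoe Domain: WS1 Logon Type: 2 Workstation Name: WS1"
3/12/2002,22:41:10,Failure Audit,NT AUTHORITY\\SYSTEM,WS1,529,Security,"Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: WS1 Logon Type: 3 Workstation Name: DESKTOP-17"
3/12/2002,22:41:12,Failure Audit,NT AUTHORITY\\SYSTEM,WS1,529,Security,"Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: WS1 Logon Type: 3 Workstation Name: DESKTOP-17"
3/12/2002,22:41:15,Failure Audit,NT AUTHORITY\\SYSTEM,WS1,529,Security,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WS1 Logon Type: 3 Workstation Name: DESKTOP-17"
3/12/2002,22:41:20,Failure Audit,NT AUTHORITY\\SYSTEM,WS1,539,Security,"Logon Failure: Reason: Account locked out User Name: Administrator Domain: WS1 Logon Type: 3 Workstation Name: DESKTOP-17"
3/13/2002,08:02:44,Success Audit,NT AUTHORITY\\SYSTEM,WS1,540,Security,"Successful Network Logon: User Name: jdoe Domain: WS1 Logon Type: 3 Workstation Name: WS2"
"""


def scan_for_decoy_use(export_text, decoy=DECOY_NAME):
    """Return one finding per logon event whose user name is the decoy account."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            event_id = int(row["EventID"])
        except (KeyError, TypeError, ValueError):
            continue  # not a well-formed row
        if event_id not in LOGON_EVENTS:
            continue
        user = USER_RE.search(row.get("Description") or "")
        if not user or user.group(1).lower() != decoy.lower():
            continue
        workstation = WORKSTATION_RE.search(row["Description"])
        findings.append({
            "when": f"{row['Date']} {row['Time']}",
            "event_id": event_id,
            "outcome": LOGON_EVENTS[event_id],
            "workstation": workstation.group(1) if workstation else "?",
            # Nobody legitimate uses the decoy, so a *successful* logon means its
            # password was obtained; failures show someone probing the name.
            "severity": "critical" if event_id in (528, 540) else "warning",
        })
    return findings


def attempts_by_workstation(findings):
    """Count decoy-account events per source workstation for the regular review."""
    return Counter(f["workstation"] for f in findings)


if __name__ == "__main__":
    found = scan_for_decoy_use(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:8} {f['when']}  event {f['event_id']}  "
              f"{f['outcome']}  from {f['workstation']}")
    print(dict(attempts_by_workstation(found)))
```

Run against the constructed sample, the scan reports four warnings, all from DESKTOP-17, ending in the 539 lockout event; a 528 or 540 naming the decoy would be reported as critical, because the decoy has no legitimate users and a success means its password is known to someone.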
Remove all unnecessary file shares
All unnecessary file shares on the system should be removed to prevent possible
information disclosure and to prevent malicious users from leveraging the
shares as an entry to the local system.
Set the appropriate ACLs on all necessary file shares
By default all users have Full Control permissions on newly created file
shares. All shares that are required on the system should be ACL'd such
that users have the appropriate share-level access (e.g., Everyone
= Read). Note: The NTFS file system must be used
to set ACLs on individual files in addition to share-level permissions.
Install the latest Service Pack
Each Service Pack for Windows includes all security fixes from previous
Service Packs. Microsoft recommends that you keep up-to-date on Service
Pack releases and install the correct Service Pack as soon as your operational
circumstances allow. The current Service Pack for Windows 2000 is available
at http://www.microsoft.com/windows2000/downloads/servicepacks/
Install the appropriate post-Service Pack security hotfixes
Microsoft issues security bulletins through its Security Notification Service.
When these bulletins recommend installation of a security hotfix, you should
immediately download and install the hotfix on your computer.
Establishing Good Security Practices for Windows XP Professional
If you are already familiar with the security model in Microsoft® Windows
NT® 4.0 and Microsoft® Windows® 2000, you will recognize many of
the features in Windows XP Professional. At the same time, you will also find
a number of familiar features that have changed significantly, and new features
that will improve your ability to manage system security.
Remember: When you're working with Windows XP Professional as part of a workgroup
or in a stand-alone environment, and you have administrator rights to your
computer, you'll have access to all of the operating system's security features.
If your Windows XP Professional-equipped computer is part of a domain, your
options will be determined by the policies set by the IT administrator.
Verify that all disk partitions are formatted with NTFS
NTFS partitions offer access controls and protections that aren't available
with the FAT, FAT32, or FAT32x file systems. Make sure that all partitions
on your computer are formatted using NTFS. If necessary, use the convert utility
to non-destructively convert your FAT partitions to NTFS. Warning: If
you use the convert utility, it will set the ACLs for the converted drive to
Everyone: Full Control. Use the fixacls.exe utility from the Windows NT Server
Resource Kit to reset them to more reasonable values.
Verify that the Administrator account has a strong password
In general, longer passwords are stronger than shorter ones, and passwords
with several character types (letters, numbers, punctuation marks,
and non-printing ASCII characters generated by using the ALT key and three-digit
key codes on the numeric keypad) are stronger than alphabetic or alphanumeric-only
passwords. For maximum protection, make sure the Administrator account password
is at least nine characters long and that it includes at least one punctuation
mark or non-printing ASCII character in the first seven characters. In addition,
the Administrator account password should not be synchronized across multiple
computers. Different passwords should be used on each computer to raise the
level of security in the workgroup or domain.
It is not recommended that
you synchronize your local Windows XP Pro password with your network password
because that would allow an intruder who was successful in obtaining your
local password to also have access to the network.
Disable or delete unnecessary accounts
You should review the list of active accounts periodically (for both users
and applications) on the system in the Control Panel/Performance and Maintenance/Administrative
Tools/Computer Management/Local Users snap-in and disable any non-active
accounts and delete accounts which are no longer required.
Install antivirus software and updates
It is imperative to install antivirus software and keep up-to-date on the latest
virus signatures on all Internet and intranet systems. More antivirus and security
information is available on the Microsoft TechNet Security Web site at: http://www.microsoft.com/technet/treeview/default.asp?url=/tech
Restrict Physical Access
Be sure that your Windows XP Professional workstation cannot be accessed
when you are away from your desk. Either shut down the machine or use a
password on your screen saver in order to protect your machine. Physical
access to a machine enables a hacker to run programs that reveal or manipulate
your local password.
Protecting Windows XP Professional Computers on the Network
Controlled Network Access
Windows XP provides built-in security to keep intruders out. It does this
by limiting anyone trying to gain access to your computer from a network to "guest"-level
privileges. If intruders attempt to break into your computer and gain unauthorized
privileges by guessing passwords, they will be unsuccessful—or obtain
only limited, guest-level access.
Managing Network Authentication
An increasing number of Windows XP Professional–based systems are connected
directly to the Internet rather than to domains. This makes proper management
of access control (including strong passwords and permissions associated
with different accounts) more critical than ever. To ensure security, the relatively
anonymous access control settings commonly associated with open Internet
environments need to be curtailed. As a result, the default in Windows XP Professional
requires all users logging on over the network to use the Guest account. This
change is designed to prevent hackers attempting to access a system across
the Internet from logging on by using a local Administrator account that has
no password.
Force Guest
The sharing and security model for local accounts allows you to choose between
the Guest-only security model or the Classic security model. In the Guest-only
model, all attempts to log on to the local computer from across the network
will be forced to use the Guest account. In the Classic security model, users
who attempt to log on to the local computer from across the network authenticate
as themselves. This policy does not apply to computers that are joined to
a domain. Otherwise, Guest-only is enabled by default. If a guest account
is enabled and has a blank password, it will be permitted to log on and access
any resource authorized for access by the Guest account. If the “force
network logons using local accounts to authenticate as Guest” policy
is enabled, local accounts must authenticate as a Guest. This policy determines
whether a local account that connects directly to a computer on the network
must authenticate as a Guest user. You can use this policy to limit the permissions
of a local account that is attempting to access system resources on the target
computer. If you enable this policy, all local accounts that attempt to connect
directly are limited to Guest permissions, which are usually severely restricted.
Blank Password Restriction
To protect users who do not password-protect their accounts, Windows XP Professional
accounts without passwords can only be used to log on at the physical computer
console. By default, accounts with blank passwords can no longer be used
to log on to the computer remotely over the network, or for any other logon
activity except at the main physical console logon screen. For example, you
cannot use the secondary logon service (RunAs) to start a program as a local
user with a blank password.
Assigning a password to a local account removes the restriction that prevents
logging on over a network. It also permits that account to access any resources
it is authorized to access, even over a network connection.
Caution: If your computer is not in a
physically secured location, it is recommended that you assign
passwords to all local user accounts. Failure to do so allows anyone with
physical access to the computer to log on using an account that does not
have a password. This is especially important for portable computers,
which should always have strong passwords on all local user accounts.
Note: This restriction does not apply to domain
accounts. It also does not apply to the local guest account.
If the guest account is enabled and has a blank password, it will be permitted
to log on and access any resource authorized for access by the
guest account. If you want to disable the restriction against logging on
to the network without a password, you can do so through Local
Security Policy.
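The password policy, account lockout and Guest account settings from the Windows 2000 section above, and the Force Guest and blank-password restrictions described here, can all be read back from a `secedit /export` policy file and compared with what this primer recommends. The following is an added example (not from the original document or from Microsoft) that does that audit. The two sample exports are constructed, `ws-maint` is a placeholder for a renamed Administrator account, and the `ForceGuest` and `LimitBlankPasswordUse` registry values under `MACHINE\System\CurrentControlSet\Control\Lsa` are the values behind the two Windows XP policies described in this section.

```python
"""Audit a secedit policy export against this primer's recommendations.

Added example, not from the original document. It assumes the INF-style text
written by `secedit /export /cfg <file>` ([System Access] and [Registry Values]
sections; real exports are UTF-16 and need decoding first). Both sample exports
below are constructed for this example and trimmed to the keys being checked.
"""
import configparser

# Constructed: roughly what an unhardened workstation exports.
SAMPLE_EXPORT_WEAK = r"""
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
EnableGuestAccount = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
"""

# Constructed: the same machine after applying the primer's settings
# ("ws-maint" is a placeholder for the renamed Administrator account).
SAMPLE_EXPORT_HARDENED = r"""
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordHistorySize = 6
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = -1
NewAdministratorName = "ws-maint"
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
OBVIOUS_ADMIN_NAMES = {"administrator", "admin", "root"}


def _num(value):
    """Plain integers under [System Access]; 'type,data' (4 = REG_DWORD) under [Registry Values]."""
    return int(value.strip().split(",")[-1])


# (section, key, predicate on the exported value, requirement as the primer states it)
RULES = [
    ("System Access", "MinimumPasswordLength", lambda v: _num(v) >= 8, "minimum password length at least 8"),
    ("System Access", "MinimumPasswordAge", lambda v: 1 <= _num(v) <= 7, "minimum password age between 1 and 7 days"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= _num(v) <= 42, "maximum password age no more than 42 days"),
    ("System Access", "PasswordHistorySize", lambda v: _num(v) >= 6, "password history of at least 6"),
    ("System Access", "LockoutBadCount", lambda v: 3 <= _num(v) <= 5, "lockout after 3 to 5 failed attempts"),
    ("System Access", "ResetLockoutCount", lambda v: _num(v) >= 30, "reset the failure count after not less than 30 minutes"),
    ("System Access", "LockoutDuration", lambda v: _num(v) == -1, "lockout duration 'Forever (until admin unlocks)' (exported as -1)"),
    ("System Access", "EnableGuestAccount", lambda v: _num(v) == 0, "Guest account disabled"),
    ("System Access", "NewAdministratorName", lambda v: v.strip('" ').lower() not in OBVIOUS_ADMIN_NAMES, "Administrator account renamed to a non-obvious name"),
    # Windows XP workgroup defaults from the Force Guest and Blank Password Restriction sections.
    ("Registry Values", LSA + r"\ForceGuest", lambda v: _num(v) == 1, "network logons with local accounts forced to Guest"),
    ("Registry Values", LSA + r"\LimitBlankPasswordUse", lambda v: _num(v) == 1, "blank-password accounts limited to console logon"),
]


def audit(export_text):
    """Return the requirements the export fails; an empty list means compliant."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case so registry paths match as written
    cfg.read_string(export_text)
    failures = []
    for section, key, ok, requirement in RULES:
        value = cfg.get(section, key, fallback=None)
        # A missing key (e.g. lockout never configured) is itself a finding.
        if value is None or not ok(value):
            failures.append(requirement)
    return failures


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_EXPORT_WEAK), ("hardened", SAMPLE_EXPORT_HARDENED)):
        findings = audit(text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

On the constructed weak export every rule except the 30-minute reset window fails (ten findings); the hardened export passes cleanly. The same file can be fed back with `secedit /configure` once corrected, which is how the adjustments made in the Local Security Policy snap-in can be reproduced on other workstations.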
Encrypting File System
The increased functionality of Encrypting File System (EFS) has significantly
enhanced the power of Windows® XP Professional by providing additional
flexibility for users when they deploy security solutions based on encrypted
data files. EFS is based on public-key encryption and takes advantage of
the CryptoAPI architecture in Windows XP. The default configuration of EFS
requires no administrative effort—you can begin encrypting files immediately.
EFS automatically generates an encryption key pair and a certificate for
a user if one does not exist already. EFS can use either the expanded Data
Encryption Standard (DESX) or Triple-DES (3DES) as the encryption algorithm.
Both the RSA Base and RSA Enhanced software cryptographic service providers
(CSPs) included in the operating system may be used for EFS certificates,
and for encryption of the symmetric encryption keys. If you encrypt a folder,
all files and subfolders created in, or added to, the encrypted folder are
automatically encrypted. It is recommended that you encrypt at the folder
level to prevent plain-text temporary files from being created on the hard
disk during file conversion. Encrypting File System (EFS) protects sensitive
data in files that are stored on disk using the NTFS file system. EFS is
the core technology for encrypting and decrypting files stored on NTFS volumes.
Only the user who encrypts a protected file can open the file and work with
it. This is especially useful for mobile computer users.
Install the latest Service Pack
Each Service Pack for Windows includes all security fixes from previous Service
Packs. Microsoft recommends that you keep up-to-date on Service Pack
releases and install the correct Service Pack as soon as your operational circumstances
allow. Information on the current service packs for Windows XP is available
at http://www.microsoft.com/windowsxp/default.asp.
Install the appropriate post-Service Pack security hotfixes
Microsoft issues security bulletins through its Security Notification Service.
When these bulletins recommend installation of a security hotfix, you should
immediately download and install the hotfix on your computer.
Disable unnecessary services
After installing Windows XP Professional, you should disable any network services
not required for the computer. In particular, you should consider whether
your computer needs any IIS Web services.
Smart Card Support
A smart card is an integrated circuit card (ICC) approximately the size
of a credit card. You can use it to store certificates and private keys and
to perform public key cryptography operations, such as authentication, digital
signing, and key exchange. Smart cards can be used only by workstations
that log into a Windows domain. If you are not a member of a Windows
domain, you cannot use smart card technology.
A smart card enhances security as follows:
- It provides tamper-resistant storage for private keys and other forms of
personal identification.
- It isolates critical security computations involving authentication, digital
signatures, and key exchange from parts of the system that do not require
this data.
- It enables moving credentials and other private information from one computer
to another (for example, from a workplace computer to a home or remote computer).
Additional URLs on Windows Security
Guidelines for Establishing Strong Passwords
Password security is one of the most
important steps you can take to protect your system and the network. Although
many users may think that the information on their system is not very important
and they don't need to be cautious, many break-ins into the network begin with
a hacker first gaining access to a user account. Then the door is open for
that hacker to attempt to gain access to the network. Hackers are often clever
and have tools that enable them to infiltrate the network, sometimes without
being detected until it is too late.
Although a determined hacker given enough time and opportunity
can usually discover most passwords, it is important to make it as difficult
as possible by using strong passwords. Strong passwords should have the following
characteristics:
- 6 or more characters
- do not use common names, words that are searchable from a dictionary or
words associated with your personal life which can be easily guessed
- do not use publicly accessible personal information such as your license
plate number, SSN, birthday, etc.
- A combination of letters and numbers is a good choice
- An acronym for a common phrase is a good choice since it is difficult to
crack yet easy for you to remember
- Change your password periodically if you are not forced to do so on your
network
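As an added example (not from the original document), the following script turns the guidelines above, together with the Administrator password rules from the Windows 2000 and XP sections (at least nine characters, with a punctuation or non-printing character in the first seven), into a check that can be run on a candidate password. The wordlist is a small constructed stand-in for a real dictionary file, and the leetspeak normalization is this example's own addition.

```python
"""Check a candidate password against the strong-password rules in this primer.

Added example, not from the original document. Rules as stated in the primer:
6 or more characters for ordinary accounts; 9 or more, with a punctuation or
non-printing character in the first seven, for the Administrator account; a mix
of character types; and no dictionary words, common names or personal details.
The wordlist is a constructed stand-in for a real dictionary file.
"""
import re
import string

WORDLIST = {"password", "secret", "welcome", "summer", "letmein",
            "dragon", "michael", "jennifer", "irvine"}   # constructed
USER_MIN_LEN = 6    # general guideline
ADMIN_MIN_LEN = 9   # Administrator account guideline
# Substitutions password crackers try routinely, so "s3cr3t" is treated as "secret".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def _is_special(ch):
    """Punctuation, or a non-printing/extended ASCII character (e.g. typed via ALT+code)."""
    return ch in string.punctuation or not 32 <= ord(ch) <= 126


def check_password(pw, admin=False, personal_info=()):
    """Return the guideline violations found; an empty list means the password passes.

    personal_info: strings such as a licence plate, birthday or user name that
    must not appear in the password.
    """
    problems = []
    min_len = ADMIN_MIN_LEN if admin else USER_MIN_LEN
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    has_letter = any(c.isalpha() for c in pw)
    has_other = any(c.isdigit() or _is_special(c) for c in pw)
    if not (has_letter and has_other):
        problems.append("single character type; combine letters with numbers or punctuation")
    if admin and not any(_is_special(c) for c in pw[:7]):
        problems.append("no punctuation or non-printing character in the first seven characters")
    lowered = pw.lower()
    normalized = lowered.translate(LEET)
    letters_only = re.sub(r"[^a-z]", "", normalized)
    # Whole password is a word, or a longer word is embedded in it.
    if letters_only in WORDLIST or any(w in normalized for w in WORDLIST if len(w) >= 5):
        problems.append("contains a dictionary word or common name")
    for item in personal_info:
        if len(item) >= 4 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    # "Tb,ontb!2b" is an acronym of "To be, or not to be", the kind the primer suggests.
    for pw, admin in (("summer", False), ("S3cr3t!99", False),
                      ("Irvine2002", True), ("Tb,ontb!2b", True)):
        result = check_password(pw, admin, personal_info=("2002",))
        print(repr(pw), "admin" if admin else "user", result or "OK")
```

The acronym-style password passes every rule, while "Irvine2002" fails three: no special character in the first seven positions, a recognisable word, and a personal detail that was handed in as `personal_info`.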