Chapter 8: Securing Microsoft Windows

The latest versions of highly successful Microsoft Windows operating system, Windows XP and Windows Server 2003, are the successor to the Windows 95, 98 and ME Operating Systems offering a cleaner look, customization for multiple users, new audio and video capabilities, more integration with the Internet, and a steadier, less crash-prone structure. Although Windows XP Professional is built on the Windows 2000 kernel, there are significant differences between the operating systems - especially when it comes to security. Windows Server 2003 offers improved security and faster file and web server performance compared with Windows 2000. In Windows 2003, basic security is improved because most server features, including the IIS web server, are disabled when the operating system is installed. This reduces the impact of automated attacks such as the Nimda and Code Red worms.

The earlier version of Windows was Windows 2000. Originally named as Windows NT 5.0, this version was later renamed Windows 2000 due to marketing reasons. It is believed by many that Windows 2000 is a better and enhanced version of Windows 98, which is not true. Contrary to Windows 95 and 98, both of which have virtually no meaningful security mechanisms, Windows 2000 is an upgrade to Windows NT 4.0. Windows NT 4.0 was designed with a security model in mind; Windows 2000 modifies and extends that model. And Windows XP is built on the Windows 2000 code base and technology.

The newer version of Windows, Windows XP, is the most dependable version of Windows ever, with the best security and privacy features Windows has ever provided. Windows XP Home Edition comes with built-in (and now on as default) Internet Connection Firewall software that provides a resilient defense to security threats when the computer is connected to the Internet, especially always-on connections such as cable modems and DSL. The other version of Windows XP, Windows XP Professional includes all of the security capabilities of Windows XP Home Edition, plus other security management features. Below is a checklist of some security measures that are recommended while installing Windows XP.

Windows security underlies all the security considerations in applications that run on Windows. In Windows many security features have been implemented to aid in securing computers and the network with use of policies and tighter security protocols. Security is enforced on Windows systems through a number of different mechanisms.

Window 2000 security technologies span a much greater distance than the NT 4.0 platform and any previous versions of Windows. The Windows 2000 platform has introduced: single sign-on, integrated security, secure administration, better authentication methods, interoperability standards and very in depth auditing of your systems and access of those systems. With the advent of Active Directory Windows 2000, directory services can now use a domain policy that can be distributed over the whole organization. Using domain policies, Windows 2000 environment can be harden, both on the hardware side as well as the application/software side. These policies in effect can "harden" a computer to the point that it would be very difficult to be compromise via outside attack. Only a person with proper rights would have access to a system under such a restrictive policy.

Kerberos is an open standard protocol that had been introduced for authentication between Windows 2000 machines on a network. In a Windows 2000 domain the user should have an account to access the system. The account information entered by the user is checked against the database, which holds the information. The information is then verified using the Active directory and the Kerberos. The settings define whether the user can be granted certain privileges. They also tell whether a person belongs to a specified group that has rights to perform certain operations in the 2000 domain.

Winlogon and Graphical Identification and Authentication (GINA) are important elements in the logon process. These are the elements that handle the authentication from the user's perspective. GINA is called upon by using three keys CLTR ALT DELETE together. It is used to send information from the logon to the Local Security Authority. LSA validates the user. Winlogon manages the logon and logoff process of the users. It loads the user's profile. It also protects the machine screensaver and handles the remote performance monitor requests. GINA and Winlogon are used to authenticate the user. They are also to start the windows.

Kerberos ver5 used to authenticate the user by using standard shared secret key but in 2000, the authentication can be done by using public key certificates. This allows interactive logons to use Smart Cards. Kerberos supports four authentication systems. Those are Windows NT LAN Manager (NTLM), Distributed Password Authentication (DPA), Extensible Authentication Protocol (EAP) and Secure Channel (SChannel). NTLM is used to authenticate users in Windows NT environment. DPA, EAP and Schannel are used to authenticate Dial up networks and Internet.

Schannel, which is designed to provide secure communication over the Internet, includes four protocols:

Windows 2000 has moved from proprietary mechanisms to open standard mechanisms for authentication. This allows it to support a wider range of clients and access a wider range of environments.

Windows System Security Tools

There is a possibility that in spite of all the security measures there is a weakness in the system. Hackers can use this security lapse to enter the system. It is also sometimes difficult to keep track of every machine located at different geographical locations. There are some applications that can be used to check system security vulnerabilities. Tools such as Internet Security Scanner can be used for determining the security level of a computer. A user that has domain administrator privileges can run these tools from his computer.

System Scanner

System Scanner for Windows is a security-assessment solution for Windows XP, Windows 2000, Microsoft Windows NT 4.0, Microsoft Windows 95 and Microsoft Windows 98. It performs approximately 300 vulnerability checks. These include scanning for the registry, Java, Microsoft Office projects and other vulnerabilities. It generates HTML reports to provide detailed descriptions of vulnerabilities detected on the computer and information needed to correct them. There are seven types of scans and the configuration options that System Scanner offers. They are:

Registry Scan: This tracks changes made to registry keys and values.

File Scan: File Scan tracks changes to files. By default, System Scanner scans .bas,. class, .cpl, .dll, .drv, .exe, .ocx, .pl, .scr, and .vxd files.

Services: By selecting the Services check box, System Scanner can be configured to track application and driver services.

Processes: System Scanner can be used to detect changes to programs that have been configured to start automatically. This is necessary because intruders who install back doors and Trojan horses often configure the system to automatically start the malicious attack during start up.

User Scan: User Scan checks new, deleted and modified user accounts. User Scan also catches other changes, such as disabled user accounts that have been re-enabled.

Group Scan: Group Scan detects any user-right assignment changes to groups and any group-membership changes.

Share Scan: System Scanner can track changes to hidden shares, share permissions, and the NTFS permissions on shared folders and shared printers.

System Scanner 2000 is available for free and can be downloaded from here.

Microsoft Baseline Security Analyzer (MBSA)

MBSA is a tool that allows a user to scan one or more Windows-based computers for common security problems. The MBSA can be executed from any machine that is running Windows 2000 Professional, Windows 2000 Server, Windows XP Home or Windows XP Professional. After scanning MBSA generates a report based on its findings, which is divided into categories based on installations on the system.

Key areas that are scanned are:

IIS & SQL
The number and permissions of the administrator accounts
Status of the guest account
Password analysis which measures strength of the passwords
Auditing
Available published shares
Performs an Microsoft Office check
Analyzes Internet Explorer's security features
OS and application HotFix and service pack levels

MBSA uses the HFNetChk tool to identify if security updates have been applied to a system. HFNetChk does this by referring to an XML security hotfix database that's constantly updated by Microsoft. This XML database contains information about the hotfixes that are available for each Microsoft product.

MBSA Version 1.1.1 is available for download at the Microsoft website.

Security Configuration Templates

Windows 2000 Server has Security Templates tool that makes it easier to set up and manage the security settings for an organization's network. A security template is a physical representation of a security configuration; in other words, it is a file where a group of security settings may be stored. Microsoft Management Console (MMC) snap-in lets administrators define standard templates and apply them uniformly to multiple computers or users. The templates range from security settings for low security domain clients to highly secure domain controllers. These templates can be modified or serve as a basis for creating custom security templates. The Security Configuration and Analysis tool is a companion to the Security Templates snap-in. It is used to apply the restrictions defined in a security template to actual systems. It can also be used to analyze a system's security and to compare the settings on computers.

Windows Security Tips

	Do not secure computer equipment in publicly accessible areas. The physical security should not be compromised and equipment should be secured against access, tampering, or removal.
	If you run Windows, select Windows 2000 Professional and Windows XP Professional both of which offer features such as secure logon, file level security, and the ability to encrypt data.
	Install software security packages that use passwords to ensure only authorized users have access to the computers and servers.
	Only the system administration group should have the rights to implement any of the security policies that are part of the User Manager for Domains utility.
	Choose passwords that are difficult or impossible to guess. Give different passwords to different accounts and change the passwords from time to time.
	Encrypt sensitive and confidential information wherever appropriate.
	Do not use pirated, hacked, or otherwise illegal copies of programs.
	If others use your computer, carry out regular audits of the software on it and check any software that you discover that you haven't installed yourself.
	Do not keep computers online when not in use.
	Use anti-virus software and keep it up to date. Also regularly download security patches from the software vendors.
	Do not open e-mail attachments from strangers.
	Use firewall and proxy servers to restrict the unauthorized users from entering and using network resources.
	Take regular backups of the systems and servers.
	Raise the security awareness among users, friends and other people.

Windows 2000 and Windows XP include a number of improved security features and options, and when properly configured it can be a very secure Operating System. Microsoft includes a Security Configuration Toolkit, security analyzer, and a number of default security templates with Windows 2000 that can help user in picking the level of security he needs. Below is a checklist of recommended security practices while installing Windows 2000 Professional or Server, or Windows XP Home or Professional.

Limit the number of unnecessary accounts: Eliminate any duplicate user accounts, test accounts, shared accounts, general department accounts, etc., Use group policies to assign permissions as needed, and audit the accounts regularly.

Use the Security Configuration Toolset: Microsoft provides a Security Configuration Toolset, which provides plug in templates for the MMC that allows an easy configuration of the policies based on the level of security required.

Shut down unnecessary ports: Workstations aren't normally at risk behind a firewall, but not always the servers are safe. A hackers' first attempt at rattling the doors and windows usually involves using a port scanner. The list of open ports on a local system can be obtained by opening the file located at %systemroot%\drivers\etc\services. To allow only TCP and ICMP connections, configure the UDP and IP Protocol check boxes to "Permit Only" and leave the fields blank.

Enable Auditing: The most basic form of Intrusion Detection for Windows 2000 is to enable auditing. This will alert whenever any changes are made in account policies, attempted password hacks, unauthorized file access, etc.

Set permissions on the security event log: The event log files are not protected by default, so permissions should be set on the event log files to allow access to Administrator and System accounts only.

Lock down the Registry: In Windows 2000, only Administrators and Backup Operators have default network access to the registry, however this may be tightened down even further.

Disable the default shares: Windows NT and Windows 2000 open hidden shares on each installation for use by the system account. Default Administrative shares can be disabled in two ways.

Enable EFS (Encrypting File System): Windows 2000 ships with a powerful encryption system that adds an extra layer of security for drives, folders, or files. This will help prevent a hacker from accessing the files by physically mounting the hard drive on another PC and taking ownership of files. Be sure to enable encryption on Folders, not just files. All files that are placed in that folder would be encrypted.

Consider using SmartCard or Biometric devices instead of passwords: The more stringent the password policy is, the more likely the users would begin keeping paper password lists in their desk drawers, or taped to the bottom of their keyboard. Windows 2000 supports these devices Smart Cards and Biometric devices.

Replace the "Everyone" Group with "Authenticated Users" on file shares: Never assign the "Everyone" Group to have access to a file share on the network, use "Authenticated Users" instead. This is especially important for printers that have the "Everyone" Group assigned by default.

Disable Dump File Creation: A dump file can be a useful troubleshooting tool when either the system or application crashes and causes the infamous "Blue Screen of Death". However, they also can provide a hacker with potentially sensitive information such as application passwords. The dump file can be disabled by going to the Control Panel > System Properties > Advanced > Startup and Recovery and change the options for 'Write Debugging Information" to None.

Check Microsoft's web site for the latest hotfixes: Nobody writes 30 million lines of code and is going to have it perfect the first time, so updating service packs and hotfixes can go a long way to plug security holes.

Use passwords on all user accounts: Both Windows XP Professional and Home Edition allow user accounts to utilize blank passwords to log into their local workstations, although in XP Professional, accounts with blank passwords can no longer be used to log on to the computer remotely over the network. In Windows XP Home Edition, all user accounts have administrative privileges and with no password by default. So while installing one should make sure to provide passwords and appropriate privileges to all user accounts.

Use the Administrator Group with care: It's very common for home users and small business administrators to simply give all local accounts full Administrator privileges in order eliminate the inconvenience of logging into another account. However this practice gives a hacker the opportunity to try to crack a greater number of administrator level accounts and increases his/her chance for success. It also increases the odds that malicious code executed via an e-mail attachment or other vector can do more damage to your files. In a workgroup consider placing local users with a greater need for control in the local Power Users group, instead of the Administrators group. And avoid the temptation of using the local administrator account as the default login account.

Use NTFS on all your partitions: The FAT16/FAT32 file systems that were shipped with Windows 95/98/ME offered no security for the data leaving system wide open for intrusions and attacks. The NTFS file system is faster than FAT32 and allows setting permissions down to the file level. In addition, using NTFS on Windows XP Professional allows encrypting files and folders using the Encrypting File System (EFS).

Replace the "Everyone" Group with "Authenticated Users" on file shares: In Windows XP, "Everyone" means anyone who gains access to the network can access the data. Never assign the "Everyone" Group to have access to a file share on the network, use "Authenticated Users" instead. This is especially important for printers, who have the "Everyone" Group assigned by default.

Disable default shares: Windows XP automatically creates a number hidden administrative shares that the operating system uses to manage the computer environment on the network. These default shares can be disabled via the Computer Management console in the Control Panel, but they are re-enabled by the system after restarting the computer.

	Intelligentedu.com Home -> Learn About Computers, Software Development & Information Technology -> Table of Contents