Editor's Note
 IT Purchases
 Linux, But Which One?
 Virtual LANs
 Free Software - II
 Database Components
 Windows Security - I
 CISN Archive
 Send Feedback

Computing & Information Services Newsletter
Windows 2000 / XP Desktop Computer Security - 1

The progressive advance of the information technologies equip the authorized users with the tools that enable him/her to access the veritable information in lesser time. Today, however, as well as providing access, it is equally important to maintain the genuineness, certitude and integrity of the information that is accessed. The information should be protected from threat of incognizant users, malicious attackers, and viruses. So much widespread are the activities that threaten the means to access information as next to the firsthand attacks on information which are started in 2000 by "W32.Nimda" virus.

The great majority of the attacks are against computers that use Windows NT/2000/XP operating systems. The system administrators and users are to implement some specific precautionary measures to maintain the secure and uniterrupted use of the systems.

In this article we will look into two of the 4 main measures that must be taken on computers with Windows NT/2000/XP operating systems. The "Basic Security Settings" topic covers the settings that can be implemented by almost every user on any of the operating systems whereas "Medium Level Security Settings" section covers the settings that can be implemented by Windows NT/2000/XP users or these settings can be implemented by consulting the system admnistrators.

Basic security settings

Most of the administrators pay attention only to security concerns at the level of network environment and take measures specifically against them. However, they should not forget that they may experience seriously dangereous attacks in other real environments.

Provide physical security
It is of paramount importance to provide the following two criteria for physical security; no one else other than those users who have access right should be able to access the computer physically and the likelihood that the users may cause damage on the computer should be prevented. The strategic position of the organization should determine the level of security settings to be employed. The settings should be implemented in such a way that they do not disturb the users and at the same time the level of the settings should be appropriate to the significance of the information kept on the computer and the signşficance of the services provided. The required security level is achieved by various methods. For example, there are biometrical devices or cameras at the entrance of the system rooms to watch the room, at many public offices and private organizations that carry out critical tasks.

Boot the computer from hard disc
Another threat to system security is by means of physical ways. It poses a security vulnerability, if a computer, which has an operating system and which does not require maintenance, is booting from the diskette driver or CD-ROM instead of hard disc. People with malicious intentions may use your CD-ROM to install another operating system over the currently used system or they may insert a boot diskette that may delete all the information you have saved on your computer.

Disc configuration must be NTFS
In Windows operating systems, disc configuration is either FAT32 or NTFS. FAT32 disc configurations are used by Windows 9x versions. Windows 2000/XP is capable of using both; Windows NT, however, is only capable of using NTFS. One of the advantage of hard discs configured with NTFS is that that it allows access to files and directories at the user level and this prevents the damages on system files or personal files that may be done unintentionally or intentionally by the users.

Install Service Pack and Hotfixes
The essential precondition in developing a safe operating sytem is to take measures against the threats emerged after the its last version. Because of the fact that the precautionary measures were not included at the installation stage, "Service Pack" files, which include security patches and cumulative patches are released for each operating system. Every user should update his/her own system with these files. METU users can access to Service Pack files at ftp://ftp.cc.metu.edu.tr/Security/Updates/Windows Windows 2000/XP operating systems automatically download the critical update files from http://www.windowsupdate.com. Windows 9x/NT users should download it manually.

Remove the Simple File Sharing option
Simple File Sharing, which is a feature of Windows XP, allow everybody on the network to easily access shared files. The file access rights of the shared files cannot be changed. To be able to set the file access rights of the users, "Simple File Sharing" should be cancelled. To do this;

  • Open one of the directories and select "Folder Options" from the "Tools" menu.
  • "Use simple file sharing" option under "View" tab should be cancelled.
  • Click "Apply to All Folders" button.

    Use password
    The user must use a password when establishing local connection to a computer. When installation is completed, many system administrators prefer to use blank password and likewise, when a computer is provided to many users, they prefer to use blank password. If the users leave the password field blank, any person who is capable of accessing the computer physically, can also gain access to all the information available on the system. Moreover, a person with malicious intent, who has gained access to the system over the network, may obtain the user names on the computer and gain user rights to perform applicaitons on the computer. In spite of the fact that network access to computers of those users who use blank password is prohibited on Windows XP Professional operating systems, physical access to the computer still constitutes a serious security vulnerability if the user is not using a password.

    Cancel the "Guest" account
    "Guest" user account allows access to shared resources on the network without using a password. Windows NT/2000/XP operating systems, except Windows XP Home Edition, allows the user to disable this account.

    To change the name of the "Guest" user;
    You should double click "Rename Guest Account" under the following path; Control Panel | Administrative Tools | Local Security Settings | Local Policies | Security Options and a name other than "Guest" should be given.

    To disable the "Guest" user account;
    Right click the "Guest" account under the following path; Control Panel | Administrative Tools | Computer Management | System Tools | Local Users and Groups | Users then select "Properties" in the menu displayed, click the "Account is disabled" option under "General" tab.

    Since Windows XP Home Edition does not allow the user to disable "Guest" account, this account should be secured by using a strong password.

    Install anti-virus software program
    Viruses, which is a perilous concern for most of the users today, exhaust the system resources by way of creating network traffic and sending mass e-mail messages. For nearly every organisation, it is an indispensible security measure to keep updated anti-virus software on desktop computers. Though this is not the only solution for the organisations to ward off viruses, it is the most fundemental measure to take for the users of desktop Windows operating system.

    If the user leaves the anti-virus program that he/she installed not updated, it constitutes a security vulnerablity rather than a security measure. If your sole defense against the viruses is placing your trust in your ant-virus software, it is a very high probability in the world of today's Internet that one of the programs you are downloading from Internet contain one of those newly emerged harmful viruses which may infect your system. For this very reason, it is extremely important to keep your virus scanning program up-to-date.

    McAfee VirusScan 4.5.1, which is a software licensed to METU campus, can be found at ftp://ftp.cc.metu.edu.tr/Security/McAfee. Users can download the Service Pack files of the virus scanning software from the same address. The last update files can be found at ftp://ftp.metu.edu.tr/popular/virus-updates/McAfee. Programın insatallation, updating and general information about viruses can be found at www.antivirus.metu.edu.tr.

    Medium-level security settings

    Use password protected screen saver
    An ignorant person or a person with malicious intent may sit at your computer when you are on a coffee or tea break. This perpson may interrupt the programs that are running on your computer meanwhile or may intentionally try to give harm to your system. To prevent this, a password protected screen saver should be used. (The user must use a well-thought, strong password). Password protected screen saver indicates that the computer is still running; therefore it cannot be shut down unintentionally.

    Change "Administrator" account name
    Most of the attacks on a computer concentrate on the fact that a user named as "administrator" should have more extended rights than any other user on the computer. If the user account that is to have more extended rights than any other user on the computer is named something else than a name like "administrator" the attack would be unsuccessful since there is no user named as "administrator".

    To change this name you should first;
    Double click "Rename Administrator Account" under the following path; Control Panel | Administrative Tools | Local Security Settings | Local Policies | Security Options and then, write another name instead of "Administrator".

    Then you should right click "Administrator" under the following path; Control Panel | Administrative Tools | Computer Management | System Tools | Local Users and Groups | Users and then, select "Rename" from the menu displayed and wirte another name instead of "Administrator".

    Limit the number of user accounts
    The presence many user accounts that belong to users who do not use the system resources anymore is a nuisance for the system. To prevent unauthorised use of the acccounts, the computer coordinator should spot the disused accounts and delete or arcihve them as soon as possible.

    Organize the sharing rights
    If a file is shared on Windows NT/2000/XP operating sytems, group "Everyone" is automatically provided with all rights by default. For this reason, once a file is shared, the rights should be reorganised. While performing file sharing, you should click the "Permission" button and remove "Everyone" from among the list of the users that are to access the file. However, the users who have the right to access the local disc, can be included in the list.

    Close the Remote Desktop connection
    Although Remote Desktop Connection feature provides a flexibility for the administrators to access other computers from their own systems, it is obvious that unless the network security is fully guaranteed in every respect or essential security updates have been completed, it provides a better tool for people with malicious intentions since the vulnerabilities it produces exceeds its benefits.

    To make sure that Remote Desktop Connection is disabled;
    "Do not allow new client connection" line under the following path Start | Run | gpedit.msc | Computer Configuration | Administrative Templates | Windows Components | Terminal Services should be enabled.

    Clean the "Page" file before shutdown
    Much of the essential information such as the Administrator Password is kept within the "Page" file during the use of the computer. Users or those people who gained system access illegitimately can obtain that information from this file secretly. The user may evade this hazard by deleting the information available in this file before shutting down the system.

    In Windows 2000/XP operating system, if you enable "Clear virtual memory page file" option under the following path; Control Panel | Administrative Tools | Local Security Policy | Security Settings | Local Policies | Security Options, the task will be carried out automatically by the computer before it is shut down.

    Disable the default sharings
    In Windows 2000/XP operating systems, the partitions of the hard disc are shared secretly as default for the use of the administrators. However, people with malicious intentions may turn this feature into a vulnerability and use it to access your computer easily.

    To prevent it happen, do the following in the "regedit" registry file;
    The Dword value of "AutoShareWks" line under the following path; HKLM / SYSTEM / CurrentControlSet / LanManServer / Parameters should be changed as "0" and it should be created. After doing that, the computer should be restarted.

    Prevent automatic CD running
    The best method for people with harmful intent to steal private information and to access private resources is to use programs such as "Trojan Horse" which are executed on CDs that automatically run when the system is restarted.

    To overcome this threat;
    The Dword value of "AutoRun" line under the following path; HKLM / System / CurrentControlSet / Services / CDRom should be changed as "0" and it should be created.

    In the next issue, the topics such as shutting down the unnecessary services, keeping log files, user account settings, security settings, additional security arrangements within the registry file will be covered under "Advanced Security Settings" title and additional features such as EFS (Encyripted File System) and SRP (Software Restriction Policies) will be talked about.

    İbrahim Çalışır

      - TOP -  
    © 2002 METU CC
    Design: CC - INFO