Windows 2000 / XP Desktop Computer Security - 2
 

Following the basic and intermediate security settings covered in the previous issue, this article and the next one on the security of Windows NT / 2000 / XP systems deal with settings that concern only advanced users of these systems. This article explains how to turn on security logging (the audit policy) and how to configure account policies and user rights.

Log File Policies:

The following path should be followed to start keeping log files:

Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Audit Policy

You can make the following changes to the policies listed in this section:

Audit account logon events:
Records the validation of an account's credentials, whether the logon then succeeds or fails. For a local account the entry is written on this computer; for a domain account it is written on the domain controller that checked the password. Mark "Success" and "Failure".

Audit account management:
Records the creation and deletion of accounts and changes to their properties (password resets, group membership, enabling or disabling). Mark "Success" and "Failure".

Audit directory service access:
Records access to Active Directory objects that have an audit entry (SACL) set on them. It only has meaning on a domain controller; on a computer without a domain structure there is no need to set it.

Audit logon events:
Records each instance of a user logging on to, logging off from, or making a network connection to this computer. Unlike account logon events, these are written on the computer where the session is created, not where the password is checked. Mark "Success" and "Failure".

Audit object access:
Records access attempts on objects such as files, folders, registry keys and printers. Mark "Failure" only: recording every successful access makes the log grow far too large. Note that this setting alone writes nothing; an entry is produced only for objects whose own auditing settings request it, which you set per object through Properties -> Security -> Advanced -> Auditing.

Audit policy change:
Records changes to user rights assignments, audit policies and trust policies. Mark "Success" and "Failure"; an intruder who has gained administrative rights typically turns auditing off first, and this event is the last trace written before the log goes quiet.

Audit privilege use:
Records users exercising user rights (the rights listed later in this article, such as changing the system time or loading a driver). Mark "Failure" only; successful uses of ordinary rights are far too numerous to log.

Audit process tracking:
Records the starting and ending of programs (processes) and related events. Every process start produces an entry, so the log grows very large; leave this unset unless you are investigating a specific problem.

Audit system events:
Records restarts and shutdowns of the computer and events that affect system security or the security log itself (for example the log being cleared). Mark "Success" and "Failure".

Account Policies:

To access account policies, you should follow this path:

Control Panel -> Administrative Tools -> Local Security Policy -> Account Policies

Account Policies has two subtopics in the console tree: Password Policy and Account Lockout Policy. You can make the following changes to the policies in this section:

1. Password Policy

Enforce password history:
Set this to "24 passwords remembered" so that users cannot keep returning to an old password by cycling through a few previously used ones.

Maximum password age:
Sets how long a password stays valid; when it expires the user is forced to change it. The range is 1 to 999 days (0 means the password never expires). 90 days is a reasonable value.

Minimum password age:
Sets how long a user must keep a new password before being allowed to change it again. Set it to 1 day: without it, a user can change the password 24 times in a row and return to the original one, which defeats the password history.

Minimum password length:
Sets the least number of characters a user account's password may contain. "8 characters" is adequate to make password-cracking programs' work difficult; a value of 0 allows blank passwords and must never be used.

Password must meet complexity requirements:
"Complexity requirements" means that a password must not contain the user's account name, must be at least six characters long, and must contain characters from three of the following four categories: uppercase letters, lowercase letters, base 10 digits (0 through 9) and non-alphanumeric characters. To make guessing and cracking harder, mark "Enabled".

Store password using reversible encryption for all users in the domain:
Some protocols, such as Digest authentication in Microsoft IIS and CHAP, need the plaintext password and only work with this setting on. Reversible encryption is equivalent to storing the password in plaintext: whoever obtains the account database obtains the passwords. Mark "Disabled".

2. Account Lockout Policy

Account lockout duration:
After the number of unsuccessful logon attempts set below, the account is locked for this many minutes, which blunts brute-force attacks. The range is 0 to 99,999 minutes; 0 keeps the account locked until an administrator unlocks it. "60 minutes" is a reasonable value. Two caveats: the built-in Administrator account is exempt from lockout, and an attacker who knows user names can deliberately lock out legitimate users, so lockout events (event ID 644) should be watched rather than just counted.

Account lockout threshold:
Sets the number of failed logon attempts after which the account locks itself, to blunt brute-force attacks. The range is 0 to 999; 0 disables lockout altogether. "5 invalid logon attempts" is a reasonable value.

Reset account lockout counter after:
Sets the number of minutes that must pass after a failed logon attempt before the failed-attempt counter is reset. "60 minutes" is reasonable; the value must be less than or equal to the lockout duration.

Assigning User Rights:

The following path should be followed to assign user rights:

Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment

This section lists, for each user right, the problem that arises when it is granted too widely and the accounts that should hold it in three situations: a domain ("Domain user"), a standalone PC or server ("PC / Server user") and a Windows 2000 / XP Professional workstation ("Professional user"). A dash means the right should be granted to nobody.

Access this computer from the network
  Risk: anyone who obtains the Administrator password can use it to reach the computer over the network.
  Domain user: Domain Users (the Administrator account should be left out)
  PC / Server user: Domain Users
  Professional user: -

Act as part of the operating system
  Risk: grants the authority of the operating system itself; whoever holds it can do anything.
  Domain user: -
  PC / Server user: -
  Professional user: -

Add workstations to the domain
  Risk: lets the holder join computers of his own choosing, including ones he fully controls, to the domain.
  Domain user: Administrator
  PC / Server user: -
  Professional user: -

Backup files and directories
  Risk: reads every file regardless of its permissions; combined with "Restore files and directories" it lets an unauthorised user copy and replace arbitrary files.
  Domain user: Backup Operators
  PC / Server user: Backup Operators
  Professional user: Backup Operators

Bypass traverse checking
  Risk: lets a user pass through folders he has no permission to list, contrary to the folder permissions.
  Domain user: Administrators, Server Operators, Backup Operators
  PC / Server user: Administrators (the IIS user account also needs it where IIS runs)
  Professional user: Administrators

Change the system time
  Risk: makes the timestamps in the log files unreliable.
  Domain user: Administrator
  PC / Server user: Administrator
  Professional user: Administrator

Create a pagefile
  Risk: -
  Domain user: Domain Administrators
  PC / Server user: Administrator
  Professional user: Administrator

Debug programs
  Risk: lets a user attach to and control other processes, including system ones, and run harmful code inside them.
  Domain user: -
  PC / Server user: -
  Professional user: -

Deny access to this computer from the network
  Purpose: a safeguard for the case where an administrator's password is stolen; the account can then not be used over the network.
  Domain user: Administrator
  PC / Server user: -
  Professional user: -

Enable computer and user accounts to be trusted for delegation
  Purpose: used on file servers together with the Encrypting File System.
  Domain user: should not be granted unless necessary
  PC / Server user: should not be granted unless necessary
  Professional user: should not be granted unless necessary

Increase scheduling priority
  Risk: raising one job's priority can starve the computer's other services.
  Domain user: Administrator
  PC / Server user: Administrator
  Professional user: Administrator

Load and unload device drivers
  Risk: lets a user load a trojan horse in place of a driver file, with kernel-mode access.
  Domain user: Administrator
  PC / Server user: Administrator
  Professional user: Administrator

Lock pages in memory
  Risk: a user can exhaust physical memory and deny service to everything else.
  Domain user: -
  PC / Server user: -
  Professional user: -

Log on as a service
  Risk: lets an account run as a service with the rights the service holds. Some anti-virus programs demand this right; the accounts that get it should be monitored.
  Domain user: only the programs that require it
  PC / Server user: -
  Professional user: -

Log on locally
  Risk: a program run at the console can exploit local flaws to raise its user's rights.
  Domain user: Administrator, Server Operators, Backup Operators
  PC / Server user: Administrator, Server Operators, Backup Operators
  Professional user: Administrator, Authenticated Users

Replace a process level token
  Risk: lets a process start child processes under another account's security token, so the holder can act as another user and sidestep the security settings.
  Domain user: -
  PC / Server user: -
  Professional user: -

Restore files and directories
  Risk: writes any file regardless of its permissions; a user who also holds the backup right can take a copy of the system and put back a modified one.
  Domain user: Backup Operators, or a user designated for this task
  PC / Server user: Backup Operators, or a user designated for this task
  Professional user: Backup Operators, or a user designated for this task

Shut down the system
  Risk: an uninformed user may shut the computer down while it is performing an important job.
  Domain user: Administrator, Server Operators
  PC / Server user: Administrator
  Professional user: Authenticated Users

Take ownership of files or other objects
  Risk: lets a user take over files that do not belong to him and then grant himself access to them.
  Domain user: Administrator
  PC / Server user: Administrator
  Professional user: Administrator
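The three procedures above (Audit Policy, Account Policies, User Rights Assignment) can be applied in one step with a security template and secedit.exe instead of clicking through Local Security Policy, which also makes the settings repeatable across machines. The script below is an added example, not code from the article: it writes a template carrying this article's audit and account values and the "Professional user" column of the user-rights table, compares it against the current configuration, applies it, and exports the result for inspection. Assumptions of this example: it runs as a local administrator on a standalone Windows 2000 / XP Professional workstation, the paths C:\hardening.inf, C:\hardening.sdb and the log files are free to use, the Administrators group (S-1-5-32-544) stands in for the table's "Administrator", and two rights deliberately depart from the table where following it would break the workstation (noted in the comments). The secedit lines themselves run unchanged from cmd.exe.

```powershell
# Added example (not from the article): apply the article's settings with secedit.exe.
# Assumes a standalone Windows 2000 / XP Professional workstation and free paths under C:\.
#
# [System Access]   account policies, values from this article.
# [Event Audit]     audit policy: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
# [Privilege Rights] user rights, "Professional user" column, given as *SID:
#   S-1-5-32-544 Administrators, S-1-5-32-545 Users, S-1-5-32-551 Backup Operators,
#   S-1-5-11 Authenticated Users, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE.
#   An empty value strips the right from every account.
# Departures from the table (assumptions of this example, not the article):
#   SeChangeNotifyPrivilege keeps Users, because removing "Bypass traverse checking"
#     from ordinary users breaks many programs;
#   SeServiceLogonRight keeps LOCAL SERVICE and NETWORK SERVICE, which built-in
#     XP services need in order to start.
# SeNetworkLogonRight is empty as the table says: this blocks all file sharing and
# remote administration of the workstation, so be sure that is what you want.

$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 1
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 60
ResetLockoutCount = 60
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3
[Privilege Rights]
SeNetworkLogonRight =
SeTcbPrivilege =
SeBackupPrivilege = *S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeSystemtimePrivilege = *S-1-5-32-544
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege =
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeServiceLogonRight = *S-1-5-19,*S-1-5-20
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11
SeAssignPrimaryTokenPrivilege =
SeShutdownPrivilege = *S-1-5-11
SeTakeOwnershipPrivilege = *S-1-5-32-544
'@

# Templates are read as Unicode, hence the encoding.
Set-Content -Path C:\hardening.inf -Value $template -Encoding Unicode

# Dry run: import the template into a fresh database and list every setting that differs.
secedit /analyze /db C:\hardening.sdb /cfg C:\hardening.inf /log C:\hardening-analyze.log
Get-Content C:\hardening-analyze.log | Select-String 'Mismatch'

# Apply only the two areas the template defines (account/audit policy and user rights).
secedit /configure /db C:\hardening.sdb /cfg C:\hardening.inf /areas SECURITYPOLICY USER_RIGHTS /log C:\hardening-apply.log

# Export the effective configuration and spot-check a value from each section.
secedit /export /cfg C:\after.inf /areas SECURITYPOLICY USER_RIGHTS
Get-Content C:\after.inf | Select-String 'LockoutBadCount|AuditLogonEvents|SeDebugPrivilege'
```

Run the analyze step first and read the mismatch list before configuring; it is the same check the Security Configuration and Analysis snap-in performs. The exported after.inf is also the file to keep as a record of what the machine's policy was when you hardened it.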

The next article will cover shutting down unnecessary services, security settings, and additional security settings in the registry. It will also discuss EFS (Encrypting File System) and SRP (Software Restriction Policies).

İbrahim ÇALIŞIR
