Windows XP Security I - PowerPoint PPT Presentation

Slides: 68
Provided by: lauries8
1
Windows XP Security I
  • Laurie Walters
  • lwalters@psu.edu

2
Introduction and Overview
  • Signing In
  • Overview of Seminar
  • About Laurie
  • About You

3
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • Social Security
  • Physical Security
  • System Security
  • Additional Security Protection
  • Incident Response and Disaster Recovery

4
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Why Do We Need Security?
  • Why Would Someone Break In To My Machine?
  • Leading Causes Of Security Problems
  • Key Security Principles
  • Social Security
  • Physical Security
  • System Security
  • Additional Security Protection
  • Incident Response and Disaster Recovery

5
Why Do We Need Security Anyway?
  • Authentication
  • Accountability
  • Authorization / Access Control
  • Integrity of Data
  • Confidentiality
  • Availability

6
Why Would Anyone Go to the Bother to Break in to
MY Machine?
  • Sensitivity of data
  • Available hard drive space / bandwidth
  • Stepping stone for other activities
  • Denial of Service(s)

7
Leading Causes of Security Problems
  • Ignorance / Lack of training
  • "It ain't broken, don't fix it"
  • Fear that updates will overwrite critical data or
    machine will crash
  • Lack of time
  • Laziness
  • Maliciousness

8
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • Defense in Depth
  • Minimalism
  • Separation
  • Least Privilege Principle
  • Be Better Than the Other Guys
  • Social Security
  • Physical Security
  • System Security
  • Port and Process Identification
  • Additional Security Protection
  • Incident Response and Disaster Recovery

9
Defense In Depth
  • Security Is a Multi-faceted Problem
  • Many issues must be considered
    • Physical
    • Social
    • System
    • Application-based
    • Network
  • Combine strategies to do whatever necessary so
    that you're at least better off than average

10
Minimalism
  • Less is More... Secure
  • Don't install things such as Windows Messenger,
    Fax Services, IIS, if you are not planning on
    using them!

11
Separation
  • Don't put all your eggs in one basket
  • Vital services should be spread amongst machines
    • E.g. Don't put an IIS, SQL, or Exchange server on
      a domain controller!
  • Don't put your crucial data on the System
    partition
    • E.g. Put your IIS Web content on D:\Webdata
      instead of in the default location of
      C:\Inetpub\WWWroot

12
Least Privilege Principle
  • All employees should access computers with least
    privilege possible (as user or power user status)
  • Non-system administrator accounts are more
    restricted.
    • Can control programs and files that are
      accessible
    • No installation or administration abilities
  • Administrator uses Runas command or Fast User
    Switching to increase privileges for system
    administration tasks.

13
Be Better Than the Other Guys
  • There is NO SUCH THING as a hack-proof computer.
  • Hackers and script-kiddies are generally going
    to exploit the easy-pickings first.
  • If you even take a few steps to make yourself
    more secure, you greatly improve your chances of
    not being hacked.

14
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • Social Security
  • Creating Policies
  • Sample Items For Security Policy
  • Updating Policies
  • Physical Security
  • System Security
  • Additional Security Protection
  • Incident Response and Disaster Recovery

15
Create A Written Departmental Policy
  • Clearly explain rights and responsibilities of
    • All Users
    • System Administrators
    • Management
  • Enumerate consequences of violations
  • Help eliminate Social Engineering
  • Who is responsible for ensuring policies are
    maintained?
  • All departmental users, administrators, and
    management should sign this policy

16
Social Security Maintaining Policies
  • E.g. All employees/departments must adhere to
    certain policies (e.g. AD-20, AD-53), certain
    departments can have more restrictive policies
  • That which is not specifically allowed is denied,
    or
  • That which is not specifically prohibited is
    allowed (usual PSU setting)
  • See Appendix A for PSU Security Policies Link.

17
Sample Items For Security Policy
  • Password Policy
  • Physical Security
  • Services Settings to Be Disabled Or Configured
  • Virus Policy
  • Backup Policy
  • Auditing and Logging Policy
  • Backups and Disaster Recovery Policy
  • Privilege Policy
  • Use of network server is for work-related
    materials only

18
Updating Policies
  • Periodically review policies to ensure that they
    are sensible, still pertinent, and reflect new
    security threats.
  • Management must agree to and support all changes.
    (This may be the hardest part!) If you don't
    have management back you up, you might as well
    not have a policy!

19
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • Social Security
  • Physical Security
  • Securing Machine Physically
  • Common Physical Security Breaches
  • System Security
  • Additional Security Protection
  • Incident Response and Disaster Recovery

20
Physical Security
  • Is location of machines secure?
  • Server Room must be highly guarded
  • Lock machine cover, Enable BIOS Password
  • Disable CMOS Boot-up from Floppy Drive / CD-ROM
  • Create Boot Up Password (unless it is integral
    that machine reboots automatically after power
    outage).
  • Password-Protected Screen Savers
  • Create Redundant storage for integral data
  • Maintain Backups in a SECURE location

21
Common Physical Security Breaches
  • Placing hard drive in another machine
  • Remove CMOS battery
  • DOS boot disk / NTFSDOS / Linux
  • Leaving machine unattended and logged-in.

22
Suggestions from Think Tank (Bulletin Board)
  • Require complex passwords on all accounts
  • Install Security Updates before computer is put
    on network for first time and apply regularly
    thereafter
  • Install and update antivirus software
  • Install a personal firewall such as ZoneAlarm or
    Kerio
  • Install an Anti-Spyware program such as Adaware
    or Spybot Search &amp; Destroy

23
Still To Discuss in XP Security Seminar II
  • Disable unnecessary services / applications and
    limit network access to the necessary ones
  • Set Security policies such as expiration date on
    passwords and Change name of default
    Administrator account

24
Require complex passwords on all accounts
  • See slides 36-42 for detailed slides on
  • All accounts should have passwords, not just
    administrative users
  • Make sure hidden Administrator account has a
    password. By default it is blank.
  • You can change the way users log off (Use the
    Welcome Screen and Fast User Switching)
  • Use RunAs: log in as a regular user and use
    runas to execute a program as an administrative
    user.
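
The password rules above (every account has a password, the hidden Administrator account is not left blank, complex passwords everywhere) can be checked mechanically. The following is an added example, not part of the original seminar: it models the familiar Windows-style complexity requirements as an assumption (minimum length of 8, at least three of the four character classes, and no three-character run of the account name inside the password), and reports every rule a candidate password breaks.

```python
# Added illustration of a password-complexity check. The rule set is an
# assumption modelled on the well-known Windows complexity requirements; it is
# not the XP policy engine itself.
MIN_LENGTH = 8


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, symbol) appear."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes)


def contains_account_name(password: str, account: str, run: int = 3) -> bool:
    """True if any `run`-character slice of the account name occurs in the
    password (case-insensitive). Account names shorter than `run` are compared whole."""
    pw = password.lower()
    name = account.lower()
    if len(name) < run:
        return name != "" and name in pw
    return any(name[i:i + run] in pw for i in range(len(name) - run + 1))


def check_password(password: str, account: str) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if password == "":
        problems.append("password is blank")  # the default state of the hidden Administrator account
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        problems.append("fewer than three character classes")
    if contains_account_name(password, account):
        problems.append("contains part of the account name")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts and candidate passwords.
    for account, candidate in [("Administrator", ""), ("Administrator", "Admin1234!"),
                               ("lwalters", "Blue-Kettle9"), ("bob", "password")]:
        print(f"{account!r:16} {candidate!r:16} -> {check_password(candidate, account) or 'OK'}")
```

The blank-password case is listed first deliberately: it is exactly the default the slide warns about, and the check reports it alongside the length and class failures rather than stopping at the first one, so an auditor sees the whole picture for each account.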

25
Install Security Updates Before Computer is Put
on Network For First Time
  • See slides 31-35 for information about automatic
    updates and information about installing patches.

26
Install Antivirus Software
  • See slide 49
  • In addition, XP SP2 may not properly identify
    Symantec Antivirus versions 7 and 8. They are
    working on a patch to fix this. For version 9,
    you can download Maintenance Pack 2 at
  • http://www.symantec.com/techsupp/enterprise/products/sav_ce/savce_9.0/files.html
  • Thanks to Mike Waite for the link to that patch!

27
Install a Personal Firewall
  • See slides 43-48

28
Install Anti-Spyware program
  • Install Spybot Search &amp; Destroy or Adaware

29
Still to Do (will be discussed in XP II)
  • Disable unnecessary services / applications and
    limit network access to the necessary ones
  • Set Security policies such as expiration date on
    passwords and Change name of default
    Administrator account

30
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • Social Security
  • Physical Security
  • System Security
  • Installing XP
  • Patches and Windows Update
  • Account Policies and XP Passwords
  • XP User Accounts, Changing Way Users Log On
  • Admin Logon, Fast User Switching, And RunAs
  • Additional Security Protection
  • Incident Response and Disaster Recovery

31
Installing XP
  • Install from a previously secured Image (e.g.
    Drive Image, Ghost) then Verify, or install from
    scratch.
  • Format hard drives with NTFS rather than FAT to
    use ACLs
  • Install OS with Network cable unplugged!
  • Patch OS with SP1
    • NT4.0: Service Pack 6A
    • Windows 2000: Service Pack 3
  • Install ALL major patches and fixes for
    Applications before placing machine on network!

32
Install XP SP2 from Removable Media
  • Network cable should still be unplugged until
    after XP SP2 is installed and administrative
    accounts have secure passwords.
  • Otherwise, the machine WILL be quickly
    compromised.
  • Machine must reboot after SP2.

33
Install other Critical Patches from Removable
Media (Esp. 04-038)
  • Cumulative patch for I.E.
  • There are a large number of other XP Critical
    Patches which you must install such as for the
    O.S., I.E., Outlook, Office, etc.

34
Windows Update on an Individually Administered
Machine
  • After machine is plugged in to network, manually
    go to Start Menu → All Programs → Windows Update
    (at top of Menu).
  • Click on Scan for Updates
  • Three types of updates
    • Critical Updates and Service Packs
    • Windows XP (recommended patches)
    • Driver Updates
  • Install all critical updates immediately and look
    through XP and driver updates for which you
    should install.

35
Setting Automatic Updates on Standalone
Workstations
  • In the Control Panel, select System. Then click
    on the Automatic Updates tab.
  • Be sure the check box near the top is checked,
    then select the radio button below which suits
    you.

36
Account Policies
  • Employees should sign written policy
  • One user per account
  • Disable Guest Account on local machines
  • Rename Administrator Account
  • Who has access to Administrator (root) Account?
  • Assign administrators each an account rather than
    everyone logging on as admin or root

37
XP Passwords
  • When setting up XP, you are prompted for type of
    Account/Password Scheme
    • Use the Welcome Screen (user selected by clicking
      on picture of account). This can be
      password-protected or password-less.
    • User must enter user name and password to log on
      to computer
  • Use Good Practices for setting XP passwords
    (see Appendix B).

38
More XP Password Setup
  • Navigate to the Control Panel and choose
    Category View. Click on the User Accounts
    icon.
  • At the bottom you will see icons of the accounts
    on the machine. Look at the icon for
    Administrator (chess board by default). It
    should say Password Protected
  • If administrator is not password protected, click
    on it and then choose change my password

39
Setting an Administrator Password
  • The administrator account will not appear in the
    list of users in the Users and Accounts section
    of the control panel unless you are logged into
    the Administrator account.
  • Log into the Administrator account either by
    booting into safe mode (press F8 on bootup) or by
    logging out of your other account and pressing
    Control Alt Delete and typing the name
    Administrator and leave the password field blank.
  • Set a good password for the Administrator account
    just as you would for any other XP account.

40
Create an XP user account
  • On left hand side of user account menu, choose
    Create another account
  • Choose Create a new account
  • Choose Limited
  • For more information about what a limited account
    is, choose Account Types from the left hand menu.

41
Change the way users log on or off
  • Located on main User Accounts page.
  • Use the Welcome screen
  • Use Fast User Switching
  • This will force users to authenticate like the
    traditional NT/2000 dialog boxes.
  • These two may become disabled when updating with
    SP1 for XP Pro (not Home) and when machine
    becomes a domain member.

42
Run As
  • People often use administrative accounts to log
    on to ease administration.
  • Staying logged in with administrative privileges
    increases chance of malicious code execution
    (e.g. Trojan Horse, backdoor, etc.)
  • For many hacks, Intruder can leverage privilege
    of currently logged in user.
  • To perform Runas in Windows XP, hold down the
    shift key and use right hand mouse button to
    click on desired icon. Runas will show up in the
    menu and you type in the user name of desired
    user and password.

43
XP Security I Seminar Overview
  • Why Worry About Security?
  • Key Security Principles
  • Social Security
  • Physical Security
  • System Security
  • Additional Security Protection
  • Firewalls, XP ICF, And Personal Firewalls
  • Antivirus Software
  • Encryption
  • Using Security Tools
  • Vulnerability Scans
  • Incident Response and Disaster Recovery

44
Firewalls
  • A Firewall restricts access from unauthorized
    users on your network.
  • A Firewall contains specified rule-sets.
    Restrictions are based upon
    • IP Addresses
    • Port numbers
  • The Firewall examines internet traffic to
    determine if access is allowed or disallowed. If
    disallowed, the traffic is blocked.

45
Example of A Firewall

[Diagram: User Computer (Ephemeral Port) ↔ Firewall ↔ Server Computer (Port 80)]

46
XP Firewall ICF
  • Control Panel → Classic View → Network → Network
    Connections
  • Right click on your internet connection icon and
    select properties
  • Choose the Advanced tab.
  • Under Advanced, choose Protect my computer and
    network by limiting or preventing access to this
    computer from the network.

47
Setting up ICF
  • Click on Settings button under Advanced.
  • Choose the services you are running (Web, FTP,
    SMTP, Remote Desktop, Telnet Server, etc.)
  • Under the Security Logging tab, set location and size
    of logs and enable logging of successful connects
    to machine
    • Default: C:\windows\pfirewall.log, 4096 KB
  • Under the ICMP tab, choose ICMP packets that you wish
    to allow through
  • ICF is simple to use and set up and is free, but
    doesn't block outgoing traffic
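
Once logging is switched on, the log is only useful if someone reads it. The following is an added example (not part of the seminar) of what that reading can look like: a small parser for the W3C-style layout the ICF/Windows Firewall log uses, driven by the `#Fields:` header rather than hard-coded column positions, followed by two summaries a defender wants first, which sources are being dropped most and which of them touched several different local ports. The log lines are constructed samples, not real captures.

```python
from collections import Counter

# Constructed sample in the layout of C:\windows\pfirewall.log (the exact
# header text is an assumption; the parser only relies on the #Fields: line).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-10-12 09:14:01 DROP TCP 198.51.100.7 10.0.0.5 4444 135 48 S 1291342 0 65535 - - -
2004-10-12 09:14:02 DROP TCP 198.51.100.7 10.0.0.5 4445 445 48 S 1291401 0 65535 - - -
2004-10-12 09:14:03 DROP TCP 198.51.100.7 10.0.0.5 4446 139 48 S 1291460 0 65535 - - -
2004-10-12 09:15:10 OPEN TCP 10.0.0.5 192.0.2.80 3201 80 - - - - - - - -
2004-10-12 09:15:44 CLOSE TCP 10.0.0.5 192.0.2.80 3201 80 - - - - - - - -
2004-10-12 09:16:30 DROP UDP 203.0.113.9 10.0.0.5 1026 1434 404 - - - - - - -
"""


def parse_log(text: str) -> list:
    """Turn the log text into a list of dicts keyed by the names in the #Fields: header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line appeared before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def dropped_by_source(records: list) -> Counter:
    """How many packets the firewall dropped from each remote address."""
    return Counter(r["src-ip"] for r in records if r["action"] == "DROP")


def probed_ports(records: list, source: str) -> list:
    """Sorted list of distinct local ports a given source was dropped on."""
    return sorted({int(r["dst-port"]) for r in records
                   if r["action"] == "DROP" and r["src-ip"] == source})


def port_scan_suspects(records: list, threshold: int = 3) -> list:
    """Sources whose drops touched at least `threshold` distinct local ports."""
    ports = {}
    for r in records:
        if r["action"] == "DROP":
            ports.setdefault(r["src-ip"], set()).add(r["dst-port"])
    return sorted(ip for ip, p in ports.items() if len(p) >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("drops per source:", dict(dropped_by_source(recs)))
    for ip in port_scan_suspects(recs):
        print(f"{ip} hit {probed_ports(recs, ip)} -- worth a closer look")
```

Reading the `#Fields:` line instead of assuming column order means the same code keeps working if a later firewall version adds or reorders columns, which is the usual way a hand-rolled log script silently starts reporting nonsense.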

48
Install Personal Firewall
  • Blocks incoming and outgoing packets as opposed
    to ICF
  • You specify which programs, ports, or IP
    addresses may access the internet from your
    machine AND which may access your machine from
    the internet
  • Examples include ZoneAlarm, Tiny, Symantec
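
The difference between the firewall in the slide-45 diagram, ICF (slide 47) and a personal firewall (slide 48) comes down to two questions: does the rule-set remember the ephemeral port a connection went out on, so that only the matching reply can come back in, and does it look at outgoing traffic at all? The following is an added example, not part of the seminar and not any vendor's code: a toy stateful host firewall with a `block_outbound` switch, run over the diagram's exchange (user's ephemeral port to server port 80, the reply, then an unsolicited inbound attempt) plus one outbound connection that ICF would let through and a personal firewall would stop. All addresses and ports are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving this host, "in" = arriving at this host
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HostFirewall:
    """Constructed model of a host firewall rule-set (an illustration, not ICF's code).

    block_outbound=False behaves like ICF: inbound filtering only.
    block_outbound=True behaves like a personal firewall: only destination ports
    listed in outbound_allowed may leave the machine.
    """

    def __init__(self, allowed_services=(), block_outbound=False, outbound_allowed=()):
        self.allowed_services = frozenset(allowed_services)  # local ports deliberately exposed
        self.block_outbound = block_outbound
        self.outbound_allowed = frozenset(outbound_allowed)
        # Connections this host opened: (proto, local ephemeral port, remote ip, remote port)
        self.state = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if self.block_outbound and pkt.dst_port not in self.outbound_allowed:
                return "DROP"
            # Remember the ephemeral source port so the server's reply is let back in.
            self.state.add((pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # Inbound: either a reply to something we started, or a service we chose to run.
        if (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state:
            return "ALLOW"
        if pkt.dst_port in self.allowed_services:
            return "ALLOW"
        return "DROP"


USER, SERVER, OUTSIDER = "10.0.0.5", "192.0.2.80", "198.51.100.7"  # constructed addresses


def web_exchange(fw: HostFirewall) -> list:
    """The slide-45 picture: request from an ephemeral port to server port 80,
    the server's reply, then an unsolicited inbound attempt at the user's machine."""
    request = Packet("out", "TCP", USER, 3201, SERVER, 80)
    reply = Packet("in", "TCP", SERVER, 80, USER, 3201)
    unsolicited = Packet("in", "TCP", OUTSIDER, 4444, USER, 135)
    return [fw.decide(request), fw.decide(reply), fw.decide(unsolicited)]


def outbound_to_odd_port(fw: HostFirewall) -> str:
    """A program on the host tries to reach a remote port 6667 (constructed):
    ICF never looks at it, a personal firewall can refuse it."""
    return fw.decide(Packet("out", "TCP", USER, 3300, "203.0.113.9", 6667))


def icf() -> HostFirewall:
    return HostFirewall(block_outbound=False)


def personal_firewall() -> HostFirewall:
    return HostFirewall(block_outbound=True, outbound_allowed={80, 443})


if __name__ == "__main__":
    for name, fw in (("ICF", icf()), ("personal firewall", personal_firewall())):
        print(f"{name}: web exchange {web_exchange(fw)}, outbound port 6667 {outbound_to_odd_port(fw)}")
```

Both firewalls give the same verdicts on the web exchange (the reply is allowed only because its destination port matches a connection the host opened); the outbound case is where the slide-47 caveat "doesn't block outgoing traffic" shows up in the output.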

49
Install Antivirus software on all machines
  • Symantec Antivirus is available at no cost to all
    PSU faculty, staff, and students through a site
    license.
  • http://computerstore.psu.edu/softwaredist/index.html
  • Keeping virus definition files up to date is
    vital.
  • Virus definition files should be set to update
    automatically, at least weekly (Should be
    manually downloaded sooner if you hear of a new
    virus in the news).

50
Use Encryption where possible
  • Encrypt Secure Data
  • Use Secure Services Whenever Possible
    • Plugins for Email (Kerberos, PGP)
    • SSH vs. Telnet
    • HTTPS vs. HTTP
    • scp vs. FTP

51
Request Vulnerability Scans
  • http://sos.its.psu.edu/scan.html
  • Ask network contacts to request a scan of your
    network via this page.
  • Results returned within 48 business hours.

52
Other Security Strategies
  • Run chkdsk /f c: and back up data frequently
  • Redundancy
  • Multi-Factor Authentication
  • Ported Unix tools for NT (Tripwire, nmap, SSH,
    etc.)
  • Subscribe to listservs: Microsoft's Security
    Notification Service, Security Focus Bugtraq

53
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • Social Security
  • Physical Security
  • System Security
  • Port and Process Identification
  • Additional Security Protection
  • Incident Response and Disaster Recovery
    • Performing Backups
    • Incident Response
    • Creating A Disaster Recovery Plan
    • Testing Disaster Recovery Strategies

54
Performing Backups
  • Backup system files
  • Backup methods
    • Seagate Backup Exec, ArcServe
    • NT Backup
    • TSM (formerly ADSM)
  • Backup types
    • Full
    • Incremental
    • Differential
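
The three backup types differ in what they copy and in what they do to the file's archive attribute afterwards, and that decides which tapes you need at restore time. The following is an added example, not part of the seminar and not the behaviour of any named product: a constructed model in which every write sets an archive bit, a full backup copies everything and clears the bits, an incremental copies only flagged files and clears them, and a differential copies flagged files but leaves them flagged. The same week of edits is run through both strategies so the restore chains can be compared.

```python
class Volume:
    """Constructed model of a disk volume: any write sets the file's archive
    attribute (as NTFS/FAT do); the backup routines decide what to do with it."""

    def __init__(self):
        self.files = {}  # name -> [version, archive_bit]

    def write(self, name, version):
        self.files[name] = [version, True]

    def snapshot(self, only_flagged):
        """Copy of {name: version} for all files, or only those with the archive bit set."""
        return {n: v for n, (v, flag) in self.files.items() if flag or not only_flagged}

    def clear_archive_bits(self, names):
        for n in names:
            self.files[n][1] = False


def full_backup(vol: Volume) -> dict:
    """Copy everything and clear every archive bit."""
    snap = vol.snapshot(only_flagged=False)
    vol.clear_archive_bits(snap)
    return snap


def incremental_backup(vol: Volume) -> dict:
    """Copy only files changed since the last full OR incremental, then clear their bits."""
    snap = vol.snapshot(only_flagged=True)
    vol.clear_archive_bits(snap)
    return snap


def differential_backup(vol: Volume) -> dict:
    """Copy files changed since the last FULL; bits stay set, so the next
    differential copies them again."""
    return vol.snapshot(only_flagged=True)


def restore(chain: list) -> dict:
    """Replay backup sets oldest-first; later sets overwrite earlier versions."""
    state = {}
    for snap in chain:
        state.update(snap)
    return state


def simulate_week(strategy) -> tuple:
    """Constructed scenario: Sunday full backup, one edit on Monday, one on Tuesday,
    with `strategy` run each evening. Returns (sunday, monday, tuesday) backup sets."""
    vol = Volume()
    for name in ("payroll.xls", "notes.doc", "plan.ppt"):
        vol.write(name, 1)
    sunday = full_backup(vol)
    vol.write("payroll.xls", 2)   # Monday edit
    monday = strategy(vol)
    vol.write("notes.doc", 2)     # Tuesday edit
    tuesday = strategy(vol)
    return sunday, monday, tuesday


if __name__ == "__main__":
    for strategy in (incremental_backup, differential_backup):
        sun, mon, tue = simulate_week(strategy)
        print(f"{strategy.__name__}: Monday copied {sorted(mon)}, Tuesday copied {sorted(tue)}")
        print("  restore from Sunday + Tuesday only:", restore([sun, tue]))
```

The output makes the trade-off concrete: incremental sets are small but every one of them is needed at restore time (skipping Monday silently reverts payroll.xls), whereas the differential set grows through the week but a restore needs only the last full plus the latest differential.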

55
Incident Response
  • Determine Course Of Action For Different Security
    Incidents (e.g.)
    • Viruses
    • System Compromise
  • Determine If Machine Should Be Fixed Or Rebuilt
  • Contact Security Operations And Services (SOS) In
    Case Of Compromise.
    • Phone: (814) 863-9533
    • Email: security@psu.edu

56
Creating A Disaster Recovery Plan
  • Create A Plan BEFOREHAND
  • Determine What The Longest Acceptable Downtime Is
  • Rank order/prioritize Systems

57
Testing Disaster Recovery Strategies
  • What Good Is A Plan If You Don't Know If It
    Works?
  • Should Test For
    • The Worst Thing That Could Happen
    • The Most Likely Thing That Could Happen

58
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Why Do We Need Security?
  • Why Would Someone Break In To My Machine?
  • Leading Causes Of Security Problems
  • Key Security Principles
  • Defense in Depth
  • Minimalism
  • Separation
  • Least Privilege Principle

59
XP Security I Seminar Objectives
  • Social Security
  • Creating Policies
  • Sample Items For Security Policy
  • Updating Policies
  • Physical Security
  • Securing Machine Physically
  • Common Physical Security Breaches

60
XP Security I Seminar Objectives
  • System Security
  • Installing XP
  • Patches and Windows Update
  • Account Policies and XP Passwords
  • XP User Accounts, Changing Way Users Log On
  • Admin Logon, Fast User Switching, And RunAs
  • Port and Process Identification
  • Definition of Ports
  • TCP vs. UDP
  • Using tools to identify processes and ports
  • Examine processes in depth

61
XP Security I Seminar Objectives
  • Additional Security Protection
  • Firewalls, XP ICF, And Personal Firewalls
  • Antivirus Software
  • Encryption
  • Using Security Tools
  • Vulnerability Scans
  • Incident Response and Disaster Recovery
  • Performing Backups
  • Incident Response
  • Creating A Disaster Recovery Plan
  • Testing Disaster Recovery Strategies

62
XP Security II Seminar Objectives
  • System Security II Seminar
    • Software Update Services (SUS) Patching
    • Using HFNetChk and Baseline Security Analyzer
    • Simple File Sharing
    • NTFS Permissions
    • Windows Security Templates and Policies
  • Network Security
    • IPSec Filtering
  • Application Security
    • Services to Shut Off
    • Remote Desktop / Remote Assistance
    • Reading Logs

63
IIS Security Seminar Objectives
  • IIS Security Seminar
    • Installation of IIS 5 and 6
    • Securing IIS Manually and With IIS Lockdown Tool
    • Authentication
    • Logging
    • FTP and SMTP
    • Common IIS Breaches and How to Overcome These
      Vulnerabilities

64
Appendix A PSU Security Policies
  • Located at http://sos.its.psu.edu/policy.html

65
Appendix B Good Passwords
  • http://www.alw.nih.gov/Security/Docs/passwd.html

66
Appendix C Additional Resources
  • SANS guidelines
    • /../common/docs/SANS
  • NSA Guide to Securing W2K
    • nsa2.www.conxion.com/win2k/download.htm
  • Microsoft's Guide to Securing Windows 2000 Server
    • http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp

67
Note
  • PowerPoint slides to this and other seminars,
    links to utilities, patches, and suggestions for
    securing Windows operating systems and
    applications can be found at
    http://www.personal.psu.edu/lxm30/windows/windows.html