Windows XP Security II

1
Windows XP Security II

• Laurie Walters
• lwalters_at_psu.edu

2
XP Security II Seminar Objectives

• System Security II
• Software Update Services (SUS) Patching
• Automatic Updates on Standalone Machines
• Installing SUSAdmin
• Configuring SUSAdmin
• Approving Updates
• Installing SUSClient
• Configuring SUSClient to update from server via
  AD OU Group Policy
• Simple File Sharing
• Simple File Sharing Overview
• Setting Up SFS Shares
• SFS Is Not Secure
• Disabling SFS

3
XP Security II Seminar Objectives

• System Security II (Continued)
• NTFS Permissions
• Definitions
• Changing Default Permissions
• NTFS Rules Additive Permissions and Deny
  Permissions
• Removing Access to Common Executables
• Windows Security Templates Policies
• Creating a New Security Template
• Defining Your Security Settings
• Using the Security Configuration and Analysis
  Tool
• Applying Security Templates
• Security Policies

4
XP Security II Seminar Objectives

• Network Security
• IPSEC filtering
• IP Security Overview
• Starting IPSec Service
• Installing an IPSec Policy
• Creating a Custom IPSec Policy
• Application Security
• Services to Shut Off
• Disabling Un-necessary Services
• Use Secure Services
• Specific XP Services to Disable

5
XP Security II Seminar Objectives

• Application Security
• Remote Desktop / Remote Assistance
• Remote Assistance Overview
• Disabling Remote Assistance
• Setting Up Remote Desktop
• Changing Default Remote Desktop Port
• Disabling Remote Desktop
• Using HFNetChk and Baseline Security Analyzer
• HFNetChk Overview
• Microsoft Baseline Security Analyzer Overview
• Reading Logs
• System LogFile Locations
• IIS LogFile Locations
• Conclusion

6
XP Security II Seminar Objectives

• System Security II
• Software Update Services (SUS) Patching
• Simple File Sharing
• NTFS Permissions
• Windows Security Templates Policies
• IPSEC filtering
• Application Security
• Services to Shut Off
• Remote Desktop / Remote Assistance
• Using HFNetChk and Baseline Security Analyzer
• Reading Logs

7
Windows XP Security II

• System Security II
• Software Update Services (SUS) Patching
• Automatic Updates on Standalone workstations
• Installing SUSAdmin
• Configuring SUSAdmin
• Synchronizing SUS
• Approving Updates
• Installing SUSClient
• Configuring SUSClient to update from server via
  AD OU Group Policy
• Simple File Sharing
• NTFS Permissions
• Windows Security Policies
• Network Security
• Application Security

8
Automatic Updates on Standalone Workstations
9
Installing SUSAdmin

• SUS has two portions
• Server (SUSAdmin)
• Client (Automatic Updates Client)
• SUSAdmin can only be installed on Windows 2000 or
  2003 Server
• It is recommended that SUSAdmin be installed on
  Standalone Server (Not domain controller or
  application server)
• Install Server Software from http//download.mic
  rosoft.com/download/0/b/9/0b97f864-2408-4748-ad96-
  3691e2451006/SUS10SP1.exe
• Read SUS Deployment Whitepaper
  http//www.microsoft.com/windowsserversystem/sus/s
  usdeployment.mspx

10
(No Transcript)
11
Configuring SUSAdmin

• On SUSAdmin Server, open following URL
• http//localhost/SUSAdmin
• Welcome screen will appear. Click on Set
  Options in left frame.
• Choose whether to maintain the updates on a MS
  Windows Update Server or save the updates to a
  local folder.
• If updates saved to local folder, choose
  Locales (Languages) for install packages. Only
  use minimum necessary languages to reduce
  download time of updates
• It is recommended that you use SSL for SUS.
  Instructions on enabling SSL for SUS can be found
  in the MS SUS Whitepaper on page 25.

12
Synchronizing SUS

• Click on Synchronize Server on left frame.
• On right side of page, click on Synchronization
  Schedule
• Choose when synchronization should occur (weekly,
  daily, etc).
• Recommended setting daily
• Click on Synchronize now
• Catalog Download Progress will appear. It will
  appear to hang on 100 with a cancel button
  below. Do not cancel!
• Next, it will start downloading the actual updates

13
Approving Updates

• Click on Approve Updates in left hand pane.
• All available updates that have been downloaded
  will be listed with one of the following status
• New (recently downloaded and not approved)
• Approved (approved and available for download by
  client computers)
• Not Approved (Declined by SUS administrator and
  will not be made available for client computers)
• Updated (A change has been made to an update)
• Temporarily Unavailable (Update package or a
  dependency is not available)
• Check the box next to the updates you have
  previously examined in a test environment and
  want to approve for distribution to your client
  computers.

14
Installing SUSClient

• Client can be downloaded from http//www.microsof
  t.com/windows2000/downloads/recommended/susclient/
  default.asp
• Client can be installed on
• Windows 2000 Professional with Service Pack (SP)
  2 (already included with W2K SP3)
• Windows 2000 Server with SP2
• Windows 2000 Advanced Server with SP2
• Windows XP Professional (already included with XP
  SP1)
• Windows XP Home Edition

15
Configuring SUSClient to update via AD OU Group
Policy

• Type dsa.msc on an Active Directory Domain
  Controller.
• Right click the OU or domain where you want to
  create the policy
• Choose properties
• Click the Group Policy tab and click new
• Type a name for the policy and click edit.
• Double click either Computer or User
  Configuration (Settings) and right-click on
  Administrative Templates
• Choose Add/Remove Templates, and then click Add
• If you dont already see wuau in the list of
  current policy templates, click the add button at
  the bottom of the screen.
• Navigate to \Systemroot\Windir\inf\WUAU.adm
• Click Open

16
(No Transcript)
17
Configuring SUSClient to update via AD OU Group
Policy (Cont.)

• In Group Policy Editor, Click on Computer
  Configuration in left hand pane.
• Click next to Administrative Templates to
  expand it.
• Click Next to Windows Components
• Click on Windows Update
• Configure options in right hand pane
• Configure Automatic Updates
• Specify intranet Microsoft update service
  location
• Reschedule Automatic Updates scheduled
  installations
• No auto-restart for scheduled Automatic Updates
  installations
• SUS can be set up via Registry entries if you
  arent using Active Directory. Please see page
  61 of the SUS Whitepaper for installation
  instructions.

18
Windows XP Security II

• System Security II
• Software Update Services (SUS) Patching
• Simple File Sharing
• Simple File Sharing Overview
• Setting Up SFS Shares
• SFS Is Not Secure
• Disabling SFS
• NTFS Permissions
• Windows Security Templates and Policies
• Network Security
• Application Security

19
XP Simple File Sharing

• With Windows XP, Microsoft introduced a new
  feature called Simple File Sharing
• By default with Simple File Sharing, no files or
  folders on the hard drive are shared with other
  network users.
• Simple File Sharing enabled by default in
• XP Home This feature cannot be disabled in XP
  Home Edition.
• XP Pro Only enabled in workstation / standalone
  mode. It may be disabled in this mode. When an
  XP Pro machine is joined to a domain, this
  feature is automatically disabled, and uses
  standard NTFS permissions instead.

20
Setting Up Shares Using Simple File Sharing

• To share a folder with simple file sharing
  enabled, right click on folder and choose
  properties and select the sharing tab.
• To share files/folders with other users on the
  same machine, drag the desired items to the
  Shared Documents folder
• To share file(s) or folder(s) with other network
  users, (use the network setup wizard) and then
  give share a name. There is a check box to
  Allow network users to change my files This
  is not recommended!!!

21
XP Simple File Sharing Is Not Very Secure!

• Simple File Sharing does not use passwords or
  access restrictions.
• Everything that is shared is accessible by
  everyone on the network.
• If Allow network users to change my files is
  checked, others have write privileges to the
  folder without any access controls.
• This is a good way for viruses to spread!
• If any folders or files are shared, it is
  recommended that you do not use simple file
  sharing.

22
Simple File Sharing Enabled
23
Disabling XP Simple File Sharing

• To disable simple file sharing, open up Windows
  Explorer or My Computer folder. Under the Tools
  Menu, Select Folder Options. Choose the View
  Tab. Scroll down to Use Simple File Sharing
  and uncheck the box.

24
Disabling Simple File Sharing
25
Simple File Sharing Disabled
26
Security (NTFS Permissions) Tab Appears After
Disabling SFS
27
Windows XP Security II

• System Security II
• Software Update Services (SUS) Patching
• Simple File Sharing
• NTFS Permissions
• Definitions
• Changing Default Permissions
• NTFS Rules Additive Permissions and Deny
  Permissions
• Removing Access to common executables
• Windows Security Templates Policies
• Network Security
• Application Security

28
NT File ACLs (Permissions) For Shared Files

• NTFS uses DACLs (Discretionary Access Control
  Lists) to determine authorization
• An individual object in an Access Control Lists
  us known as an Access Control Entry (ACE).
• Generically, a collection of ACLs can be
  referred to as permissions
• Microsoft default for permissions has been
  Usability over security
• For security purposes it is prudent to restrict
  access to everyone and anonymous users where
  possible.

29
Changing Default NTFS Permissions

• After applying service pack, replace Everyone
  with Full Control to Administrators on pertinent
  files/folders
• Folders created by OS generally have correct
  permissions. Any folders created by you will
  inherit root folder permissions by default which
  is Everyone has Full Control
• Note Always add administrator(s) with full
  control before taking away full control for
  everyone.
• Add Authenticated Users give them desirable
  permissions
• E.g. RWXD or RX

30
NTFS ACL Rule 1 ACL Permissions Are Additive

• Example Your account is a member of two groups
  Backup Operators and Users.
• The Users group is not listed in the group of
  people allowed access to the folder. However,
  the Backup Operators group has permissions listed
  as RWXD.
• Result You have RWXD permissions for this
  folder.

31
NTFS ACL Rule 2 Deny Explicitly Overwrites Any
Allow Permissions

• Example Your account is again a member of two
  groups Backup Operators and Users
• The Users group has an explicit deny flag set for
  the folder. The Backup Operators Group is set to
  RWXD.
• Result You will not be able to access this
  folder!

32
Remove Access to Known Command Line Executables
From Everyone

• Grant ACLs for authenticated users only for the
  following C\Winnt\System32 executables
• Cmd.exe
• Command.com
• Ftp.exe
• Regedit.exe
• Regedt32.exe
• Telnet.exe
• Tftp.exe

33
Windows XP Security II

• System Security II
• Simple File Sharing
• NTFS Permissions
• Windows Security Templates Policies
• Security Policies Overview
• Account / Password Policies
• Auditing Policies
• User Rights Assignment
• Security Policies
• Network Security
• Application Security

34
Security Policies

• Control Panel ? Classic View ? Administrative
  Tools ? Local Security Policy
• Policies Include
• Account Policies, Local Policies, Security
  Options, Public Key Policies, Software
  Restriction, IPSEC

35
Security Templates

• Template A predefined stencil of computer
  settings which can be quickly and/or
  automatically applied.
• Microsoft has predefined some computer security
  templates
• Designed to lock down settings and make the
  computers more secure.
• They are located at SystemRoot\Security\Templat
  es and are kept as .ini files.
• You can directly edit the .ini files in notepad
  if you wish
• You can use the MS templates, but it is suggested
  that you create a new template and define the
  security settings
• Then use the Security Configuration and Analysis
  tool to compare your settings to MS recommended
  settings.

36
Creating a New Security Template

• Go to the Start Menu and choose Run. Type mmc
  in the box and press enter.
• Under the file menu, select Add/Remove Snap-in
  and select the add button when it appears
• Click the Security Templates from the Add
  Standalone Snap-in Window
• Click ok and the close button
• The Security Templates button will now appear in
  the left pane of the MMC console window.
• Right click on the location of the templates and
  select New Template Next, type in the name of
  your template and a description.

37
Creating a New Security Template
38
Defining your Security Settings

• Click on the Sign next to the name of your
  newly created security template and navigate
  through the entries.
• Change the security settings you see fit.
• Once you have done so, right click on the name of
  your security template and choose Save As to
  save your settings to a file.
• Extensive information about security settings
  will be discussed in following section of seminar.

39
Opening the Security Configuration and Analysis
Tool

• Open the MMC and add the Security Configuration
  and Analysis Snap-In exactly as you added the
  Security Templates Snap-In.
• Right Click on the Security Configuration and
  Analysis in the left pane. Choose Open
  Database and type in a filename for a new
  database you will be creating to compare your
  security settings in.
• Next, you will see an import template dialog
  box. Choose the name of the template you want to
  compare your settings to (e.g. HISECWS). Click
  on Open.

40
Using the Security Configuration and Analysis Tool

• Right-click on the tool and choose Analyze
  Computer Now It will put a check mark next to
  any of your settings that it deems sufficiently
  match the MS predefined template and an X next to
  those that do not.
• To apply all settings from a MS template to your
  computer, right-click on the Tool and Click
  Configure Computer Now. Warning, this applies
  MS settings over yours, which is Non-reversible!
  Use Caution!

41
Applying Security Templates

• Security templates should be applied both for
  domain settings and local settings (in case the
  domain is not available).
• You can apply the templates manually to the local
  system or though the secedit command (you can
  use a batch file at logon to automatically apply
  the desired template).
• You can also apply domain security settings for
  domain to automatically be applied to all
  computers the domain.

42
Importing a template into Active Directory

• You can set templates for Organizational Units in
  the following manner on an AD Domain Controller
• Open Administrative Tools in the Control Panel
  and select Active Directory Users and Computers
• Right-click on the Organizational Unit that
  requires the security policy. Select properties
• Click on the Group Policy Tab. Select New and
  type in the name of the new policy you will be
  adding
• Click on the Edit button and the Group Policy
  Object Editor will appear
• Click the next to Computer Configuration.
  Then, Click the to expand the Windows Settings
• Right click on Security Settings and choose
  Import Policy
• Select the template that you wish to be applied
  to the OU and click on Open to import the policy.

43
Local Security Settings
44
Account / Password Policies

• Password History (X passwords remembered)
• Default 0, Recommended 5
• Maximum Password Age (X days)
• Default 42 days, Recommended ?
• Minimum Password Age
• Default 0 days, Recommended ?
• Password Length
• Default 0, Recommended 7

45
Password Policies (cont.)

• Password Must Meet Complexity Requirements
• ¾ of the following lower case, upper case,
  numbers, symbols AND passwords cannot contain
  user name or any part of full name.
• Default Disabled, Recommended Enabled
• Store passwords using reversible encryption for
  all users in the domain
• Default Disabled

46
Account Lockout Policy

• Account Lockout Duration
• Recommended 15 minutes or longer
• Account Lockout Threshold
• Recommended 5 attempts or lower
• Reset Account After
• Recommended 15 minutes or longer

47
Auditing Policies

• By default, nothing is audited in XP!
• Audit Account Logon Events Records response of
  a domain controller to authenticate a network
  user.
• Recommended Success / Failure
• Audit Account Management Audits account changes
  such as renaming, enabling/disabling, password
  changes, creation, deletion, etc.
• Recommended Success / Failure

48
Auditing Policies (Cont.)

• Audit directory service access logs events of
  standard active directory objects
• Recommended Failure
• Audit Logon Events Records user authentication
  for local machine or domain controllers
• Recommended Success / Failure
• Audit Object Access Allows setting of auditing
  on files or directories (you must set each
  directory/file separately).
• Recommended Varies

49
Auditing Policies (Cont.)

• Audit Policy Change Audits additions,
  deletions, and changes made to local and domain
  security policies
• Recommended Success / Failure
• Audit Privilege Use Audits special privileges
  assigned to a user, privileged services that are
  called, and privileged object operation
• Recommended Failure (Auditing success will fill
  up logs very quickly!)

50
Auditing Policies (Cont.)

• Audit Process Tracking Audits processes
  (creation, exits, and resources)
• Recommended Failure or None
• Audit System Events Audits events going on
  within the physical system that can affect
  security or logging (shutdowns, reboots, clearing
  of logs)
• Recommended Failure (can fill up logs VERY
  quickly)

51
Auditing Recap

• Audit success, failure of
• Logon events
• Account management
• Policy change
• Object Access
• Audit failure of
• Privilege use
• Process tracking
• System events

52
User Rights Assignment

• Access this computer from the network
• Default includes everyone in Windows NT
• You can remove Everyone and add desired users
• Other User Rights Assignment options include who
  is allowed to
• Back up files,
• Increase quotas,
• Log on locally,
• Shut down the system,
• Take ownership of files of other users

53
User Rights Assignment (Cont.)

• Bypass Traverse Checking Allows access to files
  and folders regardless of users permission to
  parent folder for users included in list.
• This setting basically nullifies Inherit parent
  permissions
• E.g. if you remove Everyone, then anyone not in
  one of the listed groups will access files based
  on parent inheritance, not individual file
  permissions.

54
Security Options Accounts

• Only those that should be changed are listed
  here.
• Guest Account Status
• Should be set to disabled. If it is not, please
  change this policy status to disabled
• Administrator Account Status
• May be disabled
• Rename Guest Account
• Recommended!
• Rename Administrator Account
• Recommended!
• Limit Local use of blank passwords to console
  logon
• Do not change this to disabled!!!

55
Security Options Devices

• Restrict access of CD Rom and Floppy to locally
  logged on User Recommended especially if running
  Remote Desktop or IIS is installed (e.g. A
  windows setup disk is left in the cd drive).

56
Security Options Interactive Logon

• Do Not Display Last User Name in Logon Screen
  Change to enabled (Users must know username and
  pw).
• Message text/title for users attempting to log on

57
Security Options Network Access

• Do not allow anonymous enumeration of SAM
  Accounts, Do not allow anonymous enumeration of
  SAM account and Shares Should be set to enabled
• If not enabled, local/domain accounts can be
  enumerated via the NetBIOS protocol
• Scripts / Lophtcrack can then be used to
  determine passwords associated with userid
• Let Everyone permissions apply to anonymous user
  should be disabled
• Remotely accessible registry paths if possible,
  remove ALL paths.

58
Security Options Network Security

• Force logoff when logon hours expire should be
  enabled.

59
Security Options Shutdown

• Allow system to be shut down without users having
  to log on disable this option.
• Clear Virtual Memory Pagefile when Shutting Down
  Enable this option

60
Windows XP Security II

• System Security II
• Network Security
• IPSEC filtering
• IP Security Overview
• Starting IPSec service
• Installing IPSec Policy
• Creating a Custom IPSec Policy
• Application Security

61
IP Security Filtering

• IP filtering using IPSEC allows the computer
  administrator to create a list of connections
  allowed or disallowed based on a number of rules
  such as port number, source, or destination.
• For example, you can block all NetBios traffic
  external to PSU but allow connections from the
  Penn State address space.

62
Starting the IPSEC Service

• In the Control Panel, open Administrative Tools
  and then Services. Make sure that IPSEC Policy
  Agent is Started and Set to Automatic.

63
Installing IPSEC Policy

• Next, open the Control Panel ? Administrative
  Tools ? Local Security Policy. Right click on
  IP Security Policies on local machine. From
  the menu that appears, choose All Tasks.
  Select Import Policies and browse to the
  location of the IPSEC policy.
• The policy should now appear in the list on the
  right hand side. Right click the new policy and
  select Assign.

64
Installing An IPSec Policy
65
Creating a Custom IPSEC Policy

• Open up the XP Help and Support button and click
  on Add or edit IPSec filters
• This help guide will walk you step by step
  through configuring custom IPSEC filters.

66
Common Breaches of System Security

• Most breaches are a result of this aspect!
• Open Network Shares
• Incorrect ACLS
• No Auditing / Logging
• Weak Passwords (Lophtcrack)
• Policies not set correctly

67
XP Security II Seminar Objectives

• System Security II
• Simple File Sharing
• NTFS Permissions
• Windows Security Policies
• Network Security
• IPSEC filtering
• Application Security
• Services to Shut Off
• Remote Desktop / Remote Assistance
• Using HFNetChk and Baseline Security Analyzer
• Reading Logs

68
Windows XP Security II

• System Security II
• Network Security
• Application Security
• Services to Shut Off
• Disabling un-necessary services
• Use Secure Services
• Specific XP Services to disable
• Remote Desktop / Remote Assistance
• Using HFNetChk and Baseline Security Analyzer
• Reading Logs

69
Application Security

• Check for patches for all software (Application
  patches should be applied before system is placed
  on network)
• Adding remote access software increases risk of
  breaches
• Backdoors
• Warez servers
• SMTP servers
• Admin tools for dDos attacks
• Scanners/automated scripts disguised as innocent
  files
• OS files removed

70
Services

• Disable any that you are not using
• SMTP
• RAS (including VNC, Timbuktu, Terminal Services)
• HTTPD (IIS) Caution - May be installed with
  Network Monitoring Tools in 2000/XP
• FTP/tFTP
• Telnetd
• Service Distribution Do NOT install all services
  on one machine!
• Do Not install on PDC/ BDC

71
Use Secure Services

• Plugins for Email (Kerberos, PGP)
• SSh vs. Telnet
• HTTPS vs. HTTP
• Scp vs. FTP
• Use Secure services wherever possible.

72
XP Services

• Accessed from Control Panels ? Classic View ?
  Administrative Tools ? Services
• If not needed, stop and set to manual
• Remote Registry
• Remote Desktop
• Remote Access Auto Connection Manager
• NetMeeting Remote Desktop Sharing
• SSDP (Universal Plug and Play)
• TCP Port 5000
• UDP Port 1900

73
Windows XP Security II

• System Security II
• Network Security
• Application Security
• Services to Shut Off
• Remote Desktop / Remote Assistance
• Remote Assistance Overview
• Disabling Remote Assistance
• Remote Desktop Overview
• Setting Up Remote Desktop
• Changing Default Remote Desktop Port
• Disabling Remote Desktop
• Using HFNetChk and Baseline Security Analyzer
• Reading Logs

74
Remote Assistance

• Designed to allow others to take control of your
  computer to assist in troubleshooting and even
  fix problems.
• Turn this off until it is needed!
• Control Panel ? Classic View ? System ? Remote
  tab ? Settings button
• Administrators group can connect to the computer
  by default.

75
Disabling Remote Assistance

• To disable uncheck one of the following
• Allow Remote Assistance invitations to be sent
  from this computer
• Under Advanced button, Allow this computer to be
  controlled remotely

76
Remote Desktop

• Other computers can access your windows session
  by remotely logging in to your computer with a
  valid username and password
• This feature is based on Terminal Services
  session data is sent encrypted.
• (E.g. you can leave your machine logged in at
  work and then log on to Remote Desktop at home to
  control your computer).
• Logging on remotely locks screen locally

77
Setting Up Remote Desktop

• On host computer, navigate to the Control Panel
  and choose the System icon. Click on the Remote
  tab.
• Check the box for Allow Users to connect remotely
  to this computer.
• Click on the settings button to change which
  users have remote access.

78
Setting Up Remote Desktop

• To open Remote Desktop Client
• On connecting computer if XP, navigate to the
  Start Menu ? Accessories ? Communications ?
  Remote Desktop Connection
• On a non-XP Windows machine, insert the XP CD
  into the CD Rom drive. When the Welcome page
  appears, click Perform additional tasks, and then
  choose Set up Remote Desktop Connection
• You will need to enter the IP address of machine
  you are connecting to, and your username and
  password on that machine.

79
Remote Desktop Connection

• Click the options button to expand so additional
  options (username and password, domain, display
  options, etc are shown).

80
Changing Remote Desktop Port

• By default, Remote Desktop (and Terminal
  Services) runs on port 3389.
• You can add security by obscurity by changing
  the default port.
• You need to
• Make a simple registry change on the host
  computer (see)
• http//support.microsoft.com/default.aspx?scidkb
  EN-US306759
• Add portnumber after IP address on connector for
  client.

81
Entering Remote Desktop Port in Client

• In example, 10.0.0.1 is theoretical IP Address
  and 8337 is port that Remote Desktop was changed
  to.

82
Disabling Remote Desktop

• If not needed, do not run this feature.
• Control Panel ? Classic View ? System ? Remote
  tab ? Settings button
• Uncheck Allow others to connect remotely to this
  computer
• All Remote Access Services should log all traffic

83
Windows XP Security II

• System Security II
• Network Security
• Application Security
• Services to Shut Off
• Remote Desktop / Remote Assistance
• Using HFNetChk and Baseline Security Analyzer
• HFNetchk Overview
• Microsoft Baseline Security Analyzer Overview
• Reading Logs

84
HFNetchk

• Command Line utility which tells you if you are
  up to date on patches.
• Every time you run HFNetchk, it will attempt to
  connect to Microsoft to download an up to date
  XML document which indicates what patches should
  be on your machine.
• If the network is unavailable, it will use
  configuration already saved to your hard disk.
• You can download HFNetchk from
  http//support.microsoft.com/default.aspx?scidkb
  en-us303215

85
Baseline Security Analyzer

• http//www.microsoft.com/technet/treeview/default.
  asp?url/technet/security/tools/Tools/MBSAhome.asp
  
• Checks for hotfixes and security
  misconfigurations on systems.
• Scan by machine name or IP Address(es) Can scan
  multiple computers at a time.

86
Windows XP Security II

• System Security II
• Network Security
• Application Security
• Services to Shut Off
• Remote Desktop / Remote Assistance
• Using HFNetChk and Baseline Security Analyzer
• Reading Logs
• System Logfile locations
• IIS Logfile location

87
Reading Logs

• Event Viewer (eventvwr)
• System
• Application
• Security
• IIS Logs (c\winnt\system32\logfiles)
• W3SVC1, etc.
• If you do not look through logs you may not
  notice anything is going on!

88
XP Security II Seminar Objectives

• System Security II
• Software Update Services (SUS) Patching
• Automatic Updates on Standalone Machines
• Installing SUSAdmin
• Configuring SUSAdmin
• Approving Updates
• Installing SUSClient
• Configuring SUSClient to update from server via
  AD OU Group Policy
• Simple File Sharing
• Simple File Sharing Overview
• Setting Up SFS Shares
• SFS Is Not Secure
• Disabling SFS

89
XP Security II Seminar Objectives

• System Security II (Continued)
• NTFS Permissions
• Definitions
• Changing Default Permissions
• NTFS Rules Additive Permissions and Deny
  Permissions
• Removing Access to Common Executables
• Windows Security Templates Policies
• Creating a New Security Template
• Defining Your Security Settings
• Using the Security Configuration and Analysis
  Tool
• Applying Security Templates
• Security Policies

90
XP Security II Seminar Objectives

• Network Security
• IPSEC filtering
• IP Security Overview
• Starting IPSec Service
• Installing an IPSec Policy
• Creating a Custom IPSec Policy
• Application Security
• Services to Shut Off
• Disabling Un-necessary Services
• Use Secure Services
• Specific XP Services to Disable

91
XP Security II Seminar Objectives

• Application Security
• Remote Desktop / Remote Assistance
• Remote Assistance Overview
• Disabling Remote Assistance
• Setting Up Remote Desktop
• Changing Default Remote Desktop Port
• Disabling Remote Desktop
• Using HFNetChk and Baseline Security Analyzer
• HFNetChk Overview
• Microsoft Baseline Security Analyzer Overview
• Reading Logs
• System LogFile Locations
• IIS LogFile Locations
• Conclusion

92
Windows Is a Popular OS to Hack

• Millions of lines of code
• All aspects add to increase security
• ACLS, Services and Applications run among most
  important
• Frequent patching and examination of logs is a
  must
• Also consider other means to secure
• Apply ideas to workstations in department as well
• Spend extra time setting up a machine when you
  have time rather than rebuilding when downtime is
  highly inconvenient

93
Appendix 1 File and Folder Permissions
94
Appendix 2 PSU Security Policies

• Located at http//sos.its.psu.edu/policy.html

95
Appendix 3 Additional Resources

• SANS guidelines
• //common/docs/SANS
• NSA Guide to Securing W2K
• nsa2.www.conxion.com/win2k/download.htm
• Microsoft Windows 2000 Server Security Guide
• http//www.microsoft.com/technet/security/prodtech
  /windows/windows2000/staysecure/Default.asp
• Microsoft SUS Whitepaper
• http//www.microsoft.com/windowsserversystem/sus/s
  usdeployment.mspx

96
Note

• Powerpoint slides to this and other seminars,
  links to utilities, patches, and suggestions for
  securing Windows operating systems and
  applications can be found at http//www.personal.
  psu.edu/lxm30/windows/windows.html