Abstract
In this chapter from "Hardening Windows," you'll learn about implementing a firewall, managing services, disabling automated logins, and hardening default accounts. You'll also find out about Microsoft Baseline Security Analyzer (MBSA) patch and security checks, and file system security.
The advent of always-on connections and the growth of business connectivity to
the Internet mean that Windows XP computers are now routinely connected directly
to the Internet, a hotbed of potentially dangerous people and computers.
In this chapter, you'll look at ways to protect your Windows XP computers
specifically from threats that originate outside your own network.
IMPLEMENTING A FIREWALL
On Windows XP, running a firewall is simply a given. If you don't want to spend
money, use the included Internet Connection Firewall (ICF) to control access to
services running on the machine. Configuring the ICF is a simple process, and
doing so hardens the machine's external interfaces against public access.
(Service Pack 2 later replaced ICF with Windows Firewall, which is turned on by
default and is configured from its own Control Panel applet; the logging and
per-port settings described here carry over.)
To configure the ICF, do the following:
- Open Control Panel, and double-click Network Connections.
- Double-click the connection that refers to your external interface.
The connection status window appears.
- Click the Properties button.
- Navigate to the Advanced tab, and select the box titled Protect My
Computer and Network by Limiting or Preventing Access to This
Computer from the Internet.
- Click OK.
Your computer is now protected by the ICF. You can also click the Settings
button on the Advanced tab to open specific ports for services you might be
running; open a port only for a service you have deliberately decided to expose.
Keep in mind that the ICF filters inbound traffic only. It does nothing about
traffic the machine itself initiates, so it will not stop malware that is
already installed from connecting out.
You should also enable ICF logging on critical computers directly connected
to the Internet. The log records which outside addresses probed the machine,
what they tried to reach, and which connections were allowed through, which
gives you the starting point of a timeline for later forensic analysis. It does
not record what an intruder changed once inside, so pair it with the event-log
and file-system checks later in this chapter before you try to reverse an
attacker's changes. To enable logging, navigate to the Security Logging tab in
the Advanced Settings dialog box, as shown in Figure 4-1.
You can choose whether to log successful connections and packets that are
dropped because of firewall rules, and you can also specify a custom location for
the log file itself; by default it is written to pfirewall.log in the Windows
directory. Logging dropped packets is the setting that matters for detecting
scans; logging successful connections is what you will want when reconstructing
an incident.
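A worked example of reading that log, added here and not taken from the book: the Python below parses an ICF security log, groups dropped packets by source address to expose port scans, and lists the inbound connections that were allowed through. The log text inside it is constructed; the field names come from the file's own '#Fields:' header, which is why it also handles the extra 'path' column that the SP2 Windows Firewall writes.

```python
"""Summarise an ICF log (the pfirewall.log written when Security Logging is on).

Added example; it is not code from the book. The log is W3C extended format,
so the column names are read from the '#Fields:' header instead of being
hard-coded; that also copes with the extra 'path' column the SP2 Windows
Firewall adds. The log text below is constructed for illustration.
"""
from collections import Counter, defaultdict

# Labels for the ports outsiders most often probe on an XP box.
WELL_KNOWN = {
    135: "RPC endpoint mapper", 137: "NetBIOS name service",
    139: "NetBIOS session", 445: "SMB", 1026: "Messenger service (popup spam)",
    3389: "Remote Desktop",
}

SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-09-12 02:14:07 DROP TCP 203.0.113.7 192.0.2.10 3381 135 48 S 2911203314 0 16384 - - -
2003-09-12 02:14:07 DROP TCP 203.0.113.7 192.0.2.10 3382 139 48 S 2911203315 0 16384 - - -
2003-09-12 02:14:08 DROP TCP 203.0.113.7 192.0.2.10 3383 445 48 S 2911203316 0 16384 - - -
2003-09-12 02:14:08 DROP TCP 203.0.113.7 192.0.2.10 3384 3389 48 S 2911203317 0 16384 - - -
2003-09-12 02:15:31 DROP UDP 198.51.100.4 192.0.2.10 1026 1026 443 - - - - - - -
2003-09-12 02:20:00 OPEN TCP 192.0.2.10 198.51.100.20 1044 80 0 - 0 0 0 - - -
2003-09-12 02:20:41 CLOSE TCP 192.0.2.10 198.51.100.20 1044 80 0 - 0 0 0 - - -
2003-09-12 02:22:13 DROP TCP 203.0.113.7 192.0.2.10 3390 135 48 S 2911203399 0 16384 - - -
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            # A truncated line would silently shift every column; refuse it.
            raise ValueError("column count mismatch: " + line)
        yield dict(zip(fields, values))


def probing_sources(records, min_ports=3):
    """Sources whose DROPped packets hit at least min_ports distinct local
    ports: one address walking several services is a port scan, not noise."""
    ports = defaultdict(set)
    drops = Counter()
    for r in records:
        if r["action"] != "DROP":
            continue
        drops[r["src-ip"]] += 1
        ports[r["src-ip"]].add(int(r["dst-port"]))
    return {src: {"drops": drops[src], "ports": sorted(p)}
            for src, p in ports.items() if len(p) >= min_ports}


def accepted_inbound(records, local_ip):
    """OPEN records whose destination is this host: connections that got
    through the firewall, the list worth explaining after an incident.
    OPEN lines for connections this host made itself are left out."""
    return [(r["date"] + " " + r["time"], r["src-ip"], int(r["dst-port"]))
            for r in records if r["action"] == "OPEN" and r["dst-ip"] == local_ip]


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    for src, info in probing_sources(recs).items():
        names = [WELL_KNOWN.get(p, "?") for p in info["ports"]]
        print(f"{src}: {info['drops']} drops, ports {info['ports']} {names}")
    print("accepted inbound:", accepted_inbound(recs, "192.0.2.10"))
```

Run it against a real log with parse_log(open(r'C:\WINDOWS\pfirewall.log').read()). The one-address-many-ports pattern is the thing to look for; a single dropped packet from a random address is ordinary Internet background noise.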
| TIP: Another reason to upgrade to XP: NT 4 is nearing the end of
its life. Users should plan an upgrade to Windows XP or Windows Server 2003.
Users of Windows 2000 Professional should consider an upgrade to Windows
XP if only for the ICF filtering it provides.
|
If you have a small business or home business network connected to the
Internet, the most cost-effective way to obtain the most protection possible for
your dollar is to purchase a broadband router, such as those manufactured by
Linksys, D-Link, NETGEAR, and others. Most of these units have built-in
switches, and because the router performs network address translation (NAT), the
computers behind it are not directly reachable from the outside by default; you
simply connect each client to the router. The router protects only the boundary:
it does nothing about traffic between machines on the inside, or about a
compromised machine calling out, so keep the ICF enabled on each client as well.
This strategy won't scale as your computing base grows, but it's an efficient
solution for a small business or home business.
CHANGES TO SERVICES
One of the easiest ways for crackers to exploit holes in your system is through
open services: a service that listens on the network is code an outsider can
reach without ever logging in. In addition to the security benefit you get from
auditing and closing unused services, you also receive a performance enhancement
because idle programs aren't taking up available resources. Besides, a full
audit of your services can reveal some interesting details about your machine.
Lately, malware has taken to registering itself as a service, or using a
service-like name in Task Manager, which makes it harder to detect, clean, and
prevent.
Windows XP comes with only a few services that genuinely require open access
to an external interface for normal operation: Terminal Services (Remote
Desktop Connection) and the Remote Access Service for answering dial-in calls.
To manage services on your computer, do the following:
1. Right-click My Computer, and choose Manage.
2. Expand the Services and Applications node, and select Services.
3. Double-click a service.
4. Under Startup Type, select Manual to stop a service from starting
automatically at boot, or Disabled to prevent it from being started at all.
Manual still allows the service to be started on demand by a user or by
another service that depends on it, so use Disabled for anything you have
decided the machine should never run. Click the Stop button to stop the
service if it's already running.
Table 4-1 contains a nearly complete list of all services that ship with
Windows XP and the recommended state that each should be in on your computer,
assuming normal office functions are being performed on the machine.
As Table 4-1 shows, not very much is actually needed to keep your Windows XP
installation functioning in a home environment. Many of the services enabled by
default pose a real security risk, bring little or no benefit, consume
resources, and can be safely turned off. Change them a few at a time and reboot
between batches, so that when something stops working you know which service it
needed.
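Since a service audit is worth repeating after every change and on every machine, here is an added example (not the book's code) that checks the output of sc query state= all and sc qc <name> against a desired-state table. The BASELINE dictionary is a hypothetical stand-in for Table 4-1, which is not reproduced on this page, and the sc output in it is constructed.

```python
"""Audit XP services against a desired-state baseline.

Added example; not code from the book. It parses what 'sc query state= all'
(running state) and 'sc qc <name>' (start type) print on XP: each record
begins with 'SERVICE_NAME:' and the indented lines are 'KEY : value'.
BASELINE stands in for Table 4-1, which is not reproduced here; its entries
are illustrative, not the book's recommendations. The sc output is constructed.
"""
import re

# Illustrative desired start types (hypothetical, not Table 4-1).
BASELINE = {
    "Messenger": "DISABLED",        # net send popups; no business use
    "RemoteRegistry": "DISABLED",
    "TlntSvr": "DISABLED",          # Telnet server
    "TermService": "DEMAND_START",  # Remote Desktop, started when enabled
    "Eventlog": "AUTO_START",
}

SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077       (0x435)

SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
        STATE              : 1  STOPPED

SERVICE_NAME: upnphost
DISPLAY_NAME: Universal Plug and Play Device Host
        STATE              : 4  RUNNING

SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
        STATE              : 4  RUNNING

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Messenger
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
        SERVICE_START_NAME : LocalSystem

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        START_TYPE         : 3   DEMAND_START

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: TermService
        START_TYPE         : 3   DEMAND_START
"""

RECORD_LINE = re.compile(r"^\s*([A-Z_0-9]+)\s*:\s*(.*?)\s*$")


def parse_sc_output(text):
    """Return {service_name: {KEY: value}}. Records from several sc
    invocations merge, so STATE (from query) and START_TYPE (from qc) for
    the same service end up in one dict."""
    services, current = {}, None
    for line in text.splitlines():
        m = RECORD_LINE.match(line)
        if not m:      # '[SC] ...' banners and '(STOPPABLE,...)' continuations
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services


def symbolic(value):
    """'4  RUNNING' -> 'RUNNING'; '' -> ''."""
    parts = value.split()
    return parts[-1] if parts else ""


def audit(services, baseline):
    """Return (service, observation, expected) tuples for every deviation."""
    findings = []
    for name, expected in baseline.items():
        rec = services.get(name)
        if rec is None:
            if expected != "DISABLED":       # absent is fine for a service we'd disable
                findings.append((name, "not installed", expected))
            continue
        start = symbolic(rec.get("START_TYPE", ""))
        state = symbolic(rec.get("STATE", ""))
        if start and start != expected:
            findings.append((name, "start type " + start, expected))
        if expected == "DISABLED" and state == "RUNNING":
            findings.append((name, "running", expected))
    for name, rec in services.items():   # running, but nobody decided it should be
        if name not in baseline and symbolic(rec.get("STATE", "")) == "RUNNING":
            findings.append((name, "running but not in baseline", "review"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_sc_output(SAMPLE_SC_OUTPUT), BASELINE):
        print("%-16s %-28s expected %s" % f)
```

On a real machine, capture sc query state= all plus sc qc for each service of interest into one text file and feed it to parse_sc_output; the records merge by service name. A service that is running but absent from your baseline is the interesting case: either add it to the baseline deliberately or turn it off.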
MICROSOFT BASELINE SECURITY ANALYZER PATCH CHECK AND SECURITY TESTS
Windows Update is a good way to update a few computers on your network,
but it's a bad strategy for a large network because it requires user intervention
at each machine and isn't easily automated. As you'll discover in Chapter 9,
Microsoft has a better way to automate patch rollout on more than a handful of
computers using their Software Update Services package. However, neither option
offers a good, sweeping way of determining the update level of your machines.
To fill this need, Microsoft has issued the Baseline Security Analyzer (MBSA)
tool, which will query each machine on your network and report which available
patches haven't been installed. The tool is simple to use, easy to automate, and
is better suited to a mass analysis than Windows Update. However, it lacks the
intelligence and logic of its web-based counterpart: it works from a downloaded
catalog of patches and checks file versions and registry keys, so you'll probably
see it list updates that don't pertain to your machines. It's up to you to verify
that a patch listed in the MBSA results actually applies to the specific machines
on your network before you roll it out. Most patches also require a reboot
before the fix is in effect, so plan for one after each round of patching.
Installing Microsoft Baseline Security Analyzer
To install MBSA, follow this procedure:
- Go to http://www.microsoft.com and search for hfnetchk. (I would
include a link, but Microsoft has a tendency to change their website
around quite often.)
- Download, execute, and install the program to c:\hfnetchk.
- At the command prompt, enter hfnetchk –z –v.
HFNetChk is the command-line patch checker whose engine MBSA incorporates
(MBSA's own command-line front end, mbsacli.exe, runs it with the /hf switch).
By default it downloads the current patch database (mssecure.xml) from
Microsoft on each run and then scans a computer or set of computers, listing
each missing patch with its security bulletin and Microsoft Knowledge Base
article number. The –v (verbose) switch makes it explain why each patch was
reported missing or flagged with a note or warning; –z tells it to skip the
registry checks and rely on file versions alone. To scan other machines, name
them with –h (hostnames) or –i (IP addresses), and use –x to point at a local
copy of the database on machines that can't reach the Internet. You can look up
the appropriate patch using the article number provided at
http://www.microsoft.com/support.
PENETRATION TESTS
Many security vendors provide free or low-cost online tools that evaluate the
security of your system, of course with the underlying motive of persuading you
to buy their product. These tools are most often a basic "penetration test" that
can indicate how effectively you've hardened your system. Be aware of what they
test: the scanner probes whatever answers at your public address. If your XP
machine sits behind a broadband router, that is the router, not the PC, so run
the test from a machine that is directly connected to see what the ICF is really
exposing.
Symantec offers their security check, as well as other tools, at http://security.symantec.com. Here you can scan for holes in your computer's external
interfaces, a very basic penetration test, or scan for viruses that might be
present on your system, and look up the origin of a cracker's source IP.
If you've followed the steps in this chapter so far, I highly recommend taking
advantage of the Scan for Security Risks option to ensure that you haven't
missed anything. In addition to probing your open ports, the option can also
detect some Trojan horses that listen on a port to provide a back door into
your computer.
There's one thing you should be aware of: each of these Symantec tools
downloads ActiveX content to your system, which runs with the full privileges of
the logged-on user; that should at least give a competent, astute administrator
pause. It's up to you whether to trust a particular vendor. Generally, the more
established security-testing sites have the most robust scanning tools.
Steve Gibson, of the venerable Gibson Research Corporation, has also made
available the popular ShieldsUp! test, which is available at http://www.grc.com.
It performs much the same function as the Symantec tools.
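Before (or instead of) trusting an outside scanner, it helps to know what the machine itself is offering. The following added example, which is not from the book, reads the output of netstat -an and lists the sockets bound to a non-loopback address, which is exactly the set an Internet-side scanner can probe once the ICF is out of the way. The netstat text is constructed; the port labels are the standard Windows assignments.

```python
"""Show what an outside scanner could reach, from 'netstat -an' output.

Added example; not code from the book. Before paying for (or trusting) an
online scan, list the sockets bound to every interface (0.0.0.0 or the
machine's own address) rather than to loopback: those are what the Internet
sees. The netstat text below is constructed in the layout XP prints.
"""

# Labels for ports that an unhardened XP installation typically exposes.
WELL_KNOWN = {
    135: "RPC endpoint mapper (DCOM)",
    137: "NetBIOS name service",
    139: "NetBIOS session (SMB over NetBIOS)",
    445: "SMB (direct hosting)",
    1900: "SSDP (UPnP discovery)",
    3389: "Remote Desktop",
    5000: "UPnP device host",
}

SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1044        198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:1026         *:*
  UDP    192.0.2.10:137         *:*
"""


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) per socket line.
    UDP lines have no State column, so state is '' for them."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                  # banner and header lines
        addr, port = parts[1].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""
        yield parts[0], addr, int(port), state


def exposed_listeners(text, loopback=("127.0.0.1",)):
    """Sockets another host could connect to: listening TCP sockets and all
    UDP sockets, minus those bound to a loopback address."""
    found = set()
    for proto, addr, port, state in parse_netstat(text):
        if addr in loopback:
            continue                     # reachable from this machine only
        if proto == "TCP" and state != "LISTENING":
            continue                     # established sockets aren't services
        label = WELL_KNOWN.get(port, "unknown: find the owner with netstat -ano and tasklist /svc")
        found.add((proto, addr, port, label))
    return sorted(found)


def unexpected(listeners, allowed_ports):
    """Everything exposed that isn't on the list of ports you meant to open."""
    return [entry for entry in listeners if entry[2] not in allowed_ports]


if __name__ == "__main__":
    exposed = exposed_listeners(SAMPLE_NETSTAT)
    for entry in unexpected(exposed, allowed_ports={3389}):   # RDP is intentional here
        print("%-3s %s:%d  %s" % entry)
```

On a machine with the ICF enabled, compare this list with the ports you opened in the Settings dialog: anything listening on 0.0.0.0 that you didn't open is what the firewall is protecting, and anything you did open is what the scanner will find.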
FILE SYSTEM SECURITY
Part of hardening your overall XP system is to ensure that your file system is adequately
secured. Microsoft provides NT File System (NTFS) support in Windows
XP. NTFS allows for more robust security features and user permissions and also
adds some basic fault tolerance, with which the older FAT file system just cannot
compete. Make sure all of your hard drives are formatted with NTFS unless you
have systems that dual-boot to another, older operating system that doesn’t support
NTFS on the same disk.
To check your hard drive partitions, do the following:
- Log in as Administrator, and double-click My Computer.
- Right-click each hard drive letter and choose Properties.
- Navigate to the General tab. Here, Windows will identify the file
system type.
Follow the previous steps for each drive letter, noting which ones are labeled
FAT or FAT32.
To convert a FAT or FAT32 partition to NTFS, do the following:
- Open a command prompt.
- At the command prompt, enter convert x: /FS:NTFS /V. Replace x with
one of the drive letters you noted previously. (/V requests verbose output.)
- Repeat the previous step for each FAT or FAT32 partition.
If a partition is in use (the system partition always is), convert cannot lock
it and will offer to do the conversion at the next startup; reboot the system
when you're finished for the changes to take effect. Conversion is one-way:
there is no built-in way back to FAT. Note also that converting gives you the
ability to set permissions; it does not set restrictive ones for you, so review
the access control lists on each converted volume afterward.
You might also choose to use a third-party disk utility, such as
PartitionMagic, to convert your file system to NTFS. It's a painless procedure,
no matter which tool you use to do it. Of course, you should always remember to
back up your data before performing any change to a disk's configuration or
function.
DISABLE AUTOMATED LOGINS
Windows XP offers a feature for machines that aren't participating in a security
domain: if the machine has a single user account with no password, it logs that
account in automatically at startup without requiring any user intervention. A
machine can also be configured for automatic logon explicitly, with the account
name and password stored under the Winlogon key in the registry. Obviously,
either arrangement is a huge security hole for machines connected to any kind of
network: whoever powers the machine on gets that user's session. You'll want to
disable this.
To disable automated logins, do the following:
- Inside Control Panel, open Administrative Tools, and double-click
Computer Management.
- Open Local Users and Groups, and click the Users folder.
- Make sure there is a password set for each user account that's enabled
(right-click the account and choose Set Password).
- Then, from the Run dialog, run control userpasswords2 and make sure that
"Users must enter a user name and password to use this computer" is
checked. Clearing that box is what turns on explicit automatic logon. If it
was ever used, also confirm that the DefaultPassword value under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon has been removed,
since it holds the password in clear text.
- Finally, in Administrative Tools, open Local Security Policy and confirm
that the policy "Accounts: Limit local account use of blank passwords to
console logon only" is enabled (it is by default on XP). With it enabled, an
account with a blank password can be used at the keyboard but not across
the network.
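The registry is the authoritative place to check whether automatic logon is configured, whatever the Control Panel shows. This added example (not the book's code) parses the output of reg query for the Winlogon key and for the Lsa LimitBlankPasswordUse value and reports the three conditions that matter: automatic logon turned on, a clear-text DefaultPassword, and blank-password network logons permitted. The two reg query listings in it are constructed.

```python
"""Check a machine for automatic logon and blank-password exposure from
'reg query' output.

Added example; not code from the book. Winlogon's AutoAdminLogon,
DefaultUserName and DefaultPassword values and the Lsa LimitBlankPasswordUse
value are real; the two command outputs below are constructed to look like
what XP's reg.exe prints.
"""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed: output of  reg query "<WINLOGON>"
SAMPLE_WINLOGON = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    AutoAdminLogon      REG_SZ  1
    DefaultUserName     REG_SZ  jsmith
    DefaultDomainName   REG_SZ  WORKGROUP
    DefaultPassword     REG_SZ  summer 2003
    Shell               REG_SZ  Explorer.exe
"""

# Constructed: output of  reg query "<LSA>" /v LimitBlankPasswordUse
SAMPLE_LSA = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    LimitBlankPasswordUse       REG_DWORD       0x0
"""


def parse_reg_query(text):
    """Return {value_name: (type, data)} from reg.exe output. Value lines are
    indented and have three whitespace-separated columns; data may contain
    spaces, so split at most twice."""
    values = {}
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            continue                    # banner and key-path lines
        parts = line.strip().split(None, 2)
        if len(parts) >= 2 and parts[1].startswith("REG_"):
            values[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return values


def audit_autologon(winlogon, lsa):
    """Return human-readable findings; an empty list means nothing to fix.
    A missing LimitBlankPasswordUse is treated as XP's default (enabled)."""
    findings = []
    if winlogon.get("AutoAdminLogon", ("", "0"))[1] == "1":
        user = winlogon.get("DefaultUserName", ("", "?"))[1]
        findings.append("automatic logon enabled for " + user
                        + ": anyone who powers on the machine gets that session")
        if "DefaultPassword" in winlogon:
            findings.append("DefaultPassword holds the logon password in clear "
                            "text; the Winlogon key is readable by ordinary users")
        else:
            findings.append("password is held as an LSA secret (set via control "
                            "userpasswords2); an administrator can still recover it")
    if lsa.get("LimitBlankPasswordUse", ("", "0x1"))[1] != "0x1":
        findings.append("LimitBlankPasswordUse is off: blank-password accounts "
                        "can log on over the network, not just at the console")
    return findings


if __name__ == "__main__":
    print("checking", WINLOGON, "and", LSA)
    for line in audit_autologon(parse_reg_query(SAMPLE_WINLOGON),
                                parse_reg_query(SAMPLE_LSA)):
        print("-", line)
```

Produce the real input with reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" and reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse. If automatic logon was enabled through control userpasswords2 rather than by editing the registry, the password sits in an LSA secret instead of DefaultPassword; the script still flags the automatic logon itself.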
HARDENING DEFAULT ACCOUNTS
The main premise is that in order for someone to access an XP system, she must
have a username and password. To that end, Windows creates the Administrator
account, for use by the machine's owner, and a Guest account, which has
limited privileges and is designed for people who don't have continuing business
on a machine. This is true of every NT-based version of Windows, not just XP.
Of course, crackers have taken advantage of the presence of both accounts,
because a known account name is half of a credential. You might consider
renaming the two accounts to reduce the surface vulnerability of the machine.
This doesn't always work for server machines; sometimes server software and
services require the administrator account to keep its name, but for client
machines, renaming is usually a good strategy. This is true particularly for XP
computers, because they tend to be directly connected to the Internet more than
computers running older versions of Windows. Renaming is a speed bump rather
than a wall: the Administrator account keeps its well-known relative identifier
(RID 500), so a tool that enumerates accounts by security identifier will still
find it. It does defeat password guessing aimed at the literal name
"Administrator", but a strong password on the account is what actually protects
it.
You can configure the Administrator account as follows:
- Log in as Administrator.
- Go to the Control Panel, double-click Administrative Tools, and then
Computer Management.
- Open Local Users and Groups.
- Click the User folder.
- Right-click the Administrator account, and choose to rename it. Make it
a less obvious name.
- Right-click this renamed Administrator account and select Set Password.
You can configure the Guest account as follows:
- Right-click the Guest account, and choose to rename it. Make it a less
obvious name.
- Right-click this renamed Guest account, then select Set Password.
For security reasons, the Guest account in XP is disabled by default.
Enabling the Guest account allows anonymous users to access the system. Even
if no one sits down and logs in as a guest to your system, the account is used:
with Simple File Sharing in effect (always on XP Home, and the default for XP
Professional in a workgroup), every network connection to the machine is treated
as Guest, whatever credentials the remote user offered. If you share a folder,
the default share permission grants the Everyone group Read access (Windows 2000
granted it Full Control), and because an enabled Guest is a member of the
built-in Everyone group, a hole is opened. A standard practice is to always
remove the share permissions from Everyone and grant them to Authenticated Users
instead, which does not include Guest logons. This is a much safer configuration;
tighten the NTFS permissions on the folder itself as well, because share
permissions apply only to access over the network.
USING FORENSIC ANALYSIS TECHNIQUES
Part of hardening a system is knowing when your efforts haven’t protected
against or prevented an attack. Here are some common indicators that your
system has been compromised:
- A system alert, alarm, or related indication from an intrusion-detection
tool
- Suspicious entries in system or security logs in XP’s Event Viewer
- Unsuccessful logon attempts
- New user accounts of unknown origin
- New files on the physical file system of unknown origin and function
- Unexplained changes or attempts to change file sizes, checksums, or
timestamps, especially on files within the Windows system directory
(C:\WINDOWS on a clean XP installation, C:\WINNT on systems upgraded from
NT or 2000)
- Unexplained addition, deletion, or modification of data
- Denial of service activity or inability of one or more users to log in to an
account, including admin or root logins to the console
- System crashes
- Poor system performance
- Unauthorized operation of a program or the addition of a sniffer application
to capture network traffic or usernames or passwords
- Port scanning and the use of exploit and vulnerability scanners, remote
requests for information about systems and users, or social-engineering
attempts
- Unusual usage times; statistically, more security incidents occur during
nonworking hours than any other time
- An indicated last time of usage for an account that doesn’t correspond to
the actual last time of usage for that account
- Unusual usage patterns; for example, programs are being compiled in the
account of a user who doesn’t know how to program
Keep alert for these indicators. If any are tripped, disconnect the machine
from the network first, so the intruder can neither continue nor cover tracks.
If you may need to find out how the machine was compromised, or to support any
action afterward, make a complete image of the disk before touching anything
else; every later step destroys evidence. Then back up any personal data on the
machine, verify that data's integrity (and scan it for malware before restoring
it anywhere), reformat the machine, and reinstall Windows. It isn't a safe bet to
try to clean a compromised machine and return it to production: you can never be
sure you found everything the intruder left behind.
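Several of the indicators above (failed logons, new accounts, cleared logs, odd-hours activity) live in the Security log, and reading it by eye doesn't scale. The following is an added example, not the book's code: it triages a Security log exported from Event Viewer as CSV. The event IDs are the standard NT-family audit events; the CSV column order is an assumption about Event Viewer's export layout, stated in COLUMNS, and the rows are constructed. Note that a workgroup XP machine audits nothing by default: turn on Audit logon events and Audit account management (success and failure) under Local Security Policy first, or there will be no events to triage.

```python
"""Triage an exported XP Security log for the compromise indicators above.

Added example; not code from the book. The event IDs are the NT-family
audit events (529 failed logon, 528/540 successful logon, 624 account
created, 517 audit log cleared, 612 audit policy changed). COLUMNS assumes
Event Viewer's 'Save Log File As' CSV layout; check the first line of your
own export and adjust it if it differs. The rows below are constructed.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

COLUMNS = ["Type", "Date", "Time", "Source", "Category", "Event", "User", "Computer", "Description"]

SAMPLE_EXPORT = """\
Failure Audit,9/12/2003,2:14:09 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WKS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WKS01 Logon Type: 3 Logon Process: NtLmSsp Workstation Name: \\\\EVIL"
Failure Audit,9/12/2003,2:14:11 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WKS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WKS01 Logon Type: 3"
Failure Audit,9/12/2003,2:14:14 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WKS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WKS01 Logon Type: 3"
Failure Audit,9/12/2003,2:14:16 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WKS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WKS01 Logon Type: 3"
Failure Audit,9/12/2003,2:14:19 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WKS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WKS01 Logon Type: 3"
Success Audit,9/12/2003,2:19:30 AM,Security,Logon/Logoff,528,WKS01\\administrator,WKS01,"Successful Logon: User Name: administrator Domain: WKS01 Logon Type: 3 Logon Process: NtLmSsp"
Success Audit,9/12/2003,2:20:02 AM,Security,Account Management,624,WKS01\\administrator,WKS01,"User Account Created: New Account Name: support_388 New Domain: WKS01 Caller User Name: administrator"
Success Audit,9/12/2003,2:21:45 AM,Security,System Event,517,NT AUTHORITY\\SYSTEM,WKS01,"The audit log was cleared Primary User Name: SYSTEM Client User Name: administrator"
Success Audit,9/12/2003,9:05:12 AM,Security,Logon/Logoff,528,WKS01\\jsmith,WKS01,"Successful Logon: User Name: jsmith Domain: WKS01 Logon Type: 2"
"""


def parse_export(text):
    """Return rows as dicts with an added 'when' datetime and integer Event."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, rec))
        row["when"] = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %I:%M:%S %p")
        row["Event"] = int(row["Event"])
        rows.append(row)
    return rows


def field(description, label):
    """Pull 'Label: value' out of an event description ('?' if absent)."""
    m = re.search(re.escape(label) + r":\s*(\S+)", description)
    return m.group(1) if m else "?"


def failed_logon_bursts(rows, threshold=5, window=timedelta(minutes=10)):
    """{account: (first, last, count)} where count >= threshold failures
    (event 529) fell inside one window: password guessing, not a typo.
    The last qualifying window for each account is the one reported."""
    times = defaultdict(list)
    for r in rows:
        if r["Event"] == 529:
            times[field(r["Description"], "User Name")].append(r["when"])
    bursts = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = (ts[start], ts[end], end - start + 1)
    return bursts


def triage(rows, work_hours=(7, 19)):
    """Findings, in time order, for the indicators a hardened box should never show."""
    findings = []
    for r in rows:
        e, d, when = r["Event"], r["Description"], r["when"]
        if e == 624:
            findings.append(f"{when}: account {field(d, 'New Account Name')} created by {field(d, 'Caller User Name')}")
        elif e == 517:
            findings.append(f"{when}: audit log cleared by {field(d, 'Client User Name')}")
        elif e == 612:
            findings.append(f"{when}: audit policy changed by {r['User']}")
        elif e in (528, 540) and not work_hours[0] <= when.hour < work_hours[1]:
            findings.append(f"{when}: logon by {field(d, 'User Name')} (type {field(d, 'Logon Type')}) outside working hours")
    for user, (first, last, n) in failed_logon_bursts(rows).items():
        findings.append(f"{first}..{last}: {n} failed logons against {user}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_export(SAMPLE_EXPORT)):
        print(line)
```

The sequence in the sample is the one to recognise: a burst of failures against Administrator, a success minutes later, a new account, and then the audit log cleared to hide it. Event 517 on its own is reason enough to treat the machine as compromised, since nothing legitimate on a workstation clears the Security log.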
CHECKPOINTS
If you’re in a hurry, the action items within this chapter include the following:
- Use XP’s included Internet Connection Firewall to close off open ports.
- Enable ICF logging for later forensic analysis and intrusion detection.
- If you have a small office or home office network, purchase an inexpensive
broadband router for further protection.
- Adjust your running services list to match Table 4-1.
- Test your service load and ensure that only services required for necessary
functionality are running and enabled.
- Use the Microsoft Baseline Security Analyzer (MBSA) to analyze the
current update level of machines on your network.
- Also visit Windows Update to identify and install appropriate hotfixes and
software updates.
- Visit a reputable online software vendor and perform penetration tests on
your machines to ensure that ports are closed off and your hardening
efforts were effective.
- Format the partitions on your machines with NTFS.
- Disable automated logins by ensuring there is a password for each user
account on a machine. (This applies only to machines that aren’t participating
in a security domain.)
- Rename the Administrator account.
- Rename the Guest account.
- Replace the Everyone group with the Authenticated Users group inside the
access control lists (ACLs) of your shares.
- Understand the typical signs of a compromised machine.
- If a machine becomes compromised, don’t attempt to resurrect it. Get
personal data off, verify the integrity of that data, and then reformat and
reinstall the machine.