Chapter 9 - Windows Workstation Security
Within the 335 pages of "Defeating The Hacker" are 42 chapters. This is just one of them...
Those who sell computers pre-installed with Windows, antivirus software and a host of other applications tell their customers that the new machine is ready to use as soon as it has been unpacked from the box and plugged in. Equally, when you install a fresh copy of Windows onto a new hard drive the implication from the setup utility is that, once the operating system is installed, the computer is all ready to be used by an employee or a home-based user.
This is not the case, and if you mistakenly believe it to be so then you are in for a few nasty surprises. Fresh out of the box, or when newly installed from CD, Windows is dangerously insecure and there are a few things that you must do before you use it.
First, ensure that the hard disk has been formatted using the NTFS file system rather than FAT or FAT32. If you're installing Windows from scratch you'll be offered the choice. NTFS is more secure and more resilient than FAT, so don't even consider anything else. Much of what follows in this chapter (file and folder permissions, the Encrypting File System, disk quotas and the auditing of file access) only works on NTFS; FAT has no notion of file ownership or permissions at all.
You must never allow an unpatched computer to connect to the internet, so a new installation of Windows should be patched by installing the latest service packs for Windows and Office from a CD that has been prepared on another computer. Alternatively, if you are using the Microsoft tools for creating company-wide installation CDs for Windows and/or Office, you can use a technique called slipstreaming to pre-patch the software before it gets installed.
Having ensured that Windows and all key applications have had the latest security patches installed, you should then install your company’s standard antivirus software. Again, this must be updated to the latest version of the software and the virus signature files and should be done offline. Otherwise, if there is a virus-infected PC on your network that is continually seeking new unprotected machines to infect, the new computer will become infected as soon as it is connected to your network.
Assuming that the new computer will be operating within the confines of a corporate firewall, it can now be plugged into the network. If no such firewall exists, then install a personal firewall on the computer at this point. You may wish to use a dedicated product such as ZoneAlarm, or perhaps you will prefer to use one of the many antivirus programs which also include an optional firewall component such as Symantec's Internet Security Suite. Windows XP Service Pack 2 and later include Windows Firewall, which is switched on by default and is an adequate choice if you do not want a third-party product. Once the new PC is plugged into the company network, ensure that all automatic-update features are enabled so that any new security patches will be installed automatically from now on.
Windows XP in both its Home and Professional incarnations normally sets up just one default user account, with full administrator privileges, and doesn’t even require that the user enters a password before being allowed to use it. Many companies leave Windows in this default state and simply hand the computer to the user. This is an incredibly dangerous thing to do.
Before handing over the new computer to its user, you should always configure Windows to require a password, and set up a new account for the user. The precise way that you do this will depend on various factors, such as whether your company network is domain-based or merely one or more workgroups. On a domain-based network, authentication is handled by a separate machine known as a domain controller, so the machine has to be added to the domain by someone with the knowledge and credentials that allow him to do so. On non-domain networks, authentication is handled by the PC itself, so an account must be created on that machine by someone who is in possession of its local administrator password.
Never, ever, allow your users to log into their PC using an administrator account. When you set up their login account, grant it only the minimum set of privileges that it requires, which on Windows XP means a standard user (a member of the Users group). Be wary of the Power Users group: its members can install many programs and there are several known ways for a Power User to make themselves a full administrator, so treat Power Users as administrators in all but name. Someone with an administrator account can install software and reconfigure the machine, which can cause major headaches for your technical support staff.
If a user logs into a PC using an administrator account then all of the programs he runs will run with greater privileges than would otherwise be the case. If the user inadvertently runs a virus-infected email attachment that tries to install a back door or some other item of malware, the installation will only succeed if the operating system allows it. So if the user (and therefore the malware) is running under the control of an account which does not have permission to install new software, a system-wide back door will not be installed. Bear in mind that this limits the damage rather than preventing it: malware running as a standard user can still read, alter or send out anything that user can, and can arrange to run again each time that user logs on. Least privilege is a containment measure, not a substitute for patching and current antivirus.
Restricting user accounts can present occasional problems, such as if a user has a legitimate need to install a new application or printer and has to call upon the services of an IT support person. But this is a small price to pay, and is no reason to accept what might seem like the easier option of allowing all users to install new hardware and software unchecked. By ensuring that users don’t have access to administrator accounts, you also prevent accidental or deliberate removal of software. This can be just as important as preventing the installation of new programs. For example, someone (or a program that the user is running without their knowledge) running under an administrative account could remove or disable any antivirus software, personal firewall or other similar program.
Ensure that the Windows user account names which you use in your company do not provide any clues to hackers. The default administrator account on every new Windows installation is "Administrator" and this is the first one that every hacker tries, so you should always rename this account. Don't use "admin" or "manager", but something innocuous such as George or Yellow. The rename is only a mild obstacle, however: the account keeps its well-known security identifier (the SID ending in -500), and freely available tools will identify it by that whatever it is called, so put the real effort into its password. Although Windows will allow you to rename the default administrator account you can't remove it from the Administrators group, so if you need to set up a standard user account you'll have to set up a new one from scratch.
When choosing passwords, pay particular attention to those of administrator accounts. These are the virtual keys to your kingdom so make them long and complex and ensure that they are known only to a few people. Each administrator should have his or her own administrator-level account rather than sharing one with someone else. This way, your log files will contain reliable details not just of any actions taken, but also who took them.
Each admin account user should also have a non-admin account, which they should use for all their routine non-admin duties. Administrator accounts should only be used when they are required, in order to avoid accidents caused by someone using an account which possesses more powers than they realised.
In Chapter 27 we will discuss the Windows Encrypting File System or EFS. One weakness with EFS concerns administrator accounts. On Windows 2000, the local Administrator account is designated as the Recovery Agent for EFS when Windows is first installed (on a domain it is the domain Administrator), and the recovery certificate stays with the account even if it is renamed from Administrator to something else, so whoever controls that account can read every encrypted file on the computer. A Windows XP workstation that is not in a domain has no default recovery agent, but an administrator can add one at any time. This is yet another reason why you must guard administrator accounts carefully.
Temporary Admin Permissions
If you are an administrator, ie you know the local admin password for a Windows computer, it can be frustrating if you need to sort out a problem that stems from the currently-logged-in user not having sufficient privileges. For example, the user might be trying to change a program’s settings and is being denied access by the operating system. The long-winded solution in such circumstances is:
Thankfully there are a couple of easier ways. One is to use the Run As option. Right-click on the icon of the program you want to run, and choose Run As from the menu that appears. Enter the administrator username and password, and the program will run with the privileges of that account rather than those of the user who is currently logged in. However, there is a problem with Run As. If you run a program in this way, any per-user settings that you change (rather than global ones) will be changed for the administrator rather than for the user.
There are two ways around this. One is to use the long-winded solution listed above, instead of using Run As. The other is to download a useful script from the Web called MakeMeAdmin, written by Microsoft's Aaron Margosis. Once you have downloaded MakeMeAdmin, run it while logged in as the user. You'll be asked for the user's current password, and for the administrator username and password. Assuming you enter these correctly, the script temporarily adds the user to the local Administrators group, opens a command prompt (C:\>) that is logged on as the user but carries administrative privileges, and then removes the user from the group again, so only programs started from that prompt are elevated. Once you have done what you need to do, type EXIT and everything is back to normal.
The Three-Finger Salute
Configure Windows so that users must press Ctrl-Alt-Delete and enter a valid username and password in order to log in. By default, Windows doesn't require either of these (assuming that the machine is not part of a domain) so anyone who turns on the computer can use it. This is clearly a bad idea in a company environment, even if it's acceptable in a domestic setting. To change this in Windows XP Pro, select Administrative Tools from the Control Panel, then choose Local Security Policy. In the left-hand tree under Security Settings, click on "Local Policies", highlight "Security Options" and scroll in the right-hand pane to "Interactive logon: Do not require CTRL+ALT+DEL". Set this option to Disabled. Explore the options on the screen before you close the program - there may be others that will be of use in your company.
Local Security Policies
Modern versions of Windows (2000 onwards, but I shall concentrate on XP) include the facility to log almost everything which happens on the computer. To view the logs, right-click on My Computer and select Manage, then explore the Event Viewer section to browse the application, security and system logs (you need to be logged on as an administrator to do this). It’s important to examine these logs occasionally as they can provide useful pointers regarding possible misuse of the system.
The computer's audit policy is where you specify which events get logged. To access this, select Administrative Tools from the Control Panel. Then choose Local Security Policy. Under Local Policies, click Audit Policy. The list of possible events to log is shown in the right-hand pane. On a stand-alone XP Professional installation little or nothing is audited by default, so at a minimum switch on success and failure auditing for logon events and for account management. The Security log is also small by default and overwrites old entries when it fills, so raise its maximum size in Event Viewer (right-click the log and choose Properties). If you suspect unauthorised activity, save a copy of the log (right-click it and choose Save Log File As) and keep it somewhere safe.
Having set the computer to require a Ctrl-Alt-Delete to log in and enabled logging, your next step is to set local account policies (again, assuming that the machine is not part of a domain; on a domain these are set centrally by Group Policy). From the Control Panel select Administrative Tools and then choose Local Security Policy. Select Account Policies and then select Account Lockout Policy. From here you can set the maximum number of guesses that are allowed before the account is locked out, and the duration of the lockout. By default there is no lockout specified so a hacker with physical access to the machine, or via another computer on your network, can keep guessing passwords for as long as he likes. By setting a lockout policy of, say, 30 minutes after 3 unsuccessful attempts, this particular avenue into your systems is blocked. Two caveats: the built-in Administrator account cannot be locked out by this policy, which is one more reason to give it a very strong password, and a lockout policy hands anyone on the network a way to lock your users out deliberately, so don't set the threshold so low that a couple of typing errors trigger it.
If you allow users to be able to change their own passwords (it’s an option that you can tick when setting up a user account via the Control Panel), you can enforce rules to ensure that they choose sensibly. Click on Password Policy and you can specify values such as the maximum age for a password before it must be changed, how many previous passwords are remembered (and thus can’t be used again), and the minimum password length.
Another useful option when setting a password for a user is to force the user to change their password at the next logon. If an administrator changes a user’s password, tick this box so that the administrator will no longer be aware of the user’s new password and thus can’t be blamed for subsequent misuse of the account.
Setting options such as password policies and lockouts is known as hardening Windows or locking down the system. A web search on either of these terms will bring up much more information should you wish to explore this subject further. One useful Web site is www.windowsecurity.com.
Some Further Actions
Almost all PCs have a BIOS options page from where you can configure various settings that control how the computer operates. One very useful option lets you specify the boot device order. Ideally this should be set so that the computer boots from the hard disk first, and then from the CD drive if no bootable hard disk is found. This will ensure that no one can boot the machine from a CD-ROM once Windows is installed, but that Windows can be reinstalled if the drive fails and is replaced with a new, unformatted unit.
Failure to prevent users booting from other devices such as the CD drive, floppy disk or USB flash drive means that anyone who gains physical access to the computer can restart it and load any utility or operating system that they wish, bypassing the security precautions that you have established. Any information which is not encrypted can be accessed, even if you’ve used Windows to configure specific access permissions.
Once you have configured the BIOS boot options, enable password protection so that no one can change those options. All computers have such a facility in their BIOS pages and, although it’s not foolproof (you can generally wipe the password by temporarily removing the small battery on the computer’s motherboard) it adds another level of protection.
A new Windows XP installation comes with a few default accounts as standard, in addition to the Administrator user. The best way to manage these, rather than select User Accounts from the Control Panel, is to right-click My Computer and choose Manage, then select Local Users And Groups. Delete any accounts that are not required. Each Windows computer has a “guest” account and it’s important to configure the guest accounts correctly on each of your company’s PCs. Unfortunately this can be fairly complicated, as the way in which Windows uses guest accounts varies greatly according to which version of Windows is in use and whether your network is domain-based.
On Windows 2000, assuming a non-domain network, if someone on computer A wants to connect to computer B over the network (to access files stored on it or to share a resource such as a printer), the user of computer A will normally be required to enter a valid username and password for computer B. Or alternatively, the user’s username and password on A must also exist as a valid username and password on B. If the guest account is enabled on machine B, then the above doesn’t apply. Anyone on your LAN can connect to B, and Windows will automatically log them in as a guest user. You should, therefore, disable the guest account on all Windows 2000 machines in order to ensure that anyone who wants to connect to the machine has to provide a valid username and password.
With Windows XP Professional things are slightly different. All connections to machine B over the network are forced to use the guest account, even if the user of A supplies a valid non-guest username and password. Therefore, on a Windows XP Professional machine, you need to leave the guest account enabled if the machine will be accepting connections over the LAN from users who need to access shared files or other resources.
This behaviour in Windows XP, whereby all network connections are given guest access even if a different username and password are provided, is known as ForceGuest. Although it is enabled by default, and it makes good sense for security reasons, you can turn it off in the computer's local security policy if you wish (the setting is "Network access: Sharing and security model for local accounts"; turning off Simple File Sharing as described below changes the same setting). With ForceGuest enabled, Windows XP Professional on a computer that is not joined to a domain uses Simple File Sharing to control permissions on files that are accessed over your network. Although this makes things easier, it reduces the amount of control that you have over who can access which files on that shared computer. It's recommended that you turn off Simple File Sharing. To do this go to My Computer and, from the Tools menu, click Folder Options and then select the View tab. Deselect the "Use simple file sharing" box. Once you have done this, you can set the access permissions for any file or folder by right-clicking it and selecting Properties.
You can set up detailed access permissions for specific users and/or groups, rather than simply having catch-all permissions for a single guest account through which everyone has to connect. File permissions are an important tool on a Windows machine. They allow you to restrict access to folders on a per-user or per-group basis. Windows XP automatically applies a degree of file protection: if users A and B both have accounts on a computer, user A will not be able to see the "My Documents" area belonging to B, provided the disk is NTFS (on FAT there are no permissions to enforce). If you wish to protect other files or folders, simply right-click on the item and select Properties. You will generally see two relevant tabs at this point, namely Sharing and Security. The Sharing tab is where you set the permissions for the network share rather than for the actual files and folders. The Security tab is for setting the file and folder permissions, which is done on a per-user or per-group basis and applies regardless of whether those files are being accessed by a local user or by someone over your LAN.
Having separate permissions for the network share and the files/folders is confusing, and the easiest option is to set the share permissions so that everyone (ie the Everyone group) has either full control or read-only access, and then to use the Security tab to fine-tune those permissions to cater for groups or users.
A depressingly high percentage of the problems that security professionals have to fix on a daily basis come down to an incorrect access privilege somewhere or other. Not all such problems are easy to solve, either, especially when you enter the realms of inherited permissions in which a file’s permissions are not explicitly set but have permeated down from a folder higher up in the directory tree. While the easiest way to fix such problems is undoubtedly to grant people greater privileges than they actually need, either from the start or at the point that a problem comes to light, you must resist at all costs the temptation to do this. It will solve any problem in the short term, but will pose a serious security risk in the future.
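To make the share-versus-NTFS rule and the ordering of explicit and inherited entries concrete, here is a small Python model of the Windows access check. It is an added illustration, not code from this book or from Microsoft: the users, groups, folder and the simplified rights mask are all invented, and real ACEs carry SIDs rather than names.

```python
"""Model of the Windows access check for a file reached through a share.

Added illustration, not code from the book or from Microsoft.  The users,
groups, folder and the simplified rights mask are all invented; real NTFS
rights are a richer bitmask and real ACEs carry SIDs rather than names.
"""
from dataclasses import dataclass

# Simplified rights mask standing in for the real NTFS access mask
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the entry applies to
    rights: int              # rights this entry allows or denies
    allow: bool              # True for an Allow ACE, False for a Deny ACE
    inherited: bool = False  # True if it permeated down from a parent folder


def canonical_order(acl):
    """Windows stores ACEs as: explicit deny, explicit allow, inherited deny,
    inherited allow.  Explicit entries therefore always win over inherited
    ones, and at the same level a deny is seen before an allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def access_check(acl, principals, wanted):
    """Return True if every right in `wanted` is granted to one of `principals`
    (the user plus every group the user belongs to) before any of those rights
    is denied.  Walk in canonical order, accumulate granted rights, and stop at
    the first deny that covers a still-ungranted right.  The same walk is used
    for NTFS ACLs and for share ACLs."""
    granted = 0
    for ace in canonical_order(acl):
        if ace.trustee not in principals:
            continue
        if ace.allow:
            granted |= ace.rights & wanted
            if granted == wanted:
                return True
        elif ace.rights & wanted & ~granted:
            return False
    return granted == wanted


def effective_access(user, groups, share_acl, ntfs_acl, wanted, over_network=True):
    """Over the LAN a request must pass the share ACL AND the NTFS ACL, so the
    more restrictive of the two wins.  A local logon never touches the share
    ACL.  Everyone is implicitly a member of the Everyone group."""
    principals = {user, "Everyone", *groups}
    if over_network and not access_check(share_acl, principals, wanted):
        return False
    return access_check(ntfs_acl, principals, wanted)


# Constructed scenario: D:\Finance is shared as \\WKS-FIN\Finance.  The share
# grants Everyone Full Control (the approach suggested above), the NTFS ACL
# does the real work, and one entry has been inherited from D:\.
FULL_CONTROL_SHARE = [Ace("Everyone", FULL, allow=True)]
READ_ONLY_SHARE = [Ace("Everyone", READ, allow=True)]
FINANCE_NTFS = [
    Ace("Everyone", READ, allow=True, inherited=True),  # inherited from D:\
    Ace("Finance", READ | WRITE, allow=True),           # explicit allow
    Ace("Temps", WRITE, allow=False),                   # explicit deny beats the allow
]


def demo():
    """The cases a support person usually gets called about."""
    return {
        # Finance member writing over the permissive share: both ACLs allow it
        "alice writes": effective_access("alice", {"Finance"}, FULL_CONTROL_SHARE, FINANCE_NTFS, WRITE),
        # Same user through a read-only share: NTFS would allow, the share does not
        "alice writes via read-only share": effective_access("alice", {"Finance"}, READ_ONLY_SHARE, FINANCE_NTFS, WRITE),
        # ...but logged on locally the share ACL is irrelevant
        "alice writes locally": effective_access("alice", {"Finance"}, READ_ONLY_SHARE, FINANCE_NTFS, WRITE, over_network=False),
        # Finance member who is also a temp: the explicit deny wins over the allow
        "bob writes": effective_access("bob", {"Finance", "Temps"}, FULL_CONTROL_SHARE, FINANCE_NTFS, WRITE),
        "bob reads": effective_access("bob", {"Finance", "Temps"}, FULL_CONTROL_SHARE, FINANCE_NTFS, READ),
        # Someone in no group at all still reads, via the entry inherited from D:\
        "carol reads": effective_access("carol", set(), FULL_CONTROL_SHARE, FINANCE_NTFS, READ),
        "carol writes": effective_access("carol", set(), FULL_CONTROL_SHARE, FINANCE_NTFS, WRITE),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:35s} {'ALLOWED' if allowed else 'denied'}")
```

The "bob writes" case is the one that generates support calls: a user who is in a group that is allowed and another that is denied loses, and granting bob an extra allow entry changes nothing. The fix is to take him out of Temps, not to widen the permissions.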
Instruct users to lock their PC if they leave their desk. This prevents someone else (whether a staff member or a passing visitor) from accessing it, but is quicker than logging out and then having to log back in again. To lock Windows XP, just press Ctrl-Alt-Delete and then press K, or press the Windows key together with L. Any programs that were running will continue to do so, and any documents which were open will remain so. The screen will be blanked, and contain only a message explaining that the computer has been locked and can only be unlocked by the original user or an administrator. To unlock and resume where you left off, just press Ctrl-Alt-Delete again and enter the account password.
A user who runs an ftp or Web server on their office computer without permission creates a significant security risk, because hackers attack these services using tools which are widely available on the internet. Ensure that the ftp service is disabled and that no Web server such as IIS or Apache has been installed. If the computer is within a corporate firewall, you should also block incoming ports at that firewall so that connection attempts from outside the organisation reach only the servers on a list of authorised machines.
There are various programs available on the internet for free download which will help you to find out whether a PC is running any unauthorised server software by telling you which, if any, of its TCP ports are listening (ie, waiting for an incoming connection). You can also use the netstat command that is part of Windows - just go to a command prompt and type netstat -an -p tcp and the results will be displayed like this:
[C:\] netstat -an -p tcp
Proto Local Address Foreign Address State
For each port listed as LISTENING there is the potential for a connection to be accepted from an external computer via the internet and you need to find out why. In the example above, the listening ports are 135, 445, 20202, 1027 and 139. A Web search will help you track down the type of service associated with each port. Ports 135 (the RPC endpoint mapper), 139 (NetBIOS session service) and 445 (SMB file and printer sharing) are opened by Windows itself on every XP machine, which is exactly why those three should be blocked at your perimeter firewall, whereas 20202 is nobody's standard port and needs explaining. Common port numbers include 21 (ftp server), 80 (web server) and 25 (smtp mail server). A useful list of port numbers can be found on the Web at www.iana.org/assignments/port-numbers.
Adding a -b to the end of the above command will cause the list to include the name of the program which established the listening port. For example:
[C:\] netstat -an -p tcp -b
Proto Local Address Foreign Address State PID
To find out why a program called alg.exe is listening for connections on port 1025, type the program's name into a search engine and you'll discover that it's part of Windows (the Application Layer Gateway service) and is no cause for concern. Look at the Local Address column too: a program listening on 127.0.0.1, as alg.exe normally does, accepts connections only from the machine itself, whereas 0.0.0.0 means it is listening on every network interface the computer has. Remember, too, that a listening port on a computer doesn't always mean that it will be able to respond to any incoming connections on that port - it all depends on how your firewall is set up. If your corporate firewall is blocking all incoming traffic on port 1025 then alg.exe will never receive anything at all.
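The two checks just described (is the port a known Windows service owned by a process you expect, and is the socket bound to the loopback address or to every interface) can be applied automatically to saved netstat output. The Python below is an added example and not code from the book: the sample output is constructed rather than captured, the PIDs are arbitrary, ftpsrv.exe is an invented name standing in for an unauthorised server, and the list of expected owning processes is an assumption about a stock XP workstation, not a Microsoft-published list.

```python
"""Triage of `netstat -an -p tcp -b` output from a Windows XP workstation.

Added example, not code from the book.  SAMPLE is constructed, not a real
capture: the PIDs are arbitrary and ftpsrv.exe is a made-up name standing in
for an unauthorised server.  EXPECTED_OWNERS is an assumed baseline for a
stock XP machine, not a Microsoft-published list.
"""
import re

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1056
  [svchost.exe]
  TCP    0.0.0.0:20202          0.0.0.0:0              LISTENING       1588
  [ftpsrv.exe]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1204
  [alg.exe]
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING       4
  [System]
  TCP    192.168.1.23:3120      192.168.1.5:445        ESTABLISHED     4
  [System]
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")   # the [program.exe] line -b prints under each row

# Ports mentioned in the chapter plus the three Windows opens on every XP machine
KNOWN_PORTS = {
    21: "ftp", 25: "smtp", 80: "http",
    135: "msrpc (Windows)", 139: "netbios-ssn (Windows)", 445: "microsoft-ds/SMB (Windows)",
}
# Assumed baseline of processes that legitimately listen on a stock XP workstation
EXPECTED_OWNERS = {"System", "svchost.exe", "alg.exe", "lsass.exe"}


def parse_netstat(text):
    """Return one dict per TCP/UDP row with the [owner] line that follows it in
    -b output attached.  The indented DLL-chain lines -b sometimes prints are
    neither rows nor owners and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, addr, port, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "addr": addr, "port": int(port),
                         "foreign": foreign, "state": state, "pid": int(pid),
                         "owner": None})
            continue
        o = OWNER.match(line)
        if o and rows and rows[-1]["owner"] is None:
            rows[-1]["owner"] = o.group(1)
    return rows


def review_listeners(rows):
    """Classify every LISTENING socket.  Bound to 127.0.0.1 it cannot be reached
    from the LAN at all; bound to 0.0.0.0 or an interface address it can, and
    is then acceptable only if BOTH the port and the owning program are ones we
    expect (svchost.exe hosts dozens of services, so a familiar name alone
    proves nothing).  Returns sorted (port, addr, owner, service, verdict) tuples."""
    findings = []
    for r in rows:
        if r["state"] != "LISTENING":
            continue
        service = KNOWN_PORTS.get(r["port"], "unknown")
        if r["addr"].startswith("127."):
            verdict = "loopback only"
        elif service.endswith("(Windows)") and r["owner"] in EXPECTED_OWNERS:
            verdict = "expected Windows service"
        else:
            verdict = "INVESTIGATE"
        findings.append((r["port"], r["addr"], r["owner"], service, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, owner, service, verdict in review_listeners(parse_netstat(SAMPLE)):
        print(f"{addr:>15}:{port:<6} {str(owner):<14} {service:<26} {verdict}")
```

Note that port 1027 is flagged even though svchost.exe is a trusted name: a Windows binary hosting an unexpected service is exactly the case that deserves a second look, and the rule errs on that side deliberately.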
If you want to examine port traffic in greater depth there’s a free program available from Microsoft which will log all TCP/IP port access to and from the computer on which it’s installed. This is a very useful diagnostic tool, especially if you’re trying to investigate a possible security problem. A Web search for “Microsoft Port Reporter Tool” will lead you to it.
Ensure that the Internet settings are configured correctly on the computer. From within Internet Explorer, select Internet Options from the Tools menu. On the General tab, in the Temporary Internet Files section, press the Settings button. Set the "amount of disk space to use" to a fairly high value, depending on the amount of hard disk space available. Anything up to 1 GB is good. Not only will this speed up the user's Web browsing, but it will result in a lot of evidence being available for scrutiny if an employee is suspected of having viewed "inappropriate material" on the Web.
Another option on the General tab lets you specify how many days the list of previously-viewed Web sites should be retained for. Again, the larger the value the more evidence you are gathering. This information is normally stored in \Documents and Settings\username\Local Settings\History. Bear in mind that a user can empty both the cache and the history with a couple of clicks from the same dialog, so treat them as a bonus source of evidence rather than a substitute for logging at your proxy or firewall.
All recent versions of Windows support hard disk quotas on NTFS volumes (another reason not to use FAT). This allows you to specify the maximum amount of disk space that each user can occupy. Quotas can be per-user or per-group, and are easy to set up. Right-click on My Computer and choose Manage. Under Storage, click on Disk Management. Then right-click on the required drive, choose Properties, and select the Quota tab. You can set both a quota level and a warning level. For example you might set the quota at 500 MB and the warning at 400 MB, so that the user will receive warnings when his or her space is 80% full. You can also choose what happens once the quota is reached - continue to issue warnings, or deny the user the right to create any new files until he's deleted some existing ones. It's generally not a good idea to use the deny option because there's a real danger that a user will lose work if they have been editing or creating a document and then discover that they have nowhere to save it. Most programs will handle the situation sensibly, but not all do.
Disk quotas are a useful way to prevent one user or department hogging all the space on your file server. It’s also a good way to prevent users from thinking that they can use their disk space at work to hoard MP3 music and downloaded movies. The other option is simply to keep adding new hard disks to your server as demand for storage increases. Although this is easy and cheap in the short term, it becomes less attractive once you factor in the additional costs of managing and backing up all those extra files.
Every file on a Windows-based PC normally has a 3-character extension which identifies its type. Excel spreadsheets end with .XLS, for example, and Word documents have .DOC on the end. Text files use a .TXT extension, and so on. Although file extensions are not 100% reliable (you can rename a .DOC file to .XLS if you want to cause confusion), they are a useful indicator. For reasons best known to itself, Windows XP does its best to hide file extensions from users. When you’re viewing the contents of a directory in Explorer, for example, a file called Personnel Data.XLS will appear merely as Personnel Data. If the directory contains both a .DOC and a .XLS version of the same file, it will appear that there are duplicated names and working out which one to click on in order to open it can be tricky.
By hiding file extensions, Microsoft makes it easy for hackers to disguise the true intent of some files. For example, if someone emails you an attachment called BROCHURE, it’s difficult to tell whether it’s brochure.doc or brochure.exe. If it’s the latter, clicking on it could cause untold damage to your computers because .EXE files are programs rather than simple documents. There are many file types which can contain executable content and which will run a program (possibly an undesirable one) if you click on the filename. The most common is .EXE but there are others. Viruses frequently use a .SCR file to send themselves to unsuspecting users, as most people are not familiar with this file type which is normally used by programs which install a new Windows screen saver.
Because Windows allows filenames that include dots, consider the case of someone emailing a file called BROCHURE.DOC to you. Is this a harmless Word document? Actually, no. It’s an executable file called BROCHURE.DOC.EXE but Windows has removed the extension (the .EXE part).
To avoid becoming a victim of ambiguity, configure all of your Windows workstations to display file extensions as nature intended. In the case of Windows XP, open My Computer and then, from the Tools menu, select Folder Options. On the View tab, clear the "hide extensions for known file types" checkbox. Even then a handful of types (.LNK shortcuts, .PIF, .SHS and .URL among them) are flagged in the registry as never to be shown, and Windows will keep hiding their extensions, so an attachment of one of those types deserves suspicion however its name appears.
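The checks a mail gateway or a cautious user should make on an attachment name can be written down in a few lines. The Python below is an added example and not code from the book: its lists of executable, always-hidden and document extensions are a hand-picked subset of what Windows treats as runnable and of the types flagged as never shown, and the attachment names it examines are invented.

```python
"""Work out what Windows will really do with an attachment name.

Added example, not code from the book.  The extension lists are a hand-picked,
conservative subset of what Windows treats as runnable and of the types flagged
NeverShowExt in the registry; the attachment names in the demo are invented.
"""

# Extensions that run a program when double-clicked (subset of PATHEXT plus
# script hosts, shortcuts and installers)
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse",
                   "wsf", "wsh", "hta", "cpl", "msi", "lnk"}
# Types whose extension Explorer hides even with "hide extensions" switched off
ALWAYS_HIDDEN = {"lnk", "pif", "shs", "shb", "url"}
# Document types an attacker borrows for the inner half of a double extension
DOCUMENT_EXTS = {"doc", "xls", "ppt", "pdf", "txt", "rtf", "jpg", "gif", "zip", "htm"}


def analyse_filename(name):
    """Return (true_ext, displayed_name, verdict).

    true_ext is the LAST extension, the one Windows acts on.  displayed_name is
    what Explorer shows with extension hiding on (for a registered type).  The
    verdict flags the two tricks described above: a document-looking name in
    front of an executable extension, and types whose extension is hidden no
    matter what the user has configured."""
    base = name.rstrip(" .")             # Windows ignores trailing dots and spaces
    parts = base.split(".")
    if len(parts) < 2:
        return ("", name, "no extension")
    true_ext = parts[-1].lower()
    displayed = ".".join(parts[:-1])     # Explorer drops only the final extension
    # strip() defeats the padding trick, e.g. "brochure.doc          .exe"
    inner_ext = parts[-2].strip().lower() if len(parts) > 2 else ""
    if true_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        verdict = "DANGEROUS: executable disguised as a document (double extension)"
    elif true_ext in ALWAYS_HIDDEN:
        verdict = "DANGEROUS: extension hidden even when hiding is off"
    elif true_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    else:
        verdict = "document"
    return (true_ext, displayed, verdict)


def flag_attachments(names):
    """Return the names a mail gateway or user should treat as hostile."""
    return [n for n in names if analyse_filename(n)[2].startswith("DANGEROUS")]


if __name__ == "__main__":
    # Constructed attachment names, not from a real mailbox
    for n in ["BROCHURE.DOC.EXE", "Personnel Data.XLS", "photo.jpg          .scr",
              "invoice.pdf.lnk", "funny.pif", "setup.exe", "README"]:
        print(f"{n!r:32} -> {analyse_filename(n)}")
```

The padding case ("photo.jpg" followed by a run of spaces and ".scr") is worth remembering: with extensions hidden the name appears to end in .jpg, and even with them shown the .scr may be scrolled out of view in a narrow column, which is why the check keys on the last extension and nothing else.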
The database known as the registry is the most important data store on a Windows computer (on disk it lives in a set of "hive" files under \Windows\System32\Config, plus an NTUSER.DAT in each user's profile). Most programs use the registry to store their configuration data, as does Windows itself. Windows ships with a registry editor program called RegEdit that allows a user with sufficient privileges to edit any entry in the registry, or to export the registry to a text file for perusal elsewhere. RegEdit allows you to set access permissions for individual areas of the registry. Few people bother to do this, but it's a very useful technique to help protect a computer. Simply fire up RegEdit, right-click on a particular branch and choose Permissions. By setting the permissions on registry entries you can prevent staff from changing a program's settings, even if that program doesn't have an inbuilt facility that allows you to do this.
Windows is notoriously bad at performing basic housekeeping on the registry, which can result in this critical database becoming fragmented, over-large, and filled with obsolete information that can safely be deleted or archived. Attempting to do this yourself is difficult, because the typical registry contains thousands of entries with meaningless names. Thankfully there are some excellent programs which can do the job for you. My favourite is Registry Mechanic (www.pctools.com), which costs around £20 for a single copy up to £689 for a company-wide site licence.
Eventually a PC reaches the end of its life and upgrading the processor or RAM or hard disk space becomes uneconomical. It's time to throw away the machine and replace it. In many countries, disposing of electronic equipment is not simply a matter of dumping it in the nearest skip, so beware of doing so. You may well be legally required to call upon the services of a specialist contractor who can remove the toxic and/or valuable materials. Alternatively you can give or sell the machine to staff, a local school, a charity, or anyone else. Or even sell it on eBay. Sadly such deeds are often more trouble than they're worth. If money changes hands then it has to be accounted for. If there's a copy of Windows on the hard disk then, technically, you may find that the licence originally supplied with the computer forbids you from reselling it or even giving it away. Applications, too, are normally non-transferable.
Whatever you decide to do with your old computers, it's essential that you wipe all confidential information from the hard disk before the machine leaves your premises. Similar rules apply if you dispose of old hard disks, perhaps because they have been removed from machines that are being upgraded. Simply deleting every data file and then emptying the Windows recycle bin is not sufficient - undeleting files from a hard disk is trivial to anyone who has the correct software. Formatting the hard disk is not sufficient either: a "quick" format only rewrites the file system tables and can be reversed in a couple of seconds, and on Windows XP even a full format merely checks the disk for bad sectors and leaves the data itself in place. Only a program that overwrites every sector will do. There are plenty of programs around that make a thorough job of wiping a hard disk. A web search for hard disk wiping software or secure erasure programs will find lots of them for you. If you fail to use such a program every time you dispose of a hard disk, whether as part of a usable computer or not, you risk hackers (or merely the curious) attempting to read the contents.
Such activity is very common. In 2004, security company Pointsec bought 100 second-hand hard disks on eBay. Each had been wiped, according to the vendors, yet Pointsec was able to recover data from 70 of them. One particular drive, purchased for less than $10, contained information from one of Europe's largest financial services groups including pension plans, customer databases, financial information, payroll records, personnel details, login codes, and administrator passwords for their intranet. There were more than 70 Excel documents of customers' email addresses, dates of birth, their home addresses, telephone numbers and other highly confidential information. Pointsec carried out the exercise purely for publicity, and the news of its discoveries made the TV and newspapers worldwide. In this particular case it was agreed not to name the company whose data-wiping efforts were so lax. The next time it happens, the culprits might not be so lucky.
Your action points for this chapter:
© John Wiley & Sons