10 Things I Like about XP Security
Suspicious of XP’s security features? As you spend quality time together, you’ll get to see its good points—maybe even become friends.
OK, true confessions now. I’m not exactly a Windows XP fan. However,
Scottie, my therapist and personal trainer, says any relationship should
be based on trust, and the only way to develop trust is to spend some
time, share some secrets and see what happens. So I’ve invited XP on a
few dates in hopes that with a bit of nurture our camaraderie might grow.
At this point I feel we’re at stage three, and while I’m not sure that
I want this to be a long-term intimate experience, I do have some interesting
things to report.
In Stage One (before XP was really ready to leave its close-knit family—and
the childhood salutation “beta”), my perception was that XP was an end-user
interface for Windows 2000 Professional: Great for the home user (about
time they had some basic file system security and other security features),
but not worth upgrading to.
Stage Two occurred when XP and I decided on a live-in arrangement and
signed an agreement that outlines, basically, how I won’t abuse XP or
share him with another. As we worked together, I became increasingly annoyed
by his chatty messages. “Activate me”; “Would you like to get a passport?”;
“May I get you a drink?” (Maybe that’s a paraphrase, but having XP around
was really like talking to Clippy on steroids.)
Little did I know that the obsequious behavior was a cover-up for all
kinds of undercover activity. I’m speaking of XP’s ability to do things
for me that I’m perfectly capable of doing for myself. Like his use of
Universal Plug and Play (UPnP) to seek out and connect with UPnP devices
such as printers. I know it’s hard for many users to do this on their
own and a bit of a pain for admins to manage, but I don’t like the idea
of something just occurring. After all, someone might figure out a way
to turn XP’s “a-stranger-is-just-a-friend-you-haven’t-met-yet” mentality
into a successful attack :-) ... (See "Q311311:
Invalid Universal Plug and Play Request Can Disrupt Computer Operation"
for just such a possiblity). Scottie says that’s a symptom of my obsessive/compulsive
controlling behavior; but truly, it’s a bit perturbing to find that your
lowly desktop is trying to communicate with other computers on the Internet.
(I don’t like the idea that he’s trying to connect with anyone I haven’t
told him he can connect with, even if it’s daddy Bill’s automatic update
service trying to arrange silently for patches and updates.)
Stage Three began when I stopped following Scottie’s advice and started
following my instincts. This isn’t the ’60s, and relationships can’t be
built on, “You do your thing and I’ll do mine and if we can do them together,
that’s beautiful.” Roberta’s first rule: Unlike children and desirable
human relationships, operating systems do come with instruction books.
Use them. Here’s what I discovered, tested and found handy.
1. Internet Connection Firewall
Wow! A built-in firewall. What a concept! (And why haven’t we seen this
before now?) While XP’s firewall is no excuse for managing your network
perimeter defenses in a more sophisticated manner, it’s great for those
times when you grab the laptop and hit the road. And what about all those
thousands of telecommuters, sales folks and others who just see their
computers as tools? XP’s firewall is basic. Turn it on or off—because
that’s almost all you can do. (See Figure 1.)
|Figure 1. The Internet Connection Firewall is
quite handy—if you know when to use it.
You can even configure it via group policy so it’s automatically enabled
when the domain controller can’t be reached. It’s important to remember
when it’s enabled; I’ve seen experienced, intelligent techies forget they
have the firewall on and attempt to connect with a buddy to share files.
I’ve also seen them enable it on their network, only to be chagrined when
they discover that’s the reason they can’t connect to the DC. I haven’t
read any side-by-side comparisons with commercial versions of personal
firewalls, but there’s at least two things in its favor: It’s there and
Be aware that XP’s firewall can be configured to allow the publishing
of a Web server behind it. You’ll want to make sure users can’t do this.
2. Force Guest
Ordinarily it doesn’t matter how carefully you secure network resources;
if a malicious individual obtains the user ID and password of some privileged
user, he or she is that user, including mapping to a drive and accessing
any resource ACL’d for that user. What if you could reduce the power and
access of any would-be network connector? What if it didn’t matter whether
the user ID and password belonged to the Administrator, because access
would still be only that ascribed to the Guest account? You can configure
this with XP.
If properly set up, XP will reduce to Guest status the authority of a
network connection authenticated by a local XP account database account.
Because the Guest account is limited to minimal access (and you’re not
going to change this, right?), the danger of successful attacks via compromised
local accounts is limited. So, if someone managed to obtain the local
Administrator account password and mapped a drive to such an XP system,
he or she wouldn’t be able to perform normal administrative duties nor
have access to files the Administrator would ordinarily have.
Configuration options for this vary. For an XP system not in a domain,
you can select the “Guest-only” security model, which allows only Guest
access across the network. Normal—or classic security model access—can
be restored if you desire. XP systems that are domain members can be configured
using group policy to “force network logons using local accounts to authenticate
as Guest. This means that, like the standalone system, local XP security
database accounts will only be allowed Guest access when used across the
network. Domain-level accounts will function normally. Local account access
is normal in either case, when the user sits at the console.
This offers the best of both worlds. If, for some reason, you must use
local accounts, you can; but knowledge of them and their passwords gives
an attacker no advantage when he or she doesn’t have physical access to
3. Blank Password Problem
We all know these shouldn’t be allowed, but sooner or later you’re going
to find an XP box set up and maintained by someone less observant than
you. Or maybe your users use personal machines to connect to your network
from home. By default, local accounts with blank passwords can’t be used
to access computers over the network! You can only use them when logging
on from the console. You can’t even use RunAs and use them to start a
program. There’s an exception, of course: An enabled Guest account with
a blank password can be used across the network. Note that this only applies
to local accounts. If your security policy allows—or your domain admins
so configure—domain accounts with blank passwords can still be used for
4. Anonymous Risks Reduced
Remember when you discovered that the Everyone group includes anonymous
users—those who connected to the computer using a null user account name,
domain and password? These anonymous users have access identical to the
Everyone group. In previous versions of Windows, that was a lot of access
to be granting unknown and potentially hateful creatures. XP doesn’t include
anonymous users in the Everyone group, lessening the potential impact
of this type of access. You can give the anonymous logon explicit access
to resources. This allows services and processes that must connect anonymously
to do so—but this access is more closely under your control.
You should also be aware that it’s possible to make a registry entry
and return the anonymous logon to Everyone group membership. This configuration
may be necessary to allow some Win2K applications work. However, it also
opens the possibility that some Trojan horse introduced in the next battle
for Internet supremacy will flip this bit and return your XP system to
the legacy security model.
I’ll not repeat the location for “EveryoneMeansAnonymous,” so as not
to tempt some lazy Trojan writer (see how silly we’re getting when we
attempt to restrict the free flow of information?). You can set it in
the preferred mode for your systems by using the local security policy
or group policy in your domain.
What’s more, XP has three security policy statements that limit information
available via anonymous access. Use combinations of these policies to
restrict anonymous access. By default, shares can be enumerated, users
can’t. For the typical XP user whose machine isn’t on the network, this
may be perfect. My recommendation would be to disable all three:
- Allow Anonymous SID/Name translation: When enabled, an anonymous
connection would allow the use of known SIDs (such as that for the Administrator
account) to determine user IDs. This policy is disabled by default.
- Don’t allow anonymous enumeration of accounts: Enabled by
default, this policy keeps an anonymous connection from being able to
list the members of your account database.
- Don’t allow anonymous enumeration of accounts and shares:
Disabled by default, this policy allows the listing of accounts and
network shares. When the previous policy is enabled and this policy
disabled, shares may be enumerated, but not user accounts.
5. Password Resets and the Encrypting File System
You’ve probably heard my EFS rant—you know, the one where I tell you to
disable it until you can properly implement a Public Key Infrastructure?
XP has some additional issues that make me scream even louder, including
this one: It pays no attention to your Win2K group policy settings, which
disable EFS in Win2K. As you’ll recall from my last column, changes to
PKI in .NET give you even better control over EFS, but until then you
need to disable EFS at the desktop level.
If this isn’t an option, and you or your users must have the ability
to encrypt files, you should make sure they have proper instruction, including
how to archive their encryption keys. In addition, you should be aware
of the disaster looming if an Administrator resets the user’s password.
In XP, this forced reset removes coupling between user ID/password and
the ability to decrypt EFS-encrypted files. This prevents a rogue administrator
from resetting the user’s password, logging on as the user, and reading
the encrypted files. I like this!
To those of you who argue that the Administrator account is the de facto
recovery agent and doesn’t have to log on as the user, remember, best
practices advise that this should be changed. Unfortunately, once an administrator
resets the user’s password, even the legitimate user will be locked out
of encrypted files. XP does provide a solution. Access to the files can
be recovered by the user either by changing the password back to the previous
one or by using the password reset disk.
6. Restore Points
So now that XP and I are getting along a little better, Scottie thinks
I’m not spending enough time with him. “Well,” I said, “at least XP remembers
those places I like to go to.” Haven’t you ever wished you could take
back some hasty words or return to a point in a relationship before things
started to go south? XP allows this kind of time travel; in fact, he encourages
it. Whenever you start to make some major change, like installing a new
device driver, XP stops and records system status prior to the change.
If things aren’t improved by your change, XP allows you to restore the
system to the way things were, as shown in Figure 2.
|Figure 2. Restore Point administration is done
through XP’s Help and Support Center. (Click image to view larger version.)
Restore points isn’t a replacement for backup; you can’t restore your
data this way. You are, however, provided with some hope of recovery.
To feel really secure, create your own restore points prior to that big
registry mod, device driver install or click of that unknown attachment.
7. Support for 802.1x
Sure, wireless connectivity is a good thing—until you realize that all
that data floating around among computers is like secrets at a spy convention.
So then you try to protect it through encryption. That may sound secure,
but it really isn’t if you’re using the Wireless Encryption Protocol (WEP).
Turns out there are multiple problems with WEP, including the use of a
single, pre-shared key (the same key for many workstations), the lack
of a key management strategy, lack of authentication practices and generalized
impracticability for large wireless installations.
IEEE standard 802.1x, supported by XP, introduces a range of possibilities
for better security. Among these are the use of unique keys for each workstation,
frequent re-keying (rapid changing of encryption keys), the use of PKI
for authentication, user authentication, authorization and accounting
(think RADIUS, certificates and smart cards). 802.1x uses an authenticator/supplicant
model. (Oh, XP, how I love it when you talk like that.)
8. Credentials Management
Down at Blockbuster, Scottie wanted me to rent him a Jet Li movie. As
I searched for my cash, plastic cards fell from my wallet and scattered
on the floor. Along with the Visa, American Express and MasterCard, there’s
AARP, American Airlines, United Airlines, Delta, Marriott, Hilton, Kirksville
Motorcycle Club and multitudes more. Like an early Novell administrator
and most people engaged in working the Web, my personal credentials are
obviously out of control. While it’s impossible to have one piece of plastic
these days, advances in technology have meant we’re approaching single-sign-on
nirvana. But having one user ID and password isn’t always a good idea.
It can reduce security risks if the alternative is providing a user with
so many passwords and IDs that he or she must write them down. However,
it’s also a security risk, as an attacker need only know this single sign-on
to have access to everything. Like anything else, credentials management
is a balancing act. Things are also complicated by the numerous accounts
the average person accumulates when using the Internet. Without some secure
way to manage them, we’re easy targets for abuse and misuse. XP’s got
Control Panel | User Accounts, which can be used to manage NTLM, Kerberos,
Passport and SSL authentication credentials, builds on the past. Like
Windows NT and Win2K, XP stores these items in a secure area of the user
profile. XP, however, allows you to add, delete and manage them manually.
Here’s where it can add that .NET credential created in a past life; this
also makes modifying the information in the Passport easy. You can modify
your stats and even refuse to share information about yourself with a
Web site. Users can only manage their credentials and, in an enterprise,
be prevented from or allowed to manipulate credentials via group policy.
9. Password Reset Disk
Forgetting passwords is the most common computer-related gotcha for users.
In an enterprise, there are policies and procedures and technology that
allows for password resets. In the single system or workgroup setting,
this problem is magnified, as there may be only one user of the system.
I’m sure there are going to be many instances of users forgetting their
XP passwords and not being able to get at their data. XP allows those
users to create a password reset disk. This “Get out of Jail Free” card
can only be made for local accounts, and only by someone logged on using
that account. It doesn’t store the password; instead, making the disk
creates a private and public key pair. The user’s password is encrypted
using the public key and stored on the computer separately from the SAM.
The private key is only stored on the disk.
Sounds simple, doesn’t it? Now all we have to do is teach them to create
the disk before they need it and to store it in a safe, secure place.
10. Shadow Copy
Everyone knows a good backup is like that expensive long-term care
policy you should buy: not much good until you need it and you hope you
never will, but if you do need it and don’t have it, you’ll be out on
the street. We also know that some files may be missed in the typical
backup, because some files are open. Backup programs don’t back up open
Enter shadow backup. Because XP’s shadow backup makes a snapshot of the
disk and then proceeds to back up from the snapshot to tape, open file
issues are a thing of the past. Be aware, though, that some free disk
space is required; if it’s unavailable, a normal—not shadow copy—backup
will occur. You can also turn shadow copy off when, for instance, you
only want a file or two and don’t want to wait for the entire disk to
Your Keys—Or Else!
|If you think my EFS warning an overreaction,
tell it to the businessman who wrote me recently. It seems
he had years of business records encrypted on his disk
and no backup in unencrypted form. His profile was damaged
and he decided to format the disk and reinstall Windows.
When he restored his files from backup, he had lost access
to them. Neither his profile, nor that of the Administrator
account, was backed up. He’d never archived his keys.
Seems he’d read some article on the Internet (not in this
magazine) that told him file recovery wasn’t easy but
was possible. Unfortunately, without either his or the
recovery agent’s private keys, there was no recovery available,
short of a brute-force hack; the use of some forensics
tools; or low-level disk editing, which might discover
fragments of the data stored originally in clear text
and not overwritten by time, cipher or his disk formats.
No, he wasn’t a happy camper.
Now that XP and I have become bosom buddies, I sorta miss the little guy
when I’m away. There’s a lot more I need to test and explore, and a lot
more I’d like to tell you about. My goodness, I haven’t even talked about
XP’s software restriction policies, how to disable or control his extroverted
tendencies, the hundreds of new local and group policy settings or how
this all fits in with Windows .NET. Scottie’s rolling his eyes now, however,
and it’s time for my workout. (Maybe I can convince him we need to watch
“The One” instead.) Until next month.