
7.6. Securing Your System on a Network

Security is a very real concern for any computer connected to a network or the Internet. There are three main categories of security threats:


A deliberate, targeted attack through your network connection

Ironically, this is the type of attack most people fear, even though realistically, it is the least likely to occur, at least where home and small office networks are concerned. It's possible for a so-called hacker to obtain access to your computer, either through your Internet connection or from another computer on your local network; it's just not terribly likely that such a hacker will bother.


An automated invasion by a virus, worm, Trojan horse, or robot

A virus is simply a computer program that is designed to duplicate itself with the purpose of infecting as many computers as possible. If your computer is infected by a virus, it may use your network connection to infect other computers; likewise, if another computer on your network is infected, your computer is vulnerable to infection. The same goes for Internet connections, although the method of transport in this case is typically an infected email message. (See Chapter 6 for complete coverage of viruses, worms, Trojan horses, and spyware.)

There also exist so-called robots, programs that are designed to scan large groups of IP addresses, looking for vulnerabilities. The motive for such a program can be anything from exploitation of credit card numbers or other sensitive information to the hijack of computers for the purpose of distributing spam, viruses, or extreme right-wing propaganda.

Finally, a Trojan horse is a program that works somewhat like a virus, except that its specific purpose is to create vulnerabilities in your computer that can subsequently be exploited by a hacker or robot. For example, a program might open a port on your computer (see Appendix C) and then communicate with a remote system to announce its presence.


A deliberate attack by a person sitting at your computer

A person who sits down at your computer can easily gain access to sensitive information, including your documents, email, and even various passwords stored by your web browser. An intruder can be anyone, from the jerk who has just stolen your laptop to a coworker casually walking by your unattended desk. Naturally, it's up to you to determine the actual likelihood of such a threat and to take the appropriate measures (such as password-protecting your screen saver). Several examples are discussed in Chapter 8.

Defending your computer (and your network) against these attacks essentially involves fixing the vulnerabilities they exploit, as described in the next section.

See Section 7.5.3, earlier in this chapter, for ways to protect your computer and your workgroup if you're using someone else's Internet connection.


7.6.1. Closing Back Doors in Windows XP

Windows XP includes several features that will enable you to implement a reasonable level of security without purchasing additional software or hardware. Unfortunately, none of these features are properly configured by default.

The following steps will help you close some of these "back doors":

  • By default, the file-sharing service is enabled for Internet connections, but in most cases, there's no reason for this. Open the Network Connections window, right-click the icon corresponding to your Internet connection, and select Properties. In the General tab, clear the checkmark next to the File and Printer Sharing for Microsoft Networks entry, and then click OK. If you have more than one Internet connection icon, repeat this procedure for each of the others. Make sure to leave it enabled for the connection to your workgroup (if applicable).

  • One of the main reasons to set up a workgroup is to share files and printers with other computers. But it's wise to share only those folders that need to be shared, and disable sharing for all others.

    A feature called Simple File Sharing, which could allow anyone, anywhere, to access your personal files without your knowledge, is turned on by default in Windows XP. Go to Control Panel Use simple file sharing option.

    Details on sharing resources can be found in Chapter 8.

  • Another feature, called Universal Plug and Play (UPnP), can open additional vulnerabilities on your system. UPnP would more aptly be called Network Plug and Play, since it only deals with network devices. UPnP is a collection of standards that allow such devices to announce their presence to UPnP servers on your network, much in the same way as your PnP sound card announces its presence to Windows when you boot your system.

    Windows XP supports UPnP out of the box, which, on the surface, sounds like a good idea. However, UPnP is a service that most users don't need, and unless you specifically need to connect to a UPnP device on your network, you should disable UPnP on your system immediately. Leaving a service like UPnP running unnecessarily exposes your system to several security threats.

    To disable UPnP, open the Services window (services.msc). Find the SSDP Discovery Service in the list and double-click it. Click Stop to stop the service, and change the Startup type to Disabled to prevent it from loading the next time Windows starts. Click OK and then do the same for the Universal Plug and Play Device Host. Close the Services window when you're done.

  • The Remote Desktop feature, described in Section 7.4.3, earlier in this chapter, is enabled by default in Windows XP. Unless you specifically need this feature, it should be disabled. Go to Control Panel System

  • Make sure each and every user account on your system has a unique password. Even though you may not be concerned about security between users, unprotected accounts can be exploited by an attack over a network. See Chapter 8 for more information on user accounts.

  • Set up a firewall, as described in the next section, to further protect your computer by strictly controlling network traffic into and out of your computer.

  • Finally, look for vulnerabilities in your system by scanning for open ports, as explained at the end of this chapter.

7.6.2. Using the Windows Security Center

Next to the new wireless support highlighted in Section 7.5.2 earlier in this chapter, one of the biggest changes in Windows XP Service Pack 2 is the addition of the Windows Security Center, shown in Figure 7-25. You can get to the Security Center from the Windows Control Panel.

Figure 7-25. The new Security Center that comes with Service Pack 2 goes a long way to make Windows appear safer (not that it does anything to actually improve security . . . )


The Windows Security Center, unfortunately, is big on appearances and short on functionality. In fact, it's dangerous in that it may lull users into a false sense of security (it's effectively a placebo). The Security Center does nothing more than report the status of these three so-called "security essentials":


Firewall

The Windows Firewall, discussed in the next section, is the firewall software built into Windows XP SP2. If you're already using firewall software, or are relying on a router to protect your network, click Recommendations and then turn on the I have a firewall solution that I'll monitor myself option. Click OK, and the firewall status will change to NOT MONITORED.


Automatic Updates

The Automatic Updates feature is responsible for periodically contacting Microsoft to see if new Windows updates are available. In its most automated setting, Windows downloads and installs so-called "high priority" updates automatically. (Others, falling under the "optional" and "hardware" categories, will only be installed if you do so manually.) You can configure this setting by going to Control Panel


Virus Protection

This one's funny, because Windows XP doesn't come with antivirus software of any kind, nor is it able to scan your system and confirm that any antivirus software is actually installed and functioning! Rather, it simply reports whether or not antivirus software has been properly registered with the Security Center. (And of course, it won't take long for someone to figure out how to spoof the Security Center and report that your system is protected when it actually isn't.) See Chapter 6 for effective ways to protect your system against viruses and the like.

Some newer antivirus software may support the Security Center, but you may not want to start hunting for such products just yet. The Security Center has been known to initiate virus scans unnecessarily, including for some users every time Windows starts. Even if you already have Security Center-aware antivirus software installed, you may wish to disable monitoring for this reason. Click Recommendations and then turn on the I have an antivirus program that I'll monitor myself option. Click OK, and the antivirus status will change to NOT MONITORED. See the Disable the Security Center sidebar for another solution.


Disable the Security Center

If you find that the Security Center is hassling you with unnecessary scans and warning messages, your only resort may be to disable it completely. Here's how to do it:

  1. Open the Services window (services.msc).

  2. Locate Security Center in the list, double click it, and change the Startup type to Disabled.

  3. Click OK and close the Services window when you're done.

Note that this doesn't actually disable the firewall, antivirus, or automatic updates features you may have employed, only the "monitoring" effects of the Windows Security Center.


So, if you really want to protect your system, you'll basically ignore the Security Center and scrutinize each of these "essentials" individually. See the next section, for instance, for help setting up the Windows Firewall.

7.6.2.1 Setting up the Windows Firewall

A firewall is a layer of protection that permits or denies network communication based on a predefined set of rules. These rules restrict communication so that only certain applications are permitted to use your network connection. This effectively closes backdoors to your computer that otherwise might be exploited by viruses, hackers, and other malicious applications.

The Windows Firewall is the firewall software built into Windows XP Service Pack 2. It replaces the nearly worthless Internet Connection Firewall (ICF) found in earlier versions of Windows XP; while it's better than its predecessor, it's not nearly as effective as a router. See Section 7.1.2 and Section 7.5.1, both earlier in this chapter, for more information on routers.

The Windows Firewall only blocks incoming data, not outgoing data. This means that, by default, it will not allow you to host an FTP server, but it won't hinder your ability to connect to other, remote FTP servers. See "Alternatives to the Windows Firewall," later in this chapter, for other solutions that may provide better protection.


To illustrate the difference between the security offered by the Windows Firewall and that afforded by a router, consider Figure 7-26.

Figure 7-26. The larger dotted box shows the scope of protection offered by a router; the smaller box shows the scope of the Windows Firewall


The larger dotted rectangle shows what's protected by your router's firewall, and the smaller rectangle shows what's protected by Windows. In addition to the larger scope of the router's protection, it's also much less likely to be compromised than a software-based solution like the Windows Firewall.

Now, assuming you've bought the previous argument, you might think that more firewall is better, that using Windows Firewall along with a router will protect your system better than a router alone. The problem with this approach is that, again referring to Figure 7-26, the Windows Firewall isolates your PC somewhat from the other computers in your workgroup. This causes real problems when you try to share files across your workgroup, among other things.

Now, there is the chance that another computer in your workgroup can become infected with a virus (presumably through someone else's carelessness) and then infect yours if you're not using the Windows Firewall. Naturally, you'll need to assess the risk of such an attack and decide for yourself if enabling the Windows Firewall is worth the hassle.

If you're not using a router or other firewall solution, the Windows Firewall is better than nothing. For instance, you'll definitely want to employ a firewall to protect you if you're "roaming" on a portable computer and connecting to an unknown or public wireless connection.


Should you decide to use the Windows Firewall, here's how to enable it:

  1. Open the Network Connections window.

  2. If you haven't already done so, select Details from the View menu; this will allow you to see which connections are firewalled (and which aren't) at a glance.

  3. Right-click the connection icon corresponding to your Internet connection, and select Properties. In most cases, it will be the Ethernet or wireless adapter connected to your Internet adapter or router.

    If you're using a DSL or cable connection that requires a login with a username or password, the icon to use is the broadband connection icon corresponding to your PPPoE connection. See Section 7.3.1.2, earlier in this chapter, for further instructions.


  4. Choose the Advanced tab, and click the Settings button in the Windows Firewall section. The Windows Firewall window is shown in Figure 7-27.

    Figure 7-27. The new Windows Firewall included in Service Pack 2 has a simpler interface and is more configurable than its predecessor, the Internet Connection Firewall


  5. Click On to enable the Windows Firewall, or Off to disable it.

  6. By default, Windows will apply the firewall to all network connections as soon as you enable it for any single connection. Since it's unlikely that this is what you want, choose the Advanced tab and remove the checkmarks next to the connections you don't need to protect. For instance, turn off the firewall for your 1394 Connection (Firewire), unless you want Windows to block data from your FireWire camcorder.

  7. Windows XP does not log communication blocked by its firewall, unless you specifically request it to do so. To enable firewall logging, choose the Advanced tab, click Settings in the Security Logging section, and turn on the Log dropped packets option. The log is simply a text file that can be opened in your favorite text editor (or Notepad); by default, it's stored in \Windows\pfirewall.log.

  8. Click OK, and then OK again when you're done. The change will take effect immediately (or at least after a several-second delay).

Verify that Internet Connection Sharing is enabled; it should say "Enabled, Firewalled" or "Enabled, Shared, Firewalled" in the Type column of the Network Connections window.

The real test, however, is to see if the Windows Firewall has broken anything. Verify that your Internet connection still works by attempting to open a web page.
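Once logging is switched on in step 7, the pfirewall.log file is the one record of what the Windows Firewall is actually blocking, so it is worth reading it with something better than Notepad. The following is an added example, not code from the book: a small Python parser that summarizes dropped inbound packets by destination port and counts how many distinct sources hit each one. It assumes the W3C-style layout the firewall writes (comment lines beginning with "#", a "#Fields:" line naming the columns, then one space-separated record per packet); the column names are read from that header rather than hard-coded, so a log with a slightly different field list still parses. The log lines embedded below are constructed for the example and do not come from a real machine.

```python
"""Summarize dropped inbound traffic from a Windows Firewall log (pfirewall.log).

Added example, not from the book. Assumes the log layout Windows Firewall writes:
'#' comment lines, one of them a '#Fields:' header naming the columns, followed by
one space-separated record per packet. The sample records are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample log (documentation-range addresses, made-up timestamps).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-03-01 09:12:01 DROP TCP 203.0.113.7 192.168.1.10 3345 445 48 S 1523345 0 65535 - - - RECEIVE
2005-03-01 09:12:03 DROP TCP 203.0.113.7 192.168.1.10 3346 135 48 S 1523399 0 65535 - - - RECEIVE
2005-03-01 09:12:09 DROP TCP 198.51.100.22 192.168.1.10 1054 445 48 S 8812000 0 16384 - - - RECEIVE
2005-03-01 09:13:40 OPEN TCP 192.168.1.10 192.0.2.80 1055 80 0 - 0 0 0 - - - SEND
2005-03-01 09:14:02 DROP UDP 198.51.100.22 192.168.1.10 1056 1434 404 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue  # blank line or other comment
        if fields is None:
            raise ValueError("record found before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: the firewall may still be writing the file
        yield dict(zip(fields, values))


def dropped_inbound_summary(text):
    """Return {"PROTO/dst-port": (drop count, distinct source count)} for inbound drops.

    Only DROP records on the RECEIVE path count; OPEN/CLOSE records and anything
    the machine itself sent (SEND) are left out, since those are not blocked traffic.
    """
    drops = Counter()
    sources = defaultdict(set)
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue
        key = f'{rec["protocol"]}/{rec["dst-port"]}'
        drops[key] += 1
        sources[key].add(rec["src-ip"])
    return {key: (count, len(sources[key])) for key, count in drops.items()}


if __name__ == "__main__":
    # Most-hit ports first; a port dropped many times from many sources is being probed.
    summary = dropped_inbound_summary(SAMPLE_LOG)
    for port, (count, nsrc) in sorted(summary.items(), key=lambda kv: -kv[1][0]):
        print(f"{port:10s} dropped {count:3d} time(s) from {nsrc} source(s)")
```

To run it against a real log, read \Windows\pfirewall.log into a string and pass it to dropped_inbound_summary in place of SAMPLE_LOG. A port that shows up with many drops from many sources is one worth checking against the Active Connections listing described later in this chapter to confirm nothing on the machine is actually listening there.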

7.6.2.2 Poking holes in the firewall

As you use your computer, you may find that a particular network program or task no longer works properly after enabling the Windows Firewall (or after installing SP2). For example, you may lose your ability to access shared files and folders (as described in Chapter 8) when the firewall is activated. Or, if you use the Internet Time feature (Control Panel

When Service Pack 2 was initially released, it got a bad rap for breaking many different kinds of network-sensitive applications. In reality, this was simply due to the firewall doing what it was designed to do, combined with the fact that it has different exceptions than its predecessor, the Internet Connection Firewall.


If you suspect that the Windows Firewall is preventing an application from working, verify that the firewall is actually causing the problem by temporarily disabling it (as described in the previous section) and then trying the task again.

Assuming the firewall is indeed the culprit, you can add a new rule to permit the program to communicate over your Internet connection.

  1. Open the Network Connections window.

  2. Right-click the connection icon corresponding to your Internet connection, select Properties, and choose the Exceptions tab.

  3. There will likely be a few entries already present in your Programs and Services list, shown in Figure 7-28.

    Figure 7-28. The Exceptions tab lists the programs and services permitted to receive data through all your network connections


    This dialog can be a little misleading. Placing a checkmark next to an entry here won't turn on the service, but rather only lift the firewall's restriction for that service. Open the Services window (services.msc) to actually enable or disable services like the FTP server or Telnet server on your system.


  4. At this point, you can modify an existing exception by highlighting it and clicking Edit, but you're here to add a new exception, so click one of the Add buttons:


    Add Program

    Use this to give a specific application free rein over your Internet connection. This is the easiest way to fix an application that has been broken by the Windows Firewall's restrictions. Just select an application from the list, or click Browse to choose one anywhere on your hard disk.


    Add Port

    Click Add Port to create a new rule based on a TCP/IP port. Use this to permit incoming data based on the type of data, as opposed to the application that uses the data. Type a Name for the new exception (it can be anything you want) and then specify a Port number, as illustrated in Figure 7-29. For instance, type 123 here to get the Internet Time feature to work. See Appendix C for more information on TCP/IP port numbers.

    Figure 7-29. Add a new rule to the Windows Firewall to permit certain types of incoming data


  5. Click OK when you're done. Place a checkmark next to the new exception to activate it, or clear the checkmark at any time to ignore it.

  6. Click OK to close the Windows Firewall window, and then click OK to close the properties window.

The new exception will take effect as soon as all the windows are closed, at which point you can test the new exception. You may have to experiment with different firewall rules until your software or service works properly.

The Windows Firewall in SP2 only maintains one list of exceptions. This means that if you have more than one network connection, you won't be able to enable some services for one connection while blocking those same services for another connection. This is yet another reason that you shouldn't rely solely on the Windows Firewall to protect your computer.


7.6.2.3 Alternatives to the Windows Firewall

Strictly speaking, the Windows Firewall is pretty feeble. For example, it's only capable of blocking incoming communication; it won't block any communication originating from your computer, which means it may not protect you (or the other computers on your network) from viruses and Trojan horses (described in Chapter 6). It's also incapable of allowing incoming data from some remote computers while restricting data from others, which means that in order to enable a service, such as file sharing (explained in Section 7.6.2.2, earlier), for one computer, you'll have to enable it for any and every computer that has access to your PC.

Probably the best firewall available, at least one that's reasonably affordable, is that built into an ordinary router, described in Section 7.1.2 and Section 7.5.1, earlier in this chapter. In addition to protecting your Windows XP machine, however, a router will also protect all the computers on your network from a single interface, which means that you don't have to install and configure a firewall on each computer individually.

There are also third-party firewall software products available for Windows XP, all of which promise to do a better job protecting your PC than the Windows Firewall.

Be careful, however, when installing and configuring a third-party firewall solution, including the ones discussed here. Overly strict firewall rules may break some software on your system. Worse yet, overly lenient rules may not protect your computer adequately and give you a false sense of security.


Here are a few third-party firewall solutions, most of which have free versions available:

Agnitum Outpost. http://www.agnitum.com

Kerio Personal Firewall. http://www.kerio.com

Norton Personal Firewall. http://www.symantec.com

Sygate Personal Firewall. http://soho.sygate.com

Tiny Firewall. http://www.tinysoftware.com

No matter which firewall solution you choose, however, you'll most likely still need to take the time to configure custom rules using a similar procedure to the one described earlier in this section. For example, a common problem when installing an incorrectly configured firewall is that images will stop appearing in web pages, a situation that can be remedied by massaging the firewall's settings.

If you're currently using another firewall solution, such as firewall software or a firewall-enabled router, you'll probably want to disable the Windows Firewall. Although some people claim to have successfully used the Windows Firewall in conjunction with one of the third-party firewalls listed here, you're essentially asking for trouble if you do so.


7.6.3. Scan Your System for Open Ports

Each open network port on your computer is a potential security vulnerability, and Windows XP's tendency to leave more ports open than it needs is a common cause for concern (even with XP Service Pack 2). Fortunately, there's a way to scan your computer for open ports so you know which holes to patch.

Start by opening a Command Prompt window (cmd.exe). Then, run the Active Connections utility by typing:

netstat /a /o

The /a option is included so that all open ports are shown. Without it, only ports participating in active connections would appear. The /o option instructs the Active Connections utility to show the owning process of each port (explained below). The report will be displayed in the Command Prompt window, and will look something like this:

Active Connections

  Proto  Local Address     Foreign Address            State          PID
  TCP    annoy:pop3        localhost:4219             TIME_WAIT        0
  TCP    annoy:3613        javascript-of-unknown:0    LISTENING     1100
  TCP    annoy:3613        localhost:3614             ESTABLISHED   1100
  TCP    annoy:3614        localhost:3613             ESTABLISHED   1100
  UDP    annoy:1035        *:*                                      1588
  UDP    annoy:1036        *:*                                      1588
  UDP    annoy:1037        *:*                                      1588
  UDP    annoy:1038        *:*                                      1588
  UDP    annoy:1039        *:*                                      1588

The width of the Command Prompt window is typically limited to 80 characters, causing some pretty ugly word wrapping. To send the report to a text file (say, report.txt) for easier viewing, type netstat /a /o > report.txt at the prompt.


The Active Connections utility displays information in these five columns:


Proto

This will either be TCP or UDP, representing the protocol being used, as explained in Appendix C.


Local Address

This column has two components, separated by a colon. The first part is the computer name, which will typically be the name of your computer. The second part will be either a port number or the name of a service. See Appendix C for help deciphering the port numbers that appear here (and in the Foreign Address column).


Foreign Address

For active connections, this will be the name or IP address of the remote machine, followed by a colon, and then the port number being used. For inactive connections (showing only the open ports), you'll typically see only *:*.


State

This shows the state of the connection (TCP ports only). For example, for server processes, you'll usually see LISTENING here, signifying that the process has opened the port and is waiting for an incoming connection.

For connections originating from your computer, such as a web browser downloading a page or an active Telnet session, you'll see ESTABLISHED here.


PID

This is the Process Identifier of the application or service that is responsible for opening the port.

To find out more, open Task Manager (launch taskmgr.exe or right-click an empty area of your taskbar and select Task Manager), and choose the Processes tab. If you don't see a column labelled PID, go to View PID (Process Identifier) option, and click OK. Finally, turn on the Show processes from all users option at the bottom of the Windows Task Manager window.

You can then sort the listing by PID by clicking the PID column header. The program filename is shown in the Image Name column.

This means that you can use the Active Connections utility in conjunction with the Windows Task Manager, as described here, to look up the program responsible for opening any network port on your computer.

Don't be alarmed if you see a lot of open ports. Just make sure you thoroughly track down each one, making sure it doesn't pose a security threat.


You may see svchost.exe listed in the Windows Task Manager, and reported by the Active Connections utility as being responsible for one or more open ports. This program is merely used to start the services listed in the Services window (services.msc). For an example of a service that is running by default, but should be disabled for security reasons, see the discussion of Universal Plug and Play in Section 7.6.1, earlier in this chapter.
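Cross-referencing every PID in the netstat report against Task Manager by hand gets tedious on a machine with dozens of open ports. The following is an added example, not code from the book: a Python script that parses the `netstat /a /o` report and groups the ports open for incoming traffic (LISTENING TCP sockets and all UDP sockets) by the owning program. The report embedded below is the chapter's own listing; the PID-to-image-name map standing in for Task Manager's Processes tab is constructed for the example (PID 0 really is the System Idle Process on Windows, the other two names are made up).

```python
"""Attribute open ports in a `netstat /a /o` report to the processes that own them.

Added example, not from the book. It automates the netstat-plus-Task-Manager lookup
the chapter describes. NETSTAT_REPORT is the chapter's listing; TASK_MANAGER_PIDS is
a constructed stand-in for the PID and Image Name columns of Task Manager.
"""
from collections import defaultdict
from dataclasses import dataclass

NETSTAT_REPORT = """\
Active Connections

  Proto  Local Address     Foreign Address            State          PID
  TCP    annoy:pop3        localhost:4219             TIME_WAIT        0
  TCP    annoy:3613        javascript-of-unknown:0    LISTENING     1100
  TCP    annoy:3613        localhost:3614             ESTABLISHED   1100
  TCP    annoy:3614        localhost:3613             ESTABLISHED   1100
  UDP    annoy:1035        *:*                                      1588
  UDP    annoy:1036        *:*                                      1588
"""

# Constructed PID -> Image Name map (what Task Manager would show).
TASK_MANAGER_PIDS = {0: "System Idle Process", 1100: "someapp.exe", 1588: "svchost.exe"}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_host: str
    local_port: str   # a number, or a service name such as "pop3" when netstat resolves it
    foreign: str
    state: str        # empty for UDP: netstat prints no State column for UDP rows
    pid: int


def parse_netstat(report):
    """Return one Socket per TCP/UDP row, skipping the title and column-header lines."""
    sockets = []
    for line in report.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0], fields[1], fields[2]
        # TCP rows have five columns (State present); UDP rows have four, so take the
        # PID from the end of the row rather than from a fixed column index.
        state = fields[3] if proto == "TCP" else ""
        pid = int(fields[-1])
        host, _, port = local.rpartition(":")
        sockets.append(Socket(proto, host, port, foreign, state, pid))
    return sockets


def listening_ports_by_process(report, pid_map):
    """Map each program name to the sorted list of ports it holds open for incoming data.

    TIME_WAIT and ESTABLISHED TCP entries are transient connection state, not open
    doors, so they are excluded; every UDP socket is included because netstat cannot
    distinguish a UDP listener from a UDP client.
    """
    ports = defaultdict(set)
    for sock in parse_netstat(report):
        if sock.proto == "UDP" or sock.state == "LISTENING":
            name = pid_map.get(sock.pid, f"<unknown PID {sock.pid}>")
            ports[name].add(f"{sock.proto}/{sock.local_port}")
    return {name: sorted(p) for name, p in ports.items()}


if __name__ == "__main__":
    for name, open_ports in sorted(listening_ports_by_process(NETSTAT_REPORT, TASK_MANAGER_PIDS).items()):
        print(f"{name:22s} {', '.join(open_ports)}")
```

On a live machine, save the report with `netstat /a /o > report.txt` as described above and build the PID map from Task Manager's PID and Image Name columns. Every program the script names that you don't recognize, and every port it attributes to svchost.exe, is one to trace back to a specific service in the Services window before deciding it is harmless.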

7.6.3.1 Using an external port scanner

If you're using a firewall, such as the Windows Firewall feature built into Windows XP SP2 (discussed in the previous section), it should block communication to most of the currently open ports, even though they're listed by the Active Connections utility.

For this reason, you may prefer to use an external port scanner, a program that can connect to your computer through its Internet connection to check for all open ports, and do it more aggressively than the Active Connections utility. Here are some utilities that you can run from your own computer:

Nmap Security Scanner. http://www.insecure.org

AATools Port Scanner. http://www.glocksoft.com/port_scanner.htm

Furthermore, these web sites will allow you to perform port scans right from your web browser:

Sygate Security Scan. http://scan.sygatetech.com

PCFlank http://www.pcflank.com

Among other things, you can use these services to test the effectiveness of your firewall. If a port scanner cannot detect any open ports, cannot determine your computer name, and cannot detect any running services, then you're in pretty good shape!



    Windows XP Annoyances For Geeks
    Fixing Windows XP Annoyances
    ISBN: 0596100531
    Year: 2003
    Pages: 97
    Authors: David A. Karp