Introduction

The operating systems produced by Microsoft are infamous for their lack of security, but in Microsoft's defense, they made many trade-offs early on to make Windows easier to use and "on by default" instead of "secure by default." With Windows XP, especially after Service Pack 2, the operating system is much more secure after installation compared to its predecessors. But that is only part of the story. Computers cannot lie in state and remain secure. You have to be proactive and play an active role in keeping your systems secure.

And that is what this chapter is about. We cover several security best practices that every user should consider when maintaining Windows XP systems. This chapter is by no means comprehensive, but it does cover many of the basic security precautions that all users should consider.

Basic Tips

Before we dive into recipes, we're going to review a few general security precautions. Again, this isn't a comprehensive list, but if you did these and nothing else, you would be doing better than most people.

Understand Microsoft's 10 immutable laws of security

Microsoft discusses 10 laws of security on the TechNet web site: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx.

Take some time to understand each law (if they aren't self-evident). These laws are some of the most basic tenants of computer security, especially when you are dealing with Microsoft technologies.

Protect physical access to computers

You could have the most hardened and locked-down system possible, but if an attacker can gain physical access to it, your efforts are for naught. Ensure that your computers are not left unattended.

Don't use administrative accounts during day-to-day use

In the Windows NT days, before Remote Desktop Connection and the runas command were available, it wasn't uncommon for administrators to have their own personal account as part of the Domain Admins group. Now, you shouldn't need to do this. Create alternate administrative accounts in Active Directory (e.g., rallen for my personal account and rallen.adm for my administrative account). Use Remote Desktop Connection or runas to run programs that need admin privileges. This will reduce the chance (however unlikely) that you accidentally perform a damaging action on your system. Using your normal user account will also reduce the damage a virus or worm can do if your computer becomes infected.

Keep virus and antispyware definitions up-to-date

One of the reasons viruses spread so fast is that virus definitions aren't up-to-date on computers. With many viruses and worms propagating at a blinding rate these days, you have to be on top of the latest definitions and able to push them out as quickly as you get them. The same goes for spyware, which is becoming an even larger problem today than viruses.

Make sure all critical patches are installed

Even if virus definitions aren't up-to-date, most viruses and worms would be struck dead in their tracks if everyone installed critical security updates when they came out. Granted, this wasn't as necessary with Windows NT and when Windows 2000 was first introduced, but now, if you don't update your systems within days (and sometimes minutes!) of new security updates becoming available, you are just asking to be hit with a new virus or worm. Here is a good site to bookmark and visit periodically to stay ahead of the curve with the latest Microsoft security issues:

http://www.microsoft.com/technet/security/current.aspx

Audit important activities

Windows provides the capability to log certain actions and activities that are performed on your systems. By logging important activities, such as the modification of particular files, you can maintain an audit trail for later reference in case incidents arise. For more information on auditing, see Recipe 17.2.

Check event logs regularly

The event logs can contain a wealth of important security-related information, but they are often overlooked. This is partly due to the amount of noise that is in the event logs in the form of unimportant event messages. Develop a process to centralize and analyze your event logs on a regular basis. Having a mechanism to scan your event logs on a regular basis will be even more critical if you are auditing important activities, as described previously.

Know what to do when you discover you've been attacked

Most people think it can never happen to them, but the sad truth is it can. In fact, most users don't have near as much security expertise as professional attackers. If a particular attacker (or worse, a group of attackers) takes a fancy to your organization, you'll have to be on top of your game to avoid some type of successful penetration. Some of the best in the business have been attacked. The moral of the story is that you should be prepared for the possibility of being attacked. What would you do? Here are a few good links that might help you develop an incident response plan:

http://www.cert.org/tech_tips/root_compromise.html

http://www.cert.org

http://www.securityfocus.com

http://microsoft.com/security

Maintain (and test!) backups

The worst case is that you have a system that gets successfully compromised. Unless you feel extremely confident that you know exactly what was compromised, your best bet would be to re-image the system and restore from a known good backup. That means you need good backups to start with. And if you are performing regular backups, we highly suggest performing a periodic test restore just to make sure the backups you have are good and can be used in case of an emergency. See Chapter 19 for more on performing backups of your system.