Overview of Security Administration

Windows XP Professional provides the administrator with a number of tools and controls for the security of the computer and its resources. The application of security varies based on a computer's network status. For example, both stand-alone computers and computers that are part of a small peer-to-peer network provide their own security by maintaining a security database known as the SAM (Security Account Manager). On the other hand, while a computer connected to a Windows-based domain also maintains its own SAM, it is subject to security policies implemented by Active Directory. This chapter will focus on security as applied at the local workstation.

Controlling the Login Process

One security mechanism that varies based on network status is the manner in which users are able to log in to Windows XP Professional. When a computer is operated as a stand-alone system or as a member of a peer-to-peer network, the administrator has the ability to configure either the Classic login screen or the Welcome login screen. The Welcome screen displays a list of user accounts and allows a user to initiate a login session by selecting one. The Classic screen requires that users know, and type, both their assigned username and password in order to log in to the computer. Because the Classic screen is more secure, it is the only option available to Windows XP Professional computers that are part of a domain.

The following procedure outlines the steps involved in configuring which login screen is implemented on a stand-alone computer or a computer that resides on a peer-to-peer network.

  1. Click on Start and then Control Panel. The Windows XP Control Panel appears.

  2. Click on User Accounts. The User Accounts folder appears, as shown in Figure 9.1.

    Figure 9.1: The User Accounts folder displays local user accounts and provides access to basic account administration tasks

  3. Click on Change the way users log on or off. By default, the Use the Welcome Screen option is enabled, as shown in Figure 9.2. To disable it and enable the Classic screen, clear the Use the Welcome screen option. This also disables the Use Fast User Switching option.

    Note 

    When enabled, Fast User Switching allows two or more users to take turns sharing a computer without logging off. When enabled, Fast User Switching places a Switch User icon on the Log off Windows dialog, allowing users to toggle between active login sessions.

  4. Click on Apply Options.
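The following script is an added example, not code from the book: it reads and sets the same switches that the User Accounts applet toggles in the procedure above. It assumes Windows PowerShell 2.0 running as an administrator on Windows XP, and assumes the two Winlogon registry values named in the comments (LogonType for the Welcome screen, AllowMultipleTSSessions for Fast User Switching).

```powershell
# Added example (not from the book). Assumed registry values under XP's Winlogon key:
#   LogonType               1 = Welcome screen, 0 = Classic screen
#   AllowMultipleTSSessions 1 = Fast User Switching on, 0 = off
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-LogonScreenSetting {
    $k = Get-ItemProperty -Path $Winlogon
    # A domain member always gets the Classic screen, whatever LogonType says.
    $domainMember = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
    New-Object PSObject -Property @{
        DomainMember      = $domainMember
        WelcomeScreen     = (-not $domainMember) -and ($k.LogonType -eq 1)
        FastUserSwitching = (-not $domainMember) -and ($k.AllowMultipleTSSessions -eq 1)
    }
}

function Set-ClassicLogon {
    # Mirrors step 3 of the procedure: clearing the Welcome screen also
    # disables Fast User Switching, so both values are written together.
    Set-ItemProperty -Path $Winlogon -Name LogonType -Value 0 -Type DWord
    Set-ItemProperty -Path $Winlogon -Name AllowMultipleTSSessions -Value 0 -Type DWord
}

# Report the current state; call Set-ClassicLogon to enforce the Classic screen.
Get-LogonScreenSetting | Format-List
```

The change takes effect at the next logoff, exactly as when it is made through the applet.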

Applying Password Protection

Another key difference between a computer that is part of a Windows domain and one that is not is the applicability of user passwords. In order to log in to a computer that is part of a Windows domain, the user must supply both a username and a password in the Classic logon screen. However, passwords are optional for stand-alone computers and computers that are part of a peer-to-peer network.

While essential to corporate security, passwords may not be required in other situations, including small office networks. Instructions on how to create and delete passwords for individual user accounts on nondomain computers are provided in "User Account Administration" later in this chapter.

Figure 9.2: Configuring the Windows XP Professional login screen

Setting Up Password-Protected Screen Savers

Another mechanism for improving security is the application of a password-protected screen saver. Screen savers automatically start after a specified period of inactivity. When password protection is enabled for a screen saver, the user is prompted to resupply their password before resuming work on the computer. This helps to prevent a passerby from commandeering another user's login session if the user forgot to either log off or lock the computer before leaving it unattended.

The following procedure outlines the steps required to implement a password-protected screen saver.

  1. Right-click on the Windows XP desktop and select Properties. The Display Properties dialog box appears.

  2. Click the Screen Saver property sheet.

  3. Select a screen saver.

  4. Set the amount of time that must pass without any user activity before the screen saver starts.

  5. Select On Resume, Display Welcome Screen.

  6. Click OK.
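The following script is an added example, not code from the book: it audits the per-user settings behind steps 3 to 5 and can enforce them. It assumes Windows PowerShell 2.0 on Windows XP and assumes the four string values under HKCU\Control Panel\Desktop named in the comments; the 15-minute threshold and the blank screen saver (scrnsave.scr) are choices made for this example.

```powershell
# Added example (not from the book). Assumed values under HKCU\Control Panel\Desktop
# (all stored as strings):
#   SCRNSAVE.EXE        path of the selected screen saver
#   ScreenSaveActive    "1" when a screen saver is enabled
#   ScreenSaveTimeOut   idle seconds before it starts
#   ScreenSaverIsSecure "1" when "On resume, display Welcome screen" is set
$Desktop = 'HKCU:\Control Panel\Desktop'

function Test-ScreenSaverLock {
    param([int]$MaxIdleSeconds = 900)   # audit threshold chosen for this example
    $d = Get-ItemProperty -Path $Desktop
    $timeout = 0
    [void][int]::TryParse([string]$d.ScreenSaveTimeOut, [ref]$timeout)
    $findings = @()
    if ($d.ScreenSaveActive -ne '1' -or -not $d.'SCRNSAVE.EXE') { $findings += 'no screen saver enabled' }
    if ($timeout -le 0 -or $timeout -gt $MaxIdleSeconds) { $findings += "idle timeout $timeout s is outside 1-$MaxIdleSeconds s" }
    if ($d.ScreenSaverIsSecure -ne '1') { $findings += 'resume does not require a password' }
    New-Object PSObject -Property @{
        ScreenSaver       = $d.'SCRNSAVE.EXE'
        TimeoutSeconds    = $timeout
        PasswordProtected = ($d.ScreenSaverIsSecure -eq '1')
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

function Enable-ScreenSaverLock {
    # Same result as steps 3-5: pick a saver, set the idle time, require a password.
    param([int]$IdleSeconds = 600, [string]$ScreenSaver = 'scrnsave.scr')
    Set-ItemProperty -Path $Desktop -Name 'SCRNSAVE.EXE' -Value $ScreenSaver
    Set-ItemProperty -Path $Desktop -Name ScreenSaveActive -Value '1'
    Set-ItemProperty -Path $Desktop -Name ScreenSaveTimeOut -Value ([string]$IdleSeconds)
    Set-ItemProperty -Path $Desktop -Name ScreenSaverIsSecure -Value '1'
}

Test-ScreenSaverLock | Format-List
```

Values written this way apply when the user next logs on; the Display Properties dialog applies them immediately.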

Note 

For more information on working with screen savers, refer to "Setting Up a Screen Saver" in Chapter 7, "Configuring Desktop Settings."

Encrypting Data Stored on the Local Computer

Another security tool provided by Windows XP Professional is the EFS (Encrypting File System). EFS encodes data stored on a computer running Windows XP Professional so that only the person who encrypted it can view it. EFS uses public-key encryption that requires no administration. EFS automatically creates an encryption key pair and certificate for a user the first time that user encrypts a file.

While individual files can be encrypted, Microsoft recommends that encryption be applied at the folder level, thus ensuring that all files within the folder are encrypted. EFS is especially important for mobile users who run the risk that their computers may be stolen when they are on the road. One way to access data on a stolen computer is to reinstall the operating system without reformatting the hard drive. The administrator account for the new operating system can then access any file on the computer, except for previously encrypted files. Another technique for stealing data is to take the hard drive from one computer and mount it in another where administrative access is available. However, any files and folders protected by EFS remain protected in this case as well.
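The following script is an added example, not code from the book: it checks that the folder-level recommendation above actually holds (every item under a folder carries the EFS encrypted attribute) and encrypts the folder with cipher.exe when it does not. It assumes Windows PowerShell 2.0 on Windows XP with an NTFS volume, that cipher.exe accepts /E and /S: as shown, and uses a placeholder folder path.

```powershell
# Added example (not from the book). The folder path is a placeholder.

function Get-UnencryptedFile {
    param([string]$Folder)
    # EFS marks each encrypted file and folder with FileAttributes.Encrypted (0x4000).
    Get-ChildItem -Path $Folder -Recurse -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

function Protect-Folder {
    param([string]$Folder)
    # cipher /E marks the folder so that new files are encrypted; /S: applies it to
    # everything already inside. Run this as the user who owns the data, because only
    # that user's EFS certificate (created on first use) can open the files afterwards.
    & cipher.exe /E /S:$Folder | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
}

$folder = 'C:\Data\Private'   # placeholder: a folder without spaces in its path
$plain = @(Get-UnencryptedFile -Folder $folder)
if ($plain.Count -gt 0) {
    Write-Warning "$($plain.Count) item(s) under $folder are not encrypted"
    Protect-Folder -Folder $folder
}
```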

Note 

For more information on EFS, including how to apply it to secure files and folders, refer to "Applying Disk Encryption" in Chapter 11, "Disk Management."

Protecting Network Connections Using the Internet Connection Firewall

Another security utility provided by Windows XP Professional is the ICF (Internet Connection Firewall). ICF is a stateful packet filter. ICF maintains a table that tracks the flow of all network connections. Any time a data packet arrives from an external network connection, ICF checks the table to see if it is part of a previously established connection. If the packet cannot be associated with a network connection that was initiated by the local computer, it is blocked.

ICF is configurable and is administered on a connection-by-connection basis, allowing the administrator to apply different security settings for each connection. ICF is designed to protect computers that are connected directly to the Internet. It is appropriate for a stand-alone computer with a direct Internet connection and for a computer that runs ICS (Internet Connection Sharing) in order to share an Internet connection with other computers on a small home or office peer-to-peer network.
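The following script is an added example, not code from the book and not ICF's own code: it is a small model of the stateful rule described above, in which outbound packets create entries in a flow table and an inbound packet is allowed only when it matches a flow the local computer initiated. The addresses, ports and packets are constructed for the example; it runs in Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the book): a model of ICF's stateful packet filtering.
$FlowTable = @{}   # key: "proto|localAddr:localPort|remoteAddr:remotePort", value: last seen

function Get-FlowKey {
    param($Proto, $LocalAddr, $LocalPort, $RemoteAddr, $RemotePort)
    "$Proto|${LocalAddr}:$LocalPort|${RemoteAddr}:$RemotePort"
}

function Test-Packet {
    # $Packet: hashtable with Direction ('out' or 'in'), Proto, Src, SrcPort, Dst, DstPort
    param([hashtable]$Packet)
    if ($Packet.Direction -eq 'out') {
        # Locally initiated traffic always passes and records (or refreshes) a flow.
        $key = Get-FlowKey $Packet.Proto $Packet.Src $Packet.SrcPort $Packet.Dst $Packet.DstPort
        $FlowTable[$key] = Get-Date
        return 'allow'
    }
    # Inbound: look up the reverse tuple (the remote host is the packet's source).
    $key = Get-FlowKey $Packet.Proto $Packet.Dst $Packet.DstPort $Packet.Src $Packet.SrcPort
    if ($FlowTable.ContainsKey($key)) { return 'allow' }
    return 'block'   # no connection initiated by this computer matches the packet
}

# Constructed sample traffic: a web request from this computer, its reply, and an
# unsolicited inbound connection attempt that matches no flow.
$me = '192.168.1.10'; $web = '203.0.113.5'; $stranger = '198.51.100.7'
$packets = @(
    @{ Direction='out'; Proto='TCP'; Src=$me;       SrcPort=1054; Dst=$web; DstPort=80 },
    @{ Direction='in';  Proto='TCP'; Src=$web;      SrcPort=80;   Dst=$me;  DstPort=1054 },
    @{ Direction='in';  Proto='TCP'; Src=$stranger; SrcPort=4444; Dst=$me;  DstPort=139 }
)
foreach ($p in $packets) {
    '{0,-3} {1}:{2} -> {3}:{4} => {5}' -f $p.Direction, $p.Src, $p.SrcPort, $p.Dst, $p.DstPort, (Test-Packet $p)
}
```

The first two packets are allowed and the third is blocked; a real stateful filter also expires idle table entries, which the model omits.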

Note 

ICS is a Windows XP Professional feature that allows a computer running the ICS service to share its Internet connection with other computers (ICS clients) on a small network. ICS provides a number of other network services, including NAT (network address translation), DHCP services, and DNS services. For more information about ICS, refer to "Setting Up an ICS Server" and "Setting Up ICS Clients" in Chapter 18, "LAN Configuration."

ICF is not suitable for deployment on large corporate networks where network administrators and engineers are responsible for protecting network security and do so with the help of high-end routers, firewalls and gateway devices.

Note 

For information on ICF, including how to enable and configure it, refer to "The Internet Connection Firewall" in Chapter 17, "Supporting Internet Communications."



Microsoft Windows XP Professional Administrator's Guide
ISBN: 1931841969
Year: 2005
Pages: 358
