Locking Down Windows Clients


For Windows clients, always follow the fundamental lockdown principles explained earlier. MBSA helps by detecting whether any service packs, security patches, or hot fixes need to be installed. It will also check local passwords for certain known weaknesses, such as blank passwords.

Format Disk Drives Using NTFS

All disk drives should be formatted using NTFS. NTFS can be used to ensure that only authenticated and authorized users can read or change files and folders. In addition, files and folders can be secured so that only members of certain security groups can access them. For example, Chapter 1 discussed how to store a private key in a file. The file can be secured by restricting its access to only certain Windows users. For an introduction to setting file permissions, see the Microsoft article “File Systems” at http://www.microsoft.com/windows2000/techinfo/reskit/en-us/core/fncc_fil_ufnd.asp .

MBSA will detect and report which drives are formatted with NTFS. A drive formatted with FAT or FAT32 can be converted to NTFS without losing any data. For information on doing this, see the TechNet article “Convert” at http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/convert.asp.

In addition, for extra security, in Windows 2000 and Windows XP, you can encrypt a file or an entire folder so that its contents are available only to the user who encrypted it. Encrypting a folder, however, slows file access down. It’s useful in cases where intruders can get physical access to computers. For information on encrypting files and folders, see the TechNet article at http://support.microsoft.com/default.aspx?scid=kb;en-us;307877.

Disable Auto Logon

Auto logon should be disabled on the computer. Auto logon is a feature that allows the computer to be configured to silently log on to Windows using a preset user name and password, thereby avoiding user-name password security and allowing someone with physical access to your computer to log on as you. MBSA will detect whether auto logon is enabled. To disable auto logon, find the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set the AutoAdminLogon to 0 (zero).

Enable Auditing

Auditing should be enabled on the computer. Auditing is a Windows feature that tracks and logs specific events such as successful and failed logon attempts. By monitoring the log, you can detect whether an intruder attempted to log on to the computer. For information on setting this up, see the Microsoft article “HOW TO: Monitor for Unauthorized User Access in Windows 2000” at http://support.microsoft.com/default.aspx?scid=kb;en-us;300958.

Turn Off Unnecessary Services

Windows services are programs that run in the background whenever the computer is running. It does not require a user to be logged on. Services extend Windows by performing tasks such as indexing files, managing file sharing, and maintaining a list of computers on the local network. Because some services allow remote users to access resources on the local computer, you should turn off unnecessary services. By default, MBSA will detect and report whether four particular services are running:

  • MSFTPSVC The IIS file transfer protocol service

  • TlntSvr The Telnet service

  • W3SVC The IIS Web service

  • SMTPSVC The IIS SMTP service

Learning what services can or can’t be turned off is often a process of trial and error (usually involving turning a service off and seeing whether anything stops working). For suggestions on what services to disable, see Appendix B of the “Security Operations Guide for Windows 2000 Server” at http://www.microsoft.com/technet/security/prodtech/windows/windows2000/staysecure/secopsb.asp.

Services are controlled through the Services MMC snap-in. To view the services running on your local computer, choose Run from the Start menu, enter services.msc, and press Enter.

Turn Off Unnecessary Sharing

Windows has the capability to share files and folders with other computers on the network, as well as to share your printer with other computers on the network. In addition to any folders you explicitly decide to share, Windows will share each hard drive as an administrative share, which is a share available to administrators of the computer or domain. File and folder sharing and printer sharing increase the attack surface because it allows people remote access to the drives of your computer. It’s a good practice to disable unnecessary shares and apply security to the share you do enable—especially because by default new shares allow everyone full control over them. For information about applying security to shares, see the TechNet article at http://support.microsoft.com/default.aspx?scid=kb;en-us;301195. For information on disabling administrative shares, see the TechNet article at http://support.microsoft.com/default.aspx?scid=kb;en-us;314984. For information on disabling sharing altogether, see the TechNet article at http://support.microsoft.com/default.aspx?scid=kb;en-us;255159.

Use Screen-Saver Passwords

It happens to all of us—we log on to our computers, begin examining some secure information, and then get a craving for a burrito and a cherry coke. We leave the computer and make a mad dash to the Seven-Eleven across the road. When this happens to your users, you need to make sure the machine they logged on to remains secure. A good way to do this is to configure their computer to require a password when the computer resumes from a screen saver, and configure the screen saver to start if the computer is idle for more than five minutes. For information on doing this, see the TechNet article “Protect your files by using a screen saver password” at http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/display_assign_screensaver_password.asp .

Remove File-Sharing Software

Remove file-sharing software such as Napster, Aimster, Kazaa, and Xolox. These applications are used for swapping files (typically mp3 music files) with other people (typically strangers). Users have no control of what gets downloaded onto their machine—many seemingly innocent files carry a virus payload. In addition, users might not have control over what is sent from their machine. Some file-sharing applications also install spyware, which monitors and collects information about the users’ computing habits and sends this information to servers somewhere on the Internet.

Implement BIOS Password Protection

Many modern computers can be configured with a password in the BIOS (basic input/output system). This means when the computer boots, before even starting Windows, the user has to enter a password. BIOS password protection is inconvenient—it requires users to enter a password when the computer boots, wait for Windows to start, and then enter their domain password. BIOS password protection is recommended only in cases when physical theft of the computer is a real possibility such as notebooks that are often taken out of the office. A limitation of BIOS password protection is that it prevents unattended computer reboots, because the user must enter a password even before Windows is started.

Disable Boot from Floppy Drive

Simply leaving a floppy disk in a disk drive and rebooting the computer will cause the computer to attempt to boot from the floppy disk. If the floppy disk contains a virus, this could infect the computer. This is one of the most common ways viruses are transmitted from computer to computer. Many modern machines can be configured in the BIOS to disable booting from floppy, which solves the problem. A related issue is allowing computers to boot from CD. This should also be disabled.




Security for Microsoft Visual Basic  .NET
Security for Microsoft Visual Basic .NET
ISBN: 735619190
EAN: N/A
Year: 2003
Pages: 168

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net