10 Things I Like about XP Security

Suspicious of XP’s security features? As you spend quality time together, you’ll get to see its good points—maybe even become friends.


OK, true confessions now. I’m not exactly a Windows XP fan. However, Scottie, my therapist and personal trainer, says any relationship should be based on trust, and the only way to develop trust is to spend some time, share some secrets and see what happens. So I’ve invited XP on a few dates in hopes that with a bit of nurture our camaraderie might grow. At this point I feel we’re at stage three, and while I’m not sure that I want this to be a long-term intimate experience, I do have some interesting things to report.

In Stage One (before XP was really ready to leave its close-knit family—and the childhood salutation “beta”), my perception was that XP was an end-user interface for Windows 2000 Professional: Great for the home user (about time they had some basic file system security and other security features), but not worth upgrading to.

Stage Two occurred when XP and I decided on a live-in arrangement and signed an agreement that outlines, basically, how I won’t abuse XP or share him with another. As we worked together, I became increasingly annoyed by his chatty messages. “Activate me”; “Would you like to get a passport?”; “May I get you a drink?” (Maybe that’s a paraphrase, but having XP around was really like talking to Clippy on steroids.)

Little did I know that the obsequious behavior was a cover-up for all kinds of undercover activity. I’m speaking of XP’s ability to do things for me that I’m perfectly capable of doing for myself. Like his use of Universal Plug and Play (UPnP) to seek out and connect with UPnP devices such as printers. I know it’s hard for many users to do this on their own and a bit of a pain for admins to manage, but I don’t like the idea of something just occurring. After all, someone might figure out a way to turn XP’s “a-stranger-is-just-a-friend-you-haven’t-met-yet” mentality into a successful attack :-) ... (See "Q311311: Invalid Universal Plug and Play Request Can Disrupt Computer Operation" for just such a possibility.) Scottie says that’s a symptom of my obsessive/compulsive controlling behavior; but truly, it’s a bit perturbing to find that your lowly desktop is trying to communicate with other computers on the Internet. (I don’t like the idea that he’s trying to connect with anyone I haven’t told him he can connect with, even if it’s daddy Bill’s automatic update service trying to arrange silently for patches and updates.)


Stage Three began when I stopped following Scottie’s advice and started following my instincts. This isn’t the ’60s, and relationships can’t be built on, “You do your thing and I’ll do mine and if we can do them together, that’s beautiful.” Roberta’s first rule: Unlike children and desirable human relationships, operating systems do come with instruction books. Use them. Here’s what I discovered, tested and found handy.

1. Internet Connection Firewall
Wow! A built-in firewall. What a concept! (And why haven’t we seen this before now?) XP’s Internet Connection Firewall (ICF) is no substitute for properly managed network perimeter defenses, but it’s great for those times when you grab the laptop and hit the road. And what about all those thousands of telecommuters, sales folks and others who just see their computers as tools? ICF is basic: it filters inbound connections only (outbound traffic is never blocked), and for most purposes you turn it on or off, because that’s almost all you can do. (See Figure 1.)

Internet Connection Firewall
Figure 1. The Internet Connection Firewall is quite handy—if you know when to use it.

You can even control it via group policy, prohibiting it on your DNS domain network so that it’s used only when the domain controller can’t be reached. It’s important to remember when it’s enabled; I’ve seen experienced, intelligent techies forget they have the firewall on and attempt to connect with a buddy to share files. I’ve also seen them enable it on their network, only to be chagrined when they discover that’s the reason they can’t connect to the DC. I haven’t read any side-by-side comparisons with commercial personal firewalls, but there are at least two things in its favor: It’s there and it’s free.

Be aware that XP’s firewall can be configured, through its service definitions on the Advanced tab, to open inbound ports and so allow the publishing of a Web server behind it. You’ll want to make sure users can’t do this.

2. Force Guest
Ordinarily it doesn’t matter how carefully you secure network resources; if a malicious individual obtains the user ID and password of some privileged user, he or she is that user, including mapping to a drive and accessing any resource ACL’d for that user. What if you could reduce the power and access of any would-be network connector? What if it didn’t matter whether the user ID and password belonged to the Administrator, because access would still be only that ascribed to the Guest account? You can configure this with XP.

If properly set up, XP will reduce to Guest status the authority of a network connection authenticated by a local XP account database account. Because the Guest account is limited to minimal access (and you’re not going to change this, right?), the danger of successful attacks via compromised local accounts is limited. So, if someone managed to obtain the local Administrator account password and mapped a drive to such an XP system, he or she wouldn’t be able to perform normal administrative duties nor have access to files the Administrator would ordinarily have.

Configuration options for this vary. For an XP system not in a domain, you can select the “Guest-only” security model, which allows only Guest access across the network. Normal (“classic” security model) access can be restored if you desire. XP systems that are domain members can be configured using group policy to “force network logons using local accounts to authenticate as Guest.” This means that, like the standalone system, local XP security database accounts will only be allowed Guest access when used across the network. Domain-level accounts will function normally. Local account access is normal in either case when the user sits at the console.

This offers the best of both worlds. If, for some reason, you must use local accounts, you can; but knowledge of them and their passwords gives an attacker no advantage when he or she doesn’t have physical access to the machine.

3. Blank Password Problem
We all know these shouldn’t be allowed, but sooner or later you’re going to find an XP box set up and maintained by someone less observant than you. Or maybe your users use personal machines to connect to your network from home. By default, local accounts with blank passwords can’t be used to access computers over the network! You can only use them when logging on from the console. You can’t even use RunAs with them to start a program. There’s an exception, of course: An enabled Guest account with a blank password can be used across the network. Note that this applies only to local accounts. If your security policy allows it, or your domain admins so configure, domain accounts with blank passwords can still be used for network logons.

4. Anonymous Risks Reduced
Remember when you discovered that the Everyone group includes anonymous users—those who connected to the computer using a null user account name, domain and password? These anonymous users have access identical to the Everyone group. In previous versions of Windows, that was a lot of access to be granting unknown and potentially hateful creatures. XP doesn’t include anonymous users in the Everyone group, lessening the potential impact of this type of access. You can give the anonymous logon explicit access to resources. This allows services and processes that must connect anonymously to do so—but this access is more closely under your control.

You should also be aware that it’s possible to make a registry entry and return the anonymous logon to Everyone group membership. This configuration may be necessary to allow some Win2K applications work. However, it also opens the possibility that some Trojan horse introduced in the next battle for Internet supremacy will flip this bit and return your XP system to the legacy security model.

I’ll not repeat the location for “EveryoneMeansAnonymous,” so as not to tempt some lazy Trojan writer (see how silly we’re getting when we attempt to restrict the free flow of information?). You can set it in the preferred mode for your systems by using the local security policy or group policy in your domain.

What’s more, XP has three security policy statements that limit information available via anonymous access. Use combinations of these policies to restrict anonymous access. By default, shares can be enumerated, users can’t. For the typical XP user whose machine isn’t on the network, this may be perfect. My recommendation would be to set all three to their restrictive values (disable the first, enable the other two):

  • Allow Anonymous SID/Name translation: When enabled, an anonymous connection can use well-known SIDs (such as that of the Administrator account) to discover user IDs, even if the account has been renamed. This policy is disabled by default; leave it that way.
  • Don’t allow anonymous enumeration of accounts: Enabled by default, this policy keeps an anonymous connection from being able to list the members of your account database.
  • Don’t allow anonymous enumeration of accounts and shares: Disabled by default; when disabled it permits the listing of network shares (and, if the previous policy is also disabled, of accounts). When the previous policy is enabled and this one disabled, shares may be enumerated, but not user accounts. Enable it to stop both.
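The settings from items 2, 3 and 4 gathered into one security template you can apply and audit with secedit. This is an added example, not a template from the column or from Microsoft; the policy names in the comments are the Local Security Policy names as they appear under Security Options in XP, and the template deliberately leaves out the “Everyone includes anonymous” value, as the column does. Set that one in Local Security Policy or group policy instead.

```ini
; harden-local-accounts.inf  (added example; apply with secedit, see note below)
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; "Network access: Allow anonymous SID/Name translation" -> Disabled
LSAAnonymousNameLookup = 0

[Registry Values]
; format: MACHINE\<key>\<value>=<type>,<data>   (4 = REG_DWORD)

; "Network access: Sharing and security model for local accounts" -> Guest only (item 2)
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1

; "Accounts: Limit local account use of blank passwords to console logon only" -> Enabled (item 3)
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1

; "Network access: Do not allow anonymous enumeration of SAM accounts" -> Enabled (item 4)
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1

; "Network access: Do not allow anonymous enumeration of SAM accounts and shares" -> Enabled (item 4)
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
```

To see how a box differs from the template before touching it, run `secedit /analyze /db %windir%\security\database\check.sdb /cfg harden-local-accounts.inf /log check.log` and read the log; `secedit /configure` with the same arguments applies it. Two caveats: with ForceGuest set to 1, every network logon with a local account lands as Guest, so the Guest account must be enabled for any such access to work at all, and a quick way to confirm the setting took is that `net use \\xpbox\c$ /user:xpbox\Administrator` with the correct local Administrator password is denied rather than granted. Domain accounts are not affected by any of these values.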

5. Password Resets and the Encrypting File System
You’ve probably heard my EFS rant, you know, the one where I tell you to disable it until you can properly implement a Public Key Infrastructure? XP has some additional issues that make me scream even louder, including this one: It pays no attention to the Win2K trick of emptying the recovery agent policy, which disables EFS on Win2K but not on XP, because XP doesn’t require a recovery agent to encrypt. As you’ll recall from my last column, changes to PKI in .NET give you even better control over EFS, but until then you need to disable EFS at the desktop level, on each XP machine.

If this isn’t an option, and you or your users must have the ability to encrypt files, you should make sure they have proper instruction, including how to archive their encryption keys. In addition, you should be aware of the disaster looming if an Administrator resets the user’s password. In XP, the user’s EFS private key is protected by a master key that is itself protected with the user’s logon password; a forced reset replaces the password without re-protecting that master key, so the account can no longer decrypt its own EFS-encrypted files. This prevents a rogue administrator from resetting the user’s password, logging on as the user, and reading the encrypted files. I like this!

To those of you who argue that the Administrator account is the de facto recovery agent and doesn’t have to log on as the user, remember that this is true on Win2K and on domain-joined XP (a standalone XP box has no default recovery agent at all), and best practices advise that this should be changed. Unfortunately, once an administrator resets the user’s password, even the legitimate user will be locked out of encrypted files. XP does provide a solution. Access to the files can be recovered by the user either by changing the password back to the previous one (the master key is still protected with it) or by using the password reset disk, which goes through the normal change path and re-protects the master key.

6. Restore Points
So now that XP and I are getting along a little better, Scottie thinks I’m not spending enough time with him. “Well,” I said, “at least XP remembers those places I like to go to.” Haven’t you ever wished you could take back some hasty words or return to a point in a relationship before things started to go south? XP allows this kind of time travel; in fact, he encourages it. Whenever you start to make some major change, like installing a new device driver, XP stops and records system status prior to the change. If things aren’t improved by your change, XP allows you to restore the system to the way things were, as shown in Figure 2.

Restore Point admin
Figure 2. Restore Point administration is done through XP’s Help and Support Center. (Click image to view larger version.)

Restore points aren’t a replacement for backup; you can’t restore your data this way. You are, however, provided with some hope of recovery. To feel really secure, create your own restore point prior to that big registry mod, device driver install or click of that unknown attachment.

7. Support for 802.1x
Sure, wireless connectivity is a good thing, until you realize that all that data floating around among computers is like secrets at a spy convention. So then you try to protect it through encryption. That may sound secure, but it really isn’t if you’re using Wired Equivalent Privacy (WEP). Turns out there are multiple problems with WEP, including the use of a single, pre-shared key (the same key for many workstations), the lack of a key management strategy, lack of authentication practices and general impracticability for large wireless installations.

IEEE standard 802.1x, supported by XP, is port-based network access control: the access point (authenticator) won’t pass a station’s (supplicant’s) traffic until an authentication server has accepted it. Combined with EAP and a RADIUS server, it opens a range of possibilities for better security. Among these are the use of unique keys for each workstation, frequent re-keying (rapid changing of encryption keys), the use of PKI for authentication, and user authentication, authorization and accounting (think RADIUS, certificates and smart cards). Note that 802.1x itself authenticates; the per-station keys and re-keying come from the EAP method and the access point, so check that yours support them. (Oh, XP, how I love it when you talk like that.)

8. Credentials Management
Down at Blockbuster, Scottie wanted me to rent him a Jet Li movie. As I searched for my cash, plastic cards fell from my wallet and scattered on the floor. Along with the Visa, American Express and MasterCard, there’s AARP, American Airlines, United Airlines, Delta, Marriott, Hilton, Kirksville Motorcycle Club and multitudes more. Like an early Novell administrator and most people engaged in working the Web, my personal credentials are obviously out of control. While it’s impossible to have one piece of plastic these days, advances in technology have meant we’re approaching single-sign-on nirvana. But having one user ID and password isn’t always a good idea. It can reduce security risks if the alternative is providing a user with so many passwords and IDs that he or she must write them down. However, it’s also a security risk, as an attacker need only know this single sign-on to have access to everything. Like anything else, credentials management is a balancing act. Things are also complicated by the numerous accounts the average person accumulates when using the Internet. Without some secure way to manage them, we’re easy targets for abuse and misuse. XP’s got some answers.

Control Panel | User Accounts, which can be used to manage NTLM, Kerberos, Passport and SSL authentication credentials (the “Manage my network passwords” item, called Stored User Names and Passwords), builds on the past. Like Windows NT and Win2K, XP stores these items in a protected area of the user profile. XP, however, allows you to add, delete and manage them manually. Here’s where you can add a credential for a server or domain other than your own, including a .NET Passport created in a past life; this also makes modifying the information in the Passport easy. You can modify your stats and even refuse to share information about yourself with a Web site. Users can manage only their own credentials and, in an enterprise, can be prevented from storing them at all via the group policy setting “Network access: Do not allow storage of credentials or .NET Passports for network authentication.”

9. Password Reset Disk
Forgetting passwords is the most common computer-related gotcha for users. In an enterprise, there are policies and procedures and technology that allows for password resets. In the single system or workgroup setting, this problem is magnified, as there may be only one user of the system. I’m sure there are going to be many instances of users forgetting their XP passwords and not being able to get at their data. XP allows those users to create a password reset disk. This “Get out of Jail Free” card can only be made for local accounts, and only by someone logged on using that account. It doesn’t store the password; instead, making the disk creates a private and public key pair. The user’s password is encrypted using the public key and stored on the computer separately from the SAM. The private key is only stored on the disk.

Sounds simple, doesn’t it? Now all we have to do is teach them to create the disk before they need it and to store it in a safe, secure place.
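The two mechanisms above, item 5 (why an administrator’s forced reset orphans the user’s EFS keys while a normal change or the reset disk does not) and item 9 (the reset disk holding a key the machine never stores), modeled in one short Python program. This is an added example written for this column, not XP’s DPAPI, EFS or reset-disk code: the “master key” wrapped under a password-derived key stands in for DPAPI, the wrapped file key stands in for EFS, and the reset disk is modeled with a random symmetric key kept only on the disk rather than XP’s public/private key pair (so, unlike XP, this model’s disk is tied to the password in force when it was made or last used). The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so that the program runs on the standard library alone and so that a wrong password is detected rather than producing garbage.

```python
"""Added example: password-derived key wrapping, admin reset vs. password change."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 20_000


def kdf(password: str, salt: bytes) -> bytes:
    """Password-derived wrapping key (stand-in for what DPAPI derives from the logon password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream (a small stand-in for a block cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; raises ValueError when the key is wrong (tag mismatch)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key: cannot unwrap")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _verifier(salt: bytes, password: str) -> bytes:
    """What the SAM holds: enough to check a logon, replaceable without the old password."""
    return hashlib.sha256(b"verify" + salt + password.encode("utf-8")).digest()


def create_account(password: str) -> dict:
    """Local account: SAM verifier plus a master key wrapped under the password (the DPAPI part)."""
    salt, master = os.urandom(16), os.urandom(32)
    return {"salt": salt, "verifier": _verifier(salt, password),
            "wrapped_master": wrap(kdf(password, salt), master), "reset_blob": None}


def check_logon(acct: dict, password: str) -> bool:
    return hmac.compare_digest(acct["verifier"], _verifier(acct["salt"], password))


def _master_key(acct: dict, password: str) -> bytes:
    return unwrap(kdf(password, acct["salt"]), acct["wrapped_master"])


def encrypt_file(acct: dict, password: str, data: bytes) -> dict:
    """EFS-style: a random file key, wrapped under the user's master key, encrypts the data."""
    fek = os.urandom(32)
    return {"wrapped_fek": wrap(_master_key(acct, password), fek), "data": wrap(fek, data)}


def decrypt_file(acct: dict, password: str, f: dict) -> bytes:
    if not check_logon(acct, password):
        raise ValueError("logon failed")
    return unwrap(unwrap(_master_key(acct, password), f["wrapped_fek"]), f["data"])


def admin_reset(acct: dict, new_password: str) -> None:
    """Forced reset: the admin doesn't know the old password, so only the SAM entry changes.
    The master key stays wrapped under the old password and is now unreachable."""
    acct["verifier"] = _verifier(acct["salt"], new_password)


def _rewrap(acct: dict, known_password: str, new_password: str) -> bool:
    """Re-protect the master key under new_password if known_password can unwrap it."""
    try:
        master = _master_key(acct, known_password)
    except ValueError:
        return False  # orphaned by an admin reset: leave it; the old password still fits it
    acct["wrapped_master"] = wrap(kdf(new_password, acct["salt"]), master)
    return True


def change_password(acct: dict, current_password: str, new_password: str) -> bool:
    """User-initiated change. Returns False if the master key could not be re-wrapped."""
    if not check_logon(acct, current_password):
        raise ValueError("logon failed")
    rewrapped = _rewrap(acct, current_password, new_password)
    acct["verifier"] = _verifier(acct["salt"], new_password)
    return rewrapped


def make_reset_disk(acct: dict, password: str) -> bytes:
    """The disk carries a key the machine never stores; the machine stores the password sealed under it."""
    disk_key = os.urandom(32)
    acct["reset_blob"] = wrap(disk_key, password.encode("utf-8"))
    return disk_key


def reset_with_disk(acct: dict, disk_key: bytes, new_password: str) -> bool:
    """Unseal the old password with the disk, then do a normal change so the master key is re-wrapped."""
    old_password = unwrap(disk_key, acct["reset_blob"]).decode("utf-8")
    rewrapped = _rewrap(acct, old_password, new_password)
    acct["verifier"] = _verifier(acct["salt"], new_password)
    acct["reset_blob"] = wrap(disk_key, new_password.encode("utf-8"))  # disk stays usable
    return rewrapped
```

Walk it through once: create an account, encrypt a file, make the disk, then have an administrator reset the password. Logon with the new password succeeds but decrypt_file raises, because the master key is still wrapped under the old password. Changing the password back (change_password returns False, since nothing could be re-wrapped, but the old wrapping now fits again) restores access, as does reset_with_disk with a brand-new password. Everything the machine stores, the SAM verifier, the wrapped master key and the reset blob, is useless without either the password or the disk, which is the property the column’s item 9 describes.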

10. Shadow Copy
Everyone knows a good backup is like that expensive long-term care policy you should buy: not much good until you need it and you hope you never will, but if you do need it and don’t have it, you’ll be out on the street. We also know that some files may be missed in the typical backup, because some files are open. Traditional backup programs skip files that are open for exclusive use, and they’re often exactly the ones you care about: mailboxes, databases, the registry.

Enter shadow backup. Because XP’s shadow backup makes a snapshot of the disk and then proceeds to back up from the snapshot to tape, open file issues are a thing of the past. Be aware, though, that some free disk space is required for the snapshot; if it’s unavailable, a normal backup, not a shadow copy backup, will occur, with the old open-file gaps. Check the backup log rather than assuming. You can also turn shadow copy off when, for instance, you only want a file or two and don’t want to wait for the entire disk to be snapshotted.

Archive Your Keys—Or Else!
If you think my EFS warning is an overreaction, tell it to the businessman who wrote me recently. It seems he had years of business records encrypted on his disk and no backup in unencrypted form. His profile was damaged and he decided to format the disk and reinstall Windows. When he restored his files from backup, he had lost access to them. Neither his profile, nor that of the Administrator account, was backed up. He’d never archived his keys. Seems he’d read some article on the Internet (not in this magazine) that told him file recovery wasn’t easy but was possible. Unfortunately, without either his or the recovery agent’s private keys, there was no recovery available, short of a brute-force hack; the use of some forensics tools; or low-level disk editing, which might discover fragments of the data originally stored in clear text and not yet overwritten by time, cipher or his disk formats. No, he wasn’t a happy camper.
—Roberta Bragg

Separation Anxiety
Now that XP and I have become bosom buddies, I sorta miss the little guy when I’m away. There’s a lot more I need to test and explore, and a lot more I’d like to tell you about. My goodness, I haven’t even talked about XP’s software restriction policies, how to disable or control his extroverted tendencies, the hundreds of new local and group policy settings or how this all fits in with Windows .NET. Scottie’s rolling his eyes now, however, and it’s time for my workout. (Maybe I can convince him we need to watch “The One” instead.) Until next month.
