Battening down the hatches

Roger Gann (PC World)
— 17 February, 2005 09:04

Share
Share this article
- facebook facebook
- slashdot slashdot
- digg digg
- Reddit Reddit
- stumbleupon stumbleupon
- linkedin linkedin
- twitter twitter
Tweet
Be the first to comment 0

With Service Pack 2 (SP2), Windows XP may be more secure than ever, but there are still one or two things you can do to tighten things up a bit.

One of the big problems concerning older networks based on Windows 9x clients was their inherent lack of security. Sure there were a couple of tricks you could use to deter a casual probe, but the Windows 9x armoury was pretty sparse when it came to stopping a determined hacker.

It wasn't until Windows 9x was ousted from the desktop by Windows XP three years ago that network administrators got an operating system that was capable of being nailed down thoroughly.

Even so, and despite the fact that SP2 has put Windows XP light years ahead of Windows 9x, many lax features are left as defaults. As a result, many Windows XP networks are less secure than they could be. The good news is that it'll cost you nothing but a little bit of elbow grease to straighten these out. And who knows? - it could prevent a bad guy from accessing your network and doing goodness knows what to it.

Accordingly, Windows XP security is the subject of this month's column.

Back to basics

I have no wish to be accused of stating the obvious, but basic physical security is pretty important, especially for easily portable devices such as laptops. So before you do anything else, think about office locks, Kensington locks for notebooks and keeping keys for lockable cases and CPUs in a central (secure) place.

I'll take it for granted that you use a firewall, antivirus software and Windows Update - and if you're using SP2, you'll know if you're not. If you're feeling particularly paranoid, use the Microsoft Baseline Security Analyser to check your system for known vulnerabilities (www.microsoft.com/technet/security/tools/mbsahome.mspx).

Moving up the food chain slightly, the next thing to consider is the file system that's running on your PCs. If it's FAT32, it's wide open to attack. Consider upgrading to NTFS: not only is it faster than FAT32, it also allows you to set permissions down to the file level.

You can check your file system by examining the properties of your drives. The NTFS conversion tool, convert.exe (which comes with Windows XP), will do the business on FAT32 partitions, though you should bear in mind that it won't reverse the process if you change your mind. If you have particularly sensitive data on your PC and are running Windows XP Pro, consider installing the encrypting file system (EFS) to safeguard your files and folders. Don't forget: you'll need to be logged on via an Administrator account to perform most of the tasks in this column.

Open all hours

Windows XP Home and XP Pro workstations that are on a peer network (one that's not attached to a domain) use a feature called simple file sharing (SFS). With SFS turned on, there are no restrictions and almost everything that's shared is accessible to everyone on the network.

Anyone logging on to the PC from across the network is forced to use the Guest account to prevent them from using a local Administrator account that wasn't configured with a password. The bottom line: if you're connected to the Internet and don't use a secure firewall, the files contained within those shares are available to the world and his dog.

To disable SFS on XP Pro, open My Computer and click on Tools-Folder Options-View then, in Advanced Settings, uncheck the Use Simple File Sharing box and click Apply. Unhelpfully, Windows XP Home doesn't let you do this. The best you can manage here is to set your shared folders to read-only and hide the file shares from network browsers by adding a $ sign after the folder name. Or, if it's an NTFS volume, you can use the Make Volume Private option in the folder properties.

Passwords and Accounts

It goes without saying that passwords are crucial. Windows XP Home is particularly neglectful in this respect as it has a blank password for the Administrator account by default.

Boot into Safe Mode (hit <F8> during startup) to reveal the Administrator account and go into the User Accounts Control Panel applet to add a decent password. Ensure that passwords, rather than blanks are assigned to all accounts. Make sure that these accounts are limited users, too - there can be only one true Administrator. If that's you, it's a good idea not to use the local administrator account as your default login account. It's also a good idea to use a name other than Administrator for this account. Some hackers will argue that this won't stop them, because they'll use the security ID (SID) to locate the name of the account and hack into that. A simple ruse such as renaming won't block them all, but it will stop most amateur hackers in their tracks. And it all counts.

It's a hoax, dummy

You might also want to create a dummy Administrator account that has no privileges and a really complex 16+ character password. This should keep the script kiddies busy for a while, even if they have a processor farm at their disposal.

That old hacker favourite, the Guest account, should be for the chop, too. Again, losing this is straightforward in XP Professional, but XP Home has other ideas. If you disable the Guest account, all it does is eliminate this account from the Welcome screen and Log-On local screen. The network credentials actually remain intact and guest users will still be able to connect to the shared resources of the affected machine across a network. Ultimately, all you can practicably do is to assign a really strong password to your Guest account. Don't forget to remove all accounts that are no longer used, such as those of staff who may have left.

Click here to view a screen shot of Baseline Security Analyzer.

Click here to view a screen shot of the NT File System (NTFS), which is much more secure than FAT32. Check the properties of your hard disks to see what file system it's running.

Click here to view a screen shot the Protected Storage PassView tool, where by you can get Windows XP to willingly cough up almost all of its passwords. Scary, eh?

LOCK AND LOAD

It might not be too popular with the staff, but it's a good idea to password-protect the screensaver on all your workstations. Use the blank or logon screensaver to avoid eating up CPU cycles, rather than the prettier, but more graphically intensive modules.

Remember, you can prevent users from undoing these changes using either a Group Policy or the local security policy.

You can also force XP Pro clients to use stronger passwords through the Management Console Local Security snap-in. Microsoft advises that you:

Set the minimum password length to at least eight characters

Set a minimum password age appropriate to your network (typically between one and seven days).

Set a maximum password age appropriate to your network (typically no more than 42 days)

Set a password history maintenance (using the Remember Passwords radio button) of at least six.

You should also use the account lockout feature that disables an account after an administrator-specified number of logon failures.

SP2 and USB2

It has recently come to light that SP2 doesn't take very kindly to some USB2 devices, like external hard disks, data vaults and the like - citing the fault as excessive power drain by certain USB devices.

The bottom line is that if your system uses Intel's ICH5 or ICH6 USB controller system and the device you plug in draws more than 500mA, then it just won't work. Some VIA chipsets don't seem to be affected.

For the full story, go to http://support.microsoft.com/ and search for 870893.

Career dead-ends aside, for the past decade or so Roger has earned his crust as an IT journalist. He's now a freelancer, writing about all manner of IT subjects. He also likes to fix other people's networks when he can.