A Windows Desktop Security Primer
ITSS Technical Briefing
Jay Stamps, ITSS, jstamps@stanford.edu, 723-0018
Turing Auditorium, May 20, 2005

Topics for the Afternoon
- Windows XP Professional Security
- Setting Up a New PC Safely
- Secure Windows Configuration
- Software Tools for Better Security
- Good Security Practices for You
- Passwords vs. Pass Phrases
- “Malware” and “Phishing” Scams
- Windows Security Top 10 List
- What to Look Forward To
- Other Security Resources

Speaking of Computers, etc.
- Stanford University Libraries Publication
  - Three issues each year (Fall, Winter, Spring)
  - To subscribe to Speaking of Computers: http://speaking.stanford.edu/subscribe.html
  - Windows Security Article (Spring 2005): http://speaking.stanford.edu/highlights/Make_Your_PC_Secure.html
- Friday Tech Briefings Web Site: http://www.stanford.edu/services/techtraining/techbriefings/
  - To subscribe to the Tech Briefings mailing list: http://www.stanford.edu/services/techtraining/techbriefings/#list

Important Updates on ESS
- Symantec AntiVirus 9.0.3 Is on ESS
  - The previous ESS distribution is threatened
  - http://securecomputing.stanford.edu/alerts/symantecav-05-feb.html
  - http://www.stanford.edu/~jstamps/SAV_repair.html
- Eudora <= 6.2.0 for Windows Is Vulnerable
  - http://www.eudora.com/security.html
  - http://www.ngssoftware.com/advisories/eudora-01.txt
  - http://www.stanford.edu/dept/itss/ess/pc/eudora.html
- ITSS Microsoft Office Patcher Redux
  - Critical vulnerability in MS Office XP (et al.)
  - http://www.microsoft.com/technet/security/bulletin/ms05-005.mspx
  - ITSS MS Office Patcher is here: http://www.stanford.edu/dept/itss/ess/pc/msoffice_patcher.html
- PC-Leland 2.1.4.7 Is on ESS

Windows XP Pro Security
- What We Will Talk About
  - Windows XP Professional Security
  - Advice applies to non-English editions, too
  - Focus on stand-alone PCs attached to SUNet
- What We Won’t Talk About (after this slide…)
  - Windows XP Home Edition
  - Windows 95/98/ME, Windows NT/2000/2003
  - Mac OS X, Linux, Unix, Palm OS, etc.
- But Don’t Walk Out Just Yet!
  - Some of my advice may apply to other OSes
  - PC users should consider upgrading to XP Pro

What’s the Threat?
- Viruses, Hackers and Worms - Oh, My!
  - Purists reserve the term “hacker” for ace programmers, not “attackers”: http://catb.org/~esr/jargon/html/H/hacker.html
  - “Virus” is also an overworked term
    - Internet worms, mass-mailing worms, viruses (infectors), Trojan Horses, backdoors, rootkits, bots, zombie networks, spyware, hijacking…
  - The best general term is “malware”
- You Get the Idea: It’s a Jungle Out There!
  - And an oz. of protection is worth a lb. of cure

A Little Caveat
- Some of You Have Local Technical Support Staff
- Some of You May Be Local Technical Support Staff
- A Quick Quiz Question: If I Say Something That Contradicts What Your Local Support Staff Say, You Should…
  A. Do what I say anyway
  B. Do what your local support folks say
  C. Talk to your local support staff
  D. Give up using computers: Too much hassle!

A Few Assumptions
- Much of What Follows Assumes That
  - You have administrator rights for your PC
  - Your PC is not a member of a Windows domain - though maybe it should be! See: http://windows.stanford.edu
  - If you have local technical support staff, you have their blessing to make changes to your PC’s configuration
  - You understand that changing security-related settings can impair functionality: You might have to undo some changes

User Rights & Privileges
- What Are “Administrator Rights”?
- A User in the Administrators Group
  - Can modify or delete all files, including (with some protections) system files
  - Can modify the Windows registry
  - Can define local security policies
  - Has more or less total control
- Because of How Windows Applications Are Designed, Administrator Rights Are Often Necessary for “Normal Use”
  - Primary XP user has administrator rights

Out of the Box
- You Just Got a New PC: Now What?
  - It’s not securely configured by default
  - Security software is probably missing
  - The “survival time” of an unpatched PC
    - See http://isc.sans.org/survivalhistory.php
- First: Don’t Put It on the Network!
  - Do set strong passwords or pass phrases
  - Do disable File & Printer Sharing
  - Do enable the Windows Firewall
- Configure Your Network Settings
  - Now you can connect to the Internet

So You’re on the Internet…
- Go to http://windowsupdate.microsoft.com
  - Install critical updates and service packs
  - Reboot and revisit the Windows Update site
  - Lather, rinse, repeat…
- Go to http://ess.stanford.edu
  - Stanford Essential Software: Gotta have it!
  - Download and install Symantec AntiVirus
    - Remove any previously installed AV software
    - Start | Settings | Control Panel | Add or Remove
  - Download and install SpySweeper
  - Download and install BigFix
  - Download and run the Security Self-Help tool

What’s All This, Then?
Summary of Demonstrations
- Symantec AntiVirus
  - Schedule LiveUpdate to run daily
    - You must have administrator rights
  - Schedule full scans weekly
    - Scheduled scans are specific to user accounts
  - If you use Eudora see: http://securecomputing.stanford.edu/sav/index.html
- SpySweeper
  - Requires administrator rights
  - Read instructions; Configure weekly “sweeps”
  - Restore “cookies” or “spyware” if required
  - Try other anti-spyware programs

Summary of Demonstrations
- BigFix Client Software
  - Use to supplement Windows Auto Updates
  - Must be installed with administrator rights
  - Runs invisibly in background
  - Collects a little inventory information
  - Supports all Windows platforms (& most languages)
  - Subscribe to bigfix-users@lists.stanford.edu
- Stanford Security Self-Help Tool
  - Configures a number of important settings
  - Does not check your PC’s patch level!
  - Checks for blank or weak passwords
  - Configuration changes can be undone

A Note on “Service Pack 2”
- Windows XP Service Pack 2 Is Now Out
  - Install on both Pro and Home Editions
  - A number of important new security features
    - For example, Data Execution Prevention - see: http://support.microsoft.com/default.aspx?scid=kb;en-us;875352
  - May change Windows’ behavior noticeably
- Download the XP SP2 Configuration Tool
  - Available on the ESS site
  - Will prevent problems with Internet Explorer for users of Stanford business applications
- Check Out David Pogue’s (copyrighted) New York Times Article on SP2
  - Use Google to search on Pogue Windows SP2

Pogue’s 7 Steps (Modified)
- Check Your Hard Drive for Free Space
- Remove Spyware & Scan for Viruses
- Visit the Windows Update Web Site
  - Install everything except SP2
- Visit Your PC Manufacturer’s Web Site
  - Download and run BIOS updater
- Back Up All Your Files, Including Hidden
- Remove Antivirus and 3rd-Party Firewalls
  - Enable XP’s built-in firewall first!
- Log Off Everyone But Yourself

Uninstalling SP2
- Installing Service Pack 2 Seldom Causes Problems
- But If It Does…
  - Go to Start | Settings | Control Panel | Add or Remove Programs
  - Look for “Windows XP Service Pack 2” and click the “Remove” button
  - Restart Windows
- Good Luck! But This Usually Works

Quick Tour 1: The WF
- The Service Pack 2 Windows Firewall
  - Successor to the Internet Connection Firewall
  - Deeply integrated, easily configurable
  - Doesn’t block outgoing network traffic
  - Can prompt you to open listening ports
  - Allows you to configure “exceptions”
- Some Other Personal Firewalls
  - Zone Lab’s ZoneAlarm
  - Symantec’s Norton Personal Firewall
  - Trend Micro’s PC-cillin Internet Security
  - ISS’s BlackICE PC Protection

Quick Tour 1: The WF
- Go to Start | Settings | Control Panel
- Click “Switch to Classic View”
- Double-click “Network Connections”
- Right-click “Local Area Connection”
- Choose Properties
- Click the Advanced Tab
- Click the “Settings…” Button
- Click the Exceptions Tab
- Use the “Add Program…” or “Add Port…” Button to Configure Exceptions

Quick Tour 1: The WF
In Windows XP SP2 you can go directly to the Windows Firewall control panel, found among all your other control panels.

Quick Tour 1: The WF
If you select a program or port under the Exceptions tab and click “Edit,” you can specify a “scope”: i.e., tell the firewall only to permit traffic from an IP address or range of addresses to the selected program or port. The externally routable network address space for most of SUNet is defined by 171.64.0.0/255.252.0.0, where 255.252.0.0 is the appropriate network mask. Firewall exceptions apply to all network interfaces.

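What the scope value above actually covers, as an added example that is not part of the original slides: it expands each scope entry into its address range and checks whether a source address would fall inside it. The comma-separated list format and the sample source addresses are assumptions made for illustration.

```python
import ipaddress

# Scope value quoted on the slide for most of SUNet.
SUNET_SCOPE = "171.64.0.0/255.252.0.0"

def parse_scope(scope):
    """Turn a comma-separated scope list into ip_network objects.

    strict=True rejects entries whose address has bits set outside the mask
    (for example 171.65.0.0/255.252.0.0), usually a sign that the address
    or the mask was mistyped.
    """
    networks = []
    for entry in scope.split(","):
        entry = entry.strip()
        if entry:
            # A bare address such as 192.0.2.10 becomes a single-host /32.
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks

def describe(scope):
    """Summarise each entry so the real breadth of the exception is visible."""
    return [
        {"cidr": str(net), "first": str(net[0]), "last": str(net[-1]),
         "addresses": net.num_addresses}
        for net in parse_scope(scope)
    ]

def is_permitted(source, scope):
    """True if the source address falls inside any entry of the scope."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in parse_scope(scope))

if __name__ == "__main__":
    print(describe(SUNET_SCOPE))
    # Constructed sample source addresses, not taken from any real log.
    for src in ("171.66.12.34", "171.67.255.255", "171.68.0.1", "192.0.2.10"):
        print(src, "allowed" if is_permitted(src, SUNET_SCOPE) else "blocked")
```

The mask 255.252.0.0 is a /14, so the exception admits 262,144 addresses; narrowing the scope to a departmental subnet or a single host shrinks that exposure accordingly.
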
Quick Tour 2: User Accounts
- Ensure That All User Accounts Have Good Passwords or Pass Phrases
  - By default no remote logon with null password
- Go to Start | Settings | Control Panel
- Click “Switch to Classic View”
- Double-click “User Accounts”
- Click on a User Account by Name
- Choose “Create Password” or…
- To Change an Existing Password, Log in as User Whose Password Is to Be Changed

Quick Tour 2: User Accounts
- Not Available for Windows XP Home
- Go to Start | Settings | Control Panel
- Click “Switch to Classic View”
- Open “Administrative Tools” Folder
- Double-click “Computer Management”
- Click to Expand “Local Users and Groups”
- Click on Users Folder Icon
- Right-click Individual User Accounts by Name and Select “Properties”
- Disable Unneeded Accounts

Quick Tour 3: Auto Updates
- Use Windows Automatic Updates
  - In conjunction with BigFix
- Go to Start | Settings | Control Panel
- Click “Switch to Classic View”
- Double-click Automatic Updates
- Select “Automatic”
- Choose “Every Day”
- Pick a Time When the PC Will Be On
  - But no one has to be logged in
- Click OK

Note on Folder Views
- In Windows Explorer Go to Tools Menu
- Select “Folder Options…”
- Click the View Tab
- Select “Show hidden files and folders”
  - If you look inside the Documents and Settings folder, you’ll now be able to see folders that had been hidden previously
- Uncheck “Hide extensions for known file types”
- Click OK

Note on Windows File Sharing
- Always Disable Unneeded Services
- File & Printer Sharing Is an Open Door
- Go to Start | Settings | Control Panel
- Click “Switch to Classic View”
- Double-click “Network Connections”
- Right-click “Local Area Connection”
- Choose Properties
- Uncheck “File and Printer Sharing”
- Consider Using PC-AFS for File Sharing
  - http://filetransfer.stanford.edu

Encrypting File System
- Stanford Has No Central PKI
  - That’s “Public Key Infrastructure”
  - If something goes wrong, your encrypted data will probably be unrecoverable - lost forever
- Not Supported by XP Home
- 256-bit AES Encryption on >= XP SP1
  - http://msdn.microsoft.com/msdnmag/issues/03/11/AES/
- Use with Caution
  - Back up your EFS certificate
    - http://support.microsoft.com/default.aspx?scid=kb;en-us;223316
  - Win XP provides no default Recovery Agent
    - http://support.microsoft.com/default.aspx?scid=kb;en-us;887414

Encrypting File System
You should encrypt entire folders rather than individual files: All files in that folder will then automatically be encrypted. Right-click the folder you want to encrypt, select Properties from the contextual menu, and under the General tab click the “Advanced…” button. Click the check-box to “Encrypt contents to secure data” and then click the “OK” button.

Encrypting File System
Click the “OK” button to confirm. Note that the labels for encrypted files and folders will be green in color.

Passwords vs. Pass Phrases
- Security: A Tradeoff with Convenience
- Attacks against User Account Passwords
  - Dictionary, Brute-Force & Hybrid Attacks
  - Pre-Computed Hashes
- Password Complexity Is a Function of
  - Length, size of the symbol set, and ordering
  - Thus, assuming a random ordering, for each additional character in a password, cracking becomes exponentially harder
- See This Speaking of Computers Article: http://speaking.stanford.edu/highlights/Passwords_Are_Passe.html

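The length and symbol-set argument above, carried through with numbers as an added example that is not part of the original slides. The sample password and phrase are constructed, and the guess rate and the 7776-word list size are assumptions; the per-word model goes one step beyond the slide to show what the "random ordering" condition means for a phrase built from dictionary words.

```python
import math
import string

# Constructed samples, not real credentials.
PASSWORD = "xK7#mq2!"
PHRASE = "maple river quiet stone lamp"

def symbol_set_size(candidate):
    """Combined size of the character classes the candidate draws from."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " ")
    return sum(len(c) for c in classes if any(ch in c for ch in candidate))

def char_model_bits(candidate):
    """log2(symbols ** length): brute-force cost if every character is random."""
    return len(candidate) * math.log2(symbol_set_size(candidate))

def word_model_bits(word_count, wordlist_size):
    """log2(wordlist_size ** word_count): cost for an attacker who guesses
    whole dictionary words instead of characters."""
    return word_count * math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try the entire search space at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    RATE = 1e9          # assumed guesses per second, for scale only
    WORDLIST = 7776     # assumed size of the list the phrase words came from
    rows = [
        ("8-char password, per character", char_model_bits(PASSWORD)),
        ("28-char phrase, per character", char_model_bits(PHRASE)),
        ("5-word phrase, per word", word_model_bits(5, WORDLIST)),
    ]
    for label, bits in rows:
        print(f"{label:32s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, RATE):.3g} years")
```

The per-character figure for the phrase holds only if its characters are randomly ordered; against a dictionary or hybrid attack the per-word figure is the realistic one, and it still exceeds the 8-character password.
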
Single Sign-On
- If You’ve Got a Really Good Pass Phrase, Why Waste It?
- By Logging in to Windows, You Can Also Log in to PC-Leland
- You Now Have Carte Blanche to Access Many Restricted Stanford Resources
- Configure PC-Leland
  - Right-click the PC-Leland System Tray icon
  - Choose “Settings…,” then Security
  - For instructions see the Security section of http://www.stanford.edu/group/itss/pcleland/help/settings.htm

Malware & Phishing Scams
- Mass-Mailing Worms
  - Arrive as email attachments
  - Generally can’t be activated unless you open an infected attachment
  - Could be embedded in HTML messages
- Phishing Scams
  - Try very hard to look legitimate
    - International Domain Name spoofing doesn’t affect IE
  - Latest scams direct you to a phony web site to enter personal information - or else!
- Don’t open unexpected attachments!
  - or respond to unsolicited requests!

Spyware & Adware
- Spyware Tracks Web Browsing Habits
  - Some “adware” is “legitimate”
  - You have to read the fine print!
- Marketscore Brings a New Twist
  - http://securecomputing.stanford.edu/alerts/windowsmarketscore-jan.html
- Browser Hijacking
  - You’ll notice if this happens to you!
- Be Wary of “Free” Software
  - That includes “security” software!
  - Also some alleged “antispyware” products
- Think Before You Click!
  - Web links, software downloads, etc.

Top 10 Security Measures
- Patch Microsoft Windows Automatically
  - New patches 2nd Tuesday of each month
  - Use BigFix & Windows Automatic Updates
- Use Strong Passwords (even better, pass phrases) for All User Accounts
- Use and Properly Maintain Good Antivirus Software
- Use a Firewall, such as Windows XP’s Built-in Software Firewall
- Don’t Open Suspicious Email Attachments or Respond to Suspicious Requests

Top 10 Security Measures
- Disable Windows File & Printer Sharing
  - So long as you’re not using these services
  - Disable in Local Area Connection Properties
- Disable Unneeded User Accounts
- Don’t Use Automatic Logon (off by default)
  - Less likely to forget your password!
  - http://support.microsoft.com/default.aspx?scid=kb;en-us;315231
- Use the Screen Lock When You Step Away & Shut Down When Gone for Over 6 Hours
- If Possible, Don’t Use Internet Explorer:
  - Try http://www.mozilla.org/firefox

What’s Next?
- ITSS Is Working to Provide
  - Best practices documents for configuring
    - Windows
    - Mac OS X
  - Tools to help standardize configurations
  - Management tools (BigFix, for example)
    - BigFix will also help with asset tracking
  - Controlled Network Access
  - Greater user awareness of good computer security practices
  - Better self-help documentation and tools for ordinary computer users

Tools for Prevention
- Essential Stanford Software: http://ess.stanford.edu
  - Symantec AntiVirus
  - BigFix client (http://patching.stanford.edu)
  - SpySweeper
  - Security Self-Help Tool
- Use the Firefox Web Browser (not IE)
- Stanford Secure Computing Web Site
  - http://securecomputing.stanford.edu
- Microsoft Baseline Security Analyzer
  - http://support.microsoft.com/kb/320454

More Help Resources
- Networking Resources
  - Connect your PC to SUNet: http://www.stanford.edu/dept/itss/ess/pc/sunet.html
  - Stanford’s Netspeed web site: http://netspeed.stanford.edu
- http://helpme.stanford.edu
- “Windows XP: Surviving the First Day”: http://www.sans.org/rr/whitepapers/windows/1298.php
- Use Windows’ Built-in Help
  - Go to Start | Help and Support
- Check out http://www.sysinternals.com

Questions? Research Tools
- If You’ve Been Saving Up Questions, Now’s Your Chance!
- Malware Research & Troubleshooting:
  - http://support.microsoft.com/kb/129972
  - http://www.google.com
  - http://www.sarc.com
  - http://www.mcafeesecurity.com/us/security/home.asp
  - http://housecall.trendmicro.com/
  - http://en.wikipedia.org/wiki/Computer_virus
  - http://www.educause.edu/Browse/645?PARENT_ID=741
  - http://www.spywareinfo.com/
  - http://support.microsoft.com
  - http://www.microsoft.com/technet
  - http://www.cert.org/
  - http://www.cisecurity.org/