Security Recommendations for Windows Desktop Computers (Revised 12/01)
This document addresses potential security risks that exist in the Microsoft desktop operating system environment and makes recommendations on how to protect the system and data on your desktop computer. Many of these recommendations can be applied to your home computer so that it will be protected while connected to the Internet via your Internet Service Provider (ISP). Please be sure to read all three sections for the Windows platform you are using.
Contents:
Windows 9x (Windows 95 and 98): Problems that Can Occur; Establishing Good Security Practices; Protecting Your Computer on the Network
Windows NT Workstation: Problems that Can Occur; Establishing Good Security Practices; Protecting Your Computer on the Network
Windows 2000 Professional: Problems that Can Occur; Establishing Good Security Practices; Protecting Your Computer on the Network
Windows XP Professional: Problems that Can Occur; Establishing Good Security Practices; Protecting Your Computer on the Network
Additional URLs on Windows Security
University Contacts for Help
Guidelines for Establishing Strong Passwords
Problems that Can Occur
A workstation that is unprotected may be subject to accidental or hostile intrusion. This intrusion could result in the loss or compromise of data stored on the hard disk subsystem. Specific potential problems for unprotected workstations include copying or destruction of applications, masquerading as an authorized user in order to gain access to privileged data, and performing malicious acts aimed at destroying the functionality of the computer. These problems can be exacerbated when your computer is connected to a network.
Establishing Good Security Practices for Windows 9x
Windows 9x’s security system is not foolproof and does not provide the same level of security as Windows NT Workstation. Windows 9x’s security system is designed to keep users out of resources they are not intended to use; it does not offer much protection against those who are determined to break in.
Share Level and User Level Security
There are two types of security in Windows 9x – share level and user level. With share level security each shared resource has a particular set of access rights which apply only to the resource regardless of which user tries to access the resource. If you set up your hard disk as a shared resource and give it a share level password, all users who know this password may access your hard drive. With this kind of security each resource is protected by a password, and you can use passwords for read-only access and for read/write access. Passwords should not be easily guessed. See these guidelines for strong passwords.
With user level security, you create a list of users who have access to a particular resource. In order for a user to gain access to this resource, he must be on the list. You can require a password and can use user level security for a variety of services including file and print sharing, backup agent, network management and dial-up networking.
Password Security and Physical Access
Windows 9x is not designed to be secure and is not protected from unauthorized use. Even if a username and password are set to protect the desktop, anyone with physical access to the computer can log on using a new name and password or bypass the login box entirely by pressing the Escape key.
For a higher level of security, add-on utilities are needed. There are many shareware utilities at www.windows98.com. If you don’t control physical access to your computer, you should consider using one of these utilities. If you have enabled user profiles, you can modify Windows 9x to be more secure. See www.conitech.com/windows/secure.html for more information. You can also download CLASP95 from www.cyberenet.net/~ryan or the killer security application StopLight 95 ELS at www.safe.net/security/default.asp.
If you are storing data on your Windows 9x computer that you do not want other people to access, you should save it to a file server where access controls are in place, or you can encrypt it with a program such as PGP or one of the many file encrypters that are available.
Service Packs and Fixes
One of the best protections against any security vulnerability is to make sure that the latest version of all the software running on the computer is installed including the latest operating system patches. Regularly check the Microsoft web site (www.microsoft.com) for patches and fixes plus many links to other information on security issues related to their products.
Protecting Windows 9x Computers on the Network
Sharing Resources
File sharing is a feature that allows access to directories and printers connected to your computer. Quite often people turn on this feature and inadvertently allow remote access to the contents of their entire hard drive. Indiscreet access to printers can allow malicious people to waste resources by sending very large print jobs to your printer.
If you need the functionality of multiple users having access to the same files on a computer, you should consider installing a file server which provides much greater control over access to shared files and protects against individual PCs being compromised.
If file sharing must be turned on, be certain that a username and password are required to access the share and that the password is strong. See these guidelines for strong passwords.
Hacker Attacks
Windows 9x does not have strong native security and is vulnerable to security problems when connected to a TCP/IP network. It has been the target of many hacker intrusions, such as Back Orifice, which allows full control and manipulation of a Windows PC over the network. Microsoft has suggested some safe computing practices that you can follow in order to prevent this kind of intrusion, such as not downloading software from sources you do not know and not installing software that is not digitally signed. Your computer will be safer if you do not share any resources, do not enable remote administration, do not enable the Windows 9x Dial-Up Server, require a logon password for your computer and do not allow others physical access to your computer.
It is also important that you install and always have running a virus scanner. New viruses appear constantly, and for a virus scanner to be effective it must be constantly updated to counteract these new viruses. It is best to install a scanner program that automates the download of the new virus signatures.
If you suspect that your computer is being hacked, here is a list of University contacts for help.
Establishing Good Security Practices for Windows NT Workstation
Windows NT was designed with security as one of its principal foundations, and the security subsystem is built into the core of the operating system. Windows NT is not, however, secure immediately after it is installed. It can be made secure and administrators/users must take the time to utilize the security provided by the operating system architecture.
Services and Protocols
NT by default runs some services that are not needed and are potential security risks. Go to the Services icon in the Control Panel and disable services that aren’t essential to the work you’re doing. Be careful with this since some services may be needed by your system even when you don’t think they are being used. Generally, disable them one-by-one and keep notes on which services you disable so that you can reactivate them if a problem develops later. It is generally recommended that for security reasons you disable the following services: NetBIOS Interface, RPC and Server. Also be sure to remove any networking protocols you are not using; each one consumes memory even when not being used. Generally, NetBEUI is not needed and should be removed; TCP/IP is necessary for Internet connectivity and NWLink is used for connecting to a NetWare environment.
Service Packs and Fixes
One of the best protections against any security vulnerability is to make sure that the latest version of all the software running on the computer is installed including the latest operating system patches. Regularly check the Microsoft web site (www.microsoft.com) for patches and fixes plus many links to other information on security issues related to their products.
Password Security and Physical Access
Windows NT Workstation requires a logon to the local machine as well as a logon to the network if the workstation/user is a member of an NT Domain or a NetWare network. It is recommended that you use different passwords for the local workstation login and the network login. Although it may be inconvenient to have to remember two passwords, it does increase security. If you have synchronized your passwords and someone discovers your workstation password, they will then also have access to the network via your account. It is also recommended that you follow these guidelines for the establishment of strong passwords.
Login and user identification for Windows NT Workstation is much more sophisticated and secure than for Windows 9x, where the login process is not secure. A Security Accounts Manager (SAM) database containing username and password data is stored on the local machine, and during the login process the security subsystem verifies the username and password that is entered against the data in this database. If a user does not have an account on the local machine or does not enter his username and password correctly, access is denied and he cannot use the workstation.
There are two workstation default user accounts that need to be protected. The Administrator account has full, unrestricted system access and cannot be deleted, disabled or locked out. However, this account can be renamed. This account should have a strong password in order to protect the local machine. The Guest account cannot be deleted, but it can be disabled, locked out and renamed. This account does not save user preferences or configuration changes and has a default blank password. It is important to rename and assign a password for both the Administrator and Guest accounts to maximize security. It is recommended to use strong passwords that are outlined in the password guidelines.
Protecting Windows NT Workstation Computers on the Network
Remote Access Services
Remote Access Service (RAS) is the capability of connecting to Windows NT over dial-up modem lines. Windows NT Workstation supports a single RAS connection. While Windows NT RAS does have several built-in security features to protect access and ensure authentication, it is a favorite target of hackers trying to infiltrate a network. There are many programs readily available on the Internet that hackers can use to gain access via RAS. One such tool is a demon-dialer program that dials every number in an exchange looking for those that answer with a modem. If proper security settings have not been set up on the RAS host, the intruder can easily gain access to the network via this hole. Because of the possibility of significant security breaches with RAS on Windows NT Workstation, it is recommended that you do not enable this service. RAS is more effective on a Windows NT Server, which provides more connections and a centralized approach to access control and security configuration.
Hacker Attacks
It is important to remove all sample software from your workstation. Sample software is a favorite target of hackers. There are often specific hacks designed to exploit sample software.
It is also important that you install and always have running a virus scanner. New viruses appear constantly, and for a virus scanner to be effective it must be constantly updated to counteract these new viruses. It is best to install a scanner program that automates the download of the new virus signatures.
The security of strong passwords is the first step in preventing an intrusion by a hacker. There are many tools available on the Internet that hackers can use in an attempt to discover passwords on Windows NT systems. It is very important to set up your workstation with strong passwords and proper access control to the data contained on the hard disk subsystem. See the section on Additional URLs on Windows Security for more information on establishing secure configurations.
If you suspect that your computer is being hacked, here is a list of University contacts for help.
Establishing Good Security Practices for Windows 2000 Professional
Windows 2000 has more security features than any of the previous versions of Windows. Many of the default settings of Windows NT that proved to cause problems have been corrected in Windows 2000; however, it is still necessary to make certain adjustments to harden the system in order to have a safe machine while connected to the network. The following are several steps that should be taken to make Windows 2000 Professional more secure:
Verify that all disk partitions are formatted with NTFS
NTFS partitions offer access controls and protections that aren't available with the FAT, FAT32, or FAT32x file systems. Make sure that all partitions on your computer are formatted using NTFS. If necessary, use the convert utility to non-destructively convert your FAT partitions to NTFS.
Warning: If you use the convert utility, it will set the ACLs for the converted drive to Everyone: Full Control. Use the fixacls.exe utility from the Windows NT Server Resource Kit to reset them to more reasonable values.
Verify that the Administrator account has a strong password
Windows 2000 allows passwords of up to 127 characters. In general, longer passwords are stronger than shorter ones, and passwords with several character types (letters, numbers, punctuation marks, and nonprinting ASCII characters generated by using the ALT key and three-digit key codes on the numeric keypad) are stronger than alphabetic or alphanumeric-only passwords. For maximum protection, make sure the Administrator account password is at least nine characters long and that it includes at least one punctuation mark or nonprinting ASCII character in the first seven characters. In addition, the Administrator account password should not be synchronized across multiple computers. Different passwords should be used on each computer to raise the level of security in the workgroup or domain.
It is not recommended that you synchronize your local Windows 2000 Pro password with your network password, because that would allow an intruder who succeeded in obtaining your local password to also have access to the network.
Disable or delete unnecessary accounts
You should review the list of active accounts periodically (for both users and applications) on the system in the Administrative Tools/Computer Management/Local Users snap-in, disable any non-active accounts and delete accounts which are no longer required.
Set strong password policies
Use the Local Security Policy snap-in in Control Panel/Administrative Tools to strengthen the system policies for password acceptance. Microsoft suggests that you make the following changes:
- Set the minimum password length to at least 8 characters
- Set a minimum password age appropriate to your network (typically between 1 and 7 days)
- Set a maximum password age appropriate to your network (typically no more than 42 days)
- Set a password history maintenance (using the "Remember passwords" option) of at least 6
Install antivirus software and updates
It is imperative to install antivirus software and keep up to date on the latest virus signatures on all Internet and intranet systems. More antivirus and security information is available on the Microsoft TechNet Security Web site at: http://www.microsoft.com/technet/treeview/default.asp?url=/tech
Restrict Physical Access
Be sure that your Windows 2000 Professional workstation cannot be accessed when you are away from your desk. Either shut down the machine or use a password on your screen saver in order to protect your machine. Physical access to a machine enables a hacker to run programs that reveal or manipulate your local password.
Protecting Windows 2000 Professional Computers on the Network
Disable unnecessary services
After installing Windows 2000, you should disable any network services not required for the computer. In particular, you should consider whether your computer needs any IIS 5.1 Web services.
Protect files and directories
Refer to the Default Access Control Settings in Windows 2000 document on the Microsoft TechNet Security Web site for details on the default Windows 2000 file system ACLs and how to make any necessary modifications.
Make sure the Guest account is disabled
By default, the Guest account is disabled on systems running Windows
2000. If the Guest account is enabled, disable it.
Set account lockout policy
Windows 2000 includes an account lockout feature that will disable an account after an administrator-specified number of logon failures. For maximum security, enable lockout after 3 to 5 failed attempts, reset the count after not less than 30 minutes, and set the lockout duration to "Forever (until admin unlocks)".
Configure the Administrator account
Because the Administrator account is built into every copy of Windows 2000, it presents a well-known target for attackers. To make it more difficult to attack the Administrator account, do the following for the local Administrator account on each computer:
- Rename the account to a nonobvious name (e.g., not "admin," "root," etc.)
- Establish a decoy account named "Administrator" with no privileges. Scan the event log regularly looking for attempts to use this account.
- Enable account lockout on the real Administrator accounts by using the passprop utility.
- Disable the local computer's Administrator account.
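To see how the lockout settings above and the decoy Administrator account work together on the defending side, here is an added example (Python, not from this document or from Microsoft) that replays constructed logon events through the recommended policy (lock after 5 failures, reset the counter after 30 minutes, keep the account locked until an administrator unlocks it) and flags every attempt to use the decoy account. The log line format, account names and addresses are constructed for the example; a real Windows machine records these events in the Security event log.

```python
"""Account lockout simulation and decoy-Administrator detection.

Added example (not from the original document). Models the Windows 2000
policy the text recommends: lock an account after N failed logons, reset
the failure counter once 30 minutes pass without a failure, and keep the
account locked until an administrator unlocks it. It also flags every
logon attempt against a decoy account named "Administrator", which by
construction has no legitimate users. The log format below is constructed
for this example; Windows writes Security event log records, not these lines.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOCKOUT_THRESHOLD = 5                          # the text suggests 3 to 5 failures
RESET_COUNTER_AFTER = timedelta(minutes=30)    # "reset the count after not less than 30 minutes"
DECOY_ACCOUNT = "Administrator"                # the real account has been renamed

# Constructed sample events, oldest first: "date time OUTCOME user=... src=..."
SAMPLE_LOG = """\
2001-12-03 08:00:00 FAILURE user=jsmith src=console
2001-12-03 08:00:10 SUCCESS user=jsmith src=console
2001-12-03 09:15:02 FAILURE user=Administrator src=10.0.0.7
2001-12-03 09:15:04 FAILURE user=Administrator src=10.0.0.7
2001-12-03 09:15:06 FAILURE user=Administrator src=10.0.0.7
2001-12-03 09:15:09 FAILURE user=Administrator src=10.0.0.7
2001-12-03 09:15:11 FAILURE user=Administrator src=10.0.0.7
2001-12-03 09:15:13 FAILURE user=Administrator src=10.0.0.7
2001-12-03 10:00:00 FAILURE user=tleonard src=console
2001-12-03 10:45:00 FAILURE user=tleonard src=console
"""


@dataclass
class AccountState:
    failures: int = 0                      # current bad-password count
    last_failure: Optional[datetime] = None
    locked: bool = False                   # stays True until an admin unlocks


def parse_event(line):
    """Split one constructed log line into (timestamp, outcome, user, source)."""
    date, time, outcome, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, outcome, kv["user"], kv["src"]


def simulate(log_text, threshold=LOCKOUT_THRESHOLD, reset_after=RESET_COUNTER_AFTER):
    """Replay logon events in order; return per-account state and a list of alerts."""
    states = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = parse_event(line)
        state = states.setdefault(user, AccountState())

        # Any use of the decoy account is suspicious: nobody should log on with it.
        if user == DECOY_ACCOUNT:
            alerts.append(f"{ts} decoy account used from {src} ({outcome})")

        if outcome == "SUCCESS":
            if state.locked:
                alerts.append(f"{ts} logon recorded for locked account {user} from {src}")
            else:
                state.failures = 0         # a correct password clears the counter
            continue

        # FAILURE: forget stale failures once the reset window has elapsed.
        if state.last_failure and ts - state.last_failure >= reset_after:
            state.failures = 0
        state.failures += 1
        state.last_failure = ts
        if state.failures >= threshold and not state.locked:
            state.locked = True            # "Forever (until admin unlocks)"
            alerts.append(f"{ts} account {user} locked after {state.failures} failures")
    return states, alerts


if __name__ == "__main__":
    states, alerts = simulate(SAMPLE_LOG)
    for user, st in states.items():
        print(f"{user:15} failures={st.failures} locked={st.locked}")
    for a in alerts:
        print("ALERT", a)
```

In the sample, tleonard's two failures are 45 minutes apart, so the counter resets and the account is never locked, while the burst against the decoy account both locks it and produces an alert for every attempt.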
Remove all unnecessary file shares
All unnecessary file shares on the system should be removed to prevent possible information disclosure and to prevent malicious users from leveraging the shares as an entry to the local system.
Set the appropriate ACLs on all necessary file shares
By default all users have Full Control permissions on newly created file shares. All shares that are required on the system should be ACL'd such that users have the appropriate share-level access (e.g., Everyone = Read).
Note: The NTFS file system must be used to set ACLs on individual files in addition to share-level permissions.
Install the latest Service Pack
Each Service Pack for Windows includes all security fixes from previous Service Packs. Microsoft recommends that you keep up to date on Service Pack releases and install the correct Service Pack as soon as your operational circumstances allow. The current Service Pack for Windows 2000 is available at http://www.microsoft.com/windows2000/downloads/servicepacks/
Install the appropriate post-Service Pack security hotfixes
Microsoft issues security bulletins through its Security Notification
Service. When these bulletins recommend installation of a security hotfix,
you should immediately download and install the hotfix on your computer.
Establishing Good Security Practices for Windows XP Professional
If you are already familiar with the security model in Microsoft® Windows NT® 4.0 and Microsoft® Windows® 2000, you will recognize many of the features in Windows XP Professional. At the same time, you will also find a number of familiar features that have changed significantly, and new features that will improve your ability to manage system security.
Remember: When you’re working with Windows XP Professional as part of a workgroup or in a stand-alone environment, and you have administrator rights to your computer, you’ll have access to all of the operating system’s security features. If your Windows XP Professional-equipped computer is part of a domain, your options will be determined by the policies set by the IT administrator.
Verify that all disk partitions are formatted with NTFS
NTFS partitions offer access controls and protections that aren't available with the FAT, FAT32, or FAT32x file systems. Make sure that all partitions on your computer are formatted using NTFS. If necessary, use the convert utility to non-destructively convert your FAT partitions to NTFS.
Warning: If you use the convert utility, it will set the ACLs for the converted drive to Everyone: Full Control. Use the fixacls.exe utility from the Windows NT Server Resource Kit to reset them to more reasonable values.
Verify that the Administrator account has a strong password
In general, longer passwords are stronger than shorter ones, and passwords with several character types (letters, numbers, punctuation marks, and nonprinting ASCII characters generated by using the ALT key and three-digit key codes on the numeric keypad) are stronger than alphabetic or alphanumeric-only passwords. For maximum protection, make sure the Administrator account password is at least nine characters long and that it includes at least one punctuation mark or nonprinting ASCII character in the first seven characters. In addition, the Administrator account password should not be synchronized across multiple computers. Different passwords should be used on each computer to raise the level of security in the workgroup or domain.
It is not recommended that you synchronize your local Windows XP Pro password with your network password, because that would allow an intruder who succeeded in obtaining your local password to also have access to the network.
Disable or delete unnecessary accounts
You should review the list of active accounts periodically (for both users and applications) on the system in the Control Panel/Performance and Maintenance/Administrative Tools/Computer Management/Local Users snap-in, disable any non-active accounts and delete accounts which are no longer required.
Install antivirus software and updates
It is imperative to install antivirus software and keep up to date on the latest virus signatures on all Internet and intranet systems. More antivirus and security information is available on the Microsoft TechNet Security Web site at: http://www.microsoft.com/technet/treeview/default.asp?url=/tech
Restrict Physical Access
Be sure that your Windows XP Professional workstation cannot be accessed when you are away from your desk. Either shut down the machine or use a password on your screen saver in order to protect your machine. Physical access to a machine enables a hacker to run programs that reveal or manipulate your local password.
Protecting Windows XP Professional Computers on the Network
Controlled Network Access
Windows XP provides built-in security to keep intruders out. It does this by limiting anyone trying to gain access to your computer from a network to "guest"-level privileges. If intruders attempt to break into your computer and gain unauthorized privileges by guessing passwords, they will be unsuccessful, or obtain only limited, guest-level access.
Managing Network Authentication
An increasing number of Windows XP Professional–based systems are connected directly to the Internet rather than to domains. This makes proper management of access control (including strong passwords and permissions associated with different accounts) more critical than ever. To ensure security, the relatively anonymous access control settings commonly associated with open Internet environments need to be curtailed. As a result, the default in Windows XP Professional requires all users logging on over the network to use the Guest account. This change is designed to prevent hackers attempting to access a system across the Internet from logging on by using a local Administrator account that has no password.
Force Guest
The sharing and security model for local accounts lets you choose between the Guest-only security model and the Classic security model. In the Guest-only model, all attempts to log on to the local computer from across the network are forced to use the Guest account. In the Classic model, users who log on to the local computer from across the network authenticate as themselves. This policy does not apply to computers that are joined to a domain; otherwise, Guest-only is enabled by default. If the Guest account is enabled and has a blank password, it will be permitted to log on and access any resource authorized for access by the Guest account. The “force network logons using local accounts to authenticate as Guest” policy determines whether a local account that connects directly to a computer on the network must authenticate as Guest. You can use this policy to limit the permissions of a local account that is attempting to access system resources on the target computer: if you enable it, all local accounts that attempt to connect directly are limited to Guest permissions, which are usually severely restricted.
Blank Password Restriction
To protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can only be used to log on at the physical computer console. By default, accounts with blank passwords can no longer be used to log on to the computer remotely over the network, or for any other logon activity except at the main physical console logon screen. For example, you cannot use the secondary logon service (RunAs) to start a program as a local user with a blank password. Assigning a password to a local account removes the restriction that prevents logging on over a network. It also permits that account to access any resources it is authorized to access, even over a network connection.
Caution: If your computer is not in a physically secured location, it is recommended that you assign passwords to all local user accounts. Failure to do so allows anyone with physical access to the computer to log on using an account that does not have a password. This is especially important for portable computers, which should always have strong passwords on all local user accounts.
Note: This restriction does not apply to domain accounts. It also does not apply to the local Guest account. If the Guest account is enabled and has a blank password, it will be permitted to log on and access any resource authorized for access by the Guest account. If you want to disable the restriction against logging on to the network without a password, you can do so through Local Security Policy.
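The Force Guest model and the blank-password restriction above interact, and it is easy to misjudge which identity a given logon ends up with. The following added example (Python, not from this document or from Microsoft) encodes the rules as stated here in one decision function and checks the cases the text walks through. Assumptions, not taken from the page: domain accounts simply authenticate as themselves, and a Guest-only logon is denied when the Guest account is disabled.

```python
"""Decision model for Windows XP Professional logons by local accounts.

Added example (not from the original document). It encodes, as one function,
the Guest-only ("force guest") sharing model and the blank-password
restriction described in the text, so their interaction can be checked
scenario by scenario. Assumptions: domain accounts authenticate as
themselves, and when the Guest-only model maps a logon to Guest while the
Guest account is disabled, the logon is denied.
"""
from typing import NamedTuple


class Machine(NamedTuple):
    domain_joined: bool   # the Guest-only policy does not apply to domain members
    force_guest: bool     # Guest-only sharing model (the workgroup default)
    guest_enabled: bool   # Guest account is disabled unless an admin enables it


class Decision(NamedTuple):
    allowed: bool
    runs_as: str          # identity the session receives, "" when denied
    reason: str


def local_logon(machine, account, password_blank, console, domain_account=False):
    """Decide whether a logon succeeds and which identity it receives.

    console=True models the physical console logon screen; console=False
    covers network logons and other logon types such as RunAs.
    """
    if domain_account:
        return Decision(True, account,
                        "domain accounts are outside the local-account restrictions")
    if console:
        # Blank passwords are tolerated only here; the account is still itself.
        return Decision(True, account, "console logon; blank password permitted here")

    # From here on: a local account logging on over the network or via RunAs.
    if account.lower() == "guest":
        if machine.guest_enabled:
            return Decision(True, "Guest",
                            "enabled Guest account may log on even with a blank password")
        return Decision(False, "", "Guest account is disabled")
    if password_blank:
        return Decision(False, "",
                        "blank-password restriction: account usable only at the console")
    if machine.force_guest and not machine.domain_joined:
        if machine.guest_enabled:
            return Decision(True, "Guest", "Guest-only model maps the logon to Guest")
        # Assumption: nothing to map the logon to, so it fails.
        return Decision(False, "", "Guest-only model but Guest disabled (assumed denial)")
    return Decision(True, account, "Classic model: local account authenticates as itself")


# Constructed machine configurations for the scenarios below.
WORKGROUP_DEFAULT = Machine(domain_joined=False, force_guest=True, guest_enabled=False)
WORKGROUP_SHARING = Machine(domain_joined=False, force_guest=True, guest_enabled=True)
CLASSIC_MODEL = Machine(domain_joined=False, force_guest=False, guest_enabled=True)
DOMAIN_MEMBER = Machine(domain_joined=True, force_guest=False, guest_enabled=False)


def scenarios():
    """Return (label, Decision) pairs for the cases the text describes."""
    return [
        ("blank pw, console", local_logon(WORKGROUP_DEFAULT, "jsmith", True, True)),
        ("blank pw, network/RunAs", local_logon(WORKGROUP_DEFAULT, "jsmith", True, False)),
        ("password, Guest-only", local_logon(WORKGROUP_SHARING, "jsmith", False, False)),
        ("password, Classic", local_logon(CLASSIC_MODEL, "jsmith", False, False)),
        ("Guest enabled, blank pw", local_logon(WORKGROUP_SHARING, "Guest", True, False)),
        ("Guest disabled", local_logon(WORKGROUP_DEFAULT, "Guest", True, False)),
        ("domain account", local_logon(DOMAIN_MEMBER, "VCU\\jsmith", False, False, True)),
    ]


if __name__ == "__main__":
    for label, d in scenarios():
        print(f"{label:26} allowed={d.allowed!s:5} runs_as={d.runs_as or '-':8} {d.reason}")
```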
Encrypting File System
The increased functionality of Encrypting File System (EFS) has significantly enhanced the power of Windows® XP Professional by providing additional flexibility for users when they deploy security solutions based on encrypted data files. EFS is based on public-key encryption and takes advantage of the CryptoAPI architecture in Windows XP. The default configuration of EFS requires no administrative effort: you can begin encrypting files immediately. EFS automatically generates an encryption key pair and a certificate for a user if one does not exist already. EFS can use either the expanded Data Encryption Standard (DESX) or Triple-DES (3DES) as the encryption algorithm. Both the RSA Base and RSA Enhanced software cryptographic service providers (CSPs) included in the operating system may be used for EFS certificates and for encryption of the symmetric encryption keys. If you encrypt a folder, all files and subfolders created in, or added to, the encrypted folder are automatically encrypted. It is recommended that you encrypt at the folder level to prevent plain-text temporary files from being created on the hard disk during file conversion.
Encrypting File System (EFS) protects sensitive data in files that are stored on disk using the NTFS file system. EFS is the core technology for encrypting and decrypting files stored on NTFS volumes. Only the user who encrypts a protected file can open the file and work with it. This is especially useful for mobile computer users.
Install the latest Service Pack
Each Service Pack for Windows includes all security fixes from previous Service Packs. Microsoft recommends that you keep up to date on Service Pack releases and install the correct Service Pack as soon as your operational circumstances allow. Information on the current service packs for Windows XP is available at http://www.microsoft.com/windowsxp/default.asp.
Install the appropriate post-Service Pack security hotfixes
Microsoft issues security bulletins through its Security Notification
Service. When these bulletins recommend installation of a security hotfix,
you should immediately download and install the hotfix on your computer.
Disable unnecessary services
After installing Windows XP Professional, you should disable any network services not required for the computer. In particular, you should consider whether your computer needs any IIS Web services.
Smart Card Support
A smart card is an integrated circuit card (ICC) approximately the size of a credit card. You can use it to store certificates and private keys and to perform public key cryptography operations, such as authentication, digital signing, and key exchange. Smart cards can be used only by workstations that log into a Windows domain. If you are not a member of a Windows domain, you cannot use smart card technology.
A smart card enhances security as follows:
- It provides tamper-resistant storage for private keys and other forms of personal identification.
- It isolates critical security computations involving authentication, digital signatures, and key exchange from parts of the system that do not require this data.
- It enables moving credentials and other private information from one computer to another (for example, from a workplace computer to a home or remote computer).
Additional URLs on Windows Security
www.zdnet.com for 10 steps to make Windows NT secure
www.scar.uq.edu.au/95/checklist.html for the University of Queensland Win95 Security Checklist
www.ntsecurity.net for NT security news
www.sans.org for good security information and articles
www.ntfaq.com/security.html for the Windows NT FAQ on security
www.trustedsystems.com/NSAGuide.htm for the Windows NT Security Guidelines for the NSA
www.microsoft.com/security/ for Microsoft security announcements
www.emf.net/~ddonahue/NThacks for Windows NT exploits
www.trusnet.com/seclinks/nt.html for Windows NT configuration guides
www.microsoft.com/WINDOWS2000/ for Windows 2000 information and service packs
www.microsoft.com/windowsxp/default.asp for Windows XP information
University Contacts for Help
Your local network manager
Vernon Williams, VCUNet (8-9843 x 121), vwilliams@hsc.vcu.edu
MCV Campus: Tilghman Broaddus, TS/Media & Computing Services (8-9843 x 125)
Monroe Park Campus: Terry Leonard, TS/Media and Computing Services (7-1644), tlleonar@vcu.edu
Guidelines for Establishing Strong Passwords
Password security is one of the most important steps you can take to protect your system and the network. Although many users may think that the information on their system is not very important and they don’t need to be cautious, many break-ins into the network begin with a hacker first gaining access to a user account. Then the door is open for that hacker to attempt to gain access to the network. Hackers are often clever and have tools that enable them to infiltrate the network, sometimes without being detected until it is too late.
Although a determined hacker given enough time and opportunity can usually discover most passwords, it is important to make it as difficult as possible by using strong passwords. Strong passwords should have the following characteristics:
- 6 or more characters
- Do not use common names, words that are searchable from a dictionary or words associated with your personal life which can be easily guessed
- Do not use publicly accessible personal information such as your license plate number, SSN, birthday, etc.
- A combination of letters and numbers is a good choice
- An acronym for a common phrase is a good choice since it is difficult to crack yet easy for you to remember
- Change your password periodically if you are not forced to do so on your network
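As an added example (Python, not from this document), the checker below turns the guidelines above, together with the stricter Administrator-account rule from the Windows 2000 and XP sections (at least nine characters, with a punctuation mark or nonprinting ASCII character in the first seven), into a function that reports exactly which rule a candidate password breaks. The DICTIONARY set and the personal details passed in are small constructed stand-ins for a real word list and a user's own public information.

```python
"""Password checker for the rules stated in this document.

Added example (not from the original document). It tests a candidate
password against the general guidelines (6 or more characters, not a
dictionary word or personal information, a mix of letters and numbers)
and, when admin=True, the Administrator-account rule from the Windows 2000
and XP sections (at least nine characters, with a punctuation mark or
nonprinting ASCII character among the first seven). DICTIONARY and the
personal_info argument are constructed stand-ins for real data.
"""
import string

# Constructed stand-in for a dictionary; a real check would load a full word list.
DICTIONARY = {"password", "welcome", "summer", "richmond", "letmein", "secret"}


def is_nonprinting(ch):
    """ALT + keypad codes can enter control characters; treat those as nonprinting."""
    return ord(ch) < 32 or ord(ch) == 127


def check_password(pw, personal_info=(), admin=False):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    minimum = 9 if admin else 6
    if len(pw) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("should combine letters and numbers")
    # A dictionary word stays guessable when digits or punctuation are tacked on.
    core = lowered.strip(string.digits + string.punctuation)
    if core in DICTIONARY:
        problems.append("is a dictionary word")
    for item in personal_info:
        if item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    if admin:
        first_seven = pw[:7]
        if not any(c in string.punctuation or is_nonprinting(c) for c in first_seven):
            problems.append("Administrator password needs punctuation or a nonprinting "
                            "character within the first seven characters")
    return problems


if __name__ == "__main__":
    # Constructed personal details (username, license plate) that are easy to look up.
    known = ("jsmith", "XYZ123")
    for candidate, admin in [("password1", False), ("jsmith2001", False),
                             ("Tgifl8wfd", False), ("Tgifl8wfd", True),
                             ("Tgi,f-l8wfd", True)]:
        result = check_password(candidate, known, admin)
        print(f"{candidate!r:15} admin={admin!s:5} {'OK' if not result else '; '.join(result)}")
```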
