Professor Windows - December 2002
A Look into Windows XP Professional Security
Tal Sarid, Solutions Security Architect, Microsoft Israel
David Cross, Program Manager, Microsoft Corporation
Whether or not IT security is part of your daily job, you cannot neglect the security aspects of the software in your organization. Working on the Internet, and on the intranet as well, exposes your computer, your operating system's functionality, and your valuable data to attack. In the vast world of IT security, where VPNs, SSL and other "cool" three-letter acronyms (TLAs) grow and prosper, there is unfortunately a common tendency to neglect client-side security: the security of your desktop. There is more to client security than anti-virus software, that's for sure. This short article gives you a look into the security features of Windows XP Professional, along with some helpful tips.
Secure By Default
Even if you don't know the first thing about security, the Windows XP Professional operating system includes some basic features which were designed with increased security in mind, along with some more advanced options:
- Remote connections to a Windows XP Professional machine are forced to use the Guest account rather than local user accounts.
- No blank-password logon unless you are physically at the machine. Remote connections, and requests made through the Secondary Logon service, will not authenticate a local user account that has a blank password; only an interactive logon will. Note that when you join a domain this behavior no longer applies (you now live within your domain's security policies and boundaries). It also does not apply to the Guest account.
- NTFS permissions
- Ability to grant permissions on shares based on users' unique IDs (SIDs)
- Ability to encrypt files and folders, with no additional installation needed (more information below).
- Secure password repository (Credential Manager), allowing a client-side SSO (Single Sign-On) mechanism.
- New Group Policy settings to control the look, feel and functionality of the OS, along with a new type of policy called "Software Restriction Policies" (aka SAFER), which allows or disallows applications to run and thus controls how software is executed on the machine. Software Restriction Policies work according to rules based on Path, Internet Zone, Certificate or Hash.
- Smart Card support, including the ability to condition the execution of tools such as net.exe or runas.exe to require a Smart Card (Note: In addition, when Windows Server 2003 comes out, you'll be able to auto enroll and renew Smart Card certificates to a Windows XP Professional client).
- Encrypted Remote Assistance (RA) sessions to strengthen remote control and support sessions (for more information on Remote Assistance in Windows XP, see eXPeriencing Remote Assistance).
- SysKey can be used to further protect your Windows XP machine. SysKey was first introduced in Windows NT 4.0 and makes it more difficult for an attacker to compromise passwords on a Windows machine: it encrypts the SAM database with strong encryption, increasing the effort needed to carry out such attacks and thus rendering them infeasible to the potential attacker.
- Internet Connection Firewall (ICF) with IP filtering and many other features
- Advanced cookie handling and blocking (e.g. blocking 3rd party sites cookies) using P3P in IE 6
Let's take a closer look at some of these technologies.
Encrypting Your Data
EFS (Encrypting File System), first introduced in Windows 2000, enables users to encrypt and decrypt files, thus keeping their files safe from intruders who might gain unauthorized physical access to sensitive, locally stored data (e.g. a stolen laptop, an external disk drive, etc.). When using EFS you work with encrypted files and folders just as you would with any other files and folders, since the encryption is transparent: if the EFS user is the same person who encrypted the file or folder, the system automatically decrypts it when the user accesses it. An intruder, however, is prevented from accessing any encrypted files or folders.
EFS in Windows XP Professional has been enhanced with great new capabilities. Here are some of the new benefits, along with some helpful tips:
- Supports encryption of the offline files cache. This wasn't supported in Windows 2000. Now you can work with offline files and folders and encrypt all your offline data.
- Multi-user EFS: the ability to grant other users permission to decrypt your encrypted files. As cool and useful as it is, note that multiple EFS users can be specified only on individual files (not folders), and that you can specify only individual users, not groups.
- Supports working against a WebDAV share. WebDAV is an HTTP 1.1 extension that basically makes HTTP "writable", so you can use URLs the way you access file shares. Note that there's a difference between opening an encrypted file over WebDAV and over a file share: WebDAV first downloads the file to your PC and then decrypts it locally, whereas files on "regular" file shares are decrypted on the server and sent over the wire in clear text. This means you can store encrypted blobs in WebDAV shares at your favorite Internet storage provider (MSN, for example). When working with file shares and encrypted content, you may want to take into consideration that your files will travel across the wire "bare naked" in clear text.
- Use of either local (self-signed) certificates or certificates issued by a CA (Certificate Authority, e.g. Windows core PKI services). Certificates are stored locally under \Documents and Settings\yossis\Application Data\Microsoft\SystemCertificates\My\Certificates (where yossis is the user's profile folder).
- EFS routines can be automated from the command line, which is very helpful in many scenarios where EFS is used. You can use Cipher.exe to work with encrypted files and folders from CMD: decrypt specified directories, mark directories so that files added afterwards will not be encrypted (or vice versa), force the encryption operation on all specified files and folders, and many more related tasks.
- In a domain environment, Administrators can easily add someone to the role of a recovery agent via group policy. In many companies, someone such as the security officer is generally designated as a recovery agent.
Restricting Software By Rules
I'll let you in on a personal secret of mine (well, ok, it isn't personal anymore after millions of TechNet readers are reading these lines now):
I have never played Solitaire in my life. Ever! In fact, I don't even know the game rules. Before you start to laugh at my expense, here's an example for you:
Unlike myself, think how fairly easy it is to "persuade" your average user to double-click and execute "an innocent" sol.exe file. It looks familiar to most of us; we even recognize the icon and everything. But are we sure this is the "original" sol.exe that we are supposed to be running? Hmm... Good question. How do we know it hasn't been "planted" there and once executed it will run in the background leaving a backdoor wide open into our system?
Protecting against viruses and Trojans has always been the #1 task of desktop security. A new type of Group Policy based setting, Software Restriction Policies, can be used to granularly control the ability of software to run on your local computer, according to specific rules. You can protect your computer from unknown or untrusted code and applications by configuring which applications are allowed to run.
Software restriction policies allow administrators to either:
- Allow all software to run by default, except for explicitly specified software
- Disallow all software from running by default, except for explicitly specified software
The cool part is that, since these settings are applied at the GPO level, different sites, domains and OUs can have different settings. You can configure these rules by using one or all of the following:
- Path rule: A path rule identifies programs by their file path (e.g. if a computer has a default security level of Disallowed, you can grant unrestricted execution from specific folders, such as %windir%, %programfiles% or %temp%).
- Internet Zone rule: a zone rule can identify software from the zone that is specified through Internet Explorer. These zones are Internet, Local computer, Local Intranet, Restricted Sites, and Trusted Sites. Note that these rules only apply to Windows Installer packages (MSI files).
- Certificate Rule: a rule that identifies a file by its signing certificate. You can create a certificate rule which identifies software and then, depending on the security level, allows or does not allow it to run (e.g. you can use certificate rules to automatically trust software from a trusted source in your domain without prompting the user). Note that these rules do not apply to files with .exe or .dll extensions. They can be applied to scripts and Windows installer packages.
- Hash rule: a hash is a series of bytes with a fixed length that uniquely identifies a program or file, computed by a hash algorithm. You can identify files by their hash using both the SHA-1 (Secure Hash Algorithm) and MD5 hash algorithms (e.g. when you allow a file to run by creating a hash rule, the file still produces the same hash, and still runs fine, if it is renamed or moved to another folder. Any tampering with the file's content, however, changes its hash value and prevents its execution). Note that Software Restriction Policies will only recognize hashes that have been calculated using Software Restriction Policies.
Figure 1 Configuring Sol.exe to run by a specific hash rule
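To make the path and hash rule types concrete, here is a small Python model of default-deny Software Restriction Policy evaluation. It is an added example written for this article, not Microsoft code and not the real SRP engine: the Policy class, the folder names and the stand-in sol.exe bytes are constructed, certificate and zone rules are omitted, and the precedence it applies (hash rule, then path rule, then the default level) is an assumption kept simple for illustration. It goes slightly beyond the text by showing why a path rule alone, which trusts a location rather than content, does not catch a planted file, while a hash rule does.

```python
"""Simplified model of Software Restriction Policy path and hash rules.

Added illustration for this article; not Microsoft code and not the real SRP
engine. Only the behaviour the text describes is modelled: a default security
level, path rules, hash rules (SHA-1 and MD5), and the fact that a file's hash
survives a rename or move but not tampering. Certificate and zone rules are
left out, and the precedence used (hash rule, then path rule, then default)
is an assumption kept simple for illustration.
"""
import hashlib
import os
import shutil
import tempfile

UNRESTRICTED = "Unrestricted"  # software may run
DISALLOWED = "Disallowed"      # software is blocked


def hashes_of_bytes(data):
    """SHA-1 and MD5 hex digests of a byte string, the two algorithms SRP hash rules use."""
    return {"sha1": hashlib.sha1(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}


def file_hashes(path):
    """Hash a file's contents; the file name and location play no part."""
    with open(path, "rb") as f:
        return hashes_of_bytes(f.read())


class Policy:
    """Hypothetical policy object: a default level plus path and hash rules."""

    def __init__(self, default_level=DISALLOWED):
        self.default_level = default_level
        self.path_rules = {}   # normalized absolute directory -> level
        self.hash_rules = {}   # SHA-1 hex digest -> level

    def add_path_rule(self, directory, level):
        self.path_rules[os.path.normcase(os.path.abspath(directory))] = level

    def add_hash_rule(self, path, level):
        # As the article notes, a hash rule is created from an existing file.
        self.hash_rules[file_hashes(path)["sha1"]] = level

    def evaluate(self, path):
        """Return the security level that applies to the file at `path`."""
        digest = file_hashes(path)["sha1"]
        if digest in self.hash_rules:           # hash rules identify content, wherever it lives
            return self.hash_rules[digest]
        directory = os.path.normcase(os.path.dirname(os.path.abspath(path)))
        matches = [(len(d), lvl) for d, lvl in self.path_rules.items()
                   if directory == d or directory.startswith(d + os.sep)]
        if matches:                             # most specific (longest) path rule wins
            return max(matches)[1]
        return self.default_level


def demo():
    """Replay the sol.exe scenario from the article with constructed files."""
    work = tempfile.mkdtemp(prefix="srp-demo-")
    windir = os.path.join(work, "Windows")       # stands in for %windir%
    downloads = os.path.join(work, "Downloads")  # an untrusted location
    os.makedirs(windir)
    os.makedirs(downloads)

    # Constructed stand-in for the genuine sol.exe; not a real executable.
    genuine = os.path.join(windir, "sol.exe")
    with open(genuine, "wb") as f:
        f.write(b"MZ constructed placeholder for the real Solitaire binary")

    policy = Policy(default_level=DISALLOWED)    # the "disallow all by default" mode
    policy.add_path_rule(windir, UNRESTRICTED)
    policy.add_hash_rule(genuine, UNRESTRICTED)

    results = {"genuine in windir": policy.evaluate(genuine)}

    # Same bytes, renamed and moved: the hash rule still matches.
    renamed = os.path.join(downloads, "cards.exe")
    shutil.copyfile(genuine, renamed)
    results["renamed copy"] = policy.evaluate(renamed)

    # A "planted" sol.exe: same name, one byte changed, so a different hash.
    with open(genuine, "rb") as f:
        tampered = bytearray(f.read())
    tampered[-1] ^= 0xFF
    planted = os.path.join(downloads, "sol.exe")
    with open(planted, "wb") as f:
        f.write(bytes(tampered))
    results["planted in downloads"] = policy.evaluate(planted)  # no rule -> default

    # The same planted file dropped into the trusted folder: the path rule
    # trusts location, not content, so it would run. Only a hash rule notices.
    planted_in_windir = os.path.join(windir, "solitaire.exe")
    shutil.copyfile(planted, planted_in_windir)
    results["planted in windir"] = policy.evaluate(planted_in_windir)

    # A Disallowed hash rule overrides the trusted folder's path rule.
    policy.add_hash_rule(genuine, DISALLOWED)
    results["hash-blocked in windir"] = policy.evaluate(genuine)

    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case:24s} -> {level}")
```

Running the script prints one line per case; the renamed copy is still allowed because only the bytes are hashed, the planted copy outside the trusted folder falls through to the Disallowed default, and the planted copy inside the trusted folder shows the limit of a path rule on its own.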
Securely Storing User Passwords
Using multiple credentials can be a pain when working in a heterogeneous environment where users have to access different content sources. Mechanisms have periodically been developed to address this, and Windows XP Professional introduces an easy and secure way of storing user passwords for servers, allowing the user to transparently connect to servers using user names and passwords that differ from those used to log on.
Stored user passwords can be managed via the GUI using the Keyring. The Keyring can be invoked from Control Panel -> User Accounts -> Advanced -> Manage Passwords.
The great thing about this technology is that end users can enjoy a single sign on experience when browsing and accessing different servers, domains, internet sites and applications, without having to put up with annoying credentials pop-ups.
Tip: You can also manage your stored passwords using a Windows Server 2003 tool called cmdkey.exe. This tool is part of the upcoming Windows Server 2003 operating system; you can simply extract the file cmdkey.exe from a Windows Server 2003 build (when these lines were written, RC1 was the latest officially released milestone).
Figure 2 Using cmdkey to manage saved user passwords
Hopefully this gave you an overall view of the security capabilities incorporated into Windows XP Professional, and of how you can start using them today.
Microsoft's Security homepage
Microsoft TechNet Security bulletins and resources for IT professionals
Security How-To's for Windows XP
Best Practices for Encrypting File System
Use Software Restriction Policies in the Windows Server 2003 Family
For any feedback regarding the content of this column, please write to Microsoft TechNet. Please be aware that a response is not guaranteed.