Securing the operating system and utilizing the correct tools to combat threats is a major part of computer security. In this section of the guide, we will take a look at some of the tools and processes that should be used to secure a system.
Although not part of the operating system, this seemed like the most appropriate section to include CMOS security. By default, anyone can boot your computer, access your CMOS settings, and have a field day in the setup program. To prevent this, many CMOS programs allow you to create a password in order to access the setup utilities. Some also allow you to create a password that must be entered in order to boot to the operating system. This gives an added layer of security by forcing a person to enter the CMOS password and then the local/network username and password after the operating system loads.
When installing Windows 2000/2003/XP, you will basically be choosing between the FAT32 and NTFS file systems. FAT32 is OK for home systems, but should never be used in a business environment. This is because FAT32 offers no native file level security. NTFS, on the other hand, offers file and folder permissions and encryption. With NTFS you can set permissions on shares, folders, and files that specify which groups and users have access, and what level of access is permitted on NTFS partitions. As for encryption, NTFS supports Microsoft's Encrypting File System which prevents unauthorized access to file contents. The concept of encryption will be discussed in the next tutorial.
All current versions of Windows have local user accounts and groups that determine the user's ability to perform particular functions on their computer. Administrators can lock a computer down so that the user can only perform specific functions, or the user could be a member of the Administrators group and have full control of the system. You do not need to know the specific groups and permissions for the exam, but you need to know what they are and how local accounts, groups, and permissions are different from the network accounts, groups, and permissions.
A firewall is either a hardware (to be discussed in another section) or software entity (or a combination of both) that protects a network or computer by stopping network traffic from passing through it. In most cases, a firewall is placed on the network to allow all internal traffic to leave the network or computer (email to the outside world, web access, etc.), but stop unwanted traffic from the outside from entering the internal network or computer. This is achieved by granting and denying access to various ports. While there are many 3rd party software firewalls available, we will be looking at the one built into Windows XP which is aptly named Windows Firewall.
To access the Windows Firewall, go to the control panels, click the Security Center icon, and then click the Windows Firewall link in the Windows Security Center window. You should see this:
In the window above, you can turn the firewall off. If you click on the Exceptions tab, you will see this:
This window lists the applications that are blocked (unchecked) and allows you to choose which ones to unblock. The default blocks may cause problems with some applications in which case, you may have to go in here and unblock them. This window also allows you to add programs and ports that aren't currently listed.
Click on the Advanced tab and you will see this:
Here you can select the connections that you wish the firewall to protect. You can also set up security logging, configure ICMP (PING), or reset all settings to default.
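The security logging option above makes the firewall record dropped packets in a text log (pfirewall.log in the Windows folder by default). The following is an added example, not part of the original guide, that parses such a log and counts dropped inbound packets by source and port. The sample log lines are constructed, the field layout is assumed to match the log's own #Fields header, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the layout Windows Firewall writes when logging of
# dropped packets is enabled. These lines are illustrative, not real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2007-03-01 10:15:02 DROP TCP 203.0.113.7 192.168.1.10 4312 445 48 S 1234567 0 16384 - - -
2007-03-01 10:15:05 DROP TCP 203.0.113.7 192.168.1.10 4313 445 48 S 1234999 0 16384 - - -
2007-03-01 10:16:40 DROP UDP 198.51.100.23 192.168.1.10 1026 1434 404 - - - - - - -
2007-03-01 10:17:11 OPEN TCP 192.168.1.10 192.0.2.80 1045 80 - - - - - - - -
2007-03-01 10:18:30 DROP ICMP 203.0.113.7 192.168.1.10 - - 60 - - - - 8 0 -
"""


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= 8:  # ignore truncated lines missing the address/port columns
                entries.append(dict(zip(fields, values)))
    return entries


def summarize_drops(entries, local_ip):
    """Count dropped inbound packets per (source IP, protocol, destination port)."""
    drops = Counter()
    for e in entries:
        if e.get("action") == "DROP" and e.get("dst-ip") == local_ip:
            drops[(e["src-ip"], e["protocol"], e["dst-port"])] += 1
    return drops


if __name__ == "__main__":
    entries = parse_firewall_log(SAMPLE_LOG)
    # 192.168.1.10 is the constructed address of the protected computer.
    for (src, proto, port), n in summarize_drops(entries, "192.168.1.10").most_common():
        print(f"{n:3d} dropped  {proto:4s} from {src} to port {port}")
```

A source address that shows up repeatedly against the same port is a good candidate for a closer look in the Security log of the Event Viewer.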
Dealing With Spam:
There are 2 basic tools for fighting spam; software and education. Let's take a look at some of the options available:
Email Filters - There are a variety of email filters available that use algorithms and/or user defined rules to filter junk mail. Services like AOL, Hotmail, Gmail, and others have built-in spam detection filters. Email clients such as Microsoft's Outlook have built-in filtering capabilities, but also offer user configurable rules to filter mail as well. The problem with any type of filtering or rule system is that they can sometimes filter out emails that you do want. Larger organizations often use 3rd party solutions that filter mail at the network level before it ever gets to the client computers.
Education - The best way to avoid spam is for the spammers to never be aware of your email address. One of the easiest ways to ensure your inbox will be flooded with spam is to post your email address on the internet. When you sign up for an account at some sites, your email address may be publicly available, or if you post your email address in a newsgroup to get feedback from people, you are putting yourself at risk as well. Spammers use automated bots to scour the internet looking for email addresses. When one is found, it is added to their mailing list. These lists are then often sold to other spammers as well. Spammers often send out millions of emails to random email addresses and when they get a response, they know they have a "live one" which they will either flood with spam or sell to someone else. It is very important to educate users about the dangers of making their email address publicly available. Users should be instructed to be careful about who they share this information with, and to make sure never to respond to questionable email from people they don't know.
Dealing With Viruses, Trojans, and Worms:
While spam is a huge nuisance, viruses, worms, and trojans are typically a much more critical issue because they can severely damage a system, or even an entire network. Just like above, the solution to dealing with these problems is software and education. Let's take a look at the options available:
Anti-virus Software - There are many different brands of anti-virus software used to detect and eliminate viruses on computers. Some run on servers, some are client-based, and others run on firewalls and other devices. A good anti-virus program not only has the ability to clean viruses and worms when found, but actively scans email, downloads, running applications, etc., to prevent them from being executed in the first place. Virus definition files are what tell the anti-virus software what to look for and how to fix a particular virus or worm if found. Because new viruses are being released all of the time, it is critical to keep the virus definition files up to date.
Education - One of the most common ways that viruses are spread occurs when a user opens an email attachment containing a virus. Users should be taught to never open an attachment from somebody they don't know. They should also be instructed not to download files from untrusted sites as they can contain viruses, worms, and trojans. Administrators in larger organizations can configure policies to prevent users from installing unwanted software that may be infected.
Dealing With Spyware, Adware, and Grayware:
Most spyware and adware is installed by the user. The user may not know that the neat utility they are downloading has spyware or adware attached to or hidden in it, but the end result is the same. The best way to combat these types of applications is to simply not install them and to educate users about the dangers of installing seemingly harmless applications. If you believe that your system has been infected with adware or spyware, first go to the Add/Remove programs control panel and remove all applications that you know do not belong. The next line of defense is to use a 3rd party spyware removal software package such as Spybot or Ad-aware. In fact, you should probably use more than one. Like anti-virus software, these applications have definition files that should be updated before every scan.
Here we are updating our definition file in Ad-aware. Ad-aware is free for personal use, but if you get the professional version, you can detect spyware and adware before it is installed.
As was mentioned in the Security Threats section of this guide, grayware may or may not be a problem. It is up to the individual company to determine which applications are acceptable and which are not. Users should be educated as to the detrimental effects (i.e. network performance) of using grayware applications.
Operating System Updates:
It is important to keep your system service packed and install security updates from the operating system vendor. Windows Update is a service provided in Windows 2000/2003/XP that keeps track of updates installed on your system and will prompt you when additional updates are available. These updates often add additional security tools as was the case with Windows XP Service Pack 2, and usually correct exploitable flaws in the operating system.
There are a couple of ways to configure updates. The easiest way is to have Windows check with Microsoft to see which updates are available for your system and automatically install them. To do this, go to the control panels and open Automatic Updates.
The first option will automatically install Windows updates in the background when they are available. A major issue with this setting is that most updates will require you to restart your system. Windows will periodically interrupt you after the install telling you that it wants to restart, which can be annoying if you are in the middle of a project. You can either set a convenient date and time when you aren't working for the regular updates, or there are a couple of other options. First, you can select the next option, which automatically downloads the files but lets you choose when to install the updates. In this case, Windows will notify you via an icon in the system tray when updates are available. The option below that won't automatically download or install the updates, but will prompt you in the system tray. The final option is to turn Automatic Updates off.
If for some reason you have turned automatic updates off, you should manually check for updates by clicking on your start button and selecting Microsoft Update as shown to the right. Notice there is a Windows Update and a Microsoft Update. Windows Update is the predecessor of the newer Microsoft Update; however, clicking on either of these takes you to the same page on Microsoft's web site. You can also get to this web page by clicking the Windows Update Web Site link in the Automatic Updates control panel applet shown above.
Once at this page, you can scan your system for available updates and select the ones that you wish to download and install.
One of the best tools for auditing security is the Event Viewer. This application logs the application, system, and security events on your system. While the application and system logs are great tools for troubleshooting problems with applications and the operating system, the security section offers a wealth of useful information for finding security issues. To get to the event viewer, double-click on the Administrative Tools control panel applet. Then double-click on the Event Viewer shortcut.
This is the event viewer window. We have already clicked on Security on the left menu (Note that if you have IE 7 installed, Internet Explorer will also appear on the left menu). After selecting Security, we see a list of security events that have been recorded. We have a failure showing. To check this out, simply double-click on the Failure Audit item and more information about the event will be displayed as shown below.
Here we have a description of what the problem is and a link to Microsoft's Knowledge Base page for information on how to deal with this event.
By default, none of these events show up in the security section of the event viewer - we have to go turn them on first. To do this, we need to go back to the Administrative Tools section of the control panels and select Local Security Settings. On the left menu, click Local Policies and then Audit Policy. The right pane will show the audit policies currently in effect. Simply double-click on the policy to configure it.