Document: Windows 2000/XP Professional pptx


Windows 98/Me Security - SANS ©2001

1 - 1 Windows 2000/XP Professional

The upgrade to Windows 2000 Professional is Windows XP Professional. The upgrade to Windows 2000 Server will be Windows Server .NET. Windows 2000 and XP Professional are very similar. They both inherit multiple security configuration tools from the Windows 2000 platform – but XP adds some new security features as well. Any study of Windows 2000/XP Professional should keep in mind the numerous Windows 2000 platform security features.

Windows Legacy Desktop Security - SANS ©2001

1 - 2 Goals
• Distinguish between ‘Professional’ and Server versions of Windows 2000
• Learn the new security features of Windows XP
• Map strategy for securing these workstations, both as domain members, and as standalone systems

It's important to distinguish between the Professional, or desktop, edition of Windows 2000 and Windows 2000 Server. While many of the security features mentioned in the previous discussion are relevant here, this section looks at security from the desktop system perspective.

1 - 3 Professional vs. Server
• Similar code base and architecture
• Server is meant to be server
• Professional meant for desktop system

It's important to note that a special version of Windows 2000, Windows 2000 Professional, is available for desktop use. Although the code base and architecture are similar, Professional is tuned for foreground application processing and lacks many of the server features and tools. The security features available parallel those available to Windows 2000 standalone servers. In fact, distinct security policies for ‘secure’ and ‘high security’ workstation and server versions do not exist. Instead, one security policy template exists to enable the application of like features to both.

1 - 4 Home vs. Professional

Home Edition
• ICS
• ICF
• NTFS

XP Professional
• ICS
• ICF
• NTFS
• EFS
• Ability to join domain

XP also exists in a ‘Home’ edition. Many features of XP are not available in the Home Edition. It is meant to be used in a ‘standalone’, non-business-networked, home use environment. XP Home Edition does not support EFS or Group Policy. Although XP Home Edition systems cannot join a Windows domain, they can participate in a network environment by using the built-in Internet Connection Sharing feature. They can protect themselves, and computers connecting through this feature to the Internet, by using their Internet Connection Firewall. They cannot encrypt files using the Encrypting File System (EFS).

1 - 5 Workgroup vs. Domain

Workgroup
• Local account database
• Logon using local account
• User rights assigned locally
• Access to local resources via local group or account

Domain member
• Local account database
• Logon using domain account
• User rights assigned to domain accounts and groups
• Access to local resources should be controlled by membership in domain groups

The task of securing a Windows desktop system depends in part on whether the system is joined in a domain. W2K Professional and XP can exist as desktop systems which are either workgroup or domain members. As a standalone or workgroup member, each machine has its own security account database. Access to the system itself is controlled via logon accounts, unless automatic logon is desired. As a member of a domain, system access can be via local account database account, or domain account. The best practice is via a domain account. Access to the system files, registry, and local printer can be controlled by setting Discretionary Access Control Lists (DACLs) on the resource. In a domain environment, access to domain resources is controlled via domain account membership in groups which are granted access via DACLs on resources.
1 - 6 Professional/XP Security Features
• Security Templates
• Security Configuration and Analysis
• Local Security Policy
• NTFS File System
• Encrypting File System
• Central Control through Group Policy

Regardless of domain membership, security settings for each Professional system can be set by applying a security template using Security Configuration and Analysis or by configuring a Local Security Policy. Domain membership provides the ability to set security policy via group policies. Domain policy will win where conflicts arise. While the implementation is different, Windows 2000/XP systems that use NTFS support file encryption. While use of NTFS is recommended, both systems support FAT and FAT32 file systems.

1 - 7 Managing Clients in a Domain

While Windows 2000/XP can join a Windows NT domain, adding them to a Windows 2000 domain provides additional centralized control. Windows 2000 Site, Domain, and OU Group Policies can be created to manage security policy settings, as well as provide administrative control of application installation, logon and logoff scripts, and desktop application restrictions and utility management. Administrative authority can be delegated, allowing ordinary users who require a few administrative rights to have them without making these users full administrators. When Windows .NET server is available, it will also provide centralized management and control of Windows 2000/XP Professional systems. Windows XP adds the ability to view the resultant set of policies for any user on a computer. This tool can be used to troubleshoot policy problems.

1 - 8 Operating System Reliability Improvements
• Compatibility
• Device and Driver Issues
• Shutdown Event Tracker
• Crash Recovery and Analysis

Windows XP includes and expands Windows 2000 system reliability improvements. This includes improved compatibility, increased device and hardware support, and crash recovery and analysis features. Windows XP represents convergence between home user/desktop systems from the Windows 9x family to the business Windows 2000 systems. Availability is a part of security. Windows XP improves reliability over Windows 9x via compatibility, device and hardware support, shared DLL support, the Shutdown Event Tracker, online crash analysis, Windows driver protection, and device driver rollback.

1 - 9 Compatibility
• Compatibility
• Safe sharing of DLLs

Compatibility – approximately 1000 major programs, currently compatible with Windows 9x and most Windows 2000 applications. The exceptions are virus and backup programs. These programs must be explicitly written for Windows XP. A compatibility wizard can also be used to assist the administrator in providing additional application compatibility.

Safe sharing of DLLs – the effects of DLL hell are mitigated by the ability to use side-by-side component sharing. Prior to Windows 2000, system and application DLLs were often overwritten when new applications were installed. This resulted in poor system stability and the ability of a newly installed application to prevent an existing application from running well or at all. Side-by-side component sharing means multiple versions of a component can run at the same time. In XP, this means that Win32 components and applications use the exact version of components that they require.

1 - 10 Device and Driver Issues
• Device and Hardware Support
• Windows Driver Protection
• Device Driver Rollback

Many compatibility and system reliability issues are the result of poorly written device drivers. Windows XP offers support for many new device drivers.

Windows Driver Protection – A defective driver database allows XP to prevent the installation of known problem device drivers when the Add Hardware Wizard is used. If other methods of installation (programmatic or manual registry modification) are used, they may allow the installation of these drivers. However, use of the update site will reveal problem issues that may exist on the machine.

Device Driver Rollback – Copies of existing drivers are automatically saved when an update is installed. If a malfunctioning device driver is loaded, the system can be rolled back to the previous driver. No reinstallation is necessary.

[...]

... activation

1 - 17

XP Professional System Security
• Encrypting File System
• Centralized Control of Security Policy

In addition to Home edition security features, Windows XP Professional is able to benefit from Windows 2000 domain-based security features, such as the centralized control of security policy and the Encrypting File System.

1 - 18

Like Windows 2000, ...

... are ready to be installed.

Windows Update – The Windows Update site provides a central location for security / reliability and system updates. Consumer updates are available from windowsupdate.microsoft.com. Administrators can download a Dynamic Update package for use by computers on their network. Corporate updates are available from corporate.windowsupdate.microsoft.com.

1 - 13

Windows XP provides new functionality ...

... application window in Windows XP. Windows 2000 Professional requires access to Task Manager.

1 - 12

In addition to service packs, which must be downloaded and manually applied, Windows XP allows automatic update.

Dynamic update – Updated system files can be downloaded from Microsoft during system installation by choosing the Dynamic Update option in setup.

Automatic Updates – By default, Windows XP is configured ...

Internet Protocol Security (IPSec) – Like Windows 2000 Professional, XP can use IPSec policies to block protocols and to protect communications between machines.

1 - 20

Best Practices
• System Updates
• System Access
• Resource Access
• Using Built-in Security Devices
• Policy Settings

To conclude, let's review some Windows Professional/XP system best practices ...

... including limiting the use of accounts with blank passwords to console logon. While users of Windows NT Workstation and Windows 2000 Professional also benefit from individual logon and the ability to prevent private file access by other users, this is a real increase in security for most home users who previously used Windows 9x or ME. Since each user has their own account, they each rely on individual profiles ...

... have only guest privileges. (In Windows 2000 and previous Windows operating systems, a user connecting across the network has the privileges associated with the local account.) Connection using a domain account will operate in the normal manner. This ‘force network logon using local accounts to authenticate as Guest’ policy can be modified. User accounts (local Windows XP Professional accounts) without ...

... this computer can be used to protect it. Users of Windows XP (and of Windows XP Professional in a standalone or workgroup setting) can use Fast User Switching to change between user accounts without logging off and then logging on again.

1 - 16

XP Product Activation
• What information does Product Activation send to Microsoft?
• When might it be reactivated?

...

Shadow Copy – Exact, point-in-time copies of files (including open files) can be made without interrupting user activity. Even open files and files in use can be backed up.

Last Known Good – Windows NT and Windows 2000 Professional allow the startup using essential registry information from a previous successful system startup. XP adds the ability to also restore at this time the last known good device drivers ...

... registry. Locate the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Reliability And change the value of ShutdownReasonUI 1

1 - 11

Crash Recovery and Analysis
• Online crash analysis
• Unresponsive application closure

Online Crash Analysis – After a Stop error (blue screen crash event), Windows XP can be rebooted and a browser can be used to ...

... configuration from its files, replaces disk signatures on the disk for volumes required to restart the system, starts a simple installation of Windows XP and restores system data from its disk.

System Restore Enhancements – This system function, first available in Windows ME, monitors and records key system changes. Changes can thus be undone, or a previous configuration can be reverted to. User data (documents, ...
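
An added example, not part of the SANS course material: a short Python check that reads a security template of the kind the notes describe (for instance one exported with `secedit /export /cfg`) and reports settings that miss a baseline, including the restriction of blank-password accounts to console logon. The template text is constructed, and the baseline thresholds and the function name are assumptions.

```python
import configparser

# Constructed sample: a fragment of an exported security template (.inf).
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

# Assumed baseline for illustration only (thresholds are not from the slides).
# Each entry: section, key, check on the raw value, human-readable requirement.
BASELINE = [
    ("System Access", "MinimumPasswordLength", lambda v: int(v) >= 8, ">= 8"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= int(v) <= 5, "1..5"),
    # "4,1" = REG_DWORD 1: blank-password accounts limited to console logon.
    ("Registry Values", LSA + "LimitBlankPasswordUse",
     lambda v: v.replace(" ", "") == "4,1", "4,1"),
]


def audit_template(text, baseline=BASELINE):
    """Return (key, found, required) for every baseline setting not met."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    parser.read_string(text)  # option names are matched case-insensitively
    findings = []
    for section, key, check, required in baseline:
        value = parser.get(section, key, fallback=None)
        if value is None:
            findings.append((key, "not defined", required))
            continue
        value = value.strip()
        try:
            ok = check(value)
        except ValueError:  # non-numeric value where a number is expected
            ok = False
        if not ok:
            findings.append((key, value, required))
    return findings


if __name__ == "__main__":
    for key, found, required in audit_template(SAMPLE_TEMPLATE):
        print(f"FAIL {key}: found {found}, required {required}")
```

Real exported templates are usually saved as Unicode text, so decode the file accordingly before passing its contents to the function.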

Date posted: 24/01/2014, 09:20
