Windows 2000/XP Professional

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:22

lượt xem

Windows 2000/XP Professional

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

The upgrade to Windows 2000 Professional is Windows XP Professional. The upgrade to Windows 2000 Server will be Windows Server .NET. Windows 2000 and XP Professional are very similar. They both inherit multiple security configuration tools from the Windows 2000 platform – but XP adds some new security features as well. Any study of Windows 2000/XP Professional should keep in mind the numerous Windows 2000 platform security features.

Chủ đề:

Nội dung Text: Windows 2000/XP Professional

  1. Windows 2000/XP Professional Windows 98/Me Security - SANS ©2001 1 The upgrade to Windows 2000 Professional is Windows XP Professional. The upgrade to Windows 2000 Server will be Windows Server .NET. Windows 2000 and XP Professional are very similar. They both inherit multiple security configuration tools from the Windows 2000 platform – but XP adds some new security features as well. Any study of Windows 2000/XP Professional should keep in mind the numerous Windows 2000 platform security features. 1-1
  2. Goals • Distinguish between ‘Professional’ and Server versions of Windows 2000 • Learn the new security features of Windows XP • Map strategy for securing these workstations, both as domain members, and as standalone systems Windows Legacy Desktop Security - SANS ©2001 2 Its important to distinguish between the Professional, or desktop edition of Windows 2000, and Windows 2000 Server. While many of the security features mentioned in the previous discussion are relevant here, this section looks at security from the desktop system perspective. 1-2
  3. Professional vs. Server • Similar code base and architecture • Server is meant to be server • Professional meant for desktop system Windows Legacy Desktop Security - SANS ©2001 3 Its important to note that a special version of Windows 2000, Windows 2000 Professional, is available for desktop use. Although the code base and architecture is similar, Professional is tuned for foreground application processing and lacks many of the server features and tools. The security features available parallel those available to Windows 2000 standalone servers. In fact, distinct security policies for ‘secure’ and ‘high security’ workstation and server versions do not exist. Instead, one security policy template exists to enable the application of like features to both. 1-3
  4. Home vs. Professional Home Edition XP Professional • ICS • ICS • ICF • ICF • NTFS • NTFS • EFS • Ability to join domain Windows Legacy Desktop Security - SANS ©2001 4 XP also exists in a ‘Home’ edition. Many features of XP are not available in the Home Edition. It is meant to be used in a ‘standalone’ non-business-networked, home use environment. XP Home Edition does not support EFS or Group Policy. Although XP Home Edition systems cannot join a Windows domain, they can participate in a network environment by using the built in Internet Connection Sharing feature. They can protect themselves, and computers connecting through this feature to the Internet, by using their Internet Connection Firewall. They cannot encrypt files using the Encrypting File System (EFS). 1-4
  5. Workgroup vs. Domain Workgroup Domain member • Local account database • Local account database • Logon using local • Logon using domain account account • User rights assigned to • User rights assigned domain accounts and locally groups • Access to local • Access to local resources via local resources should be group or account controlled by membership in domain groups Windows Legacy Desktop Security - SANS ©2001 5 The task of securing a Windows desktop system depends in part on whether the system is joined in a domain. W2K Professional and XP can exist as desktop systems which are either workgroup or domain members. As a standalone or workgroup member, each machine has its own security account database. Access to the system itself is controlled via logon accounts, unless automatic logon is desired. As a member of a domain, system access can be via local account database account, or domain account. The best practice is via a domain account. Access to the system files, registry, and local printer can be controlled by setting Discretionary Access Controls Lists (DACLs) on the resource. In a domain environment, access to domain resources is controlled via domain account membership in groups which are granted access via DACLs on resources. 1-5
  6. Professional/XP Security Features • Security Templates • Security Configuration and Analysis • Local Security Policy • NTFS File System • Encrypting File System • Central Control through Group Policy Windows Legacy Desktop Security - SANS ©2001 6 Regardless of domain membership, security settings for each Professional system can be set by applying a security template using Security Configuration and Analysis or by configuring a Local Security Policy. Domain membership provides the ability to set security policy via group policies. Domain policy will win where conflicts arise. While the implementation is different, Windows 2000/XP systems that use NTFS, support file encryption. While use of NTFS is recommended, both systems support FAT and FAT32 file systems. 1-6
  7. Managing Clients in a Domain Windows Legacy Desktop Security - SANS ©2001 7 While Windows 2000/XP can join a Windows NT domain, adding them to a Windows 2000 domain provides additional centralized control. Windows 2000 Site, Domain, and OU Group Policies can be created to manage security policy settings, as well as provide administrative control of application installation, logon and logoff scripts, and desktop application restrictions and utility management. Administrative authority can be delegated, allowing ordinary users who require a few administrative rights to have them without making these users full administrators. When Windows .NET server is available, it will also provide centralized management and control of Windows 2000/XP Professional systems. Windows XP adds the ability to view the resultant set of policies for any user on a computer. This tool can be used to troubleshoot policy problems. 1-7
  8. Operating System Reliability Improvements • Compatibility • Device and Driver Issues • Shutdown Event Tracker • Crash Recovery and Analysis Windows Legacy Desktop Security - SANS ©2001 8 Windows XP includes and expands Windows 2000 system reliability improvements. This includes improved compatibility, increased device and hardware support, and crash recovery and analysis features. Windows XP represents convergence between home user/desktop systems from the Windows 9x family to the business Windows 2000 systems. Availability is a part of security. Windows XP improves reliability over Windows 9x via compatibility, device and hardware support, shared dll support, the Shutdown Event tracker, online crash analysis, windows driver protection, and device driver rollback. 1-8
  9. Compatibility • Compatibility • Safe sharing of DLL’s Windows Legacy Desktop Security - SANS ©2001 9 Compatibility - approximately 1000 major programs, currently compatible with Windows 9x and most Windows 2000 applications. The exceptions are virus and backup programs. These programs must be explicitly written for Windows XP. A compatibility wizard can also be used to assist the administrator in providing additional application compatibility. Safe sharing of dll’s – the effects of DLL hell are mitigated by the ability to use side-by-side component sharing. Prior to Windows 2000, system and application dll’s were often overwritten when new applications were installed. This resulted in poor system stability and the ability of a newly installed application to prevent an existing application from running well or at all. Side-by- side component sharing means multiple versions of a component can run at the same time. In XP, this means that Win32 components and applications use the exact version of components that they require. 1-9
  10. Device and Driver Issues • Device and Hardware Support • Windows Driver Protection • Device Driver Rollback Windows Legacy Desktop Security - SANS ©2001 10 Many compatibility and system reliability issues are the result of poorly written device drivers. Windows XP offers support for many new device drivers. Windows Driver Protection – A defective driver database allows XP to prevent the installation of known problem device drivers when the Add Hardware Wizard is used. If other methods of installation (programmatic or manual registry modification) are used, they may allow the installation of these drivers. However, use of the update site will reveal problem issues that may exist on the machine. Device Driver Rollback – Copies of existing drivers are automatically saved when an update is installed. If a malfunctioning device driver is loaded, the system can be rolled back to the previous driver. No reinstallation is necessary. 1 - 10
  11. Shutdown Event Tracker –The Shutdown Event Tracker allows you to document the reasons for system shutdown. You can record the reason for a normal system shutdown in the systems log and thus keep a maintenance record. Should you have an unexpected crash, information must be collected at system reboot. (If the information is not collected, the user is logged off.) To add this option, you must edit the registry. Locate the key: HKEYLocalMachine\Software\Microsoft\Windows\CurrentVersion\Reliability And change the value of ShutdownReasonUI 1 1 - 11
  12. Crash Recovery and Analysis • Online crash analysis • Unresponsive application closure Windows Legacy Desktop Security - SANS ©2001 12 Online Crash Analysis – After a Stop error (blue screen crash event), Windows XP can be rebooted and a browser can be used to upload system log details of the shutdown to Microsoft Product services for analysis by Microsoft. Within 24 hours, an analysis report (any known information on the cause and how to avoid it) will be returned to you. Visit for more information. Unresponsive application closure - now available from the application window in Windows XP. Windows 2000 Professional requires access to Task Manager. 1 - 12
  13. In addition to service packs, which must be downloaded and manually applied, Windows XP allows automatic update. Dynamic update – Updated system files can be downloaded from Microsoft during system installation by choosing the Dynamic Update option in setup. Automatic Updates – By default, Windows XP is configured to automatically download updates and notify the user that they are ready to be installed. Windows Update – The Windows Update site provides a central location for security / reliability and system updates. Consumer updates are available from Administrators can download a Dynamic Update package for use by computers on their network. Corporate updates are available from 1 - 13
  14. Windows XP provides new functionality for backing up and restoring the system state. These include:. Shadow Copy – Exact, point-in-time copies of files (including open files) can be made without interrupting user activity. Even open files and files in-use can be backed up. Last Known Good – Windows NT and Windows 2000 Professional allow the startup using essential registry information from a previous successful system startup. XP adds the ability to also restore at this time the last known good device drivers. Recovery from problems with newly installed device drivers is now possible without reinstalling previous device drivers. Automated System Recovery(ASR) – This is a replacement for the Windows NT/2000 emergency repair disk. Applications, system state, critical files, and Plug and Play portions of the registry are backed up by using the ASR wizard in Backup to produce an ASR disk. Recovery can be accomplished by pressing F2 during the text portion of system boot and selecting recovery. ASR reads disk configuration from its files, replaces disk signatures on the disk for volumes required to restart the system, starts a simple installation of Windows XP and restores system data from its disk. System Restore Enhancements – This system function, first available in Windows ME, monitors and records key system changes. Changes can thus be undone, or a previous configuration can be reverted to. User data (documents, drawings, e-mail) are not changed. Restore points are created each day, by default, as well as at signification system events such as device or application installation. Users can also create restore points. Improvements over Windows ME include: Selective drive monitoring, support for NTFS compressions, Group Policy application, better performance, and the ability to remove all but the latest restore point. System Restore can be accomplished and a restore point created at Start\All Programs\Accessories\System Tools\System Restore 1 - 14
  15. The Internet Connection Firewall (ICF) is designed for use by homes and small businesses, and for corporate users who telecommute or travel with laptop computers. Active packet filtering (the dynamic opening and closing of ports) allows access to the services on a network you wish to use, while protecting your system against intrusions. Ports and resources (including printer and network shares) cannot be scanned. No personal firewall can guarantee system invulnerability to an attack, but ICF significantly reduces the threat of an external attack. ICF can be used on a LAN, Point-to-Point Protocol over Ethernet (PPPoE, an IETF draft standard for cable and DSL connections). Information on traffic generated by the local computer, or by computers on the internal network which are using Internet Connection Sharing is kept in a table on the ICF computer, thus responses to these outward bound requests are allowed through the firewall. While unsolicited in-bound traffic is dropped without user notification, a log can be kept for review. In addition, port mapping, or the opening of specific ports for external access, can be configured. Thus, a Windows XP computer can host a web site if appropriately configured. 1 - 15
  16. Security for the Home User Windows Legacy Desktop Security - SANS ©2001 16 XP Home edition security features provide advanced security for the home user. This includes individual logon, profiles, web privacy preferences, cookie management, protection of other systems on home networks, Internet Connection Sharing, Internet Connection Firewall, shared document folders, separate, protectable file storage. Policy settings protect users from themselves, including limiting the use of accounts with blank passwords to console logon. While users of Windows NT Workstation and Windows 2000 Professional also benefit from individual logon and the ability to prevent private file access by other users, this is a real increase in security for most home users who previously used Windows 9x or ME. Since each user has their own account, they each rely on individual profiles within which can be set internet site access restrictions. Each user has their own Documents folder which can be automatically configured so that only they can access it. Items which need to be shared by multiple users can be placed in shared folders. Setup of these features is easier than it is in Windows 2000 or NT. If multiple computers are present in a home network, the internet connected system can be used to provide internet connectivity for all. Windows XP’s Internet Connection Sharing (ICS) uses DHCP to internally accessible IP addresses for these systems and Network Address Translation (NAT) to allow them connectivity to the Internet. Only the computer connected to the Internet is visible on the Internet. The Internet Connection Firewall on this computer can be used to protect it. Users of Windows XP (and of Windows XP Professional in a standalone or workgroup setting) can use Fast User Switching to change between user accounts without logging off and then logon again. 1 - 16
  17. XP Product Activation • What information does Product Activation send to Microsoft? • When might it be reactivated? Windows Legacy Desktop Security - SANS ©2001 17 Packaged product (Home version and retail and single system Professional purchase) XP requires product activation within 30 days of installation. Activation requires the owner or user of the system to contact Microsoft, either over the Internet (silent) or via telephone. Activation is not registration. Activation does not require the divulgence of personal information. However, without activation, the product will cease to work, and product activation can be re-triggerd if substantial hardware changes (either at one time or cumulatively) are made to the system. The XP system may be activated if the system has ceased functioning. Mandatory information is the product ID (unique to the application) and a hardware hash (a non- unique representation of the PC). (Office and Visio also require the name of the country). Volume licensed product (5 or more licenses acquired through the volume licensing program) do not require activation. 1 - 17
  18. XP Professional System Security • Encrypting File System • Centralized Control of Security Policy Windows Legacy Desktop Security - SANS ©2001 18 In addition to Home edition security features, Windows XP Professional is able to benefit from Windows 2000 domain based security features, such as the centralized control of security policy and the Encrypting File System. 1 - 18
  19. Like Windows 2000, XP has the built-in ability for file encryption. However, Windows XP offers unique functionality and additional capabilities, which may make the system more vulnerable to data loss. Differences include: 1. DESX (the expanded Data Encryption Standard) or Triple-DES (3DES) can be used as the encryption algorithm. 2. Windows XP EFS does not require a Data Recovery Agent to be available in order for files to be encrypted. If no Data Recovery Agent exists, a self-signed certificate is generated and used. If the certificate is corrupted or lost, the encrypted files are unrecoverable. 3. To disable EFS on Windows XP, uncheck Local Securty Policy\Public Key Policies\Encrypting File System properties page ‘Allow users to encrypt files using Encrypting File System’. Even in a domain environment in which the EFS policy has been deleted, file encryption on Windows XP is possible. When .NET server is available, it is expected to have the ability for key recovery vs file recovery. 4. XP encrypted files may be shared by the user who encrypts the file. This user selects additional users and the system adds additional Data Decryption fields using the added user’s certificate. This can be a problem, as every added user also has the ability to share these files with other users. 5. Offline files can be encrypted. This will allow the protection of sensitive files that are cached on local systems. 6. Encrypted files can be safely stored on networked computers using Web Distributed Authoring and Versioning (WebDAV) web folders. These files will not be decrypted and travel the network in clear text. They remain encrypted. 1 - 19
  20. Windows 2000 offers additional Local Security Policy settings and its defaults are different. Guest only security model. Connection from the network to Windows XP by the use of a local account, reduces the account to the security status of guest. This prevents attackers from using hacked or guessed passwords for privileged local accounts. Even if the local Administrator account is left blank – an attacker successfully connecting across the network will have only guest privileges. (In Windows 2000 and previous Windows operating systems, a user connecting across the network has the privileges associated with the local account. Connection using a domain account will operate in the normal manner. This ‘force network logon using local accounts to authenticate as Guest’ policy can be modified. User accounts (local Windows XP Professional accounts) without passwords, can only be used to log on at the physical computer console. You cannot use the RunAs secondary logon service to logon using these accounts. Keyring - credentials (stored user names and passwords) from applications and web sites can be stored and managed through this utility in User Accounts/ Control Panel. This can be enabled or disabled via group policy. Internet Connection Sharing and Internet Connection Firewall have location-aware group policies. This allows domain member computers to be denied the ability to use ICS and/or ICF via group policy and yet these same computers, when used at home, can use ICS and/or ICF. This is especially important for traveling laptops who need ICF when connecting to the Internet from hotels, airports, and other non-corporate firewall-protected spots. Software Restriction Policies controls the ability of software to run in a domain environment. This allows an administrator to prevent unwanted applications (including Trojans and viruses) from running. The policy can restrict applications identified by path, file hash, certificate, or Internet Zone. Scripts can also be controlled by allowing only those signed by the IT organization to run. Software restriction is available in Local Security Policy and Group Policy settings. Internet Protocol Security (IPSec) – Like Windows 2000 Professional, XP can use IPSec policies to block protocols and to protect communications between machines. 1 - 20
Đồng bộ tài khoản