Windows 2000 Security - Shut Down Without Logon
Windows 2000 and Windows XP Professional machines come in a default configuration that allows you to shut down the system through the use of the Shutdown button on the logon screen. Windows 2000 and .NET servers disable this out of the box. Despite the convenience factor that this feature affords, it’s best to leave rebooting a machine to an aware user.
Disable the Allow System to Shut Down Without Having to Log On selection to secure this.
Automatic Logoff
Some users log on to the network and then don’t log off for months. This is a prominent security hole, because when that user leaves her desk, she is still authenticated to the network with her credentials. These can be used to do destructive things: file deletion and transfer, planting of a “root kit” or backdoor program, or password changing.
The way to make this work is twofold: First, each valid user needs a window of time during which he isn’t permitted to log on. For a standard 9 AM to 5 PM office this can be in the early morning, perhaps 3 AM to 3:30 AM. Then, you need to make a change to the local security policy so that when the user’s logon time expires, he is automatically logged off rather than left logged on.
To set up a logon time restriction on a domain controller for an Active Directory–enabled domain, do the following:
- Go to the Active Directory Users & Computers snap-in.
- Expand the icon for your domain, and click the Users container.
- Right-click a username, and select Properties.
- Click the Account tab, and then click the Logon Hours button.
- Select the appropriate region of time in the calendar block, and click the radio buttons to the right to either permit or deny logons during that time.
- Click OK once, and then again to exit the user property sheet.
This option is only available on Active Directory–enabled machines.
Now, make the change to the computer’s local security policy. In the Local Computer Policy snap-in, enable the Automatically Log Off Users When Logon Time Expires option. If you don’t have a domain, you should enable the Automatically Log Off Users When Logon Time Expires (local) option.
Digitally Signing Communication
It’s a good idea these days for a computer to authenticate itself to other computers during a communication. Otherwise, a technique called “spoofing” could be used, and a cracker’s computer could pose as the remote end of a connection and acquire potentially sensitive information. You can prevent this by using digital signatures. However, they aren’t pervasive; Windows compensates for this limited use by providing two options in the local policy: require them when possible, or require them, period.
I recommend requiring the signatures when possible on both ends of a connection (the remote procedure call, or RPC, protocol refers to the requesting end as the “client” and the responding end as the “server,” no matter the systems’ usual roles). Unsigned transmissions should only occur when signatures aren’t available, supported, or possible.
To require digitally signed communication when possible, enable the Digitally Sign Client Communication (When Possible) and Digitally Sign Server Communication (When Possible) options.
Requiring the Three-Keystroke Salute at Logon
The logon screen is one of the most trusted aspects of a computer to a normal user. She trusts it enough that she gives her password and username, and then the computer trusts her, too, if all of that is correct and verified. A cracker can take advantage of this mutual trust by writing a program that runs as a system service—that is, it doesn’t need user privileges. The program will mimic the logon box, grab the user’s input, and do something with it. “It” could be emailing the password to the cracker, saving the credentials to a backdoor program data file, or any number of other nefarious things. However, pressing Ctrl-Alt-Del brings Windows itself to attention, and you get the authentic Windows logon instead of a shell of one that a cracker creates. This is an easy step that makes your system much more secure.
To require this keystroke, disable the Disable Ctrl-Alt-Del Requirement for Logon option. (Yes, that’s right. Microsoft uses some questionable terminology.)
Last Username Display
By default, Windows displays the username of the last successfully authenticated person who used that particular system on the logon screen. This is giving needless information away, although some of your users are probably accustomed to it.
To disable the last username from being displayed, enable the Do Not Display Last User Name in Logon Screen option.
Password Expiration Prompt
Earlier in this chapter I discussed setting password policies to prevent brute-force attacks. Of course, changing passwords is a problem for some users, who’d rather not be bothered with Internet security (IS) minutia and would like to simply use their computers to be productive. With this policy setting, you can tell the system to automatically remind a user when his password will expire and prompt him to change it. Setting this value to 14 days gives a user ample opportunity to change his password, because that’s in excess of most scheduled vacations and business trips.
To enable the password expiration prompt, set the Prompt User to Change Password Before Expiration option to 14 Days at Minimum.
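The settings above (shutdown without logon, forced logoff when logon hours expire, signed client and server communication, the Ctrl-Alt-Del requirement, last username display, and the password expiration prompt) can be checked in bulk from a template exported with `secedit /export /cfg <file>`. The audit script below is an added example, not code from the book; the mapping from each policy name to the template key it lands in is this example's assumption, and the sample export is constructed.

```python
# Audit a `secedit /export /cfg <file>` template for the settings this chapter
# recommends. Registry-backed policies appear under [Registry Values] as
# "path=type,data" (type 4 = REG_DWORD); the forced-logoff switch is the
# ForceLogoffWhenHourExpire entry of [System Access]. Mapping is an assumption.
POL = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SVC = r"MACHINE\System\CurrentControlSet\Services"
CHECKS = {  # policy name -> (section, key, predicate the integer data must satisfy)
    "Allow system to be shut down without having to log on": ("Registry Values", POL + r"\ShutdownWithoutLogon", lambda v: v == 0),
    "Automatically log off users when logon time expires": ("System Access", "ForceLogoffWhenHourExpire", lambda v: v == 1),
    "Digitally sign client communication (when possible)": ("Registry Values", SVC + r"\LanmanWorkstation\Parameters\EnableSecuritySignature", lambda v: v == 1),
    "Digitally sign server communication (when possible)": ("Registry Values", SVC + r"\LanmanServer\Parameters\EnableSecuritySignature", lambda v: v == 1),
    "Disable CTRL+ALT+DEL requirement for logon": ("Registry Values", POL + r"\DisableCAD", lambda v: v == 0),
    "Do not display last user name in logon screen": ("Registry Values", POL + r"\DontDisplayLastUserName", lambda v: v == 1),
    "Prompt user to change password before expiration": ("Registry Values", WINLOGON + r"\PasswordExpiryWarning", lambda v: v >= 14),
}

def parse_inf(text):  # -> {section: {lowercased key: raw value}}
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()  # keys are case-insensitive
    return sections

def audit(text):  # -> {policy: "ok" | "noncompliant (<value>)" | "missing"}
    inf, report = parse_inf(text), {}
    for name, (section, key, compliant) in CHECKS.items():
        raw = inf.get(section, {}).get(key.lower())
        if raw is None:
            report[name] = "missing"  # not set in the template, so the default applies
            continue
        val = int(raw.split(",", 1)[-1])  # drop the "4," type prefix if present
        report[name] = "ok" if compliant(val) else f"noncompliant ({val})"
    return report

SAMPLE_INF = r"""; constructed sample export, not taken from a real host
[System Access]
ForceLogoffWhenHourExpire = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
"""
```

Run `audit(SAMPLE_INF)` to see which of the chapter's settings the sample host still has wrong; a "missing" entry means the template never sets the value, so the platform default is in force.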
This chapter is from Hardening Windows, by Jonathan Hassell (Apress, 2004, ISBN: 1-59059-266-2). Check it out at your favorite bookstore today.