Windows Host Security: Network Security Hacks

This chapter shows you some ways to keep your Windows system up-to-date and secure. Although many may scoff at the mention of Windows and security in the same sentence, you actually can make a Windows system fairly secure without too much effort. (Network Security Hacks by Andrew Lockhart, O'Reilly Media, ISBN: 0596006438, 2004.)

September 20, 2004

This chapter shows you some ways to keep your Windows system up-to-date and secure, thereby making your network a safer place to work (and have fun). Although many may scoff at the mention of Windows and security in the same sentence, you actually can make a Windows system fairly secure without too much effort.

One of the main reasons that Windows gets a bad rap is the poorly administered state in which Windows machines seem to be kept. The recent deluge of worm and virus attacks that have brought down many a network shows this to hold true. A lot of this can be traced back to the “ease” of administration that Windows seems to provide by effectively keeping the Windows administrator out of the loop about the inner workings of her environment—effectively wresting control from the system administrator’s hands.

This chapter seeks to remedy that to some degree by showing you ways to see exactly what your server is really doing. While this may seem old hat to a Unix sysadmin, getting details on open ports and running services is often a new concept to the average Windows administrator. In addition, this chapter shows you how to disable some Windows “features,” such as sharing out all your files automatically and truncating log files. You’ll also learn how to enable some of the auditing and logging features of Windows, to give you early warning of possible security incidents (rather than waiting for the angry phone call from someone at the wrong end of a denial-of-service attack originating from your network).

Hack 21: Check Servers for Applied Patches

Make sure your Windows servers have the latest patches installed.

Keeping a network of systems patched and up-to-date is hard enough in Unix, but it can be even more difficult on Windows systems. A lack of robust built-in scripting and remote access capabilities makes Windows unsuitable for automation. Nevertheless, before you even attempt to update your systems, you need to know which updates have been applied to each system; otherwise, you might waste time and effort updating systems that don’t need it. Clearly, this problem gets more difficult as the number of systems that need to be managed increases. We can avoid much of the extra work of manually checking systems by using the HFNetChk tool, which was originally a standalone program from Shavlik Technologies. It is now a part of Microsoft’s Baseline Security Analyzer (search http://download.microsoft.com) and is available through its command-line interface, mbsacli.exe.

Not only can HFNetChk remotely check the status of Windows Server 2003 and Windows XP/2000/NT, but it can also check whether critical updates for IIS, SQL Server, Exchange Server, Media Player, and Internet Explorer have been applied. Although it can only check the update status of a system (and won’t actually bring the system up-to-date), it is still an invaluable timesaving tool. HFNetChk works by downloading a signed and compressed XML file from Microsoft that contains information on all currently available updates. This information includes checksums and versions of files covered by each update, as well as the registry keys modified by each update. Additional dependency information is also included. When scanning a system, HFNetChk will first scan the registry for the keys that are associated with the most current set of updates available for the current system configuration. If any of these registry keys are missing or do not match what is contained in the XML file, it will flag the update as not having been installed. If the registry key for an update is present and matches the information in the XML file, HFNetChk will then attempt to verify whether the files specified in the update information are present on the system and whether their version and checksum match. If any of the checks fail, the update will be flagged. All flagged updates are then displayed in a report, along with a reference to the Microsoft Knowledge Base article with more information on the specific update.

To get HFNetChk installed on your system, you first need to download and install the Microsoft Baseline Security Analyzer. To run HFNetChk, open a command prompt and change to the directory that was created during the install (C:\Program Files\Microsoft Baseline Security Analyzer is the default).

To check the update status of the local system, run this command:

C:\Program Files\Microsoft Baseline Security Analyzer> mbsacli /hf
Microsoft Baseline Security Analyzer
Version 1.1.1
Powered by HFNetChk Technology - Version 3.82.0.1
Copyright (C) Shavlik Technologies, 2001-2003
Developed for Microsoft by Shavlik Technologies, LLC
info@shavlik.com (www.shavlik.com)
Please use the -v switch to view details for
Patch NOT Found, Warning and Note messages
Attempting to get cab from
http://go.microsoft.com/fwlink/?LinkId=16932
XML successfully loaded.
Scanning PLUNDER
.............................
Done scanning PLUNDER
----------------------------
PLUNDER(192.168.0.65)
----------------------------
* WINDOWS XP SP1
Note MS02-008 317244
Warning MS02-055 323255
Note MS03-008 814078
Note MS03-030 819696
Patch NOT Found MS03-041 823182
Patch NOT Found MS03-044 825119
Patch NOT Found MS03-045 824141
Patch NOT Found MS03-049 828035
Note MS03-051 813360
* INTERNET EXPLORER 6 SP1
Patch NOT Found MS03-048 824145
* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1
Information
All necessary hotfixes have been applied.

The first column tells why the check for a particular update failed. The second column shows which update failed the check, and the third column lists a Microsoft Knowledge Base (http://support.microsoft.com) article number that you can refer to for more information on the issue fixed by that particular update.

Buy the book! If you've enjoyed what you've seen here, or to get more information, click on the "Buy the book!" graphic. Pick up a copy today!

Visit the O'Reilly Network http://www.oreillynet.com for more online content.

Run the Verbose Switch

If you want more information on why a particular check failed, you can run the command with the -v (verbose) switch. Here are the results of the previous command, but this time with the verbose switch:

Scanning PLUNDER
.............................
Done scanning PLUNDER
----------------------------
PLUNDER(192.168.0.65)
----------------------------
* WINDOWS XP SP1
Note MS02-008 317244
Please refer to Q306460 for a detailed explanation.
Warning MS02-055 323255
File C:\WINDOWS\system32\hhctrl.ocx has a file
version [5.2.3735.0] greater than what is expected [5.2.3669.0].
Note MS03-008 814078
Please refer to Q306460 for a detailed explanation.
Note MS03-030 819696
Please refer to Q306460 for a detailed explanation.
Patch NOT Found MS03-041 823182
File C:\WINDOWS\system32\cryptui.dll has a file
version [5.131.2600.1106] that is less than what is expected
[5.131.2600.1243].
Patch NOT Found MS03-044 825119
File C:\WINDOWS\system32\itircl.dll has a file
version [5.2.3644.0] that is less than what is expected
[5.2.3790.80].
Patch NOT Found MS03-045 824141
File C:\WINDOWS\system32\user32.dll has a file
version [5.1.2600.1134] that is less than what is expected
[5.1.2600.1255].
Patch NOT Found MS03-049 828035
File C:\WINDOWS\system32\msgsvc.dll has a file
version [5.1.2600.0] that is less than what is expected
[5.1.2600.1309].
Note MS03-051 813360
Please refer to Q306460 for a detailed explanation.
* INTERNET EXPLORER 6 SP1
Patch NOT Found MS03-048 824145
The registry key **SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{69DEAF94-AF66-11D3-BEC0-00105AA9B6AE}** does not
exist. It is required for this patch to be considered installed.
* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1
Information
All necessary hotfixes have been applied.

After applying the listed updates, you should see something like this:

Scanning PLUNDER
.............................
Done scanning PLUNDER
----------------------------
PLUNDER(192.168.0.65)
----------------------------
* WINDOWS XP SP1
Information
All necessary hotfixes have been applied.
* INTERNET EXPLORER 6 SP1
Information
All necessary hotfixes have been applied.
* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1
Information
All necessary hotfixes have been applied.

When scanning the local system, Administrator privileges are needed. If you wish to scan a remote machine, you will need Administrator privileges on it. There are several ways to scan remote machines. To scan a single remote system, a NetBIOS name can be specified with the -h switch. Likewise, an IP address can be specified with the -i switch.

For example, to scan the machine PLUNDER from another machine, either of these two commands can be used:

mbsacli /hf -h PLUNDER
mbsacli /hf -i 192.168.0.65

You can also scan a handful of additional systems by listing them on the command line with commas separating each NetBIOS name or IP address.

Note that, in addition to having Administrator privileges on the remote machine, you must also ensure that you have not disabled the default shares [Hack #27]. If the default administrative shares have been disabled, then HFNetChk will not be able to check for the proper files on the remote system and, consequently, will not be able to determine whether an update was applied.

If you wish to scan a group of systems, there are several options for this as well. Using the -fh option, you can specify a file containing up to 256 NetBIOS hostnames (one on each line) that will be scanned. You can do the same thing with IP addresses, using the -fip option. Ranges of IP addresses may also be specified by using the -r option.

For example, you could run a command like this to scan from 192.168.1.23 to 192.168.1.172:

mbsacli /hf -r 192.168.1.123 - 192.168.1.172

All of these options are very flexible, and you can use them in any combination to specify which remote systems will be scanned.

In addition to specifying remote systems by NetBIOS name and IP address, you can also scan systems by domain name by using the -d option, or you can scan your entire local network segment by using the -n command-line option.

When scanning systems from a personal workstation, the -u and -p options can prove useful. These allow you to specify a username and password to use when accessing the remote systems. These switches are particularly handy if you don’t normally log in using the Administrator account. The account that is specified with the -u option will of course need to have Administrator privileges on the remote machines being scanned.

Also, if you’re scanning a large number of systems, you might want to use the -t option. This allows you to specify the number of threads used by the scanner, and increasing this value generally will speed up scanning. Valid values are from 1 to 128; the default value is 64.

If you are scanning more than one machine, a huge amount of data will simply be dumped to the screen. Use the -f option to specify a file to store the results of the scan in, and view it at your leisure using a text editor.

HFNetChk is a very flexible tool and can be used to check the update status of a large number of machines in a very short amount of time. It is especially useful when a new worm has come onto the scene and you need to know if all of your systems are up-to-date on their patches.
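Reading a multi-machine report by eye does not scale, so here is an added PowerShell example (not code from the book) that turns a report saved with the -f option into one object per finding, which can then be filtered and grouped by host. The sample report it parses is constructed to follow the column layout shown above; the second host name, its address and all findings are illustrative only, and the KB URL form is an assumption.

```powershell
# Added example, not code from the book: parse an HFNetChk report (the text
# that "mbsacli /hf ... -f report.txt" writes) into one object per finding.
# Verbose-mode detail lines (file versions, registry keys) are passed over.
function ConvertFrom-HfNetChkReport {
    param([Parameter(Mandatory)][string[]]$Lines)

    $hostName = $null; $ip = $null; $product = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Host header, e.g. "PLUNDER(192.168.0.65)"
        if ($t -match '^(?<host>[^\s(]+)\((?<ip>\d{1,3}(?:\.\d{1,3}){3})\)$') {
            $hostName = $Matches.host; $ip = $Matches.ip; $product = $null
            continue
        }
        # Product section, e.g. "* WINDOWS XP SP1"
        if ($t -match '^\*\s+(?<product>.+)$') { $product = $Matches.product; continue }
        # Finding line: status, security bulletin, Knowledge Base article number
        if ($t -match '^(?<status>Patch NOT Found|Warning|Note)\s+(?<bulletin>MS\d{2}-\d{3})\s+(?<kb>\d+)$') {
            [pscustomobject]@{
                Host     = $hostName
                IP       = $ip
                Product  = $product
                Status   = $Matches.status
                Bulletin = $Matches.bulletin
                KB       = $Matches.kb
                KBUrl    = "http://support.microsoft.com/kb/$($Matches.kb)"   # assumed URL form
            }
        }
    }
}

# Constructed sample in the layout shown in the chapter; the second host is invented.
$sampleReport = @'
Scanning PLUNDER
.............................
Done scanning PLUNDER
----------------------------
PLUNDER(192.168.0.65)
----------------------------
* WINDOWS XP SP1
Note MS02-008 317244
Patch NOT Found MS03-041 823182
Patch NOT Found MS03-045 824141
* INTERNET EXPLORER 6 SP1
Patch NOT Found MS03-048 824145
* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1
Information
All necessary hotfixes have been applied.
----------------------------
GALLEON(192.168.0.70)
----------------------------
* WINDOWS XP SP1
Information
All necessary hotfixes have been applied.
'@

$findings = ConvertFrom-HfNetChkReport -Lines ($sampleReport -split "`r?`n")
# For a real scan: ConvertFrom-HfNetChkReport -Lines (Get-Content .\report.txt)

# Which hosts are missing patches, and which bulletins to read up on
$findings |
    Where-Object { $_.Status -eq 'Patch NOT Found' } |
    Group-Object Host |
    ForEach-Object {
        '{0}: {1} missing -> {2}' -f $_.Name, $_.Count,
            (($_.Group | ForEach-Object Bulletin) -join ', ')
    }
```

Hosts with no findings (GALLEON in the sample) simply do not appear in the grouped output, so compare the host list against the list you fed to -fh or -fip to catch machines the scan could not reach.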

See Also


Hack 22: Get a List of Open Files and Their Owning Processes

Look for suspicious activity by monitoring file accesses.

Suppose you’re looking at the list of processes in the task manager one day after noticing some odd behavior on your workstation, and you notice a process you haven’t seen before. Well, what do you do now? If you were running something other than Windows, you might try to determine what the process is doing by looking at the files it has open. Unfortunately, Windows doesn’t provide a tool to do this.

Sysinternals makes an excellent tool called Handle, which is available for free at http://www.sysinternals.com/ntw2k/freeware/handle.shtml. Handle is a lot like lsof [Hack #8], but it can list many other types of operating system resources, including threads, events, and semaphores. It can also display open registry keys and IOCompletion structures.

Running handle without any command-line arguments will list all open file handles on the system. You can also specify a filename, which will list the processes that are currently accessing it, by typing this: 

C:\> handle filename

Or you can list only files that are opened by a particular process -- in this case Internet Explorer:

C:\> handle -p iexplore
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals -
www.sysinternals.com
-----------------------------------------------------------
IEXPLORE.EXE pid: 688 PLUNDER\andrew
98: Section \BaseNamedObjects\MTXCOMM_MEMORY_MAPPED_FILE
9c: Section \BaseNamedObjects\MtxWndList
12c: Section \BaseNamedObjects\__R_0000000000d4_SMem_ _
18c: File C:\Documents and Settings\andrew\Local Settings\
Temporary Internet Files\Content.IE5\index.dat
198: Section \BaseNamedObjects\C:_Documents and Settings_andrew_
Local Settings_Temporary Internet Files_Content.IE5_index.dat_3194880
1a0: File C:\Documents and Settings\andrew\Cookies\index.dat
1a8: File C:\Documents and Settings\andrew\Local Settings\
History\History.IE5\index.dat
1ac: Section \BaseNamedObjects\C:_Documents and Settings_andrew_
Local Settings_History_History.IE5_index.dat_245760
1b8: Section \BaseNamedObjects\C:_Documents and Settings_andrew_
Cookies_index.dat_81920
228: Section \BaseNamedObjects\UrlZonesSM_andrew
2a4: Section \BaseNamedObjects\SENS Information Cache
540: File C:\Documents and Settings\andrew\Application Data\
Microsoft\SystemCertificates\My
574: File C:\Documents and Settings\All Users\Desktop
5b4: Section \BaseNamedObjects\mmGlobalPnpInfo
5cc: File C:\WINNT\system32\mshtml.tlb
614: Section \BaseNamedObjects\WDMAUD_Callbacks
640: File C:\WINNT\system32\Macromed\Flash\Flash.ocx
648: File C:\WINNT\system32\STDOLE2.TLB
6a4: File \Dfs
6b4: File C:\Documents and Settings\andrew\Desktop
6c8: File C:\Documents and Settings\andrew\Local Settings\
Temporary Internet Files\Content.IE5\Q5USFST0\softwareDownloadIndex[1].htm
70c: Section \BaseNamedObjects\MSIMGSIZECacheMap
758: File C:\WINNT\system32\iepeers.dll
75c: File C:\Documents and Settings\andrew\Desktop
770: Section \BaseNamedObjects\RotHintTable

If you want to find the Internet Explorer process that owns a resource with a partial name of handle, you could type:

C:\> handle -p iexplore handle
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals -
www.sysinternals.com
IEXPLORE.EXE pid: 1396 C:\Documents and Settings\andrew\Local
Settings\Temporary Internet Files\Content.IE5\H1EZGFSH\handle[1].htm

Additionally, if you wanted to list all types of resources, you could use the -a option. Handle is quite a powerful tool, and any of its command-line options can be mixed together to quickly narrow your search and find just what you want.


Hack 23: List Running Services and Open Ports

Check for remotely accessible services the Windows way.

Unix makes it quick and easy to see which ports on a system are open, but how can you do that on Windows? Well, with FPort from Foundstone (http://www.foundstone.com/resources/index_resources.htm) it’s as quick and easy as running good old netstat.

FPort has very few command-line options, and those deal mostly with specifying how you’d like the output sorted. For instance, if you want the output sorted by application name, you can use /a; if you want it sorted by process ID, you can use /i. While it may not be as full of features as netstat, it definitely gets the job done.

To get a listing of all ports that are open on your system, simply type fport. If you want the list to be sorted by port number, use the /p switch:

C:\> fport /p
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
432 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
8 System -> 445 TCP
672 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1028 TCP
8 System -> 1031 TCP
1116 navapw32 -> 1035 TCP C:\PROGRA~1\NORTON~1\navapw32.exe
788 svchost -> 1551 TCP C:\WINNT\system32\svchost.exe
788 svchost -> 1553 TCP C:\WINNT\system32\svchost.exe
788 svchost -> 1558 TCP C:\WINNT\system32\svchost.exe
1328 svchost -> 1565 TCP C:\WINNT\System32\svchost.exe
8 System -> 1860 TCP
1580 putty -> 3134 TCP C:\WINNT\putty.exe
772 WinVNC -> 5800 TCP C:\Program Files\TightVNC\WinVNC.exe
772 WinVNC -> 5900 TCP C:\Program Files\TightVNC\WinVNC.exe
432 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
256 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
244 services -> 1027 UDP C:\WINNT\system32\services.exe
688 IEXPLORE -> 2204 UDP C:\Program Files\Internet Explorer\
IEXPLORE.EXE
1396 IEXPLORE -> 3104 UDP C:\Program Files\Internet Explorer\
IEXPLORE.EXE
256 lsass -> 4500 UDP C:\WINNT\system32\lsass.exe

Notice that there are some processes listed—such as navapw32, putty, and IEXPLORE—that don’t appear to be services. These show up in the output because FPort lists all open ports, not just opened ports that are listening.

While FPort is not as powerful as some of the commands available under other operating systems, it is still a valuable, quick, and easy-to-use tool that is a great addition to Windows.


Hack 24: Enable Auditing

Log suspicious activity to help spot intrusions. 

Windows 2000 includes some very powerful auditing features, but unfortunately they are all disabled by default. Windows 2003 has corrected this by enabling some features by default, but it is still wise to check that you are tracking precisely what you want to audit. Using these capabilities, you can monitor failed logins, account management events, file access, privilege use, and more. You can also log security policy changes as well as system events.

To enable auditing in any one of these areas, locate and double-click the Administrative Tools icon in the Control Panel. Now find and double-click the Local Security Policy icon. Expand the Local Policies tree node, and you should see something similar to Figure 2-1.

[Figure 2-1]

Now you can go through each of the audit policies and check whether to log successes or failures for each type. You can do this by double-clicking the policy you wish to modify, located in the right pane of the window. After double-clicking, you should see a dialog similar to Figure 2-2.

[Figure 2-2]

Leaving auditing off is akin to not logging anything at all, so you should enable auditing for all policies. Once you’ve enabled auditing for a particular policy, you should begin to see entries in the event logs for when a particular audit event occurs. For example, once you have enabled logon event auditing, you should begin to see entries for logon successes and failures in the system’s security event log.


Hacks 25 and 26: Secure Your Event Logs, and Change Your Maximum Log Files Sizes

Hack 25: Secure Your Event Logs

Keep your system’s logs from being tampered with.

Windows has some very powerful logging features. Unfortunately, by default the event logs are not protected against unauthorized access or modification. You may not realize that even though you have to view the logs through the Event Viewer, the event logs are simply regular files just like any other. To secure them, all we have to do is locate them and apply the proper ACLs.

Unless their location has been changed through the registry, you should be able to find the logs in the %SystemRoot%\system32\config directory.

The three files that correspond to the Application Log, Security Log, and System Log are AppEvent.Evt, SecEvent.Evt, and SysEvent.Evt, respectively.

Now, apply ACLs to limit access to only Administrator accounts. You can do this by bringing up the Properties dialog for the files and clicking the Security tab. After you’ve done this, remove any users or groups other than Administrators and SYSTEM from the top pane.

Hack 26: Change Your Maximum Log File Sizes

Change your log properties so that they see the whole picture.

From a security point of view, logs are one of the most important assets contained on a server. After all, without logs how will you know if or when someone has gained access to your machine? Therefore, it is imperative that your logs not miss a beat. If you’re trying to track down the source of an incident, having missing log entries is not much better than having no logs at all.

One common problem is that the maximum log size is set too low—the default is a measly 512KB. To change this, open the Administrative Tools control panel, and then open the Event Viewer. You should now see something similar to Figure 2-3.

[Figure 2-3]

After you have done this, select one of the log files from the left pane of the Event Viewer window and right-click it. Now select the Properties menu item. You should now see something similar to Figure 2-4.

[Figure 2-4]

Now locate the text input box with the label “Maximum log size”. You can type in the new maximum size directly, or you can use the arrows next to the text box to change the value. Anything above 1MB is good to use here. It all depends on how often you want to review and archive your logs. However, keep in mind that having very large log files won’t inherently slow down the machine, but can slow down the Event Viewer when you’re trying to view the logs. While you’re here, you may also want to change the behavior for when the log file reaches its maximum size. By default, it will start overwriting log entries that are older than seven days with newer log entries. It is recommended that you change this value to something higher—say 31 days. Alternatively, you could elect not to have logs overwritten automatically at all, in which case you’ll need to clear the log manually.


Hacks 27 and 28: Disable Default Shares, and Encrypt Your Temp Folder

Hack 27: Disable Default Shares

Stop sharing all your files with the world.

By default, Windows enables sharing for each logical disk on your system (C$ for the C drive) in addition to another share called ADMIN$ for the %SystemRoot% directory (e.g., C:\WINNT). Although this is accessible only to Administrators, it is wise to disable these shares (if at all possible) since they still present a potential security hole.

To disable these shares, open the Registry by running regedit.exe and then find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters key.

If you’re using Windows 2000 workstation, add an AutoShareWks DWORD key with the value of 0 (as shown in Figure 2-5) by clicking Edit -> New -> DWORD Value. For Windows 2000 Server, add an AutoShareServer key with a value of 0. When you’re done editing the Registry, restart Windows for the change to take effect.

[Figure 2-5]

After Windows has finished loading, you can verify that the default shares no longer exist by running net share:

C:\> net share
Share name   Resource                        Remark
-----------------------------------------------------------
IPC$                                         Remote IPC
The command completed successfully.

Before doing this, you should be sure that disabling these shares will not negatively affect your environment. Lack of these shares can cause some system management software—such as HFNetChk [Hack #21] or Systems Management Server—to not work. This is because software like this depends on remote access to the default administrative shares in order to access the contents of the system’s disks.

Hack 28: Encrypt Your Temp Folder

Keep prying eyes out of your temporary files.

Many Windows applications will create intermediary files while they do their work. They typically store these files in a temporary folder within the current user’s settings directory. Most often these files are created world-readable and aren’t always cleaned up when the program exits. How would you like it if your word processor left a copy of the last document you were working on for anyone to come across and read? Not a pretty thought, is it?

One way to guard against this situation is to encrypt your temporary files folder. To do this, open an Explorer window and go to the C:\Documents and Settings\<username>\Local Settings folder, where <username> is the account whose files you want to protect. In this folder you should see another folder called Temp. This is the folder that holds the temporary files. Right-click the folder and bring up its Properties dialog. Make sure the General tab is selected, and click the button labeled Advanced. This will bring up an Advanced Attributes dialog, as seen in Figure 2-6. Here you can choose to encrypt the folder.

[Figure 2-6]

Check the “Encrypt contents to secure data” box and click the OK button. When you have done that, click the Apply button in the Properties dialog. Another dialog (as seen in Figure 2-7) will open asking you whether you would like the encryption to apply recursively.

[Figure 2-7]

To apply the encryption recursively, choose the “Apply changes to this folder, subfolders and files” option. This will automatically create a public-key pair if you have never encrypted any files before. Otherwise, Windows will use the public key that it generated for you previously. When decrypting, Windows ensures that the private keys are stored in nonpaged kernel memory, so that the decryption key will never be left in the paging file. Unfortunately, the encryption algorithm used, DESX, is barely an improvement on DES and is nowhere near as strong as 3DES. However, it serves the purpose of transparently encrypting temporary files very well. If you want to encrypt other files, it is suggested you use a third-party utility such as GnuPG (http://www.gnupg.org), which has Windows binaries available on its web site.


Hacks 29 and 30: Clear the Paging File at Shutdown, and Restrict Applications Available to Users

Hack 29: Clear the Paging File at Shutdown

Prevent information leaks by automatically clearing the swap file before shutting down.

Virtual memory management (VMM) is truly a wonderful thing. It protects programs from one another and lets them think that they have more memory available than is physically in the system. To accomplish this, the VMM uses what is called a paging file.

As you run more and more programs over the course of time, you’ll begin to run out of physical memory. Since things can start to go awry when this happens, the memory manager will look for the least frequently used pieces of memory owned by programs that aren’t actively doing anything at the moment and write the chunks of memory out to the disk (i.e., the virtual memory). This is known as swapping.

However, there is one possibly bad side effect of this feature: if a program containing confidential information in its memory space is running, the memory containing such information may be written out to disk. This is fine when the operating system is running and there are safeguards to prevent the paging file from being read, but what about when the system is off or booted into a different operating system?

This is where this hack comes in handy. What we’re going to do is tell the operating system to overwrite the paging file with zeros when it shuts down. Keep in mind that this will not work if the cord is pulled from the system or the system is shut down improperly, since this overwrite will only be done during a proper shutdown.

To enable this feature of Windows, we must edit the system registry. To do this, open the Registry and find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management key. You should now see something that looks like Figure 2-8.

[Figure 2-8]

Locate the ClearPageFileAtShutdown entry in the right pane of the window and change its value to 1. Now restart Windows for the change to take effect, and your swap file will be cleared at shutdown. The only side effect of enabling this is that Windows may take longer to shut down. However, this is very much dependent on your hardware (e.g., disk controller chipset, disk drive speed, processor speed, etc.), since that’s what will govern how long it will take to overwrite your paging file with zeros.
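The registry values from Hack 27 and Hack 29 and the log-file ACLs from Hack 25 are the kind of settings that silently drift after a reinstall or a vendor tool "repairs" them, so here is an added PowerShell check (not code from the book) that reports whether each is in place and, with -Fix, writes the two registry values. It assumes the Windows 2000/XP layout the chapter describes (logs as .Evt files under %SystemRoot%\system32\config, the lanmanserver\parameters and Memory Management keys), an elevated prompt, and that the ProductType value under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions reads WinNT on workstations; it never changes ACLs, only reports identities beyond Administrators and SYSTEM.

```powershell
# Added example, not the book's own code: check (and optionally set) the
# settings from Hacks 25, 27 and 29 on the local machine. Run elevated.
function Test-ChapterHardening {
    [CmdletBinding()]
    param([switch]$Fix)   # without -Fix the function only reports

    # Compare one DWORD value with the chapter's recommendation; write it if -Fix
    function Test-RegDword([string]$Path, [string]$Name, [int]$Expected) {
        $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        $ok = ($current -eq $Expected)
        if (-not $ok -and $Fix) {
            New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Expected -Force | Out-Null
            $current = $Expected; $ok = $true     # takes effect after a restart
        }
        [pscustomobject]@{ Check = $Name; Expected = $Expected; Current = $current; OK = $ok }
    }

    # Hack 27: AutoShareWks on workstations, AutoShareServer on servers, both = 0
    # (assumption: ProductType is 'WinNT' on workstation editions)
    $productType = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions').ProductType
    $autoShare = if ($productType -eq 'WinNT') { 'AutoShareWks' } else { 'AutoShareServer' }
    Test-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters' $autoShare 0

    # Hack 27, live view: are drive-letter$ or ADMIN$ shares still being offered?
    # (IPC$ is expected to remain, as the chapter's net share output shows)
    $adminShares = @(net share | Select-String -Pattern '^\s*([A-Z]\$|ADMIN\$)\s')
    [pscustomobject]@{ Check = 'Admin shares offered'; Expected = 0
                       Current = $adminShares.Count; OK = ($adminShares.Count -eq 0) }

    # Hack 29: ClearPageFileAtShutdown = 1
    Test-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
                  'ClearPageFileAtShutdown' 1

    # Hack 25: only Administrators and SYSTEM should appear in the event log ACLs
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    foreach ($log in 'AppEvent.Evt', 'SecEvent.Evt', 'SysEvent.Evt') {
        $path = Join-Path $env:SystemRoot "system32\config\$log"
        if (-not (Test-Path $path)) { continue }   # log relocated via the registry
        $extra = @((Get-Acl $path).Access |
            Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        [pscustomobject]@{ Check = "$log ACL"; Expected = 'Administrators, SYSTEM only'
                           Current = ($extra -join ', '); OK = ($extra.Count -eq 0) }
    }
}

Test-ChapterHardening | Format-Table -AutoSize
```

Remember the caveat from Hack 27 before running with -Fix: once the administrative shares are gone, HFNetChk and similar tools can no longer read the remote disks.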

Hack 30: Restrict Applications Available to Users

Prevent your users from running potentially dangerous applications.

Keeping users from running certain applications isn’t so important when you’re an administrator using your own workstation. But when you’re dealing with regular users in an enterprise network environment, you don’t want your users running any nefarious programs. Such programs include those that can break their operating system installation, introduce security holes to their system, or even attack other machines on your network.

There are a couple of ways to restrict the applications available to your users. First, you can modify the ACLs for a particular program so that users cannot execute it. For example, suppose you have a sniffer installed on a user’s machine for network diagnostic purposes. Access to this program is fine for an administrator, but probably is not appropriate for a normal user. You can prevent normal users from running the program by removing execution permissions for the Users group. To do this, locate the program’s executable file and right-click it. Now click the Properties menu item, and you should see a dialog box like the one shown in Figure 2-9.

[Figure 2-9]

Now click on the Security tab and select the Users group from the list at the top of the dialog. You should now see something similar to Figure 2-10.

[Figure 2-10]

Now click the Deny checkbox that applies to the Read & Execute permission. After clicking the Apply button, anyone that is a member of the Users group will not be able to run the program. Alternatively, you could also modify the ACL for the directory that the program resides in and disallow read access. This approach could be useful if you want to keep all of your administrative tools under a single folder and restrict access to all of them at once.

If you are running a terminal-server version of Windows, there is another alternative to using ACLs. If you have the Microsoft Windows 2000 resource kit installed, you can use the AppSec program to disallow program access with just a few clicks. To use AppSec, locate its directory and start the program. After the program loads, you will be presented with a list of programs. If the program that you want to disallow from your terminal-service users is on the list, simply click the Disabled radio button. For instance, if you wanted to disable cmd.exe, you would see something similar to Figure 2-11.

[Figure 2-11]

If the application you want to restrict is not on the list, you can click the Add button and browse for the application. After you have made your choices, click Exit. Before these changes can fully take effect, all users will have to log off of the terminal server. 


© 2003-2012 by Developer Shed. All rights reserved.