Windows Host Security: Network Security Hacks - Hacks 29 and 30: Clear the Paging File at Shutdown, and Restrict Applications Available to Users
Hack 29: Clear the Paging File at Shutdown
Prevent information leaks by automatically clearing the swap file before shutting down.
Virtual memory management (VMM) is truly a wonderful thing. It gives each program its own address space, which protects programs from one another, and lets them behave as though more memory is available than is physically in the system. To back this up, the VMM uses what is called a paging file (on Windows, pagefile.sys).
As you run more and more programs, you will eventually run out of physical memory. Rather than letting things go awry at that point, the memory manager looks for pages that have not been used recently, typically belonging to programs that are not actively doing anything at the moment, and writes them out to the paging file on disk to free up RAM. This is known as paging (or, loosely, swapping).
However, this feature has one possibly bad side effect: if a program holds confidential information in its memory space (a password, a private key, a decrypted document), the memory containing that information may be written out to disk. This is fine while the operating system is running, since it keeps the paging file open and prevents other processes from reading it, but what about when the system is off or booted into a different operating system? Then anyone with access to the disk can read whatever was paged out.
This is where this hack comes in handy. We are going to tell the operating system to overwrite the paging file with zeros when it shuts down. Keep in mind that this will not help if the cord is pulled from the system or the system is otherwise shut down improperly, since the overwrite is only done during a proper shutdown. It also does nothing for the hibernation file (hiberfil.sys), which holds a complete copy of physical memory whenever the machine hibernates, so if this concern applies to you, disable hibernation as well.
To enable this feature of Windows, we must edit the system registry. Open the Registry Editor (regedit.exe) and find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management key. You should now see something that looks like Figure 2-8.

Locate the ClearPageFileAtShutdown entry in the right pane of the window (a REG_DWORD; create it if it is not there) and change its value to 1. Restart Windows for the change to take effect; from then on the paging file will be zeroed at every clean shutdown. The only side effect of enabling this is that Windows may take longer to shut down. How much longer depends on the size of the paging file and on your hardware (disk controller chipset, disk drive speed, processor speed, etc.), since that is what governs how long it takes to overwrite the file with zeros.
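The same change made from the command line, as an added example that is not part of the book's text: it sets the value from an elevated PowerShell prompt, reads it back to confirm, and lists the page files that will be affected. It assumes a supported version of Windows with PowerShell 5.1 or later and an administrative session; the registry key and value name are the ones given above.

```powershell
# Added example (not from the book): enable ClearPageFileAtShutdown and verify it.
# Assumes Windows with PowerShell 5.1+ and an elevated (Administrator) session.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$name = 'ClearPageFileAtShutdown'

# Show the current value; 0 or a missing value means the page file is not cleared.
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"Before: $name = $before"

# Set the REG_DWORD value to 1 (creates it if absent). Takes effect after a restart.
Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord

# Read it back and fail loudly if the write did not stick.
$after = (Get-ItemProperty -Path $key -Name $name).$name
if ($after -ne 1) { throw "Failed to set $name under $key" }
"After:  $name = $after"

# List the page file(s) that will be zeroed at shutdown, with sizes in MB.
Get-CimInstance -ClassName Win32_PageFileUsage |
    Select-Object Name, AllocatedBaseSize, CurrentUsage
```

On older systems without PowerShell the equivalent is reg.exe: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f. The same setting is exposed in secpol.msc under Local Policies > Security Options as "Shutdown: Clear virtual memory pagefile"; in a domain, set it through Group Policy so it cannot be quietly undone on the workstation.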
Hack 30: Restrict Applications Available to Users
Prevent your users from running potentially dangerous applications.
Keeping users from running certain applications isn't so important when you're an administrator using your own workstation. But when you're dealing with regular users in an enterprise network environment, you don't want your users running any nefarious programs. Such programs include those that can break their operating system installation, introduce security holes to their system, or even attack other machines on your network.
There are a couple of ways to restrict the applications available to your users. First, you can modify the ACL of a particular program so that users cannot execute it. For example, suppose you have a sniffer installed on a user's machine for network diagnostic purposes. Access to this program is fine for an administrator, but probably is not appropriate for a normal user. You can prevent normal users from running the program by removing execute permissions for the Users group. To do this, locate the program's executable file and right-click it. Now click the Properties menu item, and you should see a dialog box like the one shown in Figure 2-9.

Now click on the Security tab and select the Users group from the list at the top of the dialog. You should now see something similar to Figure 2-10.

Now click the Deny checkbox that applies to the Read & Execute permission. After you click the Apply button, anyone who is a member of the Users group will no longer be able to run the program. Be aware that a Deny entry is honoured before any Allow entry, and that on a default installation the Users group contains Authenticated Users, so this Deny also blocks administrators; if administrators still need the tool, remove the Users group's Allow entry instead of adding a Deny. Alternatively, you can modify the ACL of the directory the program resides in and disallow read access to it. This approach is useful if you want to keep all of your administrative tools under a single folder and restrict access to all of them at once. Remember that either way you are only protecting the installed copy; a user who brings along another copy of the same program is not stopped by this ACL.
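The ACL change scripted, as an added example that is not from the book: rather than adding a Deny entry, which would also lock out administrators because the Users group contains Authenticated Users, it stops the file inheriting its folder's permissions, removes the Users group's Allow entries, and makes sure Administrators and SYSTEM keep full control. The path C:\Tools\sniffer.exe is a hypothetical example; run it from an elevated prompt against your own file or folder.

```powershell
# Added example (not from the book): restrict an installed tool to administrators
# by editing its NTFS ACL. The path below is hypothetical; run as Administrator.
$exe = 'C:\Tools\sniffer.exe'

# Step 1: stop inheriting the parent folder's ACEs, keeping copies of them as
# explicit entries. This has to be written out before the copies can be edited.
$acl = Get-Acl -Path $exe
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $exe -AclObject $acl

# Step 2: drop every entry granted to BUILTIN\Users. Removing the Allow entry
# (instead of adding a Deny) avoids blocking administrators, who are members of
# Users via Authenticated Users on a default installation.
$acl = Get-Acl -Path $exe
$usersAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' })
foreach ($ace in $usersAces) {
    $acl.RemoveAccessRuleAll($ace)
}

# Step 3: make sure the accounts that should keep access still have it.
foreach ($who in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $exe -AclObject $acl

# Verify: no remaining entry should name BUILTIN\Users.
$remaining = (Get-Acl -Path $exe).Access
$remaining | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
if ($remaining | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' }) {
    throw "BUILTIN\Users still has an entry on $exe"
}

# The book's click-Deny approach, for comparison (blocks administrators too):
#   icacls C:\Tools\sniffer.exe /deny "BUILTIN\Users:(RX)"
```

Point $exe at a folder instead of a file to lock down a whole tools directory at once, which is the second approach described above; newly created files in that folder then inherit the restricted ACL. Test the result by logging on as an ordinary user and trying to start the program.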
If you are running a terminal-server version of Windows, there is another alternative to using ACLs. If you have the Microsoft Windows 2000 Resource Kit installed, you can use the AppSec program to disallow program access with just a few clicks. To use AppSec, locate its directory and start the program. After the program loads, you will be presented with a list of programs. If the program that you want to disallow for your Terminal Services users is on the list, simply click the Disabled radio button. For instance, if you wanted to disable cmd.exe, you would see something similar to Figure 2-11.

If the application you want to restrict is not on the list, you can click the Add button and browse for the application. After you have made your choices, click Exit. Before these changes can fully take effect, all users will have to log off the terminal server.