Windows XP Security

With always-on connections to the Internet becoming more and more common, it becomes increasingly important to secure your Windows XP computer. This article will help you to protect it from outside threats. It is taken from chapter four of Hardening Windows by Jonathan Hassell (Apress, 2004; ISBN: 1590592662).

THE ADVENT OF ALWAYS-ON connections and the increase of business connectivity to the Internet has resulted in Windows XP computers being directly connected to the Internet, which is a hotbed of potentially dangerous people and computers. In this chapter, you’ll look at ways to specifically protect your Windows XP computers from threats that reside abroad.

Implementing a Firewall

It’s simply a given that on Windows XP, you should install a firewall. If you have a case of the cheaps, you should use the included Internet Connection Firewall (ICF) to control access to services running on the machine. It’s a simple process to configure the ICF, and by doing so you harden the exterior interfaces to the machine from public access.

To configure the ICF, do the following:

  1. Open Control Panel, and double-click Network Connections.

  2. Double-click the connection that refers to your external interface. The connection status window appears.

  3. Click the Properties button.

  4. Navigate to the Advanced tab, and select the box titled Protect My Computer and Network by Limiting or Preventing Access to This Computer from the Internet.

  5. Click OK.

Your computer is now protected by the ICF. You can also click the Settings button on the Advanced tab to open specific ports for certain services you might be running.

You should also enable ICF logging on critical computers directly connected to the Internet. Doing so will provide you with an audit trail for later forensic analysis; you can automatically see what changes a hacker or cracker may have made to your system so you can reverse them efficiently. To enable logging, navigate to the Security Logging tab in the Advanced Settings dialog box, as shown in Figure 4-1.


Figure 4-1.  Enabling ICF security logging

You can choose whether to log successful connections and packets that are dropped because of firewall rules, and you can also specify a custom location for the log file itself.


TIP Another reason to upgrade to XP: NT 4 is nearing the end of its life. Users should plan an upgrade to Windows XP or 2003. Users of Windows 2000 Desktop should consider an upgrade to Windows XP if only for the ICF filtering provided.

If you have a small business or home business network connected to the Internet, the most cost-effective way to obtain the most protection possible for your dollar is to purchase a broadband router, such as those manufactured by Linksys, D-Link, NETGEAR, and others. Most of these units even have built-in switches, and you simply connect each client to the router and the computers are automatically protected—by default—from the outside. Of course, this strategy won’t be as effective when your computing base grows, but it’s an efficient solution for a small business or home business.

{mospagebreak title=Changes to Services}

One of the easiest ways for crackers to exploit holes in your system is through open services. In addition to the security benefits you get from auditing and closing unused services, you also receive a performance enhancement because stagnant programs aren’t taking up available resources. Besides, a full security audit of your service can reveal some interesting details about your machine. Lately, viruses have been masquerading as services listed in the Task Manager, making them harder to detect, clean, and prevent.

Windows XP comes with only a few services that really require open access to an external interface for normal operation: Terminal Services, or Remote Desktop Connection, and the Remote Access Service for answering dial-in calls.

To manage services on your computer, do the following:

  1. Right-click My Computer, and choose Manage.

  2. Expand the Services & Applications tab, and select Services.

  3. Double-click a service.

  4. Under Startup Type select Manual to disable a service from automatically starting upon computer bootup. Click the Stop button to stop the service if it’s already running.

{mospagebreak title=List of Windows XP Services} 

Table 4-1 contains a nearly complete list of all services that ship with Windows XP and the recommended state that each should be in on your computer, assuming normal office functions are being performed on the machine.

Table 4-1. Common Services and Recommended Settings

SERVICE NAME DESCRIPTION RECOMMENDED STATE
Alerter Raises administrative alerts for selected users and computers. Disabled.
Application Layer Gateway Service Required if you use Internet Connection Sharing (ICS) or XP’s included Internet Connection Firewall to connect to the Internet. Automatic if using ICS; disabled if not.
Application Management Used to assign, publish, and remove software through Group Policy. Disabled unless you participate in an Active Directory domain.
Automatic Updates Services Used to check if there are any critical updates available for download.

Requires Cryptographic to be running. Automatic if you don’t wish to use Windows Update manually.

Background Intelligent Transfer Service Used by Windows Update to transfer data in the background using otherwise idle available network bandwidth. Disabled.
ClipBook Enables the ClipBook Viewer to create and share data to be viewed by remote computers. Disabled.
COM+ Event System Provides automatic distribution of events to subscribing programmatic components. Disabled.
COM+ System Application Provides automatic distribution of events to subscribing programmatic components. Disabled.
Computer Browser Maintains an up-to-date list of computers on your network, and supplies the list to programs that request it. Disabled.
Cryptographic Services Confirms signatures of Windows files. Required for Windows Update to function in manual and automatic mode, and required for Windows Media Player as well. Automatic.
DHCP Client Manages network configuration by registering and updating IP addresses and DNS server information. Automatic if required; disabled if not.
Distributed Link Tracking Client Maintains links between the NTFS file system files within a computer or across computers in a network domain. Disabled.
Distributed Transaction Coordinator Coordinates transactions that are distributed across multiple computer systems and/or resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers. Disabled.
DNS Client Resolves and caches DNS names. The DNS client service must be running on every computer that will perform DNS name resolution. Automatic.
Error Reporting Service Calls home to Microsoft when errors occur. Disabled.
Event Log Logs event messages issued by programs and Windows. This can be useful in diagnosing problems. Automatic.
Fax Service Enables you to send and receive faxes. Disabling this service will render the computer unable to send or receive faxes. Disabled; or don’t install from distribution media.
Telephony Provides Java Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are also running the service. Disabled unless required.
FTP Publishing Service Not available on Windows XP Home. Not installed by default on Windows XP Pro. Enables FTP service. Disabled; or don’t install from distribution media.
Help and Support Required for Microsoft’s online help documents. Automatic.
Human Interface Device Access If all your devices function then disable it. Disabled.
IIS Admin Not available on Windows XP Home. Not installed by default on Windows XP Pro. Allows administration of Internet Information Services (IIS). Disabled; or don’t install from distribution media.
IMAPI CD-Burning COM Service Used for the “drag-and-drop” CD-burn capability. You’ll need this service to burn CDs. Automatic.
Indexing Service Indexes contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language. Disabled.
Internet Connection Firewall and Internet Connection Sharing Provides network address translation (NAT), addressing and name resolution services for all computers on your home or small-office network through a dial-up or broadband connection. Automatic if sharing connection, disabled if not required.
IPSEC Services Manages IP security (IPsec) policy, starts the Internet Key Exchange (IKE), and coordinates IPsec policy settings with the IP security driver. Disabled.
Logical Disk Manager Watches Plug & Play events for new drives to be detected and passes volume and/or disk information to the Logical Disk Manager Administrative Service to be configured.
If disabled, the Disk Management snap-in display will not change when disks are added or removed.
Manual.
Logical Disk Manager Administrative Service See previous item’s description. Manual.
Message Queuing A messaging infrastructure and development tool for creating distributed messaging applications for Windows. Disabled; or don’t install from distribution media.
Message Queuing Triggers Required only if you use Message Queuing Service. Disabled; or don’t install from distribution media. Disabled.
Messenger Sends and receives messages to or from users and computers, or those transmitted by administrators or by the Alerter Service. Disabled.
MS Software Shadow Copy Provider Used in conjunction with the Volume Shadow Copy Service. Microsoft Backup uses these services. Enabled.
NetMeeting Remote Desktop Sharing Allows authorized users to remotely access your Windows desktop from another PC over a corporate intranet by using NetMeeting. Disabled.
Network Connections Manages objects in the Network and Dial-Up Connections folder, in which you can view both network and remote connections. Automatic.
Network DDE Useless service unless you use remote ClipBook. Disabled.
Network DDE DSDM See previous item’s description. Disabled.
Network Location Awareness (NLA) Required for use with the Internet Connection Sharing Service (server only). Disabled unless running ICS or ICF.
NTLM Security Support Provider Enables users to log on to the network using the NTLM Authentication Protocol.
If this service is stopped, users will be unable to log on to the domain and access services. NTLM is used mostly by Windows versions prior to Windows 2000.
Automatic.
Performance Logs and Alerts Configures performance logs and alerts. Disabled.
Plug & Play Enables a computer to recognize and adapt to hardware changes with little or no user input. Automatic.
Portable Media Serial Number Retrieves serial numbers from portable music players connected to your computer. Disabled.
Print Spooler Queues and manages print jobs locally and remotely.
If you don’t have a printer attached, then disable.
Automatic.
Protected Storage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services processes or users. Disabled.
QoS RSVP Provides network signaling and local, traffic-control functionality. Disabled unless required by your network administrator.
Remote Access Auto Connection Manager Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Disabled.
Remote Access Connection Manager Creates a network connection. Automatic if using Dial-Up Networking; disabled otherwise.
Remote Desktop Help Session Manager Manages and controls Remote Assistance. Disabled.
Remote Procedure Call (RPC) Provides the endpoint mapper and other miscellaneous RPC services. Automatic.
Remote Procedure Call Locator Manages the RPC name service database. Disabled.
Remote Registry Service Not available on Windows XP Home.
Allows users to connect to a remote registry and read and/or write keys to it—providing they have the required permissions.
Disabled.
Removable Storage Manages removable media drives and libraries.
This service maintains a catalog of identifying information for removable media used by a system, including tapes, CDs, and so on.
Disabled.
RIP Listener Not installed by default. Disabled; or don’t install from distribution media.
Routing and Remote Access Offers routing services in local area and wide area network environments. Disabled; or don’t install from distribution media.
Secondary Logon Allows you to run specific tools and programs with different permissions than your current logon provides. Automatic.
Security Accounts Manager Startup of this service signals other services that the Security Accounts Manager subsystem is ready to accept requests. Automatic.
Server Provides RPC support and file print and named pipe sharing over the network. The Server Service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. Automatic if you’re sharing files; disabled if not.
Shell Hardware Detection Used for the autoplay of devices like memory cards, some CD drives, and so on. Disabled unless required.
Simple Mail Transport Protocol (SMTP) Transports email across the network. Disabled; or don’t install from distribution media.
Simple TCP/IP Services Implements support for a number of IP protocols. Disabled; or don’t install from distribution media.
Smart Card Manages and controls access to a smart card inserted into a smart card reader attached to the computer. Disabled unless using a smart card reader.
Smart Card Helper Provides support for earlier smart card readers attached to the computer. Disabled unless using a smart card reader.
SNMP Service Allows Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. Disabled; or don’t install from distribution media.
SNMP Trap Service Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer. Disabled; or don’t install from distribution media.
SSDP Discovery Service Used to locate UPnP devices on your home network. Disabled.
System Event Notification Tracks system events such as Windows logon network and power events. Disabled.
System Restore Service Creates system snapshots or restore points for returning to at a later time. Disabled.
Task Scheduler Enables a program to run at a designated time. Disabled unless absolutely required.
TCP/IP NetBIOS Helper Service Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Only required if you need to share files with others. Disabled unless sharing is enabled.
TCP/IP Printer Server Used for setting up a local UNIX print server. Disabled; or don’t install from distribution media.
Telephony Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are also running the service. Disabled.
Telnet Allows a remote user to log on to the system and run console programs by using the command line. Disabled; or don’t install from distribution media.
Terminal Services Provides a multisession environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running on the server. Disabled; or don’t install from distribution media.
Themes Used to display all those new XP themes and colors on your desktop. Lots of space needed. Automatic or manual, depending on your preferences.
Uninterruptible Power Supply (UPS) Used in conjunction with SSDP Discovery Service, it detects and configures UPnP devices on your home network. Disabled unless using a UPS.
Universal Plug & Play Device Host Used in conjunction with SSDP Discovery Service, it detects and configures UPnP devices on your home network. Disabled.
Upload Manager As with BITS, this service manages file transfers between clients and servers on the network. This service is NOT required for basic File and Print sharing. Disabled.
Volume Shadow Copy Used in conjunction with the MS Software Shadow Copy Provider Service. Microsoft Backup uses these services. Disabled.
WebClient Disable this for security reasons. Disabled.
Windows Audio Used to produce audio. Automatic.
Windows Image Acquisition (WIA) Used for some scanners and cameras.
If, after disabling this service, your scanner or camera fails to function properly, enable this service.
Disabled.
Windows Installer Installs, repairs, or removes software according to instructions contained in MSI files provided with the applications. Manual.
Windows Management Instrumentation (WMI) Provides system management information. WMI is an infrastructure for building management applications and instrumentation shipped as an integral part of the current generation of Microsoft operating systems. Automatic.
Windows Management Instrumentation Driver Extension Tracks all of the drivers that have registered WMI information to publish. Manual.
Windows Time Sets the computer clock. W32Time maintains date and time synchronization on all computers running on a Microsoft Windows network. Automatic.
Wireless Zero Configuration Automatic configuration for wireless network devices. Disabled.
WMI Performance Adapter Optimizes the speed of WMI queries. Disabled.
Workstation Provides network connections and communications.
If this service is turned off, no network connections can be made to remote computers using Microsoft Networks.
Automatic.
World Wide Web Publishing Service Provides HTTP services for applications on the Windows platform. Disabled; or don’t install from distribution media.

As you can see from the previous list, not very much is actually needed to keep your Windows XP installation functioning in a home environment. Most of the enabled services just pose an enormous security risk, bring little or no benefit, consume resources, and can be safely turned off.

{mospagebreak title=Microsoft Baseline Security Analyzer Patch Check and Security Tests}

Windows Update is a good way to update a few computers on your network, but it’s a bad strategy for a large network because it requires user intervention and isn’t easily automated. As you’ll discover in Chapter 9, Microsoft has a better way to automate patch rollout on more than a handful of computers using their Software Update Services package. However, neither option offers a good, sweeping way of determining the update level of your machines.

To fill this need, Microsoft has issued the Baseline Security Analyzer (MBSA) tool, which will query each machine on your network and detect which available patches haven’t been installed. The tool is simple to use, easy to automate, and is more suited to a mass analysis than Windows Update. However, it lacks the intelligence and logic of its web-based counterpart. You’ll probably see a lot of updates that don’t pertain to your machines, even though they aren’t installed. It’s up to you to verify that the specific patch listed in the results from the MBSA session doesn’t apply to specific machines on your network. You’ll also need to reboot after each patch application.

Installing Microsoft Baseline Security Analyzer

To install MBSA, follow this procedure:

  1. Go to http://www.microsoft.com and search for hfnetchk. (I would include a link, but Microsoft has a tendency to change their website around quite often.)

  2. Download, execute, and install the program to c:hfnetchk.

  3. At the command prompt, enter hfnetchk –z –v.

The –z and –v switches tell the MBSA tool to go out and download a database of all available patches. It will then scan a computer or set of computers for patches that haven’t been installed, and indicate which haven’t been installed along with the Microsoft Knowledge Base article number. You can look up the appropriate patch using the number provided by the MBSA at http://www.microsoft.com/support.

Penetration Tests

Many security vendors provide free or low-cost online tools that evaluate the security of your system, of course with the underlying motive of persuading you to buy their product. These tools are most often a “penetration test” that can indicate how effectively you’ve hardened your system.

Symantec offers their security check, as well as other tools, at http://security.symantec.com. Here you can scan for holes in your computer’s external interfaces—a very basic penetration test—or scan for viruses that might be present on your system, and track a cracker’s location if you have his source IP. If you’ve followed the steps in this chapter so far, I highly recommend taking advantage of the Scan for Security Risks option to ensure that you haven’t missed anything. In addition to probing your open ports, the option can also detect some Trojan horse viruses that can invade your computer and open a back door.

There’s one thing you should be aware of: Each of these Symantec tools download to your system Active X content, which of course should at least give a competent, astute administrator pause. It’s up to you to trust a particular vendor. Generally, the more popular security-testing sites will have the most robust scanning tools.

Steve Gibson, of the venerable Gibson Research Corporation, has also made available the popular ShieldsUp! test, which is available at http://www.grc.com. It performs much the same function as the Symantec tools.

{mospagebreak title=File System Security}

Part of hardening your overall XP system is to ensure that your file system is adequately secured. Microsoft provides NT File System (NTFS) support in Windows XP. NTFS allows for more robust security features and user permissions and also adds some basic fault tolerance, with which the older FAT file system just cannot compete. Make sure all of your hard drives are formatted with NTFS unless you have systems that dual-boot to another, older operating system that doesn’t support NTFS on the same disk.

To check your hard drive partitions, do the following:

  1. Log in as Administrator, and double-click My Computer.

  2. Right-click each hard drive letter and choose Properties.

  3. Navigate to the General tab. Here, Windows will identify the file system type.

Follow the previous steps for each drive letter, noting which ones are labeled FAT or FAT32.

To convert a FAT or FAT32 partition to NTFS, do the following:

  1. Open a command prompt.

  2. At the command prompt, enter convert x: /FS:NTFS /V. Replace x with one of the drive letters you noted previously.

  3. Repeat the previous step for each FAT or FAT32 partition.

When you’re finished, reboot the system for the changes to take effect.

You might also choose to use third-party disk conversion utilities, like PartitionMagic or Norton Disk Doctor, to convert your file system to NTFS. It’s a painless procedure, no matter which tool you use to do it. Of course, you should always remember to back up your data before performing any change to a disk’s configuration or function.

Disable Automated Logins

Windows XP offers a feature for machines that aren’t participating in a security domain where accounts without passwords can automatically log in at a computer’s startup without requiring any user intervention. Obviously, this is a huge security hole for machines connected to any kind of network. You’ll want to disable this.

To disable automated logins, do the following:

  1. Inside Control Panel, open Administrative Tools.

  2. Double-click Local Security Policy.

  3. Select a username.

  4. Make sure there is a password set for each user account that’s enabled.

Hardening Default Accounts

The main premise is that in order for someone to access an XP system, she must have a username and password. To that effect, Windows creates the administrator account, for use by the machine’s owner, and a Guest account, which has limited privileges and is designed for people who don’t have continuing business on a machine. This isn’t just an XP function.

Of course, crackers have taken advantage of the presence of both accounts. You might consider renaming the two accounts to reduce the surface vulnerability of the machine. This doesn’t work for server machines all the time; sometimes server software and services require the administrator account to be named the same, but for client machines, renaming is usually a good strategy. This is true particularly for XP computers, because they tend to be directly connected to the Internet more than computers that are running older versions of Windows.

You can configure the Administrator account as follows:

  1. Log in as Administrator.

  2. Go to the Control Panel, double-click Administrative Tools, and then Computer Management.

  3. Open Local Users and Groups.

  4. Click the User folder.

  5. Right-click the Administrator account, and choose to rename it. Make it a less obvious name.

  6. Right-click this renamed Administrator account and select Set Password.

You can configure the Guest account as follows:

  1. Right-click the Guest account, and choose to rename it. Make it a less obvious name.

  2. Right-click this renamed Guest account, then select Set Password.

For security reasons, the Guest account in XP is disabled by default. Enabling the Guest account allows anonymous users to access the system. Even if no one sits down and logs in as a guest to your system, the account is used. If you share a folder, the default permission is that everyone has full control, and because Guest is included within the built-in Everyone group, a hole is opened. A standard practice is to always remove the share permissions from Everyone and add them to Authenticated Users. This is a much safer configuration.

Using Forensic Analysis Techniques

Part of hardening a system is knowing when your efforts haven’t protected against or prevented an attack. Here are some common indicators that your system has been compromised:

  • A system alert, alarm, or related indication from an intrusion-detection tool

  • Suspicious entries in system or security logs in XP’s Event Viewer

  • Unsuccessful logon attempts

  • New user accounts of unknown origin

  • New files on the physical file system of unknown origin and function

  • Unexplained changes or attempt to change file sizes, checksums, timestamps, especially on files within the C:WINNT hierarchy

  • Unexplained addition, deletion, or modification of data

  • Denial of service activity or inability of one or more users to log in to an account, including admin or root logins to the console

  • System crashes

  • Poor system performance

  • Unauthorized operation of a program or the addition of a sniffer application to capture network traffic or usernames or passwords

  • Port scanning and the use of exploit and vulnerability scanners, remote requests for information about systems and users, or social-engineering attempts

  • Unusual usage times; statistically, more security incidents occur during nonworking hours than any other time

  • An indicated last time of usage for an account that doesn’t correspond to the actual last time of usage for that account

  • Unusual usage patterns; for example, programs are being compiled in the account of a user who doesn’t know how to program

Keep alert for these indicators. If any are tripped, back up any personal data on a machine, verify that data’s integrity, and then reformat the machine and reinstall Windows. It isn’t a safe bet to try to reconstruct a compromised machine for later production use.

{mospagebreak title=Checkpoints}

If you’re in a hurry, the action items within this chapter include the following:

  • Use XP’s included Internet Connection Firewall to close off open ports.

  • Enable ICF logging for later forensic analysis and intrusion detection.

  • If you have a small office or home office network, purchase an inexpensive broadband router for further protection.

  • Adjust your running services list to match that in the book.

  • Test your service load and ensure that only services required for necessary functionality are running and enabled.

  • Use the Microsoft Baseline Security Analyzer (MBSA) to analyze the current update level of machines on your network.

  • Also visit Windows Update to identify and install appropriate hotfixes and software updates.

  • Visit a reputable online software vendor and perform penetration tests on your machines to ensure that ports are closed off and your hardening efforts were effective.

  • Format the partitions on your machines with NTFS.

  • Disable automated logins by ensuring there is a password for each user account on a machine. (This applies only to machines that aren’t participating in a security domain.)

  • Rename the Administrator account.

  • Rename the Guest account.

  • Replace the Everyone group with the Authenticated Users group inside the access control lists (ACLs) of your shares.

  • Understand the typical signs of a compromised machine.

  • If a machine becomes compromised, don’t attempt to resurrect it. Get personal data off, verify the integrity of that data, and then reformat and reinstall the machine.

3 thoughts on “Windows XP Security

  1. I am still waiting for that day when Windows will not allow viruses to execute on my computer through the use of a simple web page, mail message or Word macro.
    After that day I will start thinking on “hardening” it. It always makes me smile when I see the huge number of posibilities to get a virus. It sometimes looks like a fatality for the common user. It will sure happen one day. It’s just a matter of time… Bottom line: I don’t consider it a safe OS for browsing the net. The struggle to get the latest updates and patches, the anti-virus updates it’s too much for me. Luckily some other people did something to help us, mortals: they built better browsers and mail clients that you can use instead of the standard tools provided in Windows. That helps. But it sure doesn’t cover all the holes.

    The “hardening” shall come from within MS itself.

[gp-comments width="770" linklove="off" ]