Build a Secure Windows XP Desktop
As you know, desktop security has become a constant battle. There are no clear victories, only the ongoing triumph of a smoothly-operating computer. The Internet today is awash with viruses, trojans, spyware, spam, and many other exploits that can bring your clients' systems to a halt. Unfortunately, many small businesses lack the IT resources needed to protect their systems against these various onslaughts. That's why desktop security for small business must start with the initial build.
The good news is that any system builder can build safer, more secure PCs by bundling just a few items in with a corporate desktop and making a few non-invasive tweaks to a Windows configuration. In this TechBuilder Recipe, I'll show you how to build systems that will help your clients fend off many common security exploits and vulnerabilities to keep their systems up and smoothly running.
Ingredients
Ultimately, a PC's configuration of memory, networking, and storage capacity is a matter decided between your client and you. But several key elements are all important to a secure build. You should discuss the following with all your clients:
- At least one spare USB port: With the advent of high-capacity, small form factor hard drives, every open port on a PC must be seen as a security risk. Yet to support either hardware encryption (described later in this Recipe) or biometric authentication, the system will need at least one port open after the keyboard, mouse, and all other peripherals are accounted for. The alternative -- requiring users to add their own USB hubs -- only expands the risk.
- Windows XP Professional: Yes, the Home version is cheaper, and businesses that won't grow past a few PCs or make much use of Windows networking may think they don't care. But Home is actually harder to secure. Some of its networking modes are kept open for ease-of-use, and that's bad for business environments.
- Spyware protection: Much like fighting a deadly disease, there is no one solution to spyware. Instead, a "cocktail" of remedies should be applied to address the most common root causes and side effects. For this Recipe, I used Lavasoft's AdAware and Microsoft's Windows AntiSpyware (Beta) tool.
- Virus protection: Unlike the spyware problem, virus protection is reasonably well-understood and commoditized. Threat data is documented and propagated between security labs rather quickly. So your vendor of choice is likely suitable for the client desktop. For this Recipe I used GRISoft's AVG Anti-Virus.
- WinXP Service Pack 2 on CD-ROM: If your Windows XP OEM versions are not yet carrying Service Pack 2, obtain the administrator's version of Service Pack 2 from Microsoft.com and burn it to a convenient CD-R.
- Firefox (optional): While you should discuss this with the client before you foist it on their users, the browser is one of the primary vectors for exploits, and a number of exploits attack Internet Explorer specifically. True, improvements in Service Pack 2 significantly strengthened IE's defenses. But Firefox is still less susceptible to common exploits, and the software is updated on a nightly basis. By comparison, IE6's update schedule has been long and slow. Ideally, Firefox should be the default browser.
- Hardware encryption token: Windows XP provides built-in encryption capabilities. But the decryption is tied to software only (that is, the user's password), unless the client environment has a more elaborate domain authentication scheme, which many small businesses lack. There are a variety of options in this space, including random-number tokens and plug-in authentication. For this Recipe, I used DESLock+ from Data Encryption Systems. It's a USB hardware token system that costs about $180 for a single-user deployment, plus $80 for each additional USB token.
25 Steps Toward Building a Secure Windows XP Desktop
Now that you have all your components assembled, let's start building a secure desktop system.
1. Assemble the desktop system to the client's specifications. Do not connect it to a network yet. If you have a wireless radio in the machine and a WLAN in your lab, ensure that the WLAN is either on an access key, restricted to certain MAC addresses, or both, so that outside machines cannot see the new computer yet.
2. Install Windows XP. Assign the initial administrator account either as a temporary account that will later be removed, or to the specification of the client's IT manager. Do not configure the end-user account yet.
3. Now that Windows is installed, users no longer have any cause to boot from CD, a common security exploit. Reboot the machine and enter the BIOS setup using the assigned key (commonly ESC, DEL, or F12). Find the boot device priority list -- it's often in Advanced BIOS Settings or Boot Options -- and remove CD-ROM and Diskette from the list. Ideally, hard-drive partition C (or IDE-0, for the primary hard drive on the system) will be the only option listed in the boot priority.
4. If the BIOS offers password protection for entering the BIOS screen, assign one now, and make a note for the client's sysadmin. But remember, a BIOS entry password is not the same thing as a BIOS password to boot the computer. You may wish to assign that as well, but it's less critical if good password policies are enforced in Windows. What we really want is to keep users from entering the BIOS and making changes that will result in either downtime or potential security holes, such as re-activating CD-ROM boot.
5. Reboot back to Windows and log in. Keep the machine isolated from the Internet for as long as possible. If your Windows OEM builds are not Service Pack 2, keep SP2 handy on a CD and install it now, before the machine is connected to the network. If the system must go online before it's fully "hardened," at least keep the system as far from the Net as possible, for example, behind your shop's own firewall and NAT (network address translation).
6. Access the Service Pack 2 Security Center. It will come up automatically after Service Pack 2 is installed for the first time. After that, it is available in Control Panels. Go into the Windows Firewall setting, access the Exceptions list, and turn off anything checked. Here's a screen shot of the Windows Security Center:
7. Go to the System control panel, and select the Remote tab. If Remote Assistance and Remote Desktop are enabled, turn them off. (In Service Pack 2, Remote Desktop should be off by default, but it's always good to check.)
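Steps 6 and 7 can be scripted and, more usefully, read back so the build can be checked before it leaves the shop. The batch file below is an added example, not part of the original Recipe; it assumes an XP SP2 machine, the SP2 `netsh firewall` context, and an administrative command prompt. The registry values for Remote Desktop (`fDenyTSConnections`) and Remote Assistance (`fAllowToGetHelp`) are the ones the System control panel's Remote tab writes.

```batch
@echo off
rem Added example (not from the original Recipe): steps 6 and 7 from cmd.exe
rem on Windows XP SP2, followed by a read-back of every setting touched.

rem Step 6: Windows Firewall on, with the four built-in service exceptions
rem (File and Printer Sharing, Remote Administration, Remote Desktop, UPnP)
rem unchecked for both the domain and the standard (workgroup) profile.
netsh firewall set service type=ALL mode=DISABLE profile=ALL
rem Belt and braces: "Don't allow exceptions" blocks any entry that gets
rem re-checked later by an installer.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

rem Step 7: Remote Desktop off (1 = deny connections) and
rem Remote Assistance off (0 = do not allow help requests).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" ^
    /v fDenyTSConnections /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" ^
    /v fAllowToGetHelp /t REG_DWORD /d 0 /f

rem Checks. Each profile should report "Operational mode = Enable" and
rem "Exception mode = Disable"; the two queries should show 0x1 and 0x0.
echo --- Firewall operational mode ---
netsh firewall show opmode
echo --- Firewall service exceptions (all should be Disable) ---
netsh firewall show service
echo --- Remote Desktop: fDenyTSConnections (expect 0x1) ---
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
echo --- Remote Assistance: fAllowToGetHelp (expect 0x0) ---
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp
```

The read-back at the end is the part worth keeping: a later software install can quietly re-enable a firewall exception, so run the `show` commands again before handing the machine over.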
8. If the user wants Mozilla Firefox as their primary Web browser, install Firefox now and allow it to configure itself as the default browser. To improve Firefox's default security settings, select Tools, then Options, then Privacy, and then Cookies. Turn on "for the originating site only." While still in Options, click on Web Features; locate "Allow Web sites to install software," and uncheck that option.
Sooner or later, the user will need to use Internet Explorer. So let's tighten up IE's settings, too. Access the Internet Options control panel, then go to Advanced Settings. Disable Install On Demand, and change the setting for "Search from the Address Bar" to "Do not search from the address bar" or "Just display the results." This will minimize the chances that the user accidentally reaches potentially harmful sites through mistyped URLs or other mistakes in IE's location field.
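Both browser settings in step 8 live in per-user locations, so they can be applied with a script run as the end user rather than by clicking through two sets of dialogs. The batch file below is an added example, not part of the original Recipe. It assumes the Firefox 1.x profile layout under `%APPDATA%\Mozilla\Firefox\Profiles` and the two preference names behind the checkboxes named in the text (`network.cookie.cookieBehavior`, where 1 means originating site only, and `xpinstall.enabled`). The three Internet Explorer value names are my reading of how the Advanced tab stores "Install On Demand" and "Search from the Address bar"; confirm in Internet Options after running.

```batch
@echo off
rem Added example (not from the original Recipe): step 8 without the dialogs.
rem Part 1 writes a user.js into every Firefox profile of the account running
rem the script; Firefox rereads user.js at each start and it overrides prefs.js,
rem so the two settings cannot be undone by accident from the Options dialog.
rem Part 2 writes the Internet Explorer settings into the same user's hive.
rem Run it while logged on as the end user, after Firefox has been started once.

setlocal
set PROFILES=%APPDATA%\Mozilla\Firefox\Profiles

if not exist "%PROFILES%" echo No Firefox profile under "%PROFILES%" - start Firefox once as this user first.
for /d %%P in ("%PROFILES%\*") do call :writeprefs "%%~P"
goto ie

:writeprefs
echo Writing user.js into %1
> "%~1\user.js" echo.// Added by the build script. Firefox rereads this file at every start.
>> "%~1\user.js" echo.user_pref("network.cookie.cookieBehavior", 1); // 1 = originating site only
>> "%~1\user.js" echo.user_pref("xpinstall.enabled", false);        // "Allow Web sites to install software" off
goto :eof

:ie
rem "Enable Install On Demand" for Internet Explorer and for other components: off.
rem (Assumption: NoJITSetup / NoWebJITSetup are the values behind those two boxes.)
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v NoJITSetup /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v NoWebJITSetup /t REG_DWORD /d 1 /f
rem "Search from the Address bar": 0 = do not search (assumption: value mapping).
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v AutoSearch /t REG_DWORD /d 0 /f

rem Check: the values read back as 0x1, 0x1 and 0x0; then open Internet
rem Options / Advanced and confirm the two settings show as intended.
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v NoJITSetup
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v NoWebJITSetup
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v AutoSearch
endlocal
```

Because the Limited account from step 16 does not exist yet at this point in the build, the script is best kept with the build kit and run once at the user's first logon.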
9. In the Windows Start menu, open the Administrative Tools, and select Local Security Policy / Local Policies / Audit Policy. To improve security auditing after an incident, turn on options to track success and failure of all logon events, policy changes, and account management procedures. For added security, track at least the success of all system events, privilege uses, and audit object access. To do so, double-click each line item and check the "success" and "failure" boxes.
10. Make life more difficult for hackers by tightening the display of valid usernames. First, enter the Group Policy control panel. The easiest way to reach this is through the Start/Run command, gpedit.msc. Browse to Computer Configuration/Windows Settings/Security Settings/Local Policy/Security Options, and find "Interactive Logon: Do not display last user name." Double-click and set to Enabled. You may also wish to rename the Administrator account from this interface to discourage obvious hacking attempts. It is under Accounts: Rename administrator account. You can also rename the Guest account in the same way.
11. Consider disabling the Guest account altogether, particularly in environments that use Windows domains rather than workgroup file and print sharing. On new builds, unless workgroup sharing will be used, Guest should not be displayed as a valid user. To kill the Guest, access the User Accounts control panel. Then right-click the Guest account to view its properties. Finally, check Account is Disabled.
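Steps 9 through 11 are all Local Security Policy settings, and Windows XP can take them from a security template with `secedit` instead of from the console, which makes the same hardening repeatable across every build. The batch file below is an added example, not part of the original Recipe; it writes a template covering the audit policy, the "Do not display last user name" option, the two account renames and the Guest disable, then applies it. The new account names `BuildAdmin` and `NoGuest` are placeholders to replace with the client's choice.

```batch
@echo off
rem Added example (not from the original Recipe): steps 9-11 applied from a
rem security template with secedit. Run from an administrative command prompt.
rem Assumptions: the two new account names below are placeholders.

setlocal
set TEMPLATE=%TEMP%\harden-xp.inf
set DATABASE=%TEMP%\harden-xp.sdb
set NEW_ADMIN_NAME=BuildAdmin
set NEW_GUEST_NAME=NoGuest

rem Template header required by secedit.
> "%TEMPLATE%" echo [Version]
>> "%TEMPLATE%" echo signature="$CHICAGO$"
>> "%TEMPLATE%" echo Revision=1

rem Step 9: audit policy. 3 = success and failure, 1 = success only.
>> "%TEMPLATE%" echo [Event Audit]
>> "%TEMPLATE%" echo AuditLogonEvents = 3
>> "%TEMPLATE%" echo AuditAccountLogon = 3
>> "%TEMPLATE%" echo AuditPolicyChange = 3
>> "%TEMPLATE%" echo AuditAccountManage = 3
>> "%TEMPLATE%" echo AuditSystemEvents = 1
>> "%TEMPLATE%" echo AuditPrivilegeUse = 1
>> "%TEMPLATE%" echo AuditObjectAccess = 1

rem Step 10 (renames) and step 11 (Guest disabled).
>> "%TEMPLATE%" echo [System Access]
>> "%TEMPLATE%" echo NewAdministratorName = "%NEW_ADMIN_NAME%"
>> "%TEMPLATE%" echo NewGuestName = "%NEW_GUEST_NAME%"
>> "%TEMPLATE%" echo EnableGuestAccount = 0

rem Step 10: "Interactive logon: Do not display last user name" = Enabled.
rem Format is path=type,value; 4 = REG_DWORD.
>> "%TEMPLATE%" echo [Registry Values]
>> "%TEMPLATE%" echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1

rem Apply. /overwrite starts a fresh database; /quiet suppresses the prompt.
secedit /configure /db "%DATABASE%" /cfg "%TEMPLATE%" /overwrite /log "%TEMP%\harden-xp.log" /quiet

rem Checks: the renamed accounts answer to their new names, Guest reports
rem "Account active  No", and the logon policy value reads 0x1.
echo --- Checks ---
net user "%NEW_ADMIN_NAME%" >nul 2>&1 && echo Administrator account is now %NEW_ADMIN_NAME%
net user "%NEW_GUEST_NAME%" | find "Account active"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName
echo Details of anything secedit could not apply are in %TEMP%\harden-xp.log
endlocal
```

Keep the generated .inf with the build notes: the same file can be fed to `secedit /analyze` later to show which of these settings have drifted on a machine that comes back for service.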
12. Install Microsoft's Windows AntiSpyware (Beta). The current version is scheduled to time out on July 31, 2005, but the beta will likely be updated before then. When installing, allow the software to automatically update itself and run the real-time agent. But stay off the SpyNet community for now -- that way, there is less risk that the spyware tool's information-sharing capabilities could be exploited. Once installed, Windows AntiSpyware will monitor for unusual behavior.
13. To provide a second anti-spyware opinion, install AdAware from Lavasoft. While Lavasoft offers free versions to private end-users (used here for demonstration purposes only), commercial versions are available for resellers. Ensure that the automatic definition update is functional. That way, AdAware can regularly refresh the banned site list and spyware definition files. Here's a look at AdAware:
14. Install anti-virus protection. Depending on the way the anti-virus program integrates into Windows, you may receive a spyware warning at this point, which you can safely ignore. GRISoft's AVG Anti-Virus is not licensed for corporate use or for reseller distribution, but we will use it here for demonstration purposes only. AVG, like most anti-virus packages, will automatically integrate itself with file changes and the e-mail queue.
15. Make it hard for uncredentialed users to browse shared folders and files, especially if the machine will be on a domain. Do this by disabling Simple File Sharing. Start by selecting the Tools/Options/View tab in any Windows Explorer window. Then disable "Use simple file sharing."
16. Now that the critical applications have been installed, create a Limited account for the computer's end user from Control Panels, User Accounts. Add the user account with Limited permissions.
17. Consider employing basic NTFS encryption, which is effective against the physical removal of the drive but offers no protection against a user with a credentialed login. Simply right-click a folder (such as My Documents for the Limited day-to-day users of the machine), and select Properties, then Advanced. Enable "Encrypt contents to secure data."
18. To provide encryption that goes deeper than password authentication, you need hardware. Install the DESLock+ software, and get the two provided DK5 USB keys ready. One is the end-user key; the other should be kept as an administrative backup. Each DK5 token has a unique serial number and can store up to 64 keys. So one administrator "key ring" can account for a number of user PCs. Here's a look:
19. After DESLock installs and reboots the computer, the circled D DESLock logo should appear in the tray. If it does not, start DESLock manually from the Start menu. Plug the user DK5 into an open USB port. Let Windows use the recommended drivers, then click the key's serial number and select Setup. Choose Corporate setup if multiple machines will use DESkey. Choose Single User for a solo implementation, a very small business, or a single, highly critical PC. (For this Recipe, I used the Corporate example.) DESLock prompts for a master password that controls access to the higher administrative functions of DESLock. Choose a strong password.
20. In the next step of DESLock setup, designate a tolerated number of bad login attempts, and a consequence for exceeding that amount. Erasing the encryption keys is a drastic remedy, used mainly in situations where you suspect a machine may come under serious attack. A simple time lock will discourage the casual passersby who may meddle with the PC, but not pose a long-term threat. For most circumstances, the default settings -- five failed attempts and time lock -- are appropriate.
21. DESLock now asks which administrative functions should be available to an authenticated user. If users should have the flexibility to swap key access with other machines, turn on Add Encryption Keys and Create Encryption Keys. Otherwise, accept the defaults. For a highly secure environment, turn off all options; but note that this will make even simple housekeeping tasks, like changing the user password, a real burden.
22. After the settings are configured and the key is assigned a name, DESLock will generate a seed for a secret key pair. At this stage, you may choose between 3DES, Blowfish, or AES. The last is the newest algorithm, although for most security environments the choice will be largely meaningless unless interoperability with an existing PKI infrastructure is required. AES is the default.
23. DESLock will now load the key onto the USB device and the PC's database. To finish activating the key, double-click the D logo in the tray, then enter a user password. This, combined with the key, will grant access to any encryption-protected folders and files. A DESLock DK5 USB encryption token can hold up to 64 keys.
24. With DESLock installed, users can now right-click files or folders and select DESLock/Encrypt File with DESLock. But unlike NTFS encryption, DESLock requires that the USB decryption token be inserted and verified before a user can access these files. So, to protect large amounts of user data, let's create an encrypted partition.
First, right-click the DESLock logo. Then select Mount Manager. This creates a "filemount disk," a large encrypted file that acts as a virtual drive. Click Create to begin. Then select a location for the large file disk; it can be anywhere that is not in an already compressed or encrypted NTFS folder, and it will ideally be limited to 2 GB. This mounted disk will automatically carry the PKI encryption. Moving a large filedisk in this way can be an efficient method for transferring large volumes of encrypted data in a single package that still honors the PKI system -- unlike, say, a password-protected Zip file.
25. Time for the final housekeeping steps. Enter the Desktop properties by right-clicking the desktop, then selecting Properties, then going to the Screen Saver tab. Ensure that "On resume, display Welcome screen" is turned on, and reduce the screensaver timeout to just a few minutes. This will ensure that the user password is requested to resume normal operations. It will also protect the computer against unauthorized logins when the user leaves the computer unattended.
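Steps 15 and 16 are machine-wide changes made by the build administrator, while steps 17 and 25 change things that belong to the end user (their EFS certificate and their own registry hive), so they must be done while logged on as that user. The batch file below is an added example, not part of the original Recipe, and serves both pairs of steps: run once as the administrator it does steps 15 and 16, run again as the new user it does 17 and 25. The account name `jdoe`, the 300-second timeout and the choice of the blank screen saver `scrnsave.scr` (which ships with XP) are assumptions to change as needed.

```batch
@echo off
rem Added example (not from the original Recipe). Steps 15 and 16 run as the
rem build administrator; steps 17 and 25 run as the end user, because the EFS
rem key and the screen-saver values are per user. The same script detects
rem which account is running it and does the matching half.
rem Assumptions: "jdoe" is a placeholder account name; timeout 300 seconds;
rem scrnsave.scr is the blank screen saver that ships with Windows XP.

setlocal
set LIMITED_USER=jdoe
set SAVER_TIMEOUT=300

if /i "%USERNAME%"=="%LIMITED_USER%" goto userpart

rem ---- Administrator part ----------------------------------------------
rem Step 15: classic file sharing instead of Simple File Sharing.
rem forceguest 1 = every network logon is mapped to Guest; 0 = real credentials.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest /t REG_DWORD /d 0 /f

rem Step 16: a Limited account is a local user that is a member of Users only.
rem The "*" makes net user prompt for the password instead of taking it on the
rem command line, so it never lands in the console history.
net user %LIMITED_USER% * /add /comment:"Day-to-day end user"

rem Check: the new account must not be in either privileged local group.
net localgroup Administrators | find /i "%LIMITED_USER%" >nul && echo WARNING: %LIMITED_USER% is an Administrator
net localgroup "Power Users" | find /i "%LIMITED_USER%" >nul && echo WARNING: %LIMITED_USER% is a Power User
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest
echo Now log on as %LIMITED_USER% and run this script again for steps 17 and 25.
goto :eof

:userpart
rem ---- End-user part ----------------------------------------------------
rem Step 17: EFS on My Documents and everything below it. Done as the user so
rem the EFS certificate that gets created belongs to them, not to the admin.
cipher /e /s:"%USERPROFILE%\My Documents"
rem Check: cipher with no switches lists E (encrypted) or U per entry.
cipher "%USERPROFILE%\My Documents"

rem Step 25: screen saver on, password/Welcome screen on resume, short timeout.
rem ScreenSaverIsSecure=1 is the "On resume, display Welcome screen" box.
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d %SAVER_TIMEOUT% /f
reg add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\system32\scrnsave.scr" /f
rem Check: values read back as 1 and 300; they take effect at the next logon.
reg query "HKCU\Control Panel\Desktop" /v ScreenSaverIsSecure
reg query "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut
endlocal
```

The group-membership check in the administrator half is the one to keep even if the rest is done by hand: the User Accounts applet makes it easy to create an account as "Computer administrator" by mistake, and a Limited account that is actually in Administrators undoes most of the rest of this Recipe.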
The final step is advocacy. Remind users of the importance of keeping the software on their client desktops simple. Particularly important is avoiding any server software, such as HTTP and FTP servers, as well as desktop-sharing servers. Such software turns a desktop system into a target. By preventing the spread of server software on desktops, we can all keep PCs cleaner, longer.
JASON COMPTON is a technology writer who has covered topics ranging from 8-bit entertainment to supercomputing for more than a decade.