Chapter 2: Implementing Security

Exam Objectives

Securing systems through BIOS

Implementing users and groups

Implementing permissions and rights

Implementing auditing

Implementing firewalls

Implementing security best practices

In this chapter, you find out how to implement security best practices on systems at home or at the workplace. The preceding chapter introduces terms such as authentication and authorization; this chapter demonstrates how to perform such tasks. You find out how to create a user account that can be used for authentication and how to authorize the user to access a folder or perform an action within the operating system. This chapter will ensure that you know how to perform basic security-related tasks!

When thinking about network security, understand that security is to be implemented at multiple layers, meaning that you cannot focus on just one security-related feature. You want to implement multiple security features to secure your environment. For example, a number of people feel that their systems are secure because they have a firewall. They don’t realize that the firewall protects the system only from attacks coming across the network. What if the hacker is in the same room as the computer? The firewall is of no use at that point, so you need to ensure that you implement other security features to protect the system from all potential threats.

Securing Systems through BIOS

When securing systems, your first security concern is physical access. This involves ensuring that critical systems, such as servers, are in locked rooms that are not accessible to unauthorized users. Physically securing systems could also involve changing some of the CMOS settings, such as boot device order, power-on password, and CMOS password.

Changing these settings in CMOS is different for each type of system, but the first thing to do is enter CMOS. Normally, you press Delete, F1, F2, or F10 when the system is booting.

After the system is booted, you will find the following settings in the CMOS setup program to help secure the system:

BIOS Password: Usually found in the security section of CMOS, you can set a power-on password (also known as a user password), which is a password that anyone who wants to use the system must type. You may also set an admin password, which is a password that must be known by anyone who wants to change CMOS settings.

Boot Devices: In CMOS, you can control what devices the computer can boot from. Most computers today can boot from CD-ROM, floppy disk, hard disk, network, and USB removable drives. It is important to understand that if you allow a computer to boot from CD-ROM, a hacker can possibly boot from a CD and bypass all security enforced by your OS.

Intrusion Detection: Most systems today have an intrusion detection option that will notify you if the computer case has been opened. This is important because instead of stealing the actual computer, a person could take the RAM or hard drive out of the computer, which is easier to hide and steal. Make sure that the intrusion detection option is enabled, and also be sure to lock the computer cases so they cannot be removed easily.

Implementing Users and Groups

In this section, you find out how to create user accounts that can be used to log on to the system and how to create groups to organize users together as a single object that permissions can be assigned to.

Creating user accounts

To secure the Windows OS from unauthorized access, you can create a user account for each person who is allowed to use the system. Anyone without a user account will be unable to log on to the system and, as a result, will not be able to use the computer. The other benefit of creating user accounts is that even if a person has a user account and logs onto the system, he might not be able to access a file because you have not given permission to that user to access the file.

To create a user account in Windows systems, use the Computer Management console. Right-click My Computer (Computer, in Windows 7 and Vista) and choose Manage. In the Computer Management console that opens, expand Local Users and Groups and select the Users folder (shown in Figure 2-1). In the Users folder, you will notice some user accounts on the right side. These user accounts are built-in accounts, meaning that they were built by the OS or by a piece of software you have installed.

Figure 2-1: Creating user accounts and groups in the Computer Management console.


Two built-in accounts you should be familiar with for the A+ exam are

Administrator: The administrator account is the built-in account in Windows that has full access to the system and can manage all aspects of the computer. During the installation of Windows, you were asked what you wanted to set as the password for the administrator account; you use that password to log on with the username of administrator. When you do log on as administrator, you can change any settings on the system. A normal user account cannot make major changes to the system, such as changing the time, installing software, or making any other change that affects the system. To make these types of changes, you need to log on as administrator.

Guest: Users can use the guest account if they don’t have an actual user account. When they try to access the system, they are authenticated as guest. The guest user inherits any permissions the guest account has on the system. There is one hook to this scenario, though. By default, the guest account is disabled, meaning that it is not available for use. Because of the security concerns of not requiring someone to log on, Microsoft has disabled the account. A disabled account appears with a red X on it and cannot be used.

For the exam: Two default accounts are built in to Windows: administrator and guest. The administrator account has full access to the system, and the guest account is used for temporary access to the system. Also note that the guest account is disabled by default.

Now that you have identified the two major built-in accounts, you can create your own user accounts. To create your own user accounts in the Computer Management console, right-click the Users folder and choose New User. The New User dialog box appears (shown in Figure 2-2). Fill in the following account details:

User Name: This is the name that the user uses to log on to the system. Typically, it is a short version of the full name. For example, the full name Glen Clarke might get truncated to gclarke as the username. A username is also known as the logon name.

Full Name: This is typically the person’s first name and last name: for example, Glen Clarke as the full name.

Description: This is a description of the user account. I typically put the person’s job role here: for example, Accountant.

Password: Type what you want for the user account’s password. The user needs to know this password to log on to the system. Be sure to use good practices with passwords, such as not using words found in the dictionary and using a combination of uppercase and lowercase letters, numbers, and symbols. See the preceding chapter for more information about strong passwords.

Confirm Password: Type the password again in this box. This ensures that you typed what you thought you typed.

User Must Change Password at Next Logon: Set this option if you want to force the user to change the password the first time he logs on. This ensures that you don’t know the user’s password because the password you originally set is overwritten.

User Cannot Change Password: Set this option if you don’t want the user to be able to change the password. This ensures that the password you set is the password that the user must use.

Password Never Expires: In a password policy, you can specify that passwords must be changed every so many days. That policy applies to all users except for any accounts that have Password Never Expires activated. You might use this option if you have two employees sharing a user account.

Account Is Disabled: If you want to disable an account at any time, you can set this option. A disabled account is unusable until you enable it again.

Figure 2-2: Creating a user account in Windows.


After you enter all the account information, click the Create button and then click Close to dismiss the New User dialog box. The user account has been created, and you can start using it right away to log on to Windows.

It is also possible to create user accounts from within the Control Panel. If you choose Start⇒Control Panel, click the User Accounts link, and then click the User Accounts link again (in Windows 7), you will see a Manage User Accounts link that allows you to create and delete user accounts through the Control Panel.

Creating groups

A group in Windows is a collection of user accounts. The benefit of using groups when managing access to resources is that you don’t need to assign the same permissions multiple times. Instead, you assign the permission to the group, and anyone who is a member of the group receives the permission.

Like user accounts, Windows offers a number of built-in groups. A built-in group has predefined capabilities within Windows. For example, printer operators can manage all printers on the system, and anyone who is a member of the printer operators group will have that capability. The following is a list of some of the popular built-in groups found in Windows OS:

Administrators: This group has full access to the system and can change any setting on the system. The administrator account is a member of this group by default, which is why the administrator account is allowed to change any setting on the system.

Backup Operators: Members can perform backups and restores on the system.

Account Operators: Members can create user accounts. This group is available on Windows servers. The benefit of using this group is that if you want someone to be able to manage user accounts, you can place that person in this group instead of in the administrators group and he or she will only be able to manage the user accounts — not the entire system.

Printer Operators: Members can change any settings on the printers. Essentially, members of this group are trained to troubleshoot the printing environment and then assigned the task of managing all printing problems on the network.

Users: All user accounts that are created are members of the users group. You can assign permissions to the users group knowing that all users will get the permission.

Power Users: The power users group is the group on Windows client OSes prior to Windows Vista that allows its users to create user accounts and manage the printing environment. Use this group if the desktop OS does not have an account operator or a printer operator group.

For the exam: Be sure you know the default groups in Windows. Some of the more useful built-in groups are account operators, printer operators, and backup operators. Also note that if a user is not placed in an administrative group, he or she is known as a standard user.

If the built-in groups do not satisfy your needs, create your own groups:

1. Click Start; then right-click My Computer (Computer, in Windows 7 and Vista) and choose Manage.

2. In the Computer Management console, expand Local Users and Groups.

3. Right-click the Groups folder in Local Users and Groups and then choose New Group, as shown in Figure 2-3.

4. In the New Group dialog box that appears, type the name you wish to use for the group.

In this example, I use Accountants (shown in Figure 2-4).

5. Fill in a description for the group in the Description text box.

6. To begin adding members to the group, click the Add button.

The Select Users dialog box appears.

Figure 2-3: Creating a new group in Computer Management with Windows.


Figure 2-4: Fill in information for your new group.


7. Type the name of the user account you want to add and then click the Check Name button on the right side.

Windows should underline the account name, indicating that the user account exists and that you can add it to the group membership.

8. Repeat Step 7 for each account you want to add to the group.

9. After you add all the accounts to the group, click OK and then click Create to create the group.

After you create the users and place them into their appropriate groups, you are now ready to assign them permissions.

On the web: To practice creating users and groups, take a look at Lab 2-1 on the book’s companion website, www.dummies.com/go/aplusaio.

Implementing Permissions and Rights

When controlling a user’s access to the system, you typically modify the user’s rights and permissions. Microsoft has made a huge distinction between a permission and a right.

Permission: A user’s level of access to a resource, such as a printer or file

Right: A user’s privilege to perform an OS task

In this section, you discover the difference between permissions and rights within the Windows OS and how to implement both within the local security policy in Windows.

Rights

If you were to log on to your Windows system as just a user account and then double-click the time in the bottom-right corner to change that time, you get an error message indicating that you do not have the privilege to change the time. This is an example of user rights. The user account that you are currently logged in with does not have the right to change the system time, which is an action that typically has to be performed by an administrative account.

There is a large list of user rights; some of the most popular ones are listed below:

Access this computer from the network. This right is needed by anyone who wants to connect to the system from across the network: for example, if you wish to connect to a shared folder on computer A, you need this right on computer A.

Back up files and directories. This right is needed by anyone who wishes to back up files on the computer. For security reasons, not everyone should be able to perform backups on a system, so Windows controls who can perform a backup via this right.

Change the system time. To change the time on the computer, your user account must be given this right.

Log on locally. To log on to the system by pressing Ctrl+Alt+Delete, you need this right. Microsoft classifies a local logon as you sitting in front of the computer at the keyboard (versus a remote logon, where you connect from across the network, which is controlled by the first right mentioned in this list).

Shut down the system. To shut down the computer, you must have this right.

Take ownership of files and other objects. In Windows, the owner of the object, such as a file or folder, always has the ability to change the permissions of the resource. You might want to give selected individuals the take-ownership right so that they can take ownership of a resource and then change the permissions.

To change the user rights (for example, to assign Bob Smith the right to change the system time), you need to modify the user rights assignments in the local security policies of the Windows computer. The local security policy controls all security settings for the system. To change the local security policies in Windows XP, follow these steps:

1. Choose Start⇒Control Panel.

2. In the Control Panel, choose Performance and Maintenance and then Administrative Tools, located at the bottom of the window.

3. In the Administrative Tools, double-click Local Security Policy to start the Local Security Policy console.

4. To modify the user rights within the local security policy, expand Local Policies and then highlight User Rights Assignment, as shown in Figure 2-5.

When the User Rights Assignment node on the left side has been selected, you will notice the list of user rights on the right side of the screen in the Details pane.

5. To modify a user right, double-click the user right.

You see a list of users or groups that have been assigned that right.

6. To add a user or group to the list, click the Add User or Group button, type the name of the account you wish to add, and then click Check Names to ensure that Windows recognizes the user account.

Figure 2-5: Configuring user rights within Windows allows you to control which actions a user can perform.


7. Click OK to add the account to the right you chose (as shown in Figure 2-6) and then click OK to close the window.

Figure 2-6: Adding Bob to the change the system time user right.


The steps used in Windows 7/Vista to change the user rights are very similar after you access the Local Security Policy console. Choose Start⇒Control Panel⇒System and Maintenance⇒Administrative Tools and then double-click Local Security Policy.

User Account Control (UAC)

Windows Vista added the User Account Control (UAC) feature (which was improved in Windows 7). When an administrative account logs onto Windows, that user is not initially given administrative access to the system. When the administrator launches a program to perform some administration, Vista prompts the user to raise the privilege level to the administrative level. If the administrator chooses Continue, the admin will be able to run the program.

Microsoft created the feature because over the last few years, a number of security incidents occurred when hackers got the user of the computer to run malicious software without the user’s knowledge. Because the logged-on user had admin access to the system, so did the program that the user did not know was running. This malicious software, now with admin access, could do anything it wanted to the system.

In response, Microsoft created the UAC feature. Now if software runs without your knowledge and tries to manipulate the system, you are prompted to decide whether you wish to continue. Unfortunately, you also get prompted when you launch the software yourself, which is why most people get frustrated with the UAC feature. Still, it is a great feature from a security point of view.

You can modify the local security policy to get rid of the UAC prompt and automatically elevate the admin privileges. Locate the User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode setting in the Security Options section of the Local Policy. You can set the value of the policy to Elevate Without Prompting as shown in Figure 2-7.

Figure 2-7: Modifying the UAC feature within the Local Security Policy.


Permissions

Permissions are different than rights: A right governs an action that can be performed on the computer, but a permission is a user’s level of access to a resource. For example, you can give a user permission to read or modify a file. Figure 2-8 shows the permissions you can set for a file.

Figure 2-8: Looking at NTFS permissions in Windows XP.


Technical stuff: Permissions can be configured only on a partition formatted for NTFS. To obtain an NTFS partition, you can format the partition for NTFS (but lose all existing data), or you can convert the drive to NTFS by using the convert driveletter: /fs:ntfs command. When you convert, the existing data on the drive is preserved.

To modify the permissions on a folder or file in Windows, simply right-click the file or folder and choose Properties. In the properties window, choose the security page tab to set the permissions.

Here are the available permissions:

Read permissions: What I call the “read” permission is a combination of the three default permissions — Read, Read and Execute, and List Folder Contents. I personally classify all three as the read permission because at a minimum, this is typically what users need to read the file.

Read: Allows you to read the contents of a file

Read and Execute: Allows you to read the contents of the file and execute a program

List Folder Contents: Allows you to see the file when you look in the folder

Modify: Allows a user to read, modify, and delete a file. When given the Modify permission to a folder, a user can also create new files or folders in that folder.

Full Control: Allows a user to do everything that the Modify permission allows, but the user can also change permissions on the resource or take ownership of the resource.

Warning: If someone can take ownership of the resource, that person can change the permissions. The Full Control permission should be used sparingly so that not everyone has the permission to change permissions on you.

Write: Used by the Modify permission to allow users to write to the file or folder. When you choose the Modify permission, you will notice that the Write permission is automatically selected.

For the exam: The major difference between the Modify permission and Full Control permission is that Full Control allows a user to modify permissions and take ownership of the resource in addition to being able to modify and delete the resource.

Looking at Figure 2-8, you will notice a number of permissions with gray check boxes next to them. The gray check box means that you are not allowed to change the permission because the permission is being inherited from a parent level. Permission inheritance (also known as permission propagation) is a feature of Windows that is designed to minimize how much permission management you need to do. With permission inheritance, when you set permission on a folder, that permission applies to all subfolders and files; you don’t need to go to subfolders and files to set the same permission.

When you go to modify the permissions on a folder, however, you need to understand that the existing permissions are being inherited from the parent folder. To change the permissions, you need to break the permission inheritance feature on the folder by going to the properties of the folder, clicking the Security tab, and clicking the Advanced button. That invokes the Advanced Security Settings dialog box for the folder, where you can turn off the Inherit from Parent . . . option (see Figure 2-9).

After you turn off the inheritance option and click OK to close that screen, you are presented with a dialog box asking whether you want to remove the existing permissions or copy the permission down from the parent folder so that you do not have to set all permissions again. Typically, I choose Remove and then add whoever needs to have access to the folder.

Figure 2-9: Disabling permission inheritance in the Advanced Security Settings dialog box.


After you remove the existing permissions, you can add new users or groups to the permission list on the Security tab by clicking the Add button. You can type the name of the account or group you want to assign the permission to and then click the Check Names button. After you add all the users and groups to the permission list, you then choose which permission you want assigned to each user by selecting the user in the permission list and then choosing the permission. For example, in Figure 2-10, notice that the Accountants group has the Modify permission.

Figure 2-10: Giving the accountants the Modify permission.


On the web: To practice changing permissions and rights, take a look at Lab 2-2. Lab 2-2 can be found on the book’s companion website, www.dummies.com/go/aplusaio.

Note that the descriptions in this chapter have been about allowing a permission such as the modify permission. From time to time, you may want to take someone’s permissions away with a deny permission. A reason to do this would be if the user is a member of a group that has been allowed a permission and you do not want the user to have the permission; you simply add the user to the access control list and deny him the permission! All users in the group will be allowed the permission except for that one user. Remember that in Windows, the deny permission wins over an allow permission when a conflict occurs.

Copying and moving files

Permissions on a file can change as you perform file management tasks, such as moving and copying files. The following list shows the outcome if you move or copy a file that has permissions set on it:

Move on same partition. When you move a file from one folder to another folder on the same partition, the file keeps its permissions.

Copy on same partition. When you copy a file from one folder to another folder on the same partition, the new file inherits the permissions of the folder that it was copied to.

Move across partitions. When you move a file from one folder to another on different partitions, the file inherits the permissions of the target folder and does not retain its original permissions. This is because when you move a file between partitions, Windows first copies the file and then deletes the original (if the copy was successful).

Copy across partitions. When you copy a file from one partition to another partition, the new file inherits the permissions of the destination folder.

For the exam: Remember the effect that copying and moving files has on the permissions of the destination file.

NTFS versus share permissions

When you share a folder, you have the opportunity to place permissions on the share, as well as to set up your NTFS permissions. (Book VIII, Chapter 3 covers sharing network resources such as folders and printers.) The big question is what happens when the two permissions conflict? If a conflict in permissions between NTFS and shared folders exists, the most restrictive takes effect. For example, if you have NTFS permissions of modify on a folder and then you share the folder and give all users the read permission, the permission that takes effect will be the read permission because it is the most restrictive. Remember this for your A+ Certification exams!

Remember: The share permission is inherited for the entire folder structure of the share. Also, remember that administrative shares are already created in Windows, such as the root of every drive. You can connect to them with syntax such as \\computername\c$, but remember that only administrators can connect to administrative shares!
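The deny-wins rule from the Permissions section and the most-restrictive rule for NTFS versus share permissions can be worked through together. The following is an added example, not code from the book: it is a simplified model that treats every permission entry alike (it does not distinguish inherited entries from ones set directly on the object), and the account names, group names, and permission lists are constructed for illustration.

```python
# Added example: a simplified model of the rules above, not Windows' real
# access-check algorithm. Every ACL entry is treated alike.

# Rights carried by each named permission, following the chapter's descriptions.
RIGHTS = {
    "Read": {"read"},
    "Write": {"write"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete",
                     "change_permissions", "take_ownership"},
}


def granted(acl, user, groups):
    """Rights one ACL gives a user: every matching allow, minus every deny."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, permission in acl:
        if principal not in principals:
            continue
        if kind == "allow":
            allowed.update(RIGHTS[permission])
        elif kind == "deny":
            denied.update(RIGHTS[permission])
        else:
            raise ValueError(f"unknown entry type: {kind!r}")
    return allowed - denied  # deny wins over allow


def effective_rights(ntfs_acl, user, groups, share_acl=None):
    """Combine NTFS and share permissions; the most restrictive result applies.

    share_acl=None models a user sitting at the computer, where share
    permissions play no part.
    """
    ntfs = granted(ntfs_acl, user, groups)
    if share_acl is None:
        return ntfs
    return ntfs & granted(share_acl, user, groups)


# Constructed sample data (account and group names are illustrative).
NTFS_ACL = [
    ("Accountants", "allow", "Modify"),  # the group is allowed Modify
    ("bsmith", "deny", "Modify"),        # one member is denied it
]
SHARE_ACL = [("Users", "allow", "Read")]  # the share gives all users Read
MEMBERSHIP = {
    "gclarke": ["Accountants", "Users"],
    "bsmith": ["Accountants", "Users"],
}


def demo():
    """Effective rights for each sample user, locally and through the share."""
    results = {}
    for user, groups in MEMBERSHIP.items():
        results[user] = {
            "local": effective_rights(NTFS_ACL, user, groups),
            "over_share": effective_rights(NTFS_ACL, user, groups, SHARE_ACL),
        }
    return results


if __name__ == "__main__":
    for user, access in demo().items():
        print(user, {where: sorted(r) for where, r in access.items()})
```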

Changing file attributes

You can change the attributes of a file and make it read-only so that no one can modify the file, or you can make it hidden so that no one can see the file. These are not great practices as far as security goes because when setting a file attribute, it applies to everyone. For example, if you set the read-only attribute on a file, the file cannot be modified by anyone, including users and administrators. With permissions, you get to choose who gets the permission.

Implementing Auditing

After you set up security on a Windows system by setting permissions on the folders and files, configuring user rights, and placing users in the appropriate groups, make sure that the security of the OS is effective. To monitor what is happening on the system, you enable auditing, which notifies you when certain things happen on the system. For example, you might want to be notified if someone fails to log on to the system with a correct username and password — this could be someone trying to guess the password of the account.

To effectively work with the auditing feature in Windows, there are two steps:

1. Enable auditing.

You must first enable auditing. Simply choose what events you wish to audit. The nice thing about auditing in Windows is that you choose which events you care to know about.

2. Review the audit log.

After you enable auditing, ensure that you monitor the log regularly for any security-related issues. For example, if you notice a failure to log on over and over for the same account, that is an indication that an account is being hacked.

The following sections offer more details about these two steps.

Enabling auditing

To enable auditing in Windows, modify the Local Security Policy:

1. Choose Start⇒Control Panel.

2. In the Control Panel, choose Performance and Maintenance (XP) or System and Maintenance (Windows 7/Vista) and then Administrative Tools, located at the bottom of the window.

3. In the Administrative Tools, double-click Local Security Policy to start the Local Security Policy console.

4. In the Local Security Policy console, expand Local Policies and then highlight Audit Policy.

On the right side of the screen (the Details pane) is a list of events that you can enable auditing for; see Figure 2-11:

Audit Account Logon: Audit any remote users who are authenticated by this user account database. This is the event to enable auditing on a domain controller.

Technical stuff: A domain controller is a server in a Microsoft network environment that holds all the user accounts for an entire network. In the corporate world, users log on to the network, not a particular machine, which means that the logon request is sent to the domain controller where the username and password are checked against a database. The database that holds the user accounts on a domain controller is known as the Active Directory database.

Audit Account Management: Record an event in the log for any user account changes, such as any new accounts that are built, modified, or deleted.

Audit Logon Events: Record the fact that the user logged on from this station regardless of whether the account was authenticated from this system.

Audit Object Access: Audit access to a specific folder, file, or printer.

Tip: After you enable Object Access Auditing, you need to go to the Security page in the properties of a file, folder, or printer and click the Advanced button. Click the Auditing tab and choose which users and which permissions to audit for. You must perform this step on any folder, file, or printer you wish to audit.

Audit Policy Change: Notification of any change to the security policy.

Audit Privilege Use: Logs when a user takes advantage of any rights you have given that user. For example, if you give Bob the right to perform backups, you want to know when he actually performs a backup.

Audit Process Tracking: Notification of when a process starts or exits.

Audit System Events: Notification of system-related actions, such as restarting or shutting down the system. You might want to be aware when the system is restarted, especially on server OSes.

Figure 2-11: Looking at the auditing feature within the Local Security Policy.


5. To enable auditing on one of these events, double-click the event and then choose whether you want to audit the success of that event or the failure.

For example, I do not care about the success of logons, so I would choose Failure for that event.

The steps in Windows 7 and Vista to enable auditing are very similar after you access the Local Security Policy console. Choose Start⇒Control Panel⇒System and Maintenance⇒Administrative Tools and then double-click Local Security Policy.

Reviewing the security log

After you enable auditing on the different events, you then need to view the audited information in the security log of event viewer:

1. Choose Start⇒Control Panel.

2. In the Control Panel, click Performance and Maintenance and then Administrative Tools, located at the bottom of the window.

3. In the Administrative Tools, double-click the Event Viewer to start the Event Viewer console.

4. Select the log that you want to view.

Note the events on the right side of the screen. If you select the security log, as shown in Figure 2-12, any events with a lock are failure events, and any events with a key are successful events. Figure 2-12 shows an account logon event with a lock, indicating a failure to log on.

Figure 2-12: Review the security log that is populated by the auditing feature of Windows.

5. (Optional) To view a description of a particular event, double-click the event.

Going back to the account logon failure example, you can see the date and time the logon was attempted. You can also view the username that was attempted and the computer that the person used to try to log on to the network.

The steps in Windows 7 and Vista to review the security log are very similar after you access the Event Viewer console. Choose Start⇒Control Panel⇒System and Maintenance⇒Administrative Tools and then double-click the Event Viewer icon. When the Event Viewer launches, expand the Windows Logs folder on the left and then choose Security.

For the exam: After enabling auditing, review the security events by checking the security log in Event Viewer.
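The review described above can be scripted once the security log has been exported. The following is an added example, not code from the book: it reads constructed records holding the three details the text names (time, username, computer) and reports accounts with repeated logon failures inside a short window. The CSV layout, threshold and sample names are assumptions; 4625 is the failed-logon event ID on Windows Vista and 7, and 529 is the Windows XP ID for a failure caused by an unknown user name or bad password.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon event IDs: 4625 (Windows Vista/7), 529 (Windows XP).
FAILED_LOGON_IDS = {"4625", "529"}

# Constructed sample export (not real log data); column names are assumed.
SAMPLE_EXPORT = """\
time,event_id,result,user,computer
2012-03-05 08:59:40,4624,Success,alice,WS-ACCT-02
2012-03-05 09:00:02,4625,Failure,bob,WS-LOBBY-01
2012-03-05 09:00:09,4625,Failure,bob,WS-LOBBY-01
2012-03-05 09:00:15,4625,Failure,Bob,WS-LOBBY-01
2012-03-05 09:00:31,4625,Failure,bob,WS-LOBBY-02
2012-03-05 09:14:00,4625,Failure,alice,WS-ACCT-02
2012-03-05 09:14:20,4624,Success,alice,WS-ACCT-02
2012-03-05 10:30:00,4625,Failure,carol,WS-HR-03
2012-03-05 11:45:00,4625,Failure,carol,WS-HR-03
2012-03-05 13:02:11,4625,Failure,bob,WS-LOBBY-01
"""


def parse_events(text):
    """Yield (time, event_id, user, computer) for each exported record."""
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        # Windows account names are case-insensitive, so normalize them.
        yield when, row["event_id"], row["user"].lower(), row["computer"]


def repeated_failures(text, threshold=3, window=timedelta(minutes=5)):
    """Return the worst burst of failed logons per account.

    An account is reported when at least `threshold` failures fall inside
    any span of length `window`. A single mistyped password is ignored.
    """
    failures = defaultdict(list)
    for when, event_id, user, computer in parse_events(text):
        if event_id in FAILED_LOGON_IDS:
            failures[user].append((when, computer))

    findings = {}
    for user, hits in failures.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the start of the window forward until it fits.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            best = findings.get(user, {}).get("count", 0)
            if count >= threshold and count > best:
                findings[user] = {
                    "count": count,
                    "first": hits[start][0],
                    "last": hits[end][0],
                    "computers": sorted({c for _, c in hits[start:end + 1]}),
                }
    return findings


if __name__ == "__main__":
    for user, info in repeated_failures(SAMPLE_EXPORT).items():
        print(user, info["count"], "failures from", info["computers"])
```
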

Implementing Firewalls

A firewall is software or hardware designed to stop information from reaching your system unless you selectively choose certain pieces of information to pass through. This information is sent in the form of network packets (pieces of data) that are broken down into three parts:

- Header: Contains address information, such as source and destination addresses.

- Body: Contains the packet data, known as the payload.

- Trailer: Contains checksum information, which is a value calculated off the data in the packet and helps ensure that the data has not been tampered with or damaged in transit. If the value the receiving system calculates from the data it receives differs from the checksum value, the receiving system knows that the data has been altered in transit.
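How a receiver uses the trailer, as an added example that is not code from the book: a constructed frame carries a CRC-32 (the kind of checksum an Ethernet frame carries in its trailer), the receiver recomputes it, and a flipped bit is caught. The second half shows the limit of an unkeyed checksum: anyone who changes the data can also recompute the value, so traffic that must resist deliberate modification needs a keyed value such as an HMAC. The frame layout, field sizes, addresses and key are assumptions.

```python
import hashlib
import hmac
import struct
import zlib

HEADER_LEN = 10  # 4-byte source, 4-byte destination, 2-byte port (assumed layout)


def build_frame(src, dst, port, payload):
    """Header (addresses, port) + body (payload) + trailer (CRC-32)."""
    header = struct.pack("!4s4sH", bytes(src), bytes(dst), port)
    data = header + payload
    return data + struct.pack("!I", zlib.crc32(data))


def checksum_ok(frame):
    """Receiver side: recompute the CRC over header+body, compare to trailer."""
    data, trailer = frame[:-4], frame[-4:]
    return struct.unpack("!I", trailer)[0] == zlib.crc32(data)


def flip_bit(frame, byte_index, bit=0):
    """Simulate damage in transit by inverting one bit."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


def rewrite_payload(frame, new_payload):
    """Deliberate change: replace the body and recompute the unkeyed CRC."""
    data = frame[:HEADER_LEN] + new_payload
    return data + struct.pack("!I", zlib.crc32(data))


def seal(frame, key):
    """Append an HMAC-SHA256 tag made with a key only the two ends hold."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


def seal_ok(sealed, key):
    """Verify the keyed tag first, then the ordinary checksum."""
    frame, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected) and checksum_ok(frame)


def demo():
    key = b"constructed-demo-key"  # constructed value, for illustration only
    frame = build_frame([192, 168, 1, 10], [192, 168, 1, 20], 80,
                        b"GET /index.html")
    changed = rewrite_payload(frame, b"GET /other.html")
    sealed = seal(frame, key)
    # The changed frame reuses the old tag because the key is not known.
    changed_sealed = changed + sealed[-32:]
    return {
        "intact_passes_crc": checksum_ok(frame),
        "bit_flip_detected": not checksum_ok(flip_bit(frame, 12)),
        "rewritten_passes_crc": checksum_ok(changed),
        "intact_passes_hmac": seal_ok(sealed, key),
        "rewritten_passes_hmac": seal_ok(changed_sealed, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
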

How a firewall works

A firewall is designed to look at the contents of the packet — specifically, the header information — to decide whether the data should be allowed into the system or discarded. The firewall uses the source and destination IP addresses from the header, as well as the port number, to help make this decision. A port number represents an application that runs on the system. For example, the Web server installed on my system runs at my IP address on port 80. The FTP server I am also running on my system uses my IP address but uses port 21 instead of port 80. If I want to allow the public to see my Web site but not my FTP site, I configure the firewall to allow information to reach port 80 but not port 21. So each TCP/IP application that is running on your system uses a different port number, which is how data is sent to one application and not the other.

My point is that the firewall also uses the port number to decide whether the data should be allowed into your system. For example, I have a Web site at www.gleneclarke.com so I had to configure my firewall to allow data destined for port 80 to be allowed in. Now, I don’t have an FTP server, so I ensured that the firewall disallows data destined for port 21.

Tip: Understand that you don’t need to open ports on the firewall unless you are hosting your own servers. For example, you don’t need to open ports on the firewall to surf the Internet because most firewalls are built to allow responses to data you requested to come back through the firewall.

To enable the firewall feature in Windows XP, follow these steps:

1. Go to your network properties by choosing Start⇒Control Panel⇒Network and Internet Connections⇒Network Connections.

2. In the Network Connections window, right-click your LAN connection and choose Properties.

3. In the properties of the LAN connection, click the Advanced tab to view the advanced settings.

4. In the Windows Firewall section at the top of the screen, click the Settings button to enable the firewall (as shown in Figure 2-13).

Figure 2-13: Enabling the Windows firewall feature in Windows XP.

5. Make sure the firewall is set to On.

6. (Optional) You can also build exceptions for information that is allowed to pass through the firewall by clicking the Exceptions tab.

On the Exceptions tab, select which data is allowed to pass through the network card into the system. You may select an existing application from the list or add a program or port by clicking the Add Program button or Add Port button.

7. Click the OK buttons to close the windows.

The firewall concepts in Windows 7 and Vista are the same, but the steps to locate the Windows Firewall in Windows 7/Vista are a little different:

1. Choose Start⇒Control Panel⇒Windows Firewall.

You will notice a green check mark on the screen, stating that the Windows Firewall is turned on.

2. If the firewall is not turned on, click the Change Settings link to open the Windows Firewall Settings dialog box.

3. You can then turn on the firewall by choosing the On option.

Creating a DMZ

Most companies that want to publish their own Web sites or host other types of servers (such as FTP servers or e-mail servers) need to allow traffic to reach these types of servers. Placing public servers such as these alongside your private network servers is unrealistic because it means that you need to open the firewall to allow traffic into the network to reach these servers.

As a workaround, most network administrators create a demilitarized zone (DMZ) to hold these servers. A DMZ is a network segment between two firewalls where you have allowed selected traffic to reach the servers in the DMZ. The DMZ is different from your private network because you will not allow any content to come into your private network.

Figure 2-14 displays a typical DMZ setup. Note the two firewalls: firewall 1 and firewall 2. Firewall 1 connects the DMZ to the Internet and will allow only traffic destined for the three servers in the DMZ to pass through the firewall. The second firewall (firewall 2) is designed so that no systems from the Internet can pass through it, essentially protecting the private company network from outside access.

Figure 2-14: Identifying a DMZ.

For the exam: Servers that you wish to expose out to the Internet should be placed in a DMZ so that you can selectively choose which type of data is allowed to reach your servers.

Hardware versus software firewalls

Hardware firewall solutions are physical devices placed on the network between the clients on the network and the Internet. The benefits of using hardware firewalls are that they typically outperform a software firewall, and you get the extra security benefit of having a separate security device between you and the Internet. Also, a hardware firewall solution typically protects the entire network and not just one system. Software firewalls have the benefit of being much cheaper than a hardware firewall.

Hardware firewalls

A number of vendors make hardware firewalls; for example, Cisco offers the Cisco PIX firewall device. You can also use your D-Link or Linksys home router as a firewall; both have firewall features that allow you to control what traffic is allowed to enter your network.

Software firewalls

Software firewalls are applications installed on your computer that protect only that computer. Also known as personal firewall software, this kind of firewall protects only your personal computer: the one with the firewall software installed.

A number of different software firewall solutions are available. For example, ZoneAlarm is a popular software firewall installed on a number of home computers. Each OS will typically have its own firewall software as well. For example, Linux has iptables, and Windows has the Windows Firewall.

Port security and exceptions

When configuring the firewall, you typically specify rules that control which packets are allowed or not allowed to enter the network. A default rule that you typically set first states “Drop all packets” or “Accept all packets,” and then you build a list of exceptions to that default rule.

For example, on my network, I have the default rule to drop all packets, but then I have an exception that says if traffic is destined for port 80, allow that traffic into the network. This way, people on the Internet can reach my Web site.
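The decision process described in “How a firewall works” and in this section, as an added example that is not code from the book: a small packet filter with a default rule of drop, one exception for port 80, and tracking of outbound requests so that their replies are let back in without an open port. The class, field names and addresses are assumptions made for the illustration.

```python
from collections import namedtuple

# The header fields the firewall inspects (names are assumed).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")


class Firewall:
    def __init__(self, my_ip, default="drop"):
        self.my_ip = my_ip
        self.default = default  # the default rule: "drop" or "accept"
        self.exceptions = []    # (name, protocol, port) allowed inbound
        self.outbound = set()   # conversations started from the inside

    def add_exception(self, name, proto, port):
        self.exceptions.append((name, proto.lower(), port))

    def send(self, pkt):
        """Record an outbound packet so its reply can be recognized."""
        self.outbound.add((pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt):
        """Return (decision, reason) for a packet arriving from the network."""
        if pkt.dst_ip != self.my_ip:
            return "drop", "not addressed to this system"
        # A reply mirrors the addresses and ports of the original request.
        if (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.outbound:
            return "accept", "reply to outbound request"
        # Exceptions must match both the protocol and the destination port.
        for name, proto, port in self.exceptions:
            if proto == pkt.proto and port == pkt.dst_port:
                return "accept", "exception: " + name
        return self.default, "default rule"


def evaluate_sample():
    """Run constructed packets (documentation addresses) through the filter."""
    fw = Firewall("203.0.113.10")                # default rule: drop
    fw.add_exception("Web Server", "tcp", 80)    # the port 80 exception
    # A user on this system browses an outside Web site.
    fw.send(Packet("203.0.113.10", 49152, "198.51.100.7", 80, "tcp"))
    arrivals = [
        Packet("198.51.100.20", 51000, "203.0.113.10", 80, "tcp"),   # Web visitor
        Packet("198.51.100.20", 51001, "203.0.113.10", 21, "tcp"),   # FTP, no exception
        Packet("198.51.100.7", 80, "203.0.113.10", 49152, "tcp"),    # reply to request
        Packet("198.51.100.7", 80, "203.0.113.10", 49153, "tcp"),    # never requested
        Packet("198.51.100.20", 51002, "203.0.113.10", 80, "udp"),   # wrong protocol
    ]
    return [fw.inbound(p) for p in arrivals]


if __name__ == "__main__":
    for decision, reason in evaluate_sample():
        print(decision, "-", reason)
```
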

To configure exceptions in Windows 7/Vista, follow these steps:

1. Choose Start⇒Control Panel⇒Security⇒Windows Firewall.

2. Click the Change Settings link on the right side of the Windows Firewall dialog box. Then click Continue in the UAC query to give Windows permission to raise the level of security.

3. On the Exceptions tab, add exceptions for the type of traffic that can pass through the Windows Firewall. See some of your exception options in Figure 2-15.

I allowed Remote Desktop traffic to pass through the firewall by choosing it as an exception.

Figure 2-15: Configuring Windows Firewall exceptions in Vista.

4. (Optional) To add an exception for an application or a type of traffic not in the list, click the Add Port button.

5. In the Add a Port dialog box that opens (see Figure 2-16), define the port:

a. In the Name field, enter a descriptive name for the type of traffic that you are allowing entry.

I am allowing FTP traffic, so I name my exception FTP Traffic.

b. Enter the port number.

I use 21, which is the port that FTP uses.

c. Select a protocol: TCP or UDP.

Remember: TCP is used for traffic that requires a connection to be established, and UDP is for connectionless traffic. I want to go with TCP because FTP uses the TCP protocol.

6. Click OK and click OK again.

Figure 2-16: Add a port to the exceptions list in Windows Vista.

Adding exceptions to the firewall is similar in Windows XP, but you locate the firewall exceptions a little bit differently. To locate the firewall exceptions in Windows XP:

1. Go to your network properties by choosing Start⇒Control Panel⇒Network and Internet Connections⇒Network Connections.

2. In the Network Connections window, right-click your LAN connection and choose Properties.

3. In the properties of the LAN connection, click the Advanced tab to view the advanced settings.

4. In the Windows Firewall section at the top of the screen, click the Settings button to enable the firewall.

5. Make sure the firewall is set to On.

6. (Optional) You can also build exceptions for information that is allowed to pass through the firewall by clicking the Exceptions tab.

In Book VIII, Chapter 3, you read about the firewall in Windows 7. Within the Control Panel⇒System and Security⇒Windows Firewall dialog box, you can choose Allow a Program or Feature through Windows Firewall. If you need more flexibility, you will need to add exceptions through the Windows Firewall with Advanced Security. Here you can add exceptions by port values.

Security Center versus Action Center

In Windows XP, Microsoft introduced the Security Center, which is a central window that you can enter to help improve the security of your system. In the Security Center, you can see whether you have a firewall enabled on your system and whether antivirus software is installed (if Windows does not see antivirus software installed on the system, it reports virus protection as not found!). From the Security Center, links are available so that you can manage your Internet Options, Firewall, and Automatic Updates settings — all a big part of the security of the system. To navigate to the Security Center in Windows XP, choose Start⇒Control Panel⇒Security Center.

In Windows 7, Microsoft replaced the Security Center with the Action Center. The Action Center is similar to the Security Center and informs you of critical security mistakes such as not enabling the firewall or not installing antivirus software. In the Action Center, you can change your User Account Control (UAC) settings, perform a backup, or perform a restore of a restore point. To get to the Action Center, choose Start⇒Control Panel⇒System and Security⇒Action Center.

Implementing Security Best Practices

In the following sections, you discover some basic best practices that can help you secure your environment. These sections are designed to be a summary of features that I discuss throughout the chapters of this book.

Hardening a system

The first thing you can do to secure your system is to harden it: You remove any software that you are not using and disable any Windows services that are not needed. The concept of hardening comes from the fact that hackers compromise systems by leveraging software that is installed or running on the system. The less software you have running, the less likely you are to be hacked!

Patching systems

Regularly patching the system by running Windows Update is critical. As Microsoft finds out about security problems with its OS and software, its programmers fix the problem and deliver the fix through the Windows Update site. To ensure that you are getting the security fixes and patches, you must run Windows Update often. More on this topic in the next chapter.

Tip: Microsoft changed Windows Update to Microsoft Update so that you can now get updates for more than just the Windows OS. You can download updates for a number of Microsoft products from the Microsoft Update site, such as Windows and Microsoft Office.

Firewalls

Make sure you turn on the Firewall feature in Windows. The firewall helps protect your system from network attacks, but it is not the be-all and end-all of network security. You also need to follow the other best practices presented in this chapter.

Password policies

Stress to your users the importance of using strong passwords. To enforce strong password usage, you can set a password policy in the Local Security Policies. To set the password policy, follow these steps:

1. Choose Start⇒Control Panel.

2. In the Control Panel, click Performance and Maintenance. Then click Administrative Tools, located at the bottom of the window.

3. In the Administrative Tools, double-click Local Security Policy to start the Local Security Policy console.

4. Expand Account Policies and highlight Password Policy.

5. Ensure that users use strong passwords by double-clicking the Password Must Meet Complexity Requirements policy and then choose Enable (see Figure 2-17).

This setting ensures that users use passwords of a minimum of six characters, with a mix of uppercase and lowercase characters, numbers, and symbols. The password will also not contain any part of the username.

Figure 2-17: Configuring password complexity in Windows XP.

Auditing

Make sure that you enable auditing on critical systems so that you will know (hopefully) when the system has been compromised. For example, if a hacker makes his way into the system and builds himself a hidden user account, you will know about it if you have enabled account management auditing.

Use switches instead of hubs

You can enable a number of security features when working with switches instead of hubs on the network. To begin with, switches filter traffic by sending only data to the port on the switch that the data is destined for. This can add to the security of the network because it is harder for a hacker to monitor network traffic when the port the hacker is using is not getting a copy of all data — just data destined for his system.

The second thing you could do to secure your environment with a switch is disable any unused ports on the switch. This way, if the hacker gets physical access to your network, she cannot simply plug into the switch to get access to the network.

The other thing you could do with more advanced switches is to configure a virtual local area network (VLAN), which is a grouping of ports on the switch that are allowed to communicate with one another but cannot communicate with other VLANs on the same switch. For example, I have a 24-port switch with two VLANs. The first VLAN comprises the first 12 ports, and the second VLAN comprises the last 12 ports. Any systems plugged into the first 12 ports cannot communicate with the systems on the second set of 12 ports, and vice versa. Essentially, you have two networks — but only one switch.

Use antivirus software

Using antivirus software is another security best practice. Ensure you are using antivirus software on all your systems and keep the virus definition database up to date! Antivirus software is designed to protect your system against viruses. For more information on antivirus software, check out Book IX, Chapter 3.

Securing wireless

As a last note, I just want to add a few tips here to help secure your wireless environment. You can configure most of these settings on the wireless router by navigating to the administration site of the router, which involves starting a Web browser and entering either 192.168.0.1 or 192.168.1.1. When you reach the Web administration pages of the wireless router, you will be asked to log on. Most routers have a default username of admin with no password, which you use to log on.

After you are logged on to the router, locate the following options in the administration pages:

- Router password: After you hook up your wireless router, be sure to connect to the router and change the admin password. Most wireless routers ship with no password, so be sure to protect your router by assigning one. Check the documentation that came with your router to find out how to set an admin password.

- Setting the SSID: The Service Set Identifier (SSID) is a name assigned to your wireless network. You should change the name of the SSID, but do not use your company name. When hackers are “war driving,” they pick up on a signal from a wireless network. Say the SSID says “BridgetsWidgets.” Hackers then look for the building with the Bridget’s Widgets sign. When they spot the sign, they then drive close to the building so that they get a stronger signal. Don’t make it easy for them to figure out what building to get close to!

- Disabling SSID broadcasting: After you set the SSID, you also want to disable SSID broadcasting. The wireless router broadcasts the SSID so that anyone who gets close will know the wireless network is there. If you disable broadcasting, then to connect to the wireless network, a person has to know and input the SSID manually into his network client.

- MAC address filtering: If you check the administration pages on your wireless router, there is a place for you to enable MAC address filtering. This feature allows you to control which systems can connect to the wireless network by the MAC address of their network card. After MAC address filtering is enabled, only the MAC addresses listed can connect to the network.

- Enable Encryption (WEP/WPA/WPA2): Be sure to enable some form of encryption for your wireless network. You can use a number of protocols to encrypt traffic on your wireless network: WEP, WPA, or WPA2 depending upon what is supported by your wireless router. If you can use the more secure WPA2, use that.

For more information on wireless networking, check out Book VIII, Chapter 2!

Getting an A+

This chapter introduces you to a number of best practices for securing your Windows environment. Some of the key points to remember for the exam are to

- Create user accounts for each user of the system. Make sure that users use strong passwords for those accounts and understand to not share those passwords.

- Assign permissions to resources such as folders and files to ensure that unauthorized users don’t get access to the resource.

- Enable auditing so that you are aware of any security-related events that happen on the system. Also be sure to review the security log often.

- Enable a firewall for the network and enable the Firewall on the Windows system.

- Secure your wireless router by disabling the wireless feature if you are not using the wireless components of the router. If you are using wireless, be sure to implement WEP or WPA and disable SSID broadcasting.

Prep Test

1 What security feature stops network packets from entering the system through the network card?

A. Auditing

B. Password policy

C. Permissions

D. Firewall

2 What is the network name assigned to the wireless network?

A. WEP

B. SSID

C. SID

D. WPE

3 What permission on a folder is assigned to allow a user to read, modify, create, and delete a file?

A. Read

B. Full Control

C. Modify

D. Deny

4 You have enabled auditing; where do you go to view the audit information?

A. Local Security Policy

B. Event Viewer

C. LAN Connection Properties

D. Firewall

5 A privilege to perform an operating system task is known as what?

A. Permission

B. Policy

C. Right

D. Firewall

6 What permission allows a user to modify the permissions?

A. Read

B. Full Control

C. Modify

D. Deny

7 How would you allow Bob to change the time on his computer?

A. Enable an Audit Policy.

B. Place Bob in the Administrators group.

C. Assign Bob the Change System Time permission.

D. Assign Bob the Change System Time right.

8 Which security features might you enable through the system BIOS?

A. Boot devices

B. Password policy

C. Permissions

D. Audit policy

9 Which built-in group has full access to the system?

A. Administrator

B. Power Users

C. Account Operators

D. Administrators

10 Where do you go to enable the Firewall in Windows XP?

A. Properties of the LAN connection

B. Local Security Policy

C. Event Viewer

D. Security tab

Answers

1 D. A firewall is designed to stop data from entering your system through the network card. See “Implementing Firewalls.”

2 B. The SSID is the name assigned to the wireless network. Review “Securing wireless.”

3 C. To allow users to read, modify, create, and delete a file, you assign the Modify permission. Check out “Implementing Permissions and Rights.”

4 B. When auditing has been enabled, you view the auditing information by reviewing the security log in Event Viewer. Peruse “Implementing Auditing.”

5 C. A right gives you the privilege to perform an operating system task. Take a look at “Rights.”

6 B. The Full Control permission allows users to modify permissions on a file or folder. Peek at “Permissions.”

7 D. You would assign Bob the Change System Time right. You could put Bob in the Administrators group, but that is not the best answer because you have given him a number of other capabilities at the same time. Look over “Rights.”

8 A. The boot devices can be disabled through the BIOS, which controls whether someone can bypass your operating system by booting from a bootable CD or floppy. Study “Securing Systems through BIOS.”

9 D. Administrators is a built-in group that has full access to the system. Refer to “Creating groups.”

10 A. The Firewall can be enabled through the LAN connection properties. Examine “Implementing Firewalls.”
