Controlling Logical Computer Access

Physical security is not the only area that home users need to worry about. Controlling logical computer access is the key issue faced by home users with always-on connections. This section deals with access controls and examines how the various operating systems provide for these controls. The majority of these controls are easy to implement and require just a few changes to the operating system's base configuration. We show you how to do all that.

Windows 9x was never really intended to be a secure operating system. Even though you can use passwords for your desktop, a simple test can show you how insecure it really is. When confronted with the login prompt, shown in Figure 10.4, if you simply press the Esc key or click the Cancel button, Windows boots normally, even without a password being entered! The reality of the situation is that the only thing that the Windows login password protects is your individualized settings. Operating system security in a Windows 9x environment is next to nothing. We'll now take a look at some other security issues faced by Windows 9x.

Figure 10.4. Windows 9x login screen.


Do not rely on Windows 95/98 security. It cannot really be called security because anyone can bypass it and have access to your information.

Windows 95/98 File Sharing

By default, Windows 95 and 98 come with file sharing turned on. Assuming this is your Internet-connected machine, this feature allows you to share files with other users on the Internet. File sharing is a mechanism that gives other PCs access to your PC's directories and printers. File sharing is the principle behind such services as Napster and Gnutella. Users share files on their computer that anyone can have access to. Quite often, people turn on this feature and inadvertently allow remote access to the contents of their entire hard drive. Unintentional access to printers can allow malicious people to waste resources such as paper and toner by sending large print jobs to your printer. You can disable this feature by selecting Start, Settings, Control Panel, Network and then clicking the File and Print Sharing button (see Figure 10.5). The options for File and Print sharing should be turned off. The Client for Microsoft Networks should also be removed.

Figure 10.5. Configuration of shared devices.


Sharing your locally attached printer might not be wise. For cable modem users, this sharing can be especially dangerous. If that feature has been enabled, an unauthorized user can identify and connect to that printer by merely clicking Network Neighborhood. At that point, the person can send print jobs to that printer. The damage can be anything from printing an innocent note saying “I hacked your printer!” to sending a 1,000-page print job using up the printer's toner and paper.

If you need the functionality of multiple people having access to the same files on a computer, a server operating system such as Windows 2000 Server should be installed. Even Windows 2000 Professional can act as a server, and it has more robust security features than Windows 9x. These operating systems allow the functionality but give you much greater control over who can do what with those files. They also protect against individual PCs being compromised.

PWL Files

Windows 95 network procedures contain built-in password caching and store the passwords in a file called username.pwl, where username is the name of the user whose passwords it contains. Windows creates this file so that passwords can be cached. Typically, caches contain information so that you don't have to retype it. Passwords are frequently cached—you type them once at login time and then your computer remembers them. Whenever you require access to a password-protected resource, the password is read from the cache and you are not prompted each time. Therefore, whenever you connect to another domain and use your dial-up networking dialer, your password might be cached in this file. Also, if you check Save Password (see Figure 10.6), your password is really being stored in your password list (PWL) file.

Figure 10.6. Dial-up networking passwords are stored in PWL files.


The PWL is actually a database file. It contains information representing the resource name, type, and an encrypted version of the actual password. These PWL files are stored in C:\Windows with a filename of username.pwl. Using a tool called pwledit, we can actually view the password cache. Pwledit is available on the Windows 98 installation CD-ROM under \tools\reskit\netadmin\pwledit. On the Windows 95 CD-ROM, it can be found in the \admin\apptools\pwledit folder. The Pwledit program allows for the removal of individual resources from the computer, as shown in Figure 10.7.

Figure 10.7. Pwledit program.


Shortly after the release of Windows 95, a program called Glide surfaced on the Internet. This program decrypted the contents of the PWL file and reduced the security of Windows 95 significantly. Using Glide and similar programs such as Cain, shown in Figure 10.8, you can launch attacks against passwords in an attempt to decrypt them. (Both Glide and Cain can be found on the Packetstorm Web site http://packetstormsecurity.org.) Dictionary-based password attacks could then be set against these PWL files. In its most basic form, a dictionary-based attack takes a word, encrypts it, and compares it to the encrypted version. In our case, it is compared to the entry in the PWL file. If the encrypted version matches, you have found the password.

Figure 10.8. Using Cain to decrypt passwords.


How do you protect yourself from this type of password decryption? The most basic thing to do is disable password caching by adding the following Registry key using the regedit command. The Registry controls many Windows functions and stores information about the system. To use the regedit command, select Start, Run; type regedit in the Run box; and click OK. Then find the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching key and set the value of DisablePwdCaching to "1", as shown in Figure 10.9. Keys store values that can allow the computer to perform certain functions. Double-clicking the DisablePwdCaching value allows you to set its value.

Figure 10.9. Use regedit to set a Registry value.


After setting the system to stop caching passwords, you must remove all the PWL files from the system so they will not be created again. Disabling password caching and never making use of Save Password features protects your passwords from being discovered should some attacker gain access to your computer.
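To confirm that both steps above were carried out, the following added example (not part of the original text) audits a regedit text export and a copy of the Windows directory. The function names, the sample export, and the file names are constructed for illustration; the check assumes the value appears in the export either as a DWORD of 1 or as the string "1".

```python
import re
import tempfile
from pathlib import Path

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network"

# Constructed sample of a regedit text export (REGEDIT4 format), not from a real machine.
SAMPLE_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Network]
"DisablePwdCaching"=dword:00000001
"""

def caching_disabled(reg_text):
    """Return True if the export sets DisablePwdCaching to 1 under the policy key."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # entering a new key section
            continue
        if section is None or section.lower() != POLICY_KEY.lower():
            continue                      # value belongs to some other key
        m = re.match(r'"DisablePwdCaching"\s*=\s*(.+)$', line, re.IGNORECASE)
        if not m:
            continue
        raw = m.group(1).strip()
        if raw.lower().startswith("dword:"):
            return int(raw[6:], 16) == 1
        return raw.strip('"') == "1"      # value stored as the string "1"
    return False                          # value absent: caching is still enabled

def leftover_pwl_files(windows_dir):
    """List username.pwl password caches still present (case-insensitive)."""
    return sorted(p.name for p in Path(windows_dir).iterdir()
                  if p.is_file() and p.suffix.lower() == ".pwl")

def audit(reg_text, windows_dir):
    """Collect findings for both steps: the Registry value and the PWL cleanup."""
    findings = []
    if not caching_disabled(reg_text):
        findings.append("DisablePwdCaching is not set to 1")
    for name in leftover_pwl_files(windows_dir):
        findings.append("cached password file still present: " + name)
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # stand-in for C:\Windows
        Path(d, "ALICE.PWL").write_bytes(b"")  # constructed leftover cache file
        Path(d, "WIN.INI").write_text("")
        for finding in audit(SAMPLE_EXPORT, d):
            print(finding)
```

An empty list from audit() means the policy value is set and no PWL caches remain in the directory that was checked.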

Note

Additional information can be found in the following Microsoft article: http://support.microsoft.com/support/kb/articles/q140/5/57.asp.

