Windows 2000 and XP Security

The hackers are out to get you. Make no mistake about it. For every publicized event, such as the compromise of Microsoft's infamous "Outlook" and "Passport", and the Windows XP "UPnP" security flaw, thousands of intrusions take place that are never detected by the computer's owner, or are detected but never reported to security groups. New viruses, worms and Trojans appear on a seemingly daily basis.

Recently, "Distributed Denial of Service" attacks have been making the news. The "Code Red" and "Code Red II" worms surprised a large number of supposed security professionals. Even after I discovered the "Code Red" trojan on a commercial Web site, their support desk told me it was really my computer that was infected with a virus! And now it appears that users of "Windows XP Home Edition" are in for a painful surprise: their computers may be used by crackers to invade other machines.

What can you do to protect yourself?

Clearly, to cause mischief on your computer an attacker needs some way to run, or take control of, programs on your machine. Consider three ways this can happen:

I) Physical access to your computer: In this case there is little you can do to stop a determined trouble-maker, but keep reading below!

II) Email attachments: Keep your virus scanner active and up to date, and do not open attachments you were not expecting, even when they appear to come from someone you know.

III) Network invasion: There are several ways this compromise can occur, and several ways to combat it.

A. Guard all entry ports

1) ALWAYS have a capable software firewall that prevents both incoming attacks and unrequested outgoing network traffic installed and aggressively configured. "ZoneAlarm" is one of the best, and it is free. I found my computer was being probed even when I was using a dial-up modem!

2) If you are using an "always-on" Internet connection at home, such as DSL or a cable modem, install a router that performs Network Address Translation (NAT). Your computer then has a private address that is not reachable from the Internet, and the router drops unsolicited inbound connections unless you deliberately forward a port to your machine. In the great majority of cases, this step (plus an up-to-date anti-virus program) is probably all you need against attacks from outside. It does nothing about traffic that a program already on your computer sends out, which is why the software firewall in item 1 still matters.

3) If applicable, ask your network administrator to enable unicast reverse-path forwarding (on Cisco routers, the interface configuration command "ip verify unicast reverse-path"). The router then drops any packet whose source address it would not route back out the interface the packet arrived on, so a compromised machine behind it cannot attack others using a forged source address.
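To make the reverse-path check concrete, here is a small Python model of strict uRPF. It is an added example, not part of the original page and not Cisco's implementation; the routing table, interface names and packets are constructed for the illustration.

```python
"""Strict unicast reverse-path forwarding (uRPF), modelled in Python.

A router doing strict uRPF accepts a packet only if its route back to the
packet's SOURCE address points out the interface the packet arrived on.  A
home machine that forges its source address therefore has its packets
dropped at the first uRPF-enabled hop.  Everything below is constructed
for this example; it is not taken from any real network.
"""
import ipaddress

# Constructed routing table: (prefix, outgoing interface).
ROUTES = [
    ("192.168.1.0/24", "eth1"),   # customer LAN
    ("10.20.0.0/16",   "eth2"),   # second customer segment
    ("0.0.0.0/0",      "eth0"),   # default route toward the Internet
]

def lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_urpf_accepts(src, ingress, routes=ROUTES):
    """Strict mode: the reverse path to src must leave via the ingress interface.

    Note that the default route makes ANY source acceptable on eth0; a real
    router (Cisco included) ignores the default route in strict mode unless
    told otherwise, which is stricter than this model.
    """
    return lookup(src, routes) == ingress

def loose_urpf_accepts(src, routes=ROUTES):
    """Loose mode: any route to src at all is enough.  With a default route
    present this accepts everything, which is why loose mode is weak here."""
    return lookup(src, routes) is not None

def filter_packets(packets, routes=ROUTES):
    """Apply strict uRPF to (src, dst, ingress) tuples; return (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        src, _dst, ingress = pkt
        (accepted if strict_urpf_accepts(src, ingress, routes) else dropped).append(pkt)
    return accepted, dropped

# Constructed traffic sample.  Two packets carry forged source addresses.
SAMPLE = [
    ("192.168.1.25", "198.51.100.7", "eth1"),  # genuine LAN host
    ("10.20.3.9",    "198.51.100.7", "eth2"),  # genuine host on eth2
    ("198.51.100.7", "192.168.1.25", "eth0"),  # genuine reply from the Internet
    ("203.0.113.5",  "198.51.100.7", "eth1"),  # LAN host forging an outside source
    ("192.168.1.25", "10.20.3.9",    "eth0"),  # outsider forging an inside source
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for pkt in ok:
        print("accept", pkt)
    for pkt in bad:
        print("DROP  ", pkt, "-> reverse path is", lookup(pkt[0]))
```

Running the block prints three accepted and two dropped packets; the two dropped ones are exactly those whose source address belongs on a different interface from the one they arrived on, which is the case a compromised machine with raw-socket access would produce.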

B. Plug holes in Windows

1) Avoid Windows XP Home Edition. It has a serious security fault, related to the raw-socket access described in items 2 and 3 below, that is not present in Windows 2000 and XP Pro.

2) In Windows NT4, 2000 (NT 5.0) and XP Pro (NT 5.1), avoid using any account with full administrative privileges for everyday use. Members of the Administrators group can open "raw sockets", which let a program build its own IP packets, including packets with a forged source address; the Power Users and Users groups cannot. Doing your daily work from a less privileged account minimizes the chance that anyone who does manage to invade your computer will be able to use it to anonymously attack others.

3) If you must use XP Home, or need administrative access on XP Pro or Win2000, install SocketLock to disable user access to this "feature", which should never have been enabled in the first place.

4) Unless you need it to print over a home network, disable "Client for Microsoft Networks" and, if practical on your network, disable "File and Printer Sharing over TCP/IP." Instructions are available for both Win 95/98 and NT4.

5) For very specific Win 2000 instructions, see the detailed FAQs written by Chris Baker. These also appear to apply to XP:

Securing Windows 2000 is actually easier than securing Windows 98 and far easier than securing NT (as no "dummy" loopback adapter is required). However, it is a different procedure than for either 98 or NT.

First right-click "My Network Places" (love that new name) on your desktop and choose "Properties." Select your connection from the dialog by right-clicking it and choose "Properties" again. Select "Internet Protocol (TCP/IP)" and click--you guessed it--"Properties." In the "Internet Protocol (TCP/IP) Properties" dialog that pops up, click on the "Advanced..." button.

Now in the "Advanced TCP/IP Settings" dialog, click the "WINS" tab at the top. Near the bottom there's a radio chooser to select whether you want NetBIOS over TCP/IP or not. Make sure "Disable NetBIOS over TCP/IP" is selected. Hit OK to back out of everything and you're done!

As far as I can tell, it doesn't matter whether you have "File and Printer Sharing for Microsoft Networks" or "Client for Microsoft Networks" installed or not. If TCP/IP is configured to "Enable NetBIOS over TCP/IP," you'll be vulnerable. For the record, I recommend keeping "Client for Microsoft Networks" installed, since I believe removing it has some not so obvious but important consequences for your networking setup. I have it installed and everything is still closed up, as long as you disable NetBIOS over TCP/IP.

Note that the above procedure is for a LAN/cable/DSL connection and may not work with a dial-up connection. Bob G. provided me with the following information, which he received from a Microsoft tech support engineer:

As for your question about NetBIOS, I want you to look at your dial-up connection properties and tell me which network components you have checked. To do this, right-click on My Network Places and go to Properties. Then right-click on your dial-up connection and go to Properties. Go to the Networking tab and you should see a list of components down at the bottom. The only component that needs to be checked is Internet Protocol (TCP/IP). If you have anything else checked here then you should uncheck it.

The key is to only have TCP/IP selected and not Client for Microsoft Networks.

6) Avoid Microsoft Internet Explorer 5.5 and 6.0 and Outlook, or at least stay up to date on their security patches.

7) At this time it appears that the Windows XP "UPnP" flaw (an unchecked buffer in the UPnP service, Microsoft Security Bulletin MS01-059) will not be a problem if UDP port 1900 and TCP port 5000 are blocked from the Internet, so users of ZoneAlarm and of hardware solutions such as NAT routers are protected. In any case, applying the patch from MS01-059 to Windows XP and ME systems is advisable (Windows 98 and 98 SE are affected only if the UPnP client has been installed). Windows 2000 is not affected.
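The following Python script is an added local check for items 2, 3, 5 and 7 above; it is not from the original page and is not one of Steve Gibson's tools. It reports whether the current account can open a raw socket, and whether anything on the machine is listening on the NetBIOS/SMB and UPnP ports, by attempting to bind each port itself and treating "address already in use" as a hit. The port list, the wording of the report and the throwaway-listener helper used to demonstrate a positive result are this example's own choices; the port numbers themselves are the standard ones.

```python
"""Local exposure audit: raw-socket access and NetBIOS/UPnP listeners.

Nothing is sent off the machine.  Listeners are detected by trying to bind
the port ourselves: if the bind fails with "address in use", some service
already owns it.  UDP ports are covered too, which a connect-scan would miss.
"""
import ctypes, errno, os, socket, sys

# (port, protocol, what normally listens there on Windows 2000/XP)
PORTS = [
    (135,  "tcp", "RPC endpoint mapper"),
    (137,  "udp", "NetBIOS name service"),
    (138,  "udp", "NetBIOS datagram service"),
    (139,  "tcp", "NetBIOS session service (file and printer sharing)"),
    (445,  "tcp", "SMB over TCP (direct hosting, Windows 2000/XP)"),
    (1900, "udp", "UPnP/SSDP discovery"),
    (5000, "tcp", "Windows XP UPnP event notification"),
]

def is_privileged():
    """True when running as an administrator (Windows) or as root (elsewhere)."""
    if sys.platform == "win32":
        try:
            return bool(ctypes.windll.shell32.IsUserAnAdmin())
        except (AttributeError, OSError):
            return False
    return os.geteuid() == 0

def can_open_raw_socket():
    """Try to create a raw IPv4 socket and close it at once; nothing is sent."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except OSError:            # PermissionError, or raw sockets unsupported
        return False
    s.close()
    return True

def port_state(port, proto, host="0.0.0.0"):
    """Return 'in_use', 'free' or 'denied' for a local TCP or UDP port.

    'denied' means we were not allowed to bind at all (ports below 1024 on
    Unix-like systems without root) and says nothing about a listener.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    try:
        # Deliberately no SO_REUSEADDR: it could let the bind succeed on a
        # port that a listener already holds, hiding exactly what we look for.
        s.bind((host, port))
        return "free"
    except PermissionError:
        return "denied"
    except OSError as e:
        if e.errno in (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", 10048)):
            return "in_use"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        raise
    finally:
        s.close()

def ephemeral_listener(proto):
    """Open a throwaway listener on a free port; returns (socket, port).
    Used only to demonstrate that the bind test catches a live listener."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("0.0.0.0", 0))
    if proto == "tcp":
        s.listen(1)
    return s, s.getsockname()[1]

def audit(ports=PORTS):
    """Run every check; returns a dict rather than printing so callers can inspect it."""
    listeners = {(port, proto): (port_state(port, proto), what)
                 for port, proto, what in ports}
    return {"privileged": is_privileged(),
            "raw_socket": can_open_raw_socket(),
            "listeners": listeners}

def report(result):
    """Human-readable lines for an audit() result."""
    lines = ["account is %s" % ("an administrator/root" if result["privileged"] else "NOT privileged"),
             "raw sockets %s" % ("AVAILABLE to this account (see B.2 and B.3)"
                                 if result["raw_socket"] else "not available: good")]
    for (port, proto), (state, what) in sorted(result["listeners"].items()):
        lines.append("%5d/%s  %-7s  %s" % (port, proto, state, what))
    return lines

if __name__ == "__main__":
    demo, demo_port = ephemeral_listener("tcp")        # show a positive hit
    print("demo listener on %d reports: %s" % (demo_port, port_state(demo_port, "tcp")))
    demo.close()
    for line in report(audit()):
        print(line)
```

Run it once from your everyday account and once as an administrator: the raw-socket line should read "not available" for the everyday account, and after the NetBIOS and UPnP steps above the 137/138/139/445/1900/5000 lines should all read "free". Anything reported "in_use" is a service that ShieldsUp-style probing from outside would also see unless the firewall or NAT router is in the way.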

C. Be vigilant

1) No matter how good you think your security is, test it often with tools like SocketToMe, LeakTest, ShieldsUp, PatchWork and UnPnP, all free! While some more reserved computer professionals decry Steve Gibson's outspoken and sometimes harsh approach, none have been able to disprove his findings and his integrity has been faultless.

2) Don't forget to keep your virus definition files up to date. Security is a process, not a product. Ongoing vigilance, weekly updating, and configuring the antivirus program to scan whatever file types the script kiddies are using this week are all necessary parts of protection.

3) This is not a "set it and forget it" task!

If you would like to test these defenses, my IP address is usually 65.64.155.156. Please let me know what you find!


Visit Dan@Home | More computer links | Comments to dan@landiss.com