Security in a Windows World

1
Security in a Windows World

• Ted Lamm
• April 23, 2004

2
Security is a process, not a product.--Bruce
Schneier
3
Security vs. Assurance

• Security
• Typically answered with a yes or no response.
• Are you secure? Why, yes!
• This idea of security doesnt work
• Assurance
• A graded notion about the amount of security
  provided.
• In other words, A may be more or less secure than
  B.
• Avoids generalizations and absolutes typified by
  the standard idea of security

4
Assurance

• Security must be built in
• It cannot be seen as a feature to be added on
  later.
• 4 things that do not lead to assurance
• Closed-source development
• I cant find the flaws
• Challenges and contests
• Impassioned rivers of rhetoric

5
Assurance

• The amount of security you need to sleep well
  at night
• How do you measure?
• Government
• Standard Evaluation Criteria Orange Book
• Windows NT 4.0 Rated as C2 (but)
• http//www.dynamoo.com/orange/summary.htm
• Business
• Evaluation/Analysis
• What do you have
• What is it worth
• Personal

6
Why security is hard

• You cant test for it
• You may be able to find some flaws, but you cant
  assert the absence of flaws
• Complexity and Security are at odds
• We deal with complex systems
• Complex
• Interconnected and Interactive
• Emergent Properties
• Bugs
• The attackers job is easy
• The attacker only needs to find one vulnerability
• The protector has to cover all holes
• People
• Social engineering

7
If you think technology can solve your security
problems, then you dont understand the problems
and you dont understand the technology.--Bruce
Schneier
8
Technologies

• Firewalls
• Antivirus Software
• Cryptography
• VPNs
• Etc
• Technologies are easier to create and discuss.
• This is why we have so many technologies and so
  few secure systems.
• Given the current state of the industry, we must
  leverage the technologies we have to address our
  concerns.

9
Concerns/Threats

• What are your concerns?
• Virus/Worm/Trojan Attacks?
• Hackers?
• Spyware?
• Hardware Failures?
• How can we address these concerns?

10
Recommendations (free)

• Firewall
• Zone Alarm
• Kerio Personal Firewall
• Outpost Firewall
• Antivirus
• AVG Antivirus
• Avast! 4
• Spyware Removal
• Adaware
• Spybot Search and Destroy
• Web Browser and Email Client
• Mozilla

11
Recommendations (not free)

• Firewall
• Blackice Defender
• Antivirus
• Norton Antivirus 2004
• Spyware Removal
• Adaware Pro

12
What now?

• After youve installed your applications
• Configuration management
• Stay current!
• AV definitions
• Spyware definitions
• Configure the application
• Firewall Rules
• Consider your needs
• For example unless you are running a web
  server, no one should be connecting to you on
  port 80. Block it!
• Antivirus
• Set up automatic scans if possible (Weekly)
• Automatically update definitions if possible

13
Security is a process

• After you have configured your applications
• Remember that the world is constantly changing
• You may have new computing needs
• New vulnerabilities may emerge
• Stay current!
• Revisit/Revise your configurations regularly

14
Keep your Windows closed

• Windows Security Management Tips
• 95/98/ME
• Consider upgrading to 2000/XP
• Why?
• Support
• Ability to stay current with patches, etc

15
Keep your Windows closed

• 2000/XP
• Disable Universal Plug and Play (XP only)
• http//grc.com/UnPnP/UnPnP.htm
• Disable Simple File Sharing (XP only)
• Tools-Folder Options-View
• Show hidden files and folders
• Uncheck Hide File Extensions for Known Types
• Uncheck Hide protected operating system files
• Disable Messanger Service
• Control Panel - Administrative Tools - Services
• Double click Messanger
• Set Startup Type to Disabled
• Click Stop

16
Keep your Windows closed

• 2000/XP
• Disable quick user switching (XP only)
• Require ctrl-alt-delete for logon
• Control Panel - Local Security Policy - Local
  Policies - Security Options
• Disable CtrlAltDelete requirement for login
• Set to disabled
• Enforce a password policy
• Control Panel - Local Security Policy - Account
  Policy - Password Policy
• The policy you set up is up to you

17
Keep your windows closed

• 2000/XP
• Dont login as Administrator
• Create a regular user account for regular use.
  Only use the Admin account when necissary.
• Rename the Administrator account
• You can even go as far as to create a dummy
  Administrator account that has no privs.
• For some really cool ideas about this see
  http//www.arstechnica.com/tweak/win2k/security/be
  gin-2.htmladmin
• Visit windows update regularly
• Setting automatic updates is also ok (but)
• Password protect the screensaver

18
Keep your Windows closed

• Disable shares
• Control Panel - Administrator Tools -Services
• Disable the Server service
• This will disable shares and All other shares
• Disable the Guest Account!
• Control Panel - Administrative Tools

19
For the Truly Paranoid!

• Set a BIOS password
• Stop other users from making configuration
  changes
• Disallow booting from CDs and other media
• Biometrics
• Keyboards/Mice with finger/thumbprint scanners
• Case locks

20
Each box is different

• Settings and Applications
• Differences in these cause differences in the
  amount of security offered
• Weak settings/applications lead to weak security
• Security is a process
• It is also a careful balance

21
Passwords

• Passwords are the key to the system
• Choosing good passwords is important
• Complexity vs. Ability to remember
• These factors must balance to be effective
• Good Passwords
• Not found in a dictionary
• Cannot be linked to a specific user
• Birthday, Dogs name, etc
• Upper and lower case letters
• Numbers
• Special characters (if possible)
• 6-8 characters in length

22
Passwords

• Attacks against passwords
• Dictionary Attacks
• This is why we want to avoid dictionary words
• Also avoid simple substitutions such as l33t or
  Adm1n
• Brute Force
• Length and complexity help to defeat brute force
  attacks
• All passwords could be broken eventually with a
  brute force attack
• Longer, more complex passwords may take too long
  to break for the attacker to stay interested.
• Avoid giving the attacker any low hanging fruit
  to go after.

23
Passwords

• 4 character length lower case only
• 26 4 possibilities
• 456,976
• 4 character length upper/lower/num
• 62 4 possibilities
• 14,776,336
• 8 character length upper/lower/num
• 62 8 possibilities
• 218,340,105,584,896

24
The Future

• To see where we are going in the future, we must
  look to the past.
• Security implemented in hardware and software to
  build secure systems
• Multics 1965-2000
• Reference Monitor
• Trusted Computing Base
• Not - Trustworthy Computing Initiative

25
The Future

• Concerns
• Who is building your security
• Too many people still believe that security is a
  product
• Key Escrow
• Who gets to hold the keys
• Return of the clipper chip
• Malicious Code
• What will the bad guys think of next
• Scams and Social Engineering
• There is no patch for human naivety

26
Were still stuck with insecure door locks,
assailable financial systems, and an imperfect
legal system. None of this has caused the
downfall of civilization yet, and it is unlikely
to. And neither will our digital security
systems, if we refocus on the processes instead
of the technologies.--Bruce Schneier