XP Security Issues Myth and Reality - PowerPoint PPT Presentation

Slides: 21
Provided by: searchwini
Transcript and Presenter's Notes


1
XP Security Issues Myth and Reality
  • Roberta Bragg

2
Plug in it and it Preys
  • Myth: Plug and Play allows hackers to use XP to
    take over the world
  • Reality
  • MS01-54 (11/01): invalid request can disrupt
    system
  • MS01-59 (12/01): unchecked buffer in UPnP
  • Install the patch
  • Configure
  • And, where valid, disable the SSDP Discovery Service
  • Ports 1900 and 5000 blocked by firewall
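
A check for the two ports named on this slide, as an added example that is not part of the original presentation: it parses `netstat -an` output and reports anything still listening on them. The UDP 1900 / TCP 5000 protocol pairing and the sample output are assumptions constructed for illustration.

```python
# Added example: flag UPnP/SSDP listeners in Windows `netstat -an` output.
# Assumption: SSDP discovery uses UDP 1900 and the XP UPnP listener uses
# TCP 5000; the slide gives only the port numbers.
UPNP_PORTS = {("UDP", 1900): "SSDP discovery", ("TCP", 5000): "UPnP listener"}

# Constructed sample, shaped like `netstat -an` on a Windows host.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1034      10.0.0.5:5000          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.1.20:1900      *:*
"""

def parse_netstat(text):
    """Return (proto, local_addr, local_port, state) for each socket row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or unrelated text
        addr, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no state
        rows.append((fields[0], addr, int(port), state))
    return rows

def upnp_exposure(text):
    """List sockets bound to the UPnP/SSDP ports, noting network reachability."""
    findings = []
    for proto, addr, port, state in parse_netstat(text):
        service = UPNP_PORTS.get((proto, port))
        if service is None:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an established connection, not a listening service
        findings.append({"proto": proto, "addr": addr, "port": port,
                         "service": service,
                         "reachable": not addr.startswith("127.")})
    return findings

def needs_action(text):
    """True when any UPnP/SSDP socket is bound to a non-loopback address."""
    return any(f["reachable"] for f in upnp_exposure(text))

if __name__ == "__main__":
    for f in upnp_exposure(SAMPLE):
        print(f)
```

Run it before and after disabling the service: an empty result from `upnp_exposure` confirms that nothing is bound to either port on the host itself, independent of the firewall rule.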

3
XP Phone Home.
  • Myth: XP is in constant connection with
    Microsoft, sending them your private information
  • Reality
  • Activation? So activate already; it requires no
    personal info
  • Companies can use Volume Licensing to obtain a
    version which does not require activation
  • Passport is not necessary to run XP
  • Shut off Automatic Windows Update Service

4
XP in the RAW
  • Myth: RAW sockets will allow hackers to create
    DDoS attacks and take over the world
  • Reality
  • RAW sockets allow the building of IP packets;
    yes, someone could put in incorrect info
  • But this capability has been available in UNIX,
    OS/2, and other versions of Windows for a long time

5
XP is for Home Users
  • Myth: XP is Windows 98 with W2K Interface
  • Reality
  • Hundreds of policy settings to control user
    activity
  • Personal firewall
  • NTFS
  • EFS
  • Restore Points
  • Device Driver Roll back

6
EFS 1
  • Myth: EFS causes loss of data; I reformatted my
    disk and now I cannot decrypt my encrypted files
  • Reality
  • EFS requires a user-related key to decrypt; if
    anyone could decrypt, how secure would it be?
  • Encryption keys must be protected to
    ensure decryption
  • Recovery agents
  • Back up user keys!

7
EFS 2
  • Myth: In XP encrypted files are shared - anyone
    can decrypt them
  • Reality
  • You must give others permission to decrypt and
    encrypt your files
  • However, once they have that permission they can
    give it to others
  • Unless you, or someone you approved, gives
    permission, other users cannot decrypt
  • Control by using NTFS permissions!

8
EFS 3
  • Myth: Don't worry - the File Recovery Agent can
    decrypt any encrypted file
  • Reality
  • True, but in XP files can be encrypted without a
    valid File Recovery Agent.
  • No File Recovery Agent, no recovery

9
EFS-4
  • Myth: I reset my password, now I can't decrypt
    my files
  • Reality
  • When an administrator resets a user password this
    is true
  • When a user changes his password it is not
  • Users should have password recovery disks
  • An EFS recovery agent should exist

10
Locking XP
  • Myth: I can't lock my XP machine like I could in
    W2K and NT
  • Reality
  • XP interface, workgroup: Windows key + L
  • Change to W2K interface
  • XP in domain works like before

11
Administrators and Network Permissions
  • Myth: I connect to an XP machine and I'm
    administrator but I can't administer the machine.
  • Reality
  • XP in a workgroup, by default all network
    connections only have the permissions and access
    given to the guest account
  • This can be turned off
  • This is only applicable to local accounts

12
Driver blocking
  • Myth: XP won't let me load a device driver for a
    non-Microsoft device
  • Reality
  • Driver blocking is the ability of XP to recognize
    drivers which are incompatible with XP and not
    allow them to load
  • When a vendor supplies a new, compatible driver
    it will load
  • http://www.microsoft.com/hwdev/driver/drv_protect.htm

13
Can't Remove TCP/IP
  • Myth: My TCP/IP is corrupt but XP won't let me
    fix it
  • Reality
  • TCP/IP cannot be removed and then reloaded;
    instead you repair
  • netsh int ip reset log_file_name
  • http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299357

14
My software/hardware won't work, crashes XP
  • Myth: Microsoft made XP incompatible with lots
    of software so I'd have to buy new stuff
  • Reality
  • You should check before upgrading
  • Documentation available on how to get products to
    work with XP
  • Windows Update has some updates
  • System Restore Points
  • Device Driver Roll back
  • Backup / Automated System Recovery disk

15
What are restore points?
  • Registry and key dynamic system files are copied
    by the system before changes are made
  • Can be requested manually
  • Triggered by
  • Application installation, if the app is System
    Restore API compliant
  • Autoupdate
  • Restore operation
  • MS Backup utility recovery
  • Unsigned driver installation
  • Every 24 hours of calendar time

16
Restored / Not Restored
Restored:
  • Registry
  • Local profiles
  • COM db
  • WFP.dll cache
  • WMI database
  • IIS metabase
  • Files with extensions listed in SDK
Not Restored:
  • DRM setting
  • SAM (passwords)
  • WPA (authentication)
  • Some exclusions to file extensions listed in SDK
  • Redirected folders
  • Files excluded from backup in registry
  • User created data in user profile

17
When to Do System Restore vs ASR
  • System Restore requires booting into safe mode or
    normal mode
  • ASR and conventional backup recovery can work when
    System Restore doesn't

18
Two Final Notes
  • Other Windows Issues
  • Workgroup/domain issues

19
Forget XP: Other Windows Issues Apply
  • I.E. vulnerabilities: MS 01-051
  • Create files on user's computer
  • Send commands to another web site
  • Web pages rendered using improper security
    settings
  • I.E. cumulative patch: MS01-058
  • Content disposition and content type (i.e.
    disguise an executable as something OK to open)
  • MS-01-15: web site can read files on user's
    computer
  • Attacker misrepresents file type, either in I.E.
    download or in email
  • Media Player unchecked buffer: Q308567, MS00-090

20
Confusing Workgroup/Domain Issues
  • Automatic Logon
  • Simple sharing
  • Force Guest
  • Fast User Switching