Short List of Security Questions

As a Programmer and an End User one of my biggest frustrations is getting
"WHAT YOU SHOULD DO" Security Information related to Windows
I can write code all day long, but when it comes to securing Windows I knock
my head against the wall.

A short list of my questions are:

For each OS (Win98 through XP) and each version (Home and Pro):

1) Is default best?
No matter what OS you use, where do you get a detailed explanation regarding
what all the switches do in Internet Explorer and whether you should set
them or not. The #$%^% poor explanation you get when you right click on the
checkbox is useless as far as I'm concerned.

2) How do you keep an installed program from having access to other
programs or other parts of the system in a standalone home computer (here I
refer to file permissions and other security measures) ?

3) Win98 had a big problem with NetBEUI. Do other windows OSes have this
type of or similar issues?

4) After I go to Windows Update and download the security patches, what
changes have been made to my system ?

5) What are the security differences between Home Edition and Pro Editions
(IMHO MS needs to include all security capability in Home as well as Pro)?

--------------------------------------------------------------
If anyone knows of an EXCELLENT book or a website that explains this by OS,
it would be appreciated.

Thanks
l

Roger
Thu Jul 13 21:07:33 CDT 2006

I will float a baloon toward a partial response . . .

"dw85745" <dw85745_NOT@earthlink.net> wrote in message
news:uvwH21tpGHA.516@TK2MSFTNGP05.phx.gbl...
> As a Programmer and an End User one of my biggest frustrations is getting
> "WHAT YOU SHOULD DO" Security Information related to Windows
> I can write code all day long, but when it comes to securing Windows I
> knock
> my head against the wall.
>

And the code you write is defensively secure code ??
If so it is only so because you have done your homework over time.
Configuring a system has similar requirements.

> A short list of my questions are:
>
> For each OS (Win98 through XP) and each version (Home and Pro):
>
I take this to mean Windows 2000 Professional, and Windows XP (Home and
Pro).
Any DOS family OS is, intrinsicaly, not securable, and NT 4 and earlier are
not
capable of resisting what today's networked environment can throw at them.

> 1) Is default best?
Best? You mean better? Compared to??
One can always configure one of the OSs to which I have limited these
comments
better relative to their security stance than they are found in their
install default state.
This is largely because the install defaults must be a best guess of what
fits well for
99% of the reasonably sane use cases that exist. They are sort of a lowest
common
denominator, except one factored so that it does not lower the bar below
some
"its the right thing" or "it really is in your better interests" threshold.
What is better can only be determined relative to both the reference and the
usages that are to be made of the system. For example, if that XP Pro is to
act as
the house's little fileserver, then having the firewall on with no
exceptions is not right.
However, defining the defaults to be otherwise and allow unrestricted file
and print
sharing would not be right.

> No matter what OS you use, where do you get a detailed explanation
> regarding
> what all the switches do in Internet Explorer and whether you should set
> them or not. The #$%^% poor explanation you get when you right click on
> the
> checkbox is useless as far as I'm concerned.

Search for the Internet Exlorer Administration Kit if you want the detailed
docs.
Else, use something else.

>
> 2) How do you keep an installed program from having access to other
> programs or other parts of the system in a standalone home computer (here
> I
> refer to file permissions and other security measures) ?
>

Programs (with specific exceptions now in the .Net runtime era) do not have
access to anything. The accounts running the programs have or are denied
the accesses, even when those accesses are done by the programs.
Hence, you segment the machine's resources based on the principals that
you want to segregate from one resource/capability and the other.

You need a plan based on what you want "protected" and what is a "don't
care" so that you may focus your effort on what is important. Then normally
one defines custom groups that are used to make grants (and sometimes
denials)
strategically in order to carve off areas of resource/capability to only
specific
groups of accounts. There is more that may be done, like software
restriction
policies, etc. but those measures are advanced and normally used to build
upon
an initial basis built with basic control via grants of permissions and
rights.

> 3) Win98 had a big problem with NetBEUI. Do other windows OSes have this
> type of or similar issues?
>
I don't know, never used NetBEUI and always shut if off and uninstalled it
if I found it installed. In all versions of OS to which my comments are
limited
one has to go well out of one's way to install NetBEUI and I can think of no
good reason why one would do so.

> 4) After I go to Windows Update and download the security patches, what
> changes have been made to my system ?
>
Today you get mostly incremental code that is patched into the binaries to
version them to the new, safe versions. One also gets updates to the client
end of autoupdate, the most recent malicious software remover, and lately
genuine Windows check code, . Beyond these you are offered non-critical,
non-security updates/upgrades (ex. the latest .Net frramework, the latest
MediaPlayer), and updated drivers for hardware from vendors that have
elected to participate in the means of distribution (that offer has also
been
made to software vendors, but until just recently I do not recall seeing any
releases for non-MS software).

> 5) What are the security differences between Home Edition and Pro
> Editions
> (IMHO MS needs to include all security capability in Home as well as Pro)?
>

Very little. The difference are more in configurability.
Home does not have EFS, does not let one shift out from "simple file
sharing" mode,
has a slightly more restricted amount of concurrent network connections
allowed,
does not allow for direct editing of the local group policy, has some of the
utilities
removed, etc. etc.
Under all of these differences the code is the same. Some defaults are
different,
and some of these cannot be made to be otherwise; some things are ripped
out,
but what code is there is the same in both versions.



> --------------------------------------------------------------
> If anyone knows of an EXCELLENT book or a website that explains this by
> OS,
> it would be appreciated.
>
> Thanks
> l
>
>

Karl
Thu Jul 13 21:33:13 CDT 2006


"dw85745" <dw85745_NOT@earthlink.net> wrote in message
news:uvwH21tpGHA.516@TK2MSFTNGP05.phx.gbl...
> As a Programmer and an End User one of my biggest frustrations is getting
> "WHAT YOU SHOULD DO" Security Information related to Windows
> I can write code all day long, but when it comes to securing Windows I
> knock
> my head against the wall.
>
> A short list of my questions are:
>
> For each OS (Win98 through XP) and each version (Home and Pro):
>
> 1) Is default best?
> No matter what OS you use, where do you get a detailed explanation
> regarding
> what all the switches do in Internet Explorer and whether you should set
> them or not. The #$%^% poor explanation you get when you right click on
> the
> checkbox is useless as far as I'm concerned.

www.microsoft.com/technet/security

Look for the Windows Security Guides for the appropriate version of Windows,
and also the documentation on XP Service Pack 2. Windows XP SP2 and 2003
have made the default settings for IE and many other things much more sane
and secure by default.

> 2) How do you keep an installed program from having access to other
> programs or other parts of the system in a standalone home computer (here
> I
> refer to file permissions and other security measures) ?

This level of security [like a chroot jail] is not widely implemented in
home user workstations on any operating system, unless there's an expert
admin at home that can manage the administrative overhead and knowhow
required. But on XP and newer, you can use the limited NetworkService and
LocalService security contexts... and log in as a low privileged user and
use the Runas feature for software installation and system administration.
You can also use the method utilized by Michael Howard's DropMyRights
utility to remove privileges when executing a process. However, I'm not
necessarily advocating any of these methods as being necessary or desirable.
DropMyRights is interesting, but does it make your computer more secure?
I'm not so sure. IE vulns are not as great a risk to your computer as the
media makes it sound. Three of the biggest recent IE vulns were
Download.Ject, the so-called "IFRAME" overflow and Qhosts, and they really
didn't infect very many systems compared to say, the RPC Blaster worm.
DropMyRights and the other methods you're asking about don't protect you at
all from network vulnerability worms like Blaster.

> 3) Win98 had a big problem with NetBEUI. Do other windows OSes have this
> type of or similar issues?

Define "big problem." Most networked, multitasking, GUI-based OSes in 1998
used chatty network protocols to communicate. OS2, Novell NetWare /
IPX/SPX, and especially Mac AppleTalk are no exceptions. Windows Me was
very similar to Me. Neither 98 nor Me required you to use NetBEUI. You
could and did use IPX/SPX and TCP/IP to communicate to various servers, and
you could disable NetBEUI. NetBEUI cannot natively be routed beyond the
local subnet past a router. You may be thinking of NBT, NetBIOS over
TCP/IP, which is not NetBEUI. Neither of these are what I would call "big
problems." Windows 2000 was the first OS to allow Windows clients to talk
to Windows servers without using NetBIOS. Or maybe you're thinking of the
NetBIOS share worms that spread mostly under Windows 98. Again, not
NetBEUI, and things like missing patches and weak passwords were at least
partly to blame.

> 4) After I go to Windows Update and download the security patches, what
> changes have been made to my system ?

That depends on the patch. WU doesn't really change your system, the
patches do, and each one is different. If you really want to know, you'd
have to read the documentation before you install the patch. I don't see
this as being terribly useful in reducing your risk of experiencing
problems, however. Even after reading the bulletins, you'd know what files
were modified, but no one on the planet really knows all of the possible
ramifications of the code changes made in that file. As a home user, you'd
spend more time reading all the bulletins than you would spend fixing
problems due to patching. A common strategy is to wait a week and see if
problems are reported before installing patches. If you are really
concerned about downtime, then nothing can replace testing the patch in your
environment, though, because each environment is unique.

> 5) What are the security differences between Home Edition and Pro
> Editions
> (IMHO MS needs to include all security capability in Home as well as Pro)?

Microsoft doesn't need to do anything. Many of the vendors you buy from
offer different levels of products, like the cheaper Intel CPU chips that
intentionally had the L2 cache burned out, or like cars where you have to
pay a la carte to pick and choose which bonus features you want to add.
Windows XP Home is safe enough for a home user, but if you feel you need
more, you pay for more. Most of the security changes in XP Home have to do
with automated remote management that is most useful for enterprises. Group
Policy isn't in XP Home, for example, and you can only use CACLS at the
command line to edit NTFS file permissions, there is no GUI security tab for
file permissions. A google search tells you all you need to know:

http://www.google.com/search?q=xp-home+xp-pro+OR+xp-professional+group-policy
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/z04d621675.mspx
"The following security features are not included with Windows XP Home
Edition:

. Encrypting File System (EFS)

. Computer domain account support

. Access Control List (ACL) Editor

. Administrative shares (available only when joined to a domain)

. Log on using dial-up connection option in Log On to Windows dialog
box

. Security-related Group Policy settings"




> --------------------------------------------------------------
> If anyone knows of an EXCELLENT book or a website that explains this by
> OS,
> it would be appreciated.

There aren't that many differences, so I don't think a book is needed.

This isn't a homework assignment, is it? I hate doing people's homework for
them.

Ian
Fri Jul 14 03:55:02 CDT 2006

The security of any OS is directly proportional to its age. The downside of
that, of course, is that the older the platform, the less likely it is to be
compatible with your hardware or apps.

Despite its somewhat poorer stability and lack of proper user-permissions,
even in its heyday the Win95/98 product line suffered far fewer
security-problems than the NT-based line. Likewise NT4 is still used in a
server role by many compaines who feel happier with it as a known quantity,
securitywise, than Server 2003.

I don't need to add that while many of the latest vulnerabilities DO apply
to Windows 2000, nevertheless W2000 users have on numerous occasions been
able to suit back with smug grins on their faces while their XP-toting
colleagues run round in panic at the latest Internet-worm scare.

The fact that Linux is relatively secure is no doubt largely due to its
being based on a truly ancient core, one whose vulnerabilities have long been
identified and understood.

dw85745
Fri Jul 14 06:07:29 CDT 2006

Thanks to all (Roger, Karl, and Ian) for the excellent input. This now
gives me a beginning.

Karl: This is NOT a homework assignment. Just a long time user who wants
to understand security -- especially since XP seems to get hacked (viruses,
trojans, etc.) every couple of weeks. Have been dragging my feet for Vista,
but with all the security and/or related issues with XP, will it be worse?
I (like I;m sure most) believe if MS did their job on the front end, the
amount of man-hours that could be saved dealing with Window problems could
be put to productive use. Where do I send my bill to MS for lost
productivity? I personally say hang all hackers -- no chance of repeat --
but with countries doing economic sabotage, I don't see it getting better.

Ian: Your point is well taken regarding NT4, security, and fact it has been
around awhile.
However, when I loaded Win2000 Pro on my system I had nothing but problems.
Ran fine until I download the latest patch, then locked up. After several
attempts, gave it up.

David


"Ian" <Ian@discussions.microsoft.com> wrote in message
news:83C4C597-8B45-4F37-8AD2-B29DD9866723@microsoft.com...
> The security of any OS is directly proportional to its age. The downside
of
> that, of course, is that the older the platform, the less likely it is to
be
> compatible with your hardware or apps.
>
> Despite its somewhat poorer stability and lack of proper user-permissions,
> even in its heyday the Win95/98 product line suffered far fewer
> security-problems than the NT-based line. Likewise NT4 is still used in a
> server role by many compaines who feel happier with it as a known
quantity,
> securitywise, than Server 2003.
>
> I don't need to add that while many of the latest vulnerabilities DO apply
> to Windows 2000, nevertheless W2000 users have on numerous occasions been
> able to suit back with smug grins on their faces while their XP-toting
> colleagues run round in panic at the latest Internet-worm scare.
>
> The fact that Linux is relatively secure is no doubt largely due to its
> being based on a truly ancient core, one whose vulnerabilities have long
been
> identified and understood.
>
>
>

Karl
Fri Jul 14 06:21:35 CDT 2006


"Ian" <Ian@discussions.microsoft.com> wrote in message
news:83C4C597-8B45-4F37-8AD2-B29DD9866723@microsoft.com...
> The security of any OS is directly proportional to its age.

... and the way it's configured. The insecure default settings of Windows
98 and Linux of the same period, and the resulting hackings, are partly the
manufacturer's fault, and partly the user's fault. The user is more and
more at fault as the optimal settings and countermeasures [e.g. installing
patches, running antivirus and firewall] become more widely known and
advertized, and as people continue to knowingly use OSes like 98 that are no
longer being supported with security updates.

> Despite its somewhat poorer stability and lack of proper user-permissions,
> even in its heyday the Win95/98 product line suffered far fewer
> security-problems than the NT-based line.

... despite the fact that Windows 98 was a home user product never intended
for security. It seems silly to have to answer questions about the security
of Windows 98 after it's retired. I'm not sure what the OP's goal was in
asking these questions, but if this is part of a decision as to whether to
continue to buy Microsoft Windows, Windows 98 isn't at all relevant to that
discussion.

> The fact that Linux is relatively secure is no doubt largely due to its
> being based on a truly ancient core, one whose vulnerabilities have long
> been
> identified and understood.

Linux is doing something right [although to be fair, Windows includes a lot
of functionality intended for enterprise system interoperability that Linux
doesn't have]. But before we call them relatively secure, consider that
Linux far outnumbers Windows in the number of web servers hacked as reported
at web sites that track such things.

Modern distros of Linux has a lot more things disabled by default, which is
partly a security decision, and partly just the way Linux is distributed -
it's a very small core with additional functionality provided by a variety
of third party add-ons. If a user wants to enable FTP services, Linux
distros come with several different ones for the user to choose. With
Windows, pretty much everything that comes with Windows is provided by
Microsoft and is the de facto default, making it easy to target large
numbers of users by knowing what's running on their systems. Of course,
Microsoft argues that this standardized monolithic design makes it easier to
support Windows in an enterprise, and there are pros and cons to that
assertion.

dw85745
Fri Jul 14 08:35:59 CDT 2006

Karl no hidden agenda re Linux vs MS.

My only objective is understanding security better. What I was HOPING for
(Utopia) was some kind of grid that would list all security features and
identify whether each feature was applicable to which OS.

From my understanding Windows ships with most things ON not OFF, and hence
it becomes the user responsibilty to turn things off. Yet finding out (1)
what X is; (2) why you want to turn X On/Off, and (3) where to locate X in
Windows is in a lot of cases is a major effort.

The home user has a special problem in that they want a secure system, yet
they normally don't have access to MS resources to make an informed
decision. Even those of us who consider ourselves fairly knowledgable
recognize that "Windows" delves into many many areas of functionabiliity and
climbing the learning curve is sometimes a challenge.

What I personally would like to see is have MS provide at Startup, a Master
list of functionability with a checkbox in front of each so you can toggle
the functionability on/off and along with this either a direct link (such as
a right click) to help which would explain in depth what's going on. This
Master functionability list would be a treeview so you could tier down for
all options which relate to that functionability.
Where do I send my bill for this idea?

David


"Karl Levinson" <levinson_k@securityadmin.info> wrote in message
news:eJ19%23ezpGHA.1600@TK2MSFTNGP04.phx.gbl...
>
> "Ian" <Ian@discussions.microsoft.com> wrote in message
> news:83C4C597-8B45-4F37-8AD2-B29DD9866723@microsoft.com...
> > The security of any OS is directly proportional to its age.
>
> ... and the way it's configured. The insecure default settings of Windows
> 98 and Linux of the same period, and the resulting hackings, are partly
the
> manufacturer's fault, and partly the user's fault. The user is more and
> more at fault as the optimal settings and countermeasures [e.g. installing
> patches, running antivirus and firewall] become more widely known and
> advertized, and as people continue to knowingly use OSes like 98 that are
no
> longer being supported with security updates.
>
> > Despite its somewhat poorer stability and lack of proper
user-permissions,
> > even in its heyday the Win95/98 product line suffered far fewer
> > security-problems than the NT-based line.
>
> ... despite the fact that Windows 98 was a home user product never
intended
> for security. It seems silly to have to answer questions about the
security
> of Windows 98 after it's retired. I'm not sure what the OP's goal was in
> asking these questions, but if this is part of a decision as to whether to
> continue to buy Microsoft Windows, Windows 98 isn't at all relevant to
that
> discussion.
>
> > The fact that Linux is relatively secure is no doubt largely due to its
> > being based on a truly ancient core, one whose vulnerabilities have long
> > been
> > identified and understood.
>
> Linux is doing something right [although to be fair, Windows includes a
lot
> of functionality intended for enterprise system interoperability that
Linux
> doesn't have]. But before we call them relatively secure, consider that
> Linux far outnumbers Windows in the number of web servers hacked as
reported
> at web sites that track such things.
>
> Modern distros of Linux has a lot more things disabled by default, which
is
> partly a security decision, and partly just the way Linux is distributed -
> it's a very small core with additional functionality provided by a variety
> of third party add-ons. If a user wants to enable FTP services, Linux
> distros come with several different ones for the user to choose. With
> Windows, pretty much everything that comes with Windows is provided by
> Microsoft and is the de facto default, making it easy to target large
> numbers of users by knowing what's running on their systems. Of course,
> Microsoft argues that this standardized monolithic design makes it easier
to
> support Windows in an enterprise, and there are pros and cons to that
> assertion.
>
>

BC
Fri Jul 14 09:05:32 CDT 2006

dw85745 wrote:
> As a Programmer and an End User one of my biggest frustrations is getting
> "WHAT YOU SHOULD DO" Security Information related to Windows
> I can write code all day long, but when it comes to securing Windows I knock
> my head against the wall.
>
> A short list of my questions are:
>
> For each OS (Win98 through XP) and each version (Home and Pro):
>
> 1) Is default best?
> No matter what OS you use, where do you get a detailed explanation regarding
> what all the switches do in Internet Explorer and whether you should set
> them or not. The #$%^% poor explanation you get when you right click on the
> checkbox is useless as far as I'm concerned.

The default is usually the best in the newer Linux distros,
but never in Windows. The most secure thing you can do
in Windows is immediately download and install Firefox
and/or Opera and avoid the blue "e" as much as possible,
as well as other programs that use it, like Outlook and
Outlook Express.

Also in the case of Windows, each new version has been
more bloated, complex and with more points of exploit
than the prior versions, with any new security enhancements
more than offset by greater risks. Win3.11/Win95/Win98
were easy to secure with a couple well-chosen 3rd party
programs, but Win2k and especially XP are much more
problematic to both secure and to clean-up. Look at this
one guide covering Win2k/Xp:
http://www.markusjansson.net/exp.html

Even the file system is suspect -- while it's been touted
that NTFS is more secure and robust than Fat32, but in
real life it's very easy to bypass NTFS security and a
bad spot on the hard drive will mess up Windows
regardless, and more so, some of the newer worms
actually take advantage of NTFS to hide themselves:
http://www.f-secure.com/v-descs/potok.shtml

>
> 2) How do you keep an installed program from having access to other
> programs or other parts of the system in a standalone home computer (here I
> refer to file permissions and other security measures) ?

Windows never had that fine a level of security, but
Linux and other OS's have. Supposedly VIsta will have
some of this type of security.

>
> 3) Win98 had a big problem with NetBEUI. Do other windows OSes have this
> type of or similar issues?

Well, TCP/IP has quite a number of security issues
in itself, so that's universal:
http://oldwww.cs.umu.se/local/kurser/TDBD03/vt96/lect/sec+fw2.html

>
> 4) After I go to Windows Update and download the security patches, what
> changes have been made to my system ?

Mostly stuff Microsoft is not going to reveal the details
about. The bulk of the patches seem to be workarounds,
often of temporary effect, for exploits taking advantage of
highly problematic, ill-conceived design "features" often
involving Internet Explorer.

If Microsoft was truly serious about security, they would
have long ago rewritten IE to be a standard, standalone
application with no artificially elevated privileges and gotten
rid of ActiveX altogether.

>
> 5) What are the security differences between Home Edition and Pro Editions
> (IMHO MS needs to include all security capability in Home as well as Pro)?

Think of Home as "Crippled Pro". There are differences in
what you can control, but the main security difference is
that the Administrator password in Home is blank and
is normally always left blank because you need to
restart in Safe mode to access the Administrator
account, which most Home users have no clue about
doing.

>
> --------------------------------------------------------------
> If anyone knows of an EXCELLENT book or a website that explains this by OS,
> it would be appreciated.
>
> Thanks
> l

That's actually a can of worms. You can find all sorts of
reports claiming blah-blah has superior security because
of blah-blah-blah, and if you use this, this, and this
measure of security then blah, blah, blah.... But often
there are agendas behind such stuff.

With that said, here are some things to peruse:
http://www.theregister.co.uk/security/security_report_windows_vs_linux/
http://www.itjungle.com/two/two110304-story03.html
http://en.wikipedia.org/wiki/Comparison_of_operating_systems

FYI.

-BC

levinson_k
Fri Jul 14 09:33:02 CDT 2006


"dw85745" wrote:

> What I personally would like to see is have MS provide at Startup, a Master
> list of functionability with a checkbox in front of each so you can toggle
> the functionability on/off and along with this either a direct link (such as
> a right click) to help which would explain in depth what's going on. This
> Master functionability list would be a treeview so you could tier down for
> all options which relate to that functionability.
> Where do I send my bill for this idea?

I've made that suggestion to them as well, a security profile wizard with
sufficient online documentation. I think they may be doing something similar
in the next version of Windows. Wherever possible, their focus has been on
making the default settings secure, so that you don't need to read a lot of
readmes to get secure, and it's usually easier to figure out what features
you need to turn on rather than than trying to figure out what you need to
turn off, because you get an error message or lack of functionality that
should lead you to where the problem is.

But really, I think the Windows XP Security Guide at
www.microsoft.com/technet/security is Microsoft's attempt at explaining what
you need to know. Those settings, and Microsoft's recommendations, change
over time, so it makes sense that you have to get the latest version of that
documentation from their web site.

The XP Service Pack 2 documentation is helpful as well. It's a lot of
reading, but there are a lot of settings you can tweak, if you feel you need
to do so. The XP SP2 default settings for home users are really pretty close
to what you probably want. As long as home users keep patched, use a
firewall and antivirus, they should be pretty safe.

Changing default IE settings really doesn't increase your security very
much... your risk of being compromised via a browser vulnerability is much
lower than you might think from reading news articles.

levinson_k
Fri Jul 14 10:44:02 CDT 2006


"BC" wrote:

> The default is usually the best in the newer Linux distros,
> but never in Windows.

Right. Linux gets hacked when people start enabling features, like trying
to use it as a web server. IIS 6 on Windows Server 2003 is hacked far less
frequently than Apache on Linux. A significant problem in Linux and Windows
security is the user not knowing how to safely configure and use their OS.

The defaults in Windows XP SP2 and 2003 are pretty secure. Windows XP was
released in 2001 and programmed in the years before that, so for a true
apples to apples comparison, you would have to compare its default settings
to a *nix distro from five years ago. A lot of the threats we're seeing
today weren't really around back then.

> The most secure thing you can do
> in Windows is immediately download and install Firefox
> and/or Opera and avoid the blue "e" as much as possible,
> as well as other programs that use it, like Outlook and
> Outlook Express.

People are rarely hacked via web browsers.

People do get adware via browsers, but then they also get adware and spyware
from installing freeware, including "Firefox with the Google Toolbar."

> Also in the case of Windows, each new version has been
> more bloated, complex and with more points of exploit
> than the prior versions, with any new security enhancements
> more than offset by greater risks. Win3.11/Win95/Win98
> were easy to secure with a couple well-chosen 3rd party
> programs,

You have it reverse. Windows 3.x, 95 and 98 were wildly insecure and not
securable. They didn't even have user accounts, ACLs, permissions or
auditing to control access to your system. Antivirus added to XP SP2, or
antivirus and firewall added to Windows 2000, makes a system secure enough
for home use.

> but Win2k and especially XP are much more
> problematic to both secure and to clean-up. Look at this
> one guide covering Win2k/Xp:
> http://www.markusjansson.net/exp.html

Most of those settings are either default in XP or don't help your security
much on a home workstation. Jesper J and Steve Riley of Microsoft have a
different hardening guide for 2000 / XP that only includes about five tweaks,
and it survived a hacking contest.

> Even the file system is suspect -- while it's been touted
> that NTFS is more secure and robust than Fat32, but in
> real life it's very easy to bypass NTFS security and a

Whereas with Fat32 there's no security at all to bypass. No ACLs,
permissions or passwords.

> bad spot on the hard drive will mess up Windows
> regardless,

Rarely will a bad sector mess up Windows... And that's different from *nix
file systems like ext2 / ext3 how? Is NTFS any more likely to be screwed up
by a power failure than *nix file systems?

> and more so, some of the newer worms
> actually take advantage of NTFS to hide themselves:
> http://www.f-secure.com/v-descs/potok.shtml

I don't like the way the Windows GUI handles NTFS streams either. But this
is similar to setting a file attribute to hidden via the ATTRIB +H command.
Users can see NTFS file streams if they want, as can trustworthy antivirus
programs.

> > 2) How do you keep an installed program from having access to other
> > programs or other parts of the system in a standalone home computer (here I
> > refer to file permissions and other security measures) ?
>
> Windows never had that fine a level of security, but
> Linux and other OS's have. Supposedly VIsta will have
> some of this type of security.

Not exactly. Windows doesn't yet natively have a chroot jail, but there are
a variety of methods in Windows 2000 and newer to control what an application
can and can't see. DropMyRights is one example, Runas is another, the lower
privileged NetworkService and LocalService security contexts used by Windows
services is another. With any of those methods, you can change NTFS file and
registry permissions to control what any application running in that security
context can see, similar to a chroot jail.

Note that many *nix OSes are lacking in the concept of role-based access
control. With Windows, you can take any file and give every user account
different permissions to that file. Linux OSes by default have up to three
security contexts [Owner, Group and Other] for making file ACLs. The NSA's
SELinux tries to improve on this shortcoming. It's fortunate that Linux has
the chroot jail concept, because it would be difficult otherwise to control
what files the DNS daemon's account can and cannot see.

There are also a variety of third party utilities for both Windows and *nix
that will set up a virtualized sandbox for apps to run in safely. It's not
really logical to compare the security of Linux with all of its various third
party add-ons [Apache, SELinux, Bastille, IPTables, etc.] but not allow third
party apps to be considered when evaluating Windows security, just as it
wouldn't be fair to consider Linux security without allowing IPTables to be
used.

> > 3) Win98 had a big problem with NetBEUI. Do other windows OSes have this
> > type of or similar issues?
>
> Well, TCP/IP has quite a number of security issues
> in itself, so that's universal:
> http://oldwww.cs.umu.se/local/kurser/TDBD03/vt96/lect/sec+fw2.html

That's an excellent point. No matter how you secure your OS, and whatever
OS you choose, it's still generally reliant on and vulnerable to the
shortcomings of the aging TCP/IP suite, such as threats like DNS spoofing,
ARP spoofing, man in the middle session hijacking, SSL, SSH, etc.

> > 4) After I go to Windows Update and download the security patches, what
> > changes have been made to my system ?
>
> Mostly stuff Microsoft is not going to reveal the details
> about. The bulk of the patches seem to be workarounds,
> often of temporary effect

What makes you say that? You seem to be saying "but I just installed an IE
patch last month, why didn't that fix this new vulnerability from this
month?" Vulns patched this month are usually unrelated to vulns patched in
the past.

> If Microsoft was truly serious about security, they would
> have long ago rewritten IE to be a standard, standalone
> application with no artificially elevated privileges

What artificially elevated privileges does IE have? Unless you use
DropMyRights, IE by default runs in the context of the logged in user, only
with a variety of restrictions, so that IE can't do a lot of things the user
can do.

IE 6 has security problems, and I really wish it wasn't integrated into
Windows, because it means switching to Firefox doesn't remove IE vulns from
Windows. However, I don't believe integrating IE into Windows is the reason
why IE has had security problems. Vulns in Winzip, MS Office, etc. are just
as dangerous as IE vulns, because those apps can do just about anything IE
can do, without being integrated into Windows.

Steve
Fri Jul 14 13:37:37 CDT 2006

"Karl Levinson, mvp" <levinson_k@securityadmin.info> wrote in message
news:12272875-7862-4F34-93FA-74EE8A173344@microsoft.com...
>.
> There are also a variety of third party utilities for both Windows and
> *nix
> that will set up a virtualized sandbox for apps to run in safely.

Can you give some links.

Thank you for the discussion,
steve

BC
Fri Jul 14 14:22:01 CDT 2006

Karl wrote:
> "BC" wrote:
>
> > The default is usually the best in the newer Linux distros,
> > but never in Windows.
>
> Right. Linux gets hacked when people start enabling features, like trying
> to use it as a web server. IIS 6 on Windows Server 2003 is hacked far less
> frequently than Apache on Linux. A significant problem in Linux and Windows
> security is the user not knowing how to safely configure and use their OS.

No: http://www.dgl.com/itinfo/2001/it010723.html


>
> The defaults in Windows XP SP2 and 2003 are pretty secure.

No: http://www.security.duke.edu/securepc-xp.html
http://tech.msn.com/guides/itdecision/article.aspx?cp-documentid=103175&HTTP_HOST=tech.msn.com&url=/guides/955450.armx

> Windows XP was
> released in 2001 and programmed in the years before that, so for a true
> apples to apples comparison, you would have to compare its default settings
> to a *nix distro from five years ago. A lot of the threats we're seeing
> today weren't really around back then.

You should go by what you can get *today* rather than 5
years ago.

>
> > The most secure thing you can do
> > in Windows is immediately download and install Firefox
> > and/or Opera and avoid the blue "e" as much as possible,
> > as well as other programs that use it, like Outlook and
> > Outlook Express.
>
> People are rarely hacked via web browsers.

No:
http://www.pcadvisor.co.uk/blogs/index.cfm?entryid=237&blogid=4
http://www.ciol.com/EnterpriseConnect/content/article.asp?artId=86344&secId=1345

>
> People do get adware via browsers, but then they also get adware and spyware
> from installing freeware, including "Firefox with the Google Toolbar."

Much, MUCH less so:
http://www.informationweek.com/windows/showArticle.jhtml?articleID=179102695

>
> > Also in the case of Windows, each new version has been
> > more bloated, complex and with more points of exploit
> > than the prior versions, with any new security enhancements
> > more than offset by greater risks. Win3.11/Win95/Win98
> > were easy to secure with a couple well-chosen 3rd party
> > programs,
>
> You have it reverse. Windows 3.x, 95 and 98 were wildly insecure and not
> securable.

Wrong -- public libraries for years have had great luck securing
their older Windows workstations using 3rd party apps that
offered much greater security control than anything built into
Win2k/XP :
http://www.aclass.com/SOFT/sec.html
http://www.tsl.state.tx.us/ld/pubs/security/paws.html

> They didn't even have user accounts, ACLs, permissions or
> auditing to control access to your system. Antivirus added to XP SP2, or
> antivirus and firewall added to Windows 2000, makes a system secure enough
> for home use.

No. Win2k/XP have many more points of exploit and
using IE 6.0 has been consistently a major vulnerability
regardless of whatever 3rd party apps you might have
running: http://secunia.com/product/11
http://www.us-cert.gov/current
http://www.informationweek.com/news/showArticle.jhtml?articleID=190301059

>
> > but Win2k and especially XP are much more
> > problematic to both secure and to clean-up. Look at this
> > one guide covering Win2k/Xp:
> > http://www.markusjansson.net/exp.html
>
> Most of those settings are either default in XP or don't help your security
> much on a home workstation. Jesper J and Steve Riley of Microsoft have a
> different hardening guide for 2000 / XP that only includes about five tweaks,
> and it survived a hacking contest.

Yeah, buy the book: http://safari.oreilly.com/0321336437
>
> > Even the file system is suspect -- while it's been touted
> > that NTFS is more secure and robust than Fat32, but in
> > real life it's very easy to bypass NTFS security and a
>
> Whereas with Fat32 there's no security at all to bypass. No ACLs,
> permissions or passwords.

It doesn't matter -- the XP Home Administrator account
is blank as the default; and I have had good luck fixing
problem XP PC's with a password-resetting Linux boot
floppy and stuff like Bart PE. Either it prevents you
from accessing stuff or it doesn't. Some of those old
Win3.11/95/98 did a far better job of locking out access
from alternative boot devices.

>
> > bad spot on the hard drive will mess up Windows
> > regardless,
>
> Rarely will a bad sector mess up Windows... And that's different from *nix
> file systems like ext2 / ext3 how? Is NTFS any more likely to be screwed up
> by a power failure than *nix file systems?

Within just the past couple of days, I had to use
Bart PE to fix a system that wouldn't boot up thanks
to some bad spots on the hard drive. And twice
recently before that I had to use a 3rd party NTFS
data recovery app to recover hard drive files. You
compare that to something like Novell's old server
file system which could almost take a bullet. But
compare NTFS to even poor old FAT32:
http://cquirke.blogspot.com/2006/01/bad-file-system-or-incompetent-os.html

>
> > and more so, some of the newer worms
> > actually take advantage of NTFS to hide themselves:
> > http://www.f-secure.com/v-descs/potok.shtml
>
> I don't like the way the Windows GUI handles NTFS streams either. But this
> is similar to setting a file attribute to hidden via the ATTRIB +H command.
> Users can see NTFS file streams if they want, as can trustworthy antivirus
> programs.

FAT32 only allows very, VERY limited amount of
"hiding" whereas NTFS....well:
http://msmvps.com/blogs/harrywaldron/archive/2006/06/22/102509.aspx

>
> > > 2) How do you keep an installed program from having access to other
> > > programs or other parts of the system in a standalone home computer (here I
> > > refer to file permissions and other security measures) ?
> >
> > Windows never had that fine a level of security, but
> > Linux and other OS's have. Supposedly VIsta will have
> > some of this type of security.
>
> Not exactly. Windows doesn't yet natively have a chroot jail, but there are
> a variety of methods in Windows 2000 and newer to control what an application
> can and can't see. DropMyRights is one example, Runas is another, the lower
> privileged NetworkService and LocalService security contexts used by Windows
> services is another. With any of those methods, you can change NTFS file and
> registry permissions to control what any application running in that security
> context can see, similar to a chroot jail.

Hmm...I had heard that Vista was going to finally allow
security controls on applications, but it appears I heard
wrong -- it's just going to be "run as" privilege control
so that non-Administrator users can run programs that
normally need Administrator user rights.
http://www.microsoft.com/technet/windowsvista/evaluate/feat/secfeat.mspx
That blows.

"DropMyRights" is no more than another privilege control:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

It's better than nothing, but doesn't at all compare with
the fine grain control that Linux offers


>
> Note that many *nix OSes are lacking in the concept of role-based access
> control. With Windows, you can take any file and give every user account
> different permissions to that file. Linux OSes by default have up to three
> security contexts [Owner, Group and Other] for making file ACLs. The NSA's
> SELinux tries to improve on this shortcoming. It's fortunate that Linux has
> the chroot jail concept, because it would be difficult otherwise to control
> what files the DNS daemon's account can and cannot see.

The newer Linux distros come with Root access disabled, and
with far more security options that Windows:
http://www.ameinfo.com/75175.html
And it that wasn't enough, Novell has a nice little freebie app:
http://www.novell.com/linux/security/apparmor

>
> There are also a variety of third party utilities for both Windows and *nix
> that will set up a virtualized sandbox for apps to run in safely. It's not
> really logical to compare the security of Linux with all of its various third
> party add-ons [Apache, SELinux, Bastille, IPTables, etc.] but not allow third
> party apps to be considered when evaluating Windows security, just as it
> wouldn't be fair to consider Linux security without allowing IPTables to be
> used.

If you go by what system allows for easy security without
a lot of hard work and gotcha's, Windows loses every time.

>
> > > 3) Win98 had a big problem with NetBEUI. Do other windows OSes have this
> > > type of or similar issues?
> >
> > Well, TCP/IP has quite a number of security issues
> > in itself, so that's universal:
> > http://oldwww.cs.umu.se/local/kurser/TDBD03/vt96/lect/sec+fw2.html
>
> That's an excellent point. No matter how you secure your OS, and whatever
> OS you choose, it's still generally reliant on and vulnerable to the
> shortcomings of the aging TCP/IP suite, such as threats like DNS spoofing,
> ARP spoofing, man in the middle session hijacking, SSL, SSH, etc.

True, but Linux has a huge amount of TCP/IP security
built in, which is why Linux boxes make such dandy
firewalls (just ask Microsoft:
http://www.newsfactor.com/perl/story/22171.html)

>
> > > 4) After I go to Windows Update and download the security patches, what
> > > changes have been made to my system ?
> >
> > Mostly stuff Microsoft is not going to reveal the details
> > about. The bulk of the patches seem to be workarounds,
> > often of temporary effect
>
> What makes you say that? You seem to be saying "but I just installed an IE
> patch last month, why didn't that fix this new vulnerability from this
> month?" Vulns patched this month are usually unrelated to vulns patched in
> the past.

Have you ever looked at the details of those patches and
updates when you download them? Look for the instances
of "take control" and "take complete control" -- seeing
frequently recurring almost identical desciptions for
supposedly different security issues, especially when
involving the same application like Internet Exporer is
very indicative of a fundamental design flaw rather than
isolated issues.

>
> > If Microsoft was truly serious about security, they would
> > have long ago rewritten IE to be a standard, standalone
> > application with no artificially elevated privileges
>
> What artificially elevated privileges does IE have?

!!!!

>Unless you use
> DropMyRights, IE by default runs in the context of the logged in user, only
> with a variety of restrictions, so that IE can't do a lot of things the user
> can do.

See: http://www.eweek.com/article2/0,1895,1826269,00.asp

>
> IE 6 has security problems, and I really wish it wasn't integrated into
> Windows, because it means switching to Firefox doesn't remove IE vulns from
> Windows. However, I don't believe integrating IE into Windows is the reason
> why IE has had security problems.

Microsoft wholly artificial bundling of IE to Windows essentially
gives IE the guys to the system -- exploit IE and you exploit
Windows. It is extremely advisable to avoid IE use at all times
and to complain to any company that requires IE to access
their site.
http://news.yahoo.com/s/zd/20060705/tc_zd/182557

> Vulns in Winzip, MS Office, etc. are just
> as dangerous as IE vulns, because those apps can do just about anything IE
> can do, without being integrated into Windows.

No. Microsoft apps have always been in a special category
when it comes to risk since they too have excessive
privileges, often via their use of IE.
http://secunia.com/product/23
http://secunia.com/product/2276

Hope this clarifies.

-BC

Steve
Fri Jul 14 16:21:58 CDT 2006

Hello BC,

Do you have some mercy feelings for newbees trying to study
security? :( :)

Do you have a list of recommendations (practices, software) for windows?

Thank you,
steve

dw85745
Fri Jul 14 16:59:30 CDT 2006

Thanks for input Karl.

Have a nice day.

David

<Karl Levinson>; "mvp" <levinson_k@securityadmin.info> wrote in message
news:007F482A-6B25-42BD-8916-793B0D553821@microsoft.com...
>
> "dw85745" wrote:
>
> > What I personally would like to see is have MS provide at Startup, a
Master
> > list of functionability with a checkbox in front of each so you can
toggle
> > the functionability on/off and along with this either a direct link
(such as
> > a right click) to help which would explain in depth what's going on.
This
> > Master functionability list would be a treeview so you could tier down
for
> > all options which relate to that functionability.
> > Where do I send my bill for this idea?
>
> I've made that suggestion to them as well, a security profile wizard with
> sufficient online documentation. I think they may be doing something
similar
> in the next version of Windows. Wherever possible, their focus has been
on
> making the default settings secure, so that you don't need to read a lot
of
> readmes to get secure, and it's usually easier to figure out what features
> you need to turn on rather than than trying to figure out what you need to
> turn off, because you get an error message or lack of functionality that
> should lead you to where the problem is.
>
> But really, I think the Windows XP Security Guide at
> www.microsoft.com/technet/security is Microsoft's attempt at explaining
what
> you need to know. Those settings, and Microsoft's recommendations, change
> over time, so it makes sense that you have to get the latest version of
that
> documentation from their web site.
>
> The XP Service Pack 2 documentation is helpful as well. It's a lot of
> reading, but there are a lot of settings you can tweak, if you feel you
need
> to do so. The XP SP2 default settings for home users are really pretty
close
> to what you probably want. As long as home users keep patched, use a
> firewall and antivirus, they should be pretty safe.
>
> Changing default IE settings really doesn't increase your security very
> much... your risk of being compromised via a browser vulnerability is much
> lower than you might think from reading news articles.
>
>

BC
Sat Jul 15 08:13:08 CDT 2006


Steve Dassin wrote:
> Hello BC,
>
> Do you have some mercy feelings for newbees trying to study
> security? :( :)
>
> Do you have a list of recommendations (practices, software) for windows?
>
> Thank you,
> steve

Well, I think there are three separate aspects to PC security:

1) Prevention -- blocking bugs and hacks

2) Early detection -- catching a bug or a hack before it
can do real harm

3) Recovery -- ok, so you got whacked; now what do you
do?

All these aspects are tricky -- the easy methods will take
you reasonably far in avoiding the majority of problems,
but if a determined hacker has it in for you particularly,
very eleborate and expensive methods and technology
are needed. Even then, as many a company and
agency painfully knows, one little slip up....

I don't have the time today for a lengthy post, but I do
have specific recommendations for a new WinXp PC

1) If you use dial-up, be aware that this gives you a
very exposed connection to the Internet as opposed
to using a router with DSL or cablemodem connection.
Be sure you have at least the Windows firewall on
and running before connecting with dial-up.

2) Uninstall every preloaded program that comes on your
new PC that you didn't specifically ask for, especially
demos and Norton/McAfee security suites.

3) Google for and download the latest version of
"ccleaner" -- "Crap Cleaner" -- and run that with its
defaults after uninstalling stuff.

4) Once you have your PC the way you want it, go
into Windows Update and get all the latest and
greatest patches

5) After getting patched up, go to Mozilla.com and
get and download the latest Firefox and Thunderbird.

6) If you want to use Outlook for contacts and
schedules, fine, but use Thunderbird for your email.

7) Go to Adobe.com and download and install the
latest Flashplayer. This will make your Firefox
pretty set for general Internet browsing. I also like
changing the cache from 50mb to 10 and customizing
the Toolbar to show the Printer and New Tab icons

8) Go to Microsoft and download and install the latest
IE 7 Beta and Windows Defender. IE 7 is a ripoff of
Firefox but that's a good thing. Still don't use it unless
a site doesn't support non-IE browsers

9) Pony up and get yourself a good European
anti-virus/antispyware package: F-Secure, Kaspersky,
etc. AVG is not bad and its 2 yr license is good for
people who tend to forget to renew such stuff -- a
big, BIG no-no nowadays.

10) Avoid multiple login accounts, especially for
"family " PC's -- that just ends up creating a bazillion
more files to scan and gives computer illitereate kids
a green liight to download junk and screw with the
PC settings.

11) Go Google for some How-to's about making
specific changes to Windows to make it more
secure, like this:
http://www.tweakhound.com/xp/security/page_1.htm

12) Go get a portable hard drive to use as a system
backup using something like Acronis True image
for disaster recovery.

13) Use a USB Flash card to back up important
docs. Go you 2brightsparks.com and get either
the free or cheap commercial version of
SyncBackSE for everyday backups of important
files and email.

In addition to the above, my own personal preference
is to immediatly wipe the hard drive of a new PC
prior to activation and recreate the partitions with
FAT32 system (20-30Gb) fior the boot partition and
the rest NTFS, and then install XP clean. If I want to
use XP -- for everyday use, I much prefer Win98, and
then Win2k for things like video editing where you
need something like NTFS for huge files.

FYI

Gotta run -- hope that was helpful.

-BC

karl
Sat Jul 15 09:58:48 CDT 2006



"BC" wrote:

> > Right. Linux gets hacked when people start enabling features, like
> > trying
> > to use it as a web server. IIS 6 on Windows Server 2003 is hacked far
> > less
> > frequently than Apache on Linux. A significant problem in Linux and
> > Windows
> > security is the user not knowing how to safely configure and use their
> > OS.
>
> No: http://www.dgl.com/itinfo/2001/it010723.html

That article is from 2001, before the release of IIS6 which I was
discussing. "Near weekly security patches" doesn't happen, and there are
automated methods to ease pushing patches, including to critical servers.

Instead of opinion, you need to check out the statistics at www.zone-h.org
in their defacements archive section. Oh, and the top story on the home
page is about the debian.org development server getting hacked, again.

Look, absolutely Windows has security problems, and I'm critical of them.
It just irks me when people criticize Windows security for the wrong
reasons, or try to suggest that Linux, its file system, etc. is perfect and
superior in every way, ignoring limitations like