Securing Ports and Protocols
Controlling network access is an important part of system security, and on a network such as the Internet, based on Transmission Control Protocol/Internet Protocol (TCP/IP), that means controlling access to ports. By monitoring and limiting the types of connections that applications and computers make to your system, you can greatly reduce the chances that the system will be compromised.
In this chapter, we first explain how ports and protocols work. We then show you how to determine which ports are being used and, more important, which programs are using them. Armed with that information, you can restrict access to ports other than the ones legitimately used by your programs, as we explain in the next section.
The rest of the chapter covers the topic of services, specialized programs that perform functions to support other programs and services. Many services control, to one degree or another, the use of ports. For this reason—and because services typically run in the context of a privileged user account such as System or Local Service—understanding and managing services are important steps in securing your computer and your network. The final sections of the chapter provide more details about a particular collection of services—Internet Information Services, or IIS—that allow other users to connect to your computer over the Internet. Naturally, you'll want to take extra care in configuring these services.
Security Checklist: Ports, Protocols, and Services
--------------------------------------------------------------------------------
See which ports are open for incoming connections.
Determine which services and applications are using the open ports.
Use TCP/IP filtering to block access to ports other than ones you explicitly need open.
Disable unneeded services.
If you use Internet Information Services (IIS) as a server for Web, FTP, or SMTP access, disable the services you don't need.
Unless you're using IIS for public Internet access, disable anonymous access.
Run the IIS Lockdown tool.
Encrypting Files and Folders
Throughout this book, we explain various methods for keeping snoops away from your data: password-protected user accounts, restrictive NTFS permissions, prudent network sharing, firewalls, and so on. But what if, despite your best efforts, your files fall into the wrong hands? This is certainly a risk if you travel with a portable computer—a popular target for thieves. But even offices and homes in low-crime neighborhoods are sometimes burglarized, putting your desktop computers at risk. A stealthier thief—perhaps a coworker or someone who manages to penetrate your computer's defenses through the Internet—can also make off with your files.
Nearly every computer, whether it's in a business or a home, contains some sensitive data that must never be available outside your most trusted circle (or, in some cases, to anyone else at all). In addition to financial data—such as your accounting records or personal finance files—your computer might be the repository for marketing plans, trade secrets, medical history, diaries, address books, and similar information. If someone can obtain a file by downloading it from your computer or by borrowing (or stealing) your portable computer, they know your secrets.
In this chapter, we discuss the Encrypting File System (EFS), a feature of Microsoft Windows XP Professional and Windows 2000 that can prevent the loss of such confidential data. EFS encodes your files so that even if thieves are able to obtain a file, they can't read it. The files are readable only when you log on to the computer with your user account (which, presumably, you have protected with a strong password). In fact, even someone else logging on to your computer won't have access to your encrypted files, which provides protection on systems that are shared by more than one user.
If you use Windows 2000, install Service Pack 2 or the High Encryption Pack to enable 128-bit encryption.
Encrypt a file or folder to create a personal encryption certificate.
Export the personal encryption certificate for each account.
If you use Windows XP, be sure you have a Password Reset Disk. Also consider creating and designating a data recovery agent.
Export and protect the private keys for recovery accounts, and then remove them from the computer. This prevents someone from accessing your files using the data recovery agent account.
Encrypt the My Documents folder and any other local folder you use for storing documents.
Always encrypt folders, not files. When a folder is encrypted, all files created in that folder are encrypted. (Many programs save a new copy of the document you are editing. This copy will be encrypted if you encrypt the folder, but it will not be encrypted if you encrypt only the original file.)
Don't destroy file recovery certificates and private keys when you change data recovery agent policies. Keep them until you are sure that all the files they protect have been updated.
Configure a policy so that the page file is cleared when you shut down your computer. Otherwise, data from files that were decrypted during a working session might remain in the page file, which a thief could peruse. (For details, see Exploring Security Options).
Disable hibernation (a power-saving option you configure in Control Panel, Power Options). If your system goes into hibernation while encrypted files are open (and therefore decrypted), the data is accessible to a thief who views the Hiberfil.sys file.
Using the Encrypting File System
The Encrypting File System allows you to encrypt files on an NTFS volume so that only you can use them. This offers a level of protection beyond that provided by NTFS permissions, which you can use to restrict access to your files by others who log on to your computer. NTFS permissions are vulnerable for a couple of reasons. First, all users with administrative privileges can grant themselves (or others) permission to access your files. What's worse, anyone who gains physical access to your computer can boot from a floppy disk (or from another operating system, if your computer is set up for dual booting) and use a utility such as NTFSDOS (available from Sysinternals, http://www.sysinternals.com) to read the files on your hard disk—without having to provide a user name or password. Portable computers, which are more easily stolen, are especially vulnerable to this type of information loss.
TIP
--------------------------------------------------------------------------------
Require a startup password on portable computers
On most computers, you can use BIOS settings to construct another obstacle for anyone who steals your computer. Set your BIOS so that a password is required to start the computer or to enter the BIOS setup program, and set the boot options so that the computer can't be booted from a floppy disk or CD. Unfortunately, this type of protection can also be circumvented. For example, removing the hard disk and installing it in another computer makes its files available to someone with the proper tools.
A much more effective method is to remove the Syskey startup key from the computer. To start the computer, you'll then need to enter a password (or insert a floppy disk that contains the startup key, depending on how you set up Syskey protection) before you can log on. For details about configuring this protection, see Adding Another Layer of Protection with Syskey.
EFS provides a secure way to store your sensitive data. Windows creates a randomly generated file encryption key (FEK) and then transparently encrypts the data using this FEK as data is written to disk. Windows then encrypts the FEK using your public key. (Windows creates a personal encryption certificate with a public/private key pair for you the first time you use EFS.) The FEK is a symmetric key (that is, the same key is used for encrypting and decrypting data), which is orders of magnitude faster than public key encryption. The FEK, and therefore the data it protects, can be decrypted only with your certificate and its associated private key, which are available only when you log on with your user name and password. (Designated data recovery agents can also decrypt your data. For information about data recovery agents, see Recovering Encrypted Data.) Other individuals who attempt to use your encrypted files receive an "access denied" message. Even administrators and others who have permission to take ownership of files are unable to open your encrypted files.
You can encrypt individual files, folders, or entire drives. We recommend that you encrypt folders instead of individual files. If you have hard disk volumes that contain only data (that is, drives other than the system drive and boot drive), consider encrypting the entire drive. When you encrypt a folder or drive, the existing files it contains are encrypted, and new files that you create in the folder or drive are encrypted automatically, as are temporary files that your applications create in the folder or drive. (For example, Microsoft Word creates a copy of a document in the folder where it's stored when you open the document for editing. If the document's folder isn't encrypted, the temporary copy isn't encrypted—giving prying eyes a potential opportunity to view your data.) For this reason, you should also consider encrypting your %Temp% and %Tmp% folders, which many applications use to store temporary copies of documents that are open for editing. (Note, however, that doing so might slow your system considerably, and it might prevent some installation programs from running properly.)
Before You Begin: Learn the Dangers of EFS
EFS provides secure encryption of your most important information. The encryption is so secure that if you lose the key that allows you to decrypt your data, the information is effectively lost. By default, Windows provides no "back door" if your private key is lost, nor is there any practical way to hack these files. (If there were, it wouldn't be very good encryption.)
You can innocently lose your key in a number of ways. Suppose, for example, that you have stored your data in encrypted folders on a second volume (such as drive D). You notice that your computer is running sluggishly and its hard disk is overflowing with junk files—so you decide to reinstall Windows from scratch. Not worrying about your files on another partition, you format drive C and reinstall Windows. Although it's not apparent, reinstalling Windows creates new security identifiers (SIDs) for each user, even if you do everything exactly the same way as the last time you ran Setup. As a result, each user's encryption certificates are also different from the ones they replaced, and they can't be used to access the encrypted data stored on drive D. Even the Administrator account—which also has a new SID—can't decrypt the files from a different Windows installation.
Fortunately, with a little care, you can prevent these drastic scenarios. To learn about EFS and then begin safely using it for your important files, we recommend that you follow this approach:
Create an empty folder and encrypt it. (For details, see the next section, "Encrypting Your Data.")
Create a nonessential file in the encrypted folder (or copy a file to the folder)—and check to see that you can use it just as you would any ordinary file.
If your computer is not part of a domain, create a data recovery agent, a second user account that can be used to decrypt files should your personal encryption certificate become lost or corrupt. (For details, see Creating a Data Recovery Agent.)
Back up your file recovery certificate and your personal encryption certificate along with their associated private keys. (For details, see Backing Up Your Certificates.)
Note that you won't have a certificate to back up until you have encrypted at least one folder or file. A new Windows installation doesn't have encryption certificates; one is created the first time a user encrypts a folder or file.
Begin using EFS for your important confidential files.
In summary: If you encrypt files on a computer that is not joined to a domain, be sure to set up a data recovery agent. Back up both your personal certificate and the data recovery agent's file recovery certificate.
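The key hierarchy described above (a random FEK protects the data, and the FEK is itself wrapped under the owner's public key and, separately, under each data recovery agent's public key) explains both why a recovery agent can still open the files and why a certificate from a reinstalled Windows, which has a brand-new key pair, gets "access denied." The following Go program is an added illustration, not code from the book or from Windows; AES-GCM and RSA-OAEP are stand-ins for whatever ciphers EFS actually uses, and the names EncryptedFile, EncryptFile and DecryptFile are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptedFile models EFS metadata: the body is sealed with a random FEK, and the
// FEK is stored wrapped under the owner's public key and each recovery agent's.
type EncryptedFile struct {
	Nonce, Body []byte
	WrappedFEKs [][]byte // one entry per authorised public key
}

// EncryptFile makes a fresh 256-bit FEK, seals the data with AES-GCM, then wraps the FEK
// with RSA-OAEP for every public key given (owner first, then data recovery agents).
func EncryptFile(plain []byte, pubs ...*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ef := &EncryptedFile{Nonce: nonce, Body: gcm.Seal(nil, nonce, plain, nil)}
	for _, pub := range pubs {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedFEKs = append(ef.WrappedFEKs, w)
	}
	return ef, nil // the plaintext FEK is never stored; only its wrapped copies are
}

// DecryptFile tries each wrapped FEK with the caller's private key. Only a key matching one
// of the wrapping certificates recovers the FEK; any other key (e.g. from a reinstall) is denied.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range ef.WrappedFEKs {
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
		if err != nil {
			continue // this field was wrapped for a different certificate
		}
		block, _ := aes.NewCipher(fek)
		gcm, _ := cipher.NewGCM(block)
		return gcm.Open(nil, ef.Nonce, ef.Body, nil)
	}
	return nil, errors.New("access denied: no usable private key for this file")
}
```

Backing up the owner's and the agent's private keys, as the checklist advises, is what keeps the wrapped copies usable; losing both leaves the FEK, and so the data, unrecoverable.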