1 - 1
Windows 98/Me Security - SANS
©2001
1
Windows 2000/XP Professional
The upgrade to Windows 2000 Professional is Windows XP Professional. The upgrade to Windows
2000 Server will be Windows Server .NET. Windows 2000 and XP Professional are very similar.
They both inherit multiple security configuration tools from the Windows 2000 platform – but XP
adds some new security features as well. Any study of Windows 2000/XP Professional should keep
in mind the numerous Windows 2000 platform security features.
1 - 2
Windows Legacy Desktop Security - SANS
©2001
2
Goals
• Distinguish between ‘Professional’ and
Server versions of Windows 2000
• Learn the new security features of
Windows XP
• Map strategy for securing these
workstations, both as domain members,
and as standalone systems
Its important to distinguish between the Professional, or desktop edition of Windows 2000, and
Windows 2000 Server. While many of the security features mentioned in the previous discussion are
relevant here, this section looks at security from the desktop system perspective.
1 - 3
Windows Legacy Desktop Security - SANS
©2001
3
Professional vs. Server
• Similar code base and architecture

• Server is meant to be server
• Professional meant for desktop
system
Its important to note that a special version of Windows 2000, Windows 2000 Professional, is
available for desktop use. Although the code base and architecture is similar, Professional is tuned
for foreground application processing and lacks many of the server features and tools. The security
features available parallel those available to Windows 2000 standalone servers. In fact, distinct
security policies for ‘secure’ and ‘high security’ workstation and server versions do not exist.
Instead, one security policy template exists to enable the application of like features to both.
1 - 4
Windows Legacy Desktop Security - SANS
©2001
4
Home vs. Professional
Home Edition
•ICS
•ICF
•NTFS
XP Professional
•ICS
•ICF
•NTFS
•EFS
• Ability to join
domain
XP also exists in a ‘Home’ edition. Many features of XP are not available in the Home Edition. It is
meant to be used in a ‘standalone’ non-business-networked, home use environment. XP Home
Edition does not support EFS or Group Policy.
Although XP Home Edition systems cannot join a Windows domain, they can participate in a
network environment by using the built in Internet Connection Sharing feature. They can protect

themselves, and computers connecting through this feature to the Internet, by using their Internet
Connection Firewall.
They cannot encrypt files using the Encrypting File System (EFS).
1 - 5
Windows Legacy Desktop Security - SANS
©2001
5
Workgroup vs. Domain
Workgroup
• Local account database
• Logon using local
account
• User rights assigned
locally
• Access to local
resources via local
group or account
Domain member
• Local account database
• Logon using domain
account
• User rights assigned to
domain accounts and
groups
• Access to local
resources
should
be
controlled by
membership in domain

groups
The task of securing a Windows desktop system depends in part on whether the system is joined in a
domain. W2K Professional and XP can exist as desktop systems which are either workgroup or
domain members. As a standalone or workgroup member, each machine has its own security
account database. Access to the system itself is controlled via logon accounts, unless automatic
logon is desired. As a member of a domain, system access can be via local account database
account, or domain account. The best practice is via a domain account. Access to the system files,
registry, and local printer can be controlled by setting Discretionary Access Controls Lists (DACLs)
on the resource. In a domain environment, access to domain resources is controlled via domain
account membership in groups which are granted access via DACLs on resources.
1 - 6
Windows Legacy Desktop Security - SANS
©2001
6
Professional/XP Security
Features
• Security Templates
• Security Configuration and Analysis
•Local Security Policy
• NTFS File System
• Encrypting File System
• Central Control through Group
Policy
Regardless of domain membership, security settings for each Professional system can be set by
applying a security template using Security Configuration and Analysis or by configuring a Local
Security Policy. Domain membership provides the ability to set security policy via group policies.
Domain policy will win where conflicts arise.
While the implementation is different, Windows 2000/XP systems that use NTFS, support file
encryption.
While use of NTFS is recommended, both systems support FAT and FAT32 file systems.

1 - 7
Windows Legacy Desktop Security - SANS
©2001
7
Managing Clients in a Domain
While Windows 2000/XP can join a Windows NT domain, adding them to a Windows 2000 domain
provides additional centralized control. Windows 2000 Site, Domain, and OU Group Policies can be
created to manage security policy settings, as well as provide administrative control of application
installation, logon and logoff scripts, and desktop application restrictions and utility management.
Administrative authority can be delegated, allowing ordinary users who require a few administrative
rights to have them without making these users full administrators.
When Windows .NET server is available, it will also provide centralized management and control of
Windows 2000/XP Professional systems.
Windows XP adds the ability to view the resultant set of policies for any user on a computer. This
tool can be used to troubleshoot policy problems.
1 - 8
Windows Legacy Desktop Security - SANS
©2001
8
Operating System Reliability
Improvements
• Compatibility
• Device and Driver Issues
• Shutdown Event Tracker
• Crash Recovery and Analysis
Windows XP includes and expands Windows 2000 system reliability improvements. This includes
improved compatibility, increased device and hardware support, and crash recovery and analysis
features.
Windows XP represents convergence between home user/desktop systems from the Windows 9x
family to the business Windows 2000 systems. Availability is a part of security. Windows XP

improves reliability over Windows 9x via compatibility, device and hardware support, shared dll
support, the Shutdown Event tracker, online crash analysis, windows driver protection, and device
driver rollback.
1 - 9
Windows Legacy Desktop Security - SANS
©2001
9
Compatibility
• Compatibility
• Safe sharing of DLL’s
Compatibility - approximately 1000 major programs, currently compatible with Windows 9x and
most Windows 2000 applications. The exceptions are virus and backup programs. These programs
must be explicitly written for Windows XP. A compatibility wizard can also be used to assist the
administrator in providing additional application compatibility.
Safe sharing of dll’s – the effects of DLL hell are mitigated by the ability to use side-by-side
component sharing. Prior to Windows 2000, system and application dll’s were often overwritten
when new applications were installed. This resulted in poor system stability and the ability of a
newly installed application to prevent an existing application from running well or at all. Side-by-
side component sharing means multiple versions of a component can run at the same time. In XP,
this means that Win32 components and applications use the exact version of components that they
require.
1 - 10
Windows Legacy Desktop Security - SANS
©2001
10
Device and Driver Issues
• Device and Hardware Support
• Windows Driver Protection
• Device Driver Rollback
Many compatibility and system reliability issues are the result of poorly written device drivers.

Windows XP offers support for many new device drivers.
Windows Driver Protection – A defective driver database allows XP to prevent the installation of
known problem device drivers when the Add Hardware Wizard is used. If other methods of
installation (programmatic or manual registry modification) are used, they may allow the installation
of these drivers. However, use of the update site will reveal problem issues that may exist on the
machine.
Device Driver Rollback – Copies of existing drivers are automatically saved when an update is
installed. If a malfunctioning device driver is loaded, the system can be rolled back to the previous
driver. No reinstallation is necessary.
1 - 11
Shutdown Event Tracker –The Shutdown Event Tracker allows you to document the reasons for
system shutdown. You can record the reason for a normal system shutdown in the systems log and
thus keep a maintenance record. Should you have an unexpected crash, information must be
collected at system reboot. (If the information is not collected, the user is logged off.) To add this
option, you must edit the registry. Locate the key:
HKEYLocalMachine\Software\Microsoft\Windows\CurrentVersion\Reliability
And change the value of ShutdownReasonUI 1
1 - 12
Windows Legacy Desktop Security - SANS
©2001
12
Crash Recovery and Analysis
• Online crash analysis
• Unresponsive application closure
Online Crash Analysis – After a Stop error (blue screen crash event), Windows XP can be rebooted
and a browser can be used to upload system log details of the shutdown to Microsoft Product
services for analysis by Microsoft. Within 24 hours, an analysis report (any known information on
the cause and how to avoid it) will be returned to you. Visit
for more information.
Unresponsive application closure - now available from the application window in Windows XP.

Windows 2000 Professional requires access to Task Manager.
1 - 13
In addition to service packs, which must be downloaded and manually applied, Windows XP allows
automatic update.
Dynamic update – Updated system files can be downloaded from Microsoft during system
installation by choosing the Dynamic Update option in setup.
Automatic Updates – By default, Windows XP is configured to automatically download updates
and notify the user that they are ready to be installed.
Windows Update – The Windows Update site provides a central location for security / reliability
and system updates. Consumer updates are available from windowsupdate.microsoft.com.
Administrators can download a Dynamic Update package for use by computers on their network.
Corporate updates are available from corporate.windowsupdate.microsoft.com.
1 - 14
Windows XP provides new functionality for backing up and restoring the system state. These
include:.
Shadow Copy – Exact, point-in-time copies of files (including open files) can be made without
interrupting user activity. Even open files and files in-use can be backed up.
Last Known Good – Windows NT and Windows 2000 Professional allow the startup using essential
registry information from a previous successful system startup. XP adds the ability to also restore at
this time the last known good device drivers. Recovery from problems with newly installed device
drivers is now possible without reinstalling previous device drivers.
Automated System Recovery(ASR) – This is a replacement for the Windows NT/2000 emergency
repair disk. Applications, system state, critical files, and Plug and Play portions of the registry are
backed up by using the ASR wizard in Backup to produce an ASR disk. Recovery can be
accomplished by pressing F2 during the text portion of system boot and selecting recovery. ASR
reads disk configuration from its files, replaces disk signatures on the disk for volumes required to
restart the system, starts a simple installation of Windows XP and restores system data from its disk.
System Restore Enhancements – This system function, first available in Windows ME, monitors
and records key system changes. Changes can thus be undone, or a previous configuration can be
reverted to. User data (documents, drawings, e-mail) are not changed. Restore points are created

each day, by default, as well as at signification system events such as device or application
installation. Users can also create restore points. Improvements over Windows ME include:
Selective drive monitoring, support for NTFS compressions, Group Policy application, better
performance, and the ability to remove all but the latest restore point.
System Restore can be accomplished and a restore point created at Start\All
Programs\Accessories\System Tools\System Restore
1 - 15
The Internet Connection Firewall (ICF) is designed for use by homes and small businesses, and for
corporate users who telecommute or travel with laptop computers. Active packet filtering (the
dynamic opening and closing of ports) allows access to the services on a network you wish to use,
while protecting your system against intrusions. Ports and resources (including printer and network
shares) cannot be scanned. No personal firewall can guarantee system invulnerability to an attack,
but ICF significantly reduces the threat of an external attack.
ICF can be used on a LAN, Point-to-Point Protocol over Ethernet (PPPoE, an IETF draft standard for
cable and DSL connections).
Information on traffic generated by the local computer, or by computers on the internal network
which are using Internet Connection Sharing is kept in a table on the ICF computer, thus responses to
these outward bound requests are allowed through the firewall. While unsolicited in-bound traffic is
dropped without user notification, a log can be kept for review. In addition, port mapping, or the
opening of specific ports for external access, can be configured. Thus, a Windows XP computer can
host a web site if appropriately configured.
1 - 16
Windows Legacy Desktop Security - SANS
©2001
16
Security for the Home User
XP Home edition security features provide advanced security for the home user. This includes individual
logon, profiles, web privacy preferences, cookie management, protection of other systems on home
networks, Internet Connection Sharing, Internet Connection Firewall, shared document folders,
separate, protectable file storage.

Policy settings protect users from themselves, including limiting the use of accounts with blank passwords
to console logon.
While users of Windows NT Workstation and Windows 2000 Professional also benefit from individual
logon and the ability to prevent private file access by other users, this is a real increase in security for
most home users who previously used Windows 9x or ME. Since each user has their own account,
they each rely on individual profiles within which can be set internet site access restrictions. Each user
has their own Documents folder which can be automatically configured so that only they can access it.
Items which need to be shared by multiple users can be placed in shared folders. Setup of these
features is easier than it is in Windows 2000 or NT.
If multiple computers are present in a home network, the internet connected system can be used to provide
internet connectivity for all. Windows XP’s Internet Connection Sharing (ICS) uses DHCP to
internally accessible IP addresses for these systems and Network Address Translation (NAT) to allow
them connectivity to the Internet. Only the computer connected to the Internet is visible on the
Internet. The Internet Connection Firewall on this computer can be used to protect it.
Users of Windows XP (and of Windows XP Professional in a standalone or workgroup setting) can use
Fast User Switching to change between user accounts without logging off and then logon again.
1 - 17
Windows Legacy Desktop Security - SANS
©2001
17
XP Product Activation
• What information does Product
Activation send to Microsoft?
• When might it be reactivated?
Packaged product (Home version and retail and single system Professional purchase) XP requires
product activation within 30 days of installation. Activation requires the owner or user of the system
to contact Microsoft, either over the Internet (silent) or via telephone. Activation is not registration.
Activation does not require the divulgence of personal information. However, without activation, the
product will cease to work, and product activation can be re-triggerd if substantial hardware changes
(either at one time or cumulatively) are made to the system. The XP system may be activated if the

system has ceased functioning.
Mandatory information is the product ID (unique to the application) and a hardware hash (a non-
unique representation of the PC). (Office and Visio also require the name of the country).
Volume licensed product (5 or more licenses acquired through the volume licensing program) do not
require activation.
1 - 18
Windows Legacy Desktop Security - SANS
©2001
18
XP Professional System
Security
• Encrypting File System
• Centralized Control of Security
Policy
In addition to Home edition security features, Windows XP Professional is able to benefit from
Windows 2000 domain based security features, such as the centralized control of security policy and
the Encrypting File System.
1 - 19
Like Windows 2000, XP has the built-in ability for file encryption. However, Windows XP offers
unique functionality and additional capabilities, which may make the system more vulnerable to
data loss. Differences include:
1. DESX (the expanded Data Encryption Standard) or Triple-DES (3DES) can be used as the
encryption algorithm.
2. Windows XP EFS does not require a Data Recovery Agent to be available in order for files to be
encrypted. If no Data Recovery Agent exists, a self-signed certificate is generated and used. If
the certificate is corrupted or lost, the encrypted files are unrecoverable.
3. To disable EFS on Windows XP, uncheck Local Securty Policy\Public Key Policies\Encrypting
File System properties page ‘Allow users to encrypt files using Encrypting File System’. Even in
a domain environment in which the EFS policy has been deleted, file encryption on Windows XP
is possible. When .NET server is available, it is expected to have the ability for key recovery vs

file recovery.
4. XP encrypted files may be shared by the user who encrypts the file. This user selects additional
users and the system adds additional Data Decryption fields using the added user’s certificate.
This can be a problem, as every added user also has the ability to share these files with other
users.
5. Offline files can be encrypted. This will allow the protection of sensitive files that are cached on
local systems.
6. Encrypted files can be safely stored on networked computers using Web Distributed Authoring
and Versioning (WebDAV) web folders. These files will not be decrypted and travel the network
in clear text. They remain encrypted.
1 - 20
Windows 2000 offers additional Local Security Policy settings and its defaults are different. Guest only security model.
Connection from the network to Windows XP by the use of a local account, reduces the account to the security
status of guest. This prevents attackers from using hacked or guessed passwords for privileged local accounts. Even
if the local Administrator account is left blank – an attacker successfully connecting across the network will have
only guest privileges. (In Windows 2000 and previous Windows operating systems, a user connecting across the
network has the privileges associated with the local account. Connection using a domain account will operate in the
normal manner. This ‘force network logon using local accounts to authenticate as Guest’ policy can be modified.
User accounts (local Windows XP Professional accounts) without passwords, can only be used to log on at the physical
computer console. You cannot use the RunAs secondary logon service to logon using these accounts.
Keyring - credentials (stored user names and passwords) from applications and web sites can be stored and managed
through this utility in User Accounts/ Control Panel. This can be enabled or disabled via group policy.
Internet Connection Sharing and Internet Connection Firewall have location-aware group policies. This allows domain
member computers to be denied the ability to use ICS and/or ICF via group policy and yet these same computers,
when used at home, can use ICS and/or ICF. This is especially important for traveling laptops who need ICF when
connecting to the Internet from hotels, airports, and other non-corporate firewall-protected spots.
Software Restriction Policies controls the ability of software to run in a domain environment. This allows an
administrator to prevent unwanted applications (including Trojans and viruses) from running. The policy can
restrict applications identified by path, file hash, certificate, or Internet Zone. Scripts can also be controlled by
allowing only those signed by the IT organization to run. Software restriction is available in Local Security Policy

and Group Policy settings.
Internet Protocol Security (IPSec) – Like Windows 2000 Professional, XP can use IPSec policies to block protocols and
to protect communications between machines.
1 - 21
Windows Legacy Desktop Security - SANS
©2001
21
Best Practices
• System Updates
• System Access
• Resource Access
• Using Built-in Security Devices
• Policy Settings
To conclude, lets review some Windows Professional/XP system best practices. In order to give
these systems the best possible security, we should consider the following best practices:
1. Ensure that systems are updated consistently with available service packs and security patches.
Use the update site. (Business systems should be updated via company policy and under
administrative control.)
2. Control system access by the use of individual user accounts and strong passwords.
3. Control access to resources by using the NTFS file system and limiting access to those with a
need to know.
4. Use built-in security devices and recovery features, such as Internet Connection Firewall,
Windows Driver Protection and rollback, shutdown event tracker and crash recovery and
analysis. Backup, including shadow backup, should be managed and controlled.
5. Accept default security policy settings, such as the ‘Guest only Security Policy’. Learn and set
strong account controls on local accounts. Account controls are items such as password length
and account lockout.
6. Make frequent ASR disks.
7. Never logon as an administrator except to do administrator-only chores such as:
• Install the operating system and components (such as hardware drivers, system services,

and so on).
• Install Service Packs and Windows Packs.
• Upgrade the operating system.
• Repair the operating system.
• Configure critical operating system parameters (such as password policy, access control,
audit policy, kernel mode driver configuration, and so on).
• Take ownership of files that have become inaccessible.
• Manage the security and auditing logs.
• Back up and restore the system.
1 - 22
Windows Legacy Desktop Security - SANS
©2001
22
Course History
v 1.0 12/23/2001 - Roberta Bragg
v1.1 1/10/2001 – Carla Wendt – edited and audio recorded