Windows Hardening Expert Advice

Recently, Windows hardening expert Jonathan Hassell answered a series of questions on topics ranging from Internet Explorer security to Windows Firewall to Group Policy. Read his most recent questions and answers here or pose your own question for Jon here.

Security risks in IE 6

I want to take a step back from IE7 and start running IE6 again, but am concerned about the security risks. What do I need to worry about in IE6 that I do not need to worry about in IE7? What steps should I take to limit security risks during such a switch?

As far as what you should consider from IE 6 that IE 7 might take off your mind:

  • IE 6 doesn't run in low privilege mode, so adware and spyware can infiltrate more easily.
  • There is no phishing filter in IE 6, nor are there any obvious warning signs when you're about to enter a phishing site.
  • IE 6 doesn't have tabs out of the box. (Not security related, but it's certainly a convenience factor.)
For more information
Internet Explorer 7: How it can make your life easier
Brien Posey highlights some of the features that should be ready for prime time soon and others that will surface when Vista does.

Make sure you have an antivirus solution installed, watch out for sites that can give you spyware (a popup blocker is necessary here to prevent some automated installs) and check your zone settings to make sure the Internet isn't a trusted place. Or, better yet, install Firefox until you're ready to return to IE 7.

Click here to view questions and answers from all of our Windows security experts.
Click here to pose your own question to Jonathan Hassell.

How do I disable Microsoft Firewall?

I am now running AOL 9.0 SE but my Mcafee Firewall tells me that I must remove Microsoft Firewall. Where & how can I find this file & remove it?

Open Control Panel, double-click on Windows Security Center, and disable the firewall from there. You don't need to actually remove it.

Click here to view questions and answers from all of our Windows security experts.
Click here to pose your own question to Jonathan Hassell.

Managing folders and files on a network share

I am trying to prevent users from deleting and moving folders and files on a network share. They should only be able to create, read, execute and write files and folders.

I have already created the group and deny delete and delete subfolder and files. This option is not working for me.

Once the deny delete and delete subfolder is applied

  1. Users cannot delete files and folder "First task accomplish"
  2. Users cannot move a folder into another folder "Second task accomplish". However it creates an empty folder with the same name of the source folder inside the destination folder. This cannot be deleted and creates confusion for the user and starts filing in the wrong location
  3. All files created under the share respond to the deny option however it's not possible to create excel files. Error message cannot save the "file name". The folder is marked as a read only.
  4. User cannot move or delete files inside the share but they can creates copies on theirs desktop for security could this be control it.

Let me address your issues as best I can. To be honest, it sounds like things are largely performing as you wanted.
  1. This is expected behavior. You mentioned you don't want users deleting folders and files, so I assume this is the way you want this to behave.
  2. Moving a folder is effectively a delete operation with a second create operation (delete the folder at the old destination and recreate it at the new destination), so this won't work with your permissions set the way they are. Of course, this sounds like expected behavior, since you don't want users deleting folders.
  3. Are Excel files the only files that respond in this way when you're trying to save them?
  4. You can't really control copying data from the server if a user has read access to it. You would essentially have the remove any writeable areas on the local computer, which isn't practical.

For more information
Network Access Control Learning Guide
Learn how unauthorized users gain network access, how to block and secure untrusted endpoints, and get Windows-specific and universal access control policies and procedures.
In the future, the RSoP tools in Windows Server 2003 are very helpful at diagnosing permission oddities and figuring out exactly what effect a permissions change will have on your users. You don't mention if you're using Windows Server 2003, so I can't officially recommend that route, but other users will likely find the tool useful.

Click here to view questions and answers from all of our Windows security experts.
Click here to pose your own question to Jonathan Hassell.

Managing user rights in Group Policy

I have a project and don't know how to approach it. We have a special user that needs administrator rights but I don't want him to have access to download programs or software when he is logged on to the domain. I can give him local admin rights but when he logs on to the domain I want to override his permission so he is not able to download any programs. Is there a way to do this?

To my knowledge you can't do this with the functionality included within Group Policy. You also don't mention the version of Windows you're using on the client. If it's Windows XP, you could consider establishing a software restriction policy that eliminates Internet Explorer use, but he could still bring an FTP program in on, say, a USB key and install from that medium. You may need to investigate third-party software for this particular need.

Click here to view questions and answers from all of our Windows security experts.
Click here to pose your own question to Jonathan Hassell.

Dig Deeper on Web browsers and applications

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.