Most versions of Windows are known for their conveniences, with security coming second. It's often said -- and rightly so -- that convenience is the enemy of security. While the latest versions of Windows on the desktop and server have been more secure by default, there are still some areas where convenience trumps security. In those circumstances, a secure initial configuration is still the administrator's responsibility.
Here are some features and services where I believe the risk from leaving them on outweighs the reward or convenience.
Lock down Remote Administration/Remote Desktop. The ability to transport entire desktops and user interactions around a network is great, and it's even more useful when you can do it across the Internet as well. Look at that feature with an eye to security, however, and you'll see that the potential for abuse is rampant. Locking down remote administration -- which is decidedly open out of the box -- is a good idea.
How to do this:
- Use IPsec. IPsec authenticates and encrypts communication between machines. And you can set up rules -- much like firewall rules -- that deny everything and then accept only specific, granular exceptions that you define. For example, you could allow certain administrative workstations, or your help desk machines, access to the RDP port -- but only those machines. Remote Desktop listens on TCP port 3389.
- Ensure that only authorized members or groups can access RDP and Terminal Services connections. Within Local Security Policy, double click on the Allow logon through Terminal Services right, and make sure the list of authorized users/groups is only populated with a secure membership. The Server Operators group would be a good choice, or any custom group you construct.
- Kill Remote Assistance. It's good to instill a sense of camaraderie in your users, but from a security standpoint, you really don't want them connecting to each other to try to solve each other's problems. Worse still, crackers can take advantage of these remote assistance invitations to make unauthorized connections to machines. You can kill Remote Assistance using a GPO -- it's under Computer Configuration, Administrative Templates, System, Remote Assistance, Solicited Remote Assistance.
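The three steps above, scripted as an added example (not code from the article): it assumes an elevated PowerShell on a domain-joined Windows Server 2012 or later, where the NetSecurity cmdlets exist; the admin host addresses are constructed placeholders, and the Remote Assistance registry path is my reading of what the GPO setting writes (an assumption to verify with gpresult). The user right from the second bullet is still set in Local Security Policy, not here.

```powershell
# Added example: restrict inbound RDP to named admin hosts over IPsec and
# disable Solicited Remote Assistance. Run elevated; Server 2012+ assumed.
$AdminHosts = @('10.0.10.5', '10.0.10.6')   # constructed: your admin/help-desk hosts
$RdpPort    = 3389

# 1. Windows Firewall evaluates explicit block rules ahead of allow rules, so a
#    "block all 3389" rule would also defeat the scoped allow below. Instead,
#    disable the built-in unrestricted Remote Desktop rules and rely on the
#    default inbound action (Block) for everything that matches no allow rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Allow 3389 only from the admin hosts, and only for IPsec-authenticated
#    connections (-Authentication Required).
New-NetFirewallRule -DisplayName 'RDP - admin hosts only (IPsec)' `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $AdminHosts -Authentication Required -Action Allow -Enabled True

# 3. Connection security rule: require IPsec for any inbound connection to 3389.
#    The domain profile default authentication (computer Kerberos) is assumed.
New-NetIPsecRule -DisplayName 'Require IPsec for RDP' `
    -Protocol TCP -LocalPort $RdpPort `
    -InboundSecurity Require -OutboundSecurity Request

# 4. Disable Solicited Remote Assistance. Assumption: this is the value the
#    GPO under Computer Configuration > Administrative Templates > System >
#    Remote Assistance > Solicited Remote Assistance writes when set to Disabled.
$raKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $raKey -Force | Out-Null
Set-ItemProperty -Path $raKey -Name fAllowToGetHelp -Value 0 -Type DWord
```

After running it, confirm from an admin host and from a non-admin host that only the former can reach the RDP port.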
Stop using the AutoLogon feature. You might have seen this feature in action when you've turned on a supposedly secured Windows NT, 2000, XP or Server 2003 machine and were surprised to see that it didn't require you to log on -- the machine automatically popped up with a desktop, ready to accept any command you gave it. AutoLogon is a convenience feature meant only to be used when you're installing software directly on a machine that requires multiple restarts -- you set it to log you in so you don't have to repeatedly enter credentials. Unfortunately, some users either forget to turn off this feature when their software installation process is finally complete, or they become so enamored with the feature that they leave it on to make Monday mornings that much easier. This is a big security hole. Let's turn it off.
How to do this:
- Open Registry Editor and navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\.
- Set the AutoAdminLogon value to 0 to disable automatic logon.
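The same registry change as an audit-and-fix function, added here as an example (not from the article). It assumes an elevated Windows PowerShell session; `Test-AutoLogon` and the `-Fix` switch are names I chose. Besides `AutoAdminLogon` it also checks for a `DefaultPassword` value, which holds the account password in plaintext whenever AutoLogon was set up by hand.

```powershell
# Added example: report whether Winlogon AutoLogon is on and, with -Fix,
# turn it off and remove the plaintext DefaultPassword value.
function Test-AutoLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)

    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key

    # AutoAdminLogon is a REG_SZ; "1" enables the feature, "0" (or absent) disables it.
    $enabled = ($props.AutoAdminLogon -eq '1')
    # DefaultPassword, when present, is the logon password stored in clear text.
    $hasPlaintextPassword = $null -ne $props.PSObject.Properties['DefaultPassword']

    if ($Fix) {
        if ($enabled -and $PSCmdlet.ShouldProcess($key, 'Set AutoAdminLogon = 0')) {
            Set-ItemProperty -Path $key -Name AutoAdminLogon -Value '0'
            $enabled = $false
        }
        if ($hasPlaintextPassword -and $PSCmdlet.ShouldProcess($key, 'Remove DefaultPassword')) {
            Remove-ItemProperty -Path $key -Name DefaultPassword
            $hasPlaintextPassword = $false
        }
    }

    # Caveat: tools that store the password as an LSA secret instead of in
    # DefaultPassword are not detected here; AutoAdminLogon = 0 still disables them.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AutoLogonEnabled  = $enabled
        DefaultUserName   = $props.DefaultUserName
        PlaintextPassword = $hasPlaintextPassword
    }
}

Test-AutoLogon            # audit only
# Test-AutoLogon -Fix -WhatIf   # preview the changes, then drop -WhatIf to apply
```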
Unless you are confident you have securely implemented the Encrypting File System (EFS), disable it. Check out this advice from the "security isn't always the de facto best answer" department: A lot of administrators think that EFS provides another layer of security for their sensitive data -- and they're right.
If you use only NTFS on your data partitions, all the file and group security in the world won't protect you if a nefarious user takes the physical drive and uses it under Linux or another operating system. The data is all there. So EFS certainly has a place. But I've seen a number of situations and scenarios in which EFS gave administrators a false sense of security because they hadn't deployed it properly. And worse, they put their users at serious risk of losing their data because the recovery and keying mechanisms for the encryption hadn't been correctly set up.
My recommendation: Get all the other pieces of the security puzzle right before turning to EFS. And don't use it until it's properly deployed and operational. Here's how to turn it off if you've gone too far too fast:
- In a Windows 2000-based domain, open up Group Policy through your preferred tool and expand the node tree through Computer Configuration, Windows Settings, Security Settings, Public Key Policies. Select the Encrypting Data Recovery Agents folder, and right-click on the certificate displayed in the right pane (it should indicate File Recovery). Delete it. Then delete the policy.
- In a Windows Server 2003-based domain, open up Group Policy through your preferred tool and expand the node tree through Computer Configuration, Windows Settings, Security Settings, Public Key Policies. Right-click on Encrypting File System and select Properties. Uncheck the sole box on the sheet, and click OK. Then, right-click the Encrypting File System folder and select Delete Policy from the All Tasks sub-menu.
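A precaution to take before deleting the policy described above, as an added example (not from the article): inventory the files that are still EFS-encrypted under a path and, optionally, decrypt them in place so no data is stranded once the recovery agent is gone. It assumes Windows PowerShell running as the user who holds the EFS key for those files or as the designated recovery agent; `Get-EfsEncryptedFile` and the sample path are my own.

```powershell
# Added example: list EFS-encrypted files under a path; -Decrypt removes the
# encryption in place using the caller's EFS certificate or recovery key.
function Get-EfsEncryptedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Decrypt
    )
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            $file   = $_
            $status = 'Encrypted'
            if ($Decrypt) {
                try {
                    # Throws an access error when this account holds neither the
                    # owner's EFS certificate nor a valid recovery agent key:
                    # exactly the files that would be lost after the policy is removed.
                    [System.IO.File]::Decrypt($file.FullName)
                    $status = 'Decrypted'
                } catch {
                    $status = "Failed: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{ File = $file.FullName; Status = $status }
        }
}

# Inventory first; decrypt only once every owner or recovery key is accounted for.
Get-EfsEncryptedFile -Path 'D:\Data' | Format-Table -AutoSize          # constructed path
# Get-EfsEncryptedFile -Path 'D:\Data' -Decrypt | Where-Object Status -like 'Failed*'
```

The built-in `cipher.exe /u /n` produces the same inventory from a command prompt without modifying anything.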
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.