March 4th, 2004, 09:40 AM
Windows XP Security Guide (phase two)
Windows XP Pro (Home compatible) SP1 Remote Security Guide - Phase two
This is part two of my Windows XP security guides, and I demand that you read Phase One before continuing. Reading only half a guide results in half-done security. Nothing too formal for an introduction, as I have said it all in the first release!
Phase two: Firewall installation/configuration and understanding Windows Update
1. Pre Windows Updates - Getting a firewall installed
First things first, and even before Windows Updates: install a firewall. The reason is that Windows updating takes time, and in that time frame you are vulnerable. I have already tried and tested multiple firewalls and would like to offer my opinions on which is best suited for the utmost security. Keep in mind that I am reviewing only freeware, so that it does not pose a financial burden to either a single user or a company. While non-free versions may be better than their free counterparts, I want to show people what can be done for optimal security while not draining their wallet. If you just want to quickly get through this without reading my reviews, then too bad. Read to learn and better understand what is good and bad, so that you can replace experience with wisdom.
Remember, you have a separate partition for 3rd party programs to install. However, since it is not formatted yet, go ahead and install it on your primary partition alongside the Windows OS. I can't foresee any problems, but of course for safety reasons you can always uninstall it to reinstall it on the program-dedicated partition later.
A. - ICF (Internet Connection Firewall): This firewall comes preinstalled on Windows XP, but is not turned on by default on some XP installations (depends on XP release version). While it offers limited configurability in regards to firewalling incoming traffic, it offers no security in regards to outbound firewalling. It offers minor port ruleset configurations, minor ICMP ruleset configurations, and a very limited logging ability. You could combine this with the TCP/IP filtering we discussed in Phase One, but in the end there are so many things to configure and reconfigure that confusion and the lack of finer control end up being this firewall's downfall. While the SP2 future release of Windows XP will offer much more configuration, SP1 is obviously meant more for the typical user's protection than what non end-users expect. In short, you won't find keyhole locks (ICF) at Fort Knox, but you will find fingerprint recognition along with deadbolt locking (other firewalls). I recommend turning this off so that it will not conflict with future 3rd party firewalls.
How to obtain: Start Button > Control Panel > Network Connections > Right click on the connection you want to protect, then choose properties > Advanced Tab > Enable Firewall checkbox and then click Settings button.
B. - ZoneAlarm Firewall: This is the free version of ZoneAlarm, which provides basic firewall protection. Installation is relatively easy so long as you read the text. However, the free version is significantly crippled when compared to the Pro version. The firewall itself allows three general settings:
1. High: Stealth mode. Your computer is hidden and protected from hackers. Sharing is not allowed.
2. Medium: Visible but protected mode. Computers can see your computer but cannot share its resources. Incoming NetBIOS is blocked.
3. Low: Caution! Firewall is off.
And that is it. That is the limit of firewall configuration. The only additional rules that can be defined are adding IP/hostnames to the trusted zone. No in-depth port blocking, fragment protection, or finer ruleset handling. While it does include its very handy Program Control feature, which alerts you when a program is attempting to access the internet, the overall feel of this free version is disgusting. Log control is even more minimal than ICF, and there is no in-depth E-mail protection configuration. All in all, a horrible firewall. Don't touch it. Treat it like the plague.
How to obtain: http://www.zonelabs.com/store/conten...id=zadb_zadown
C. - Kerio Personal Firewall: Talk about a firewall that packs a punch. By far the most feature-filled and secure free firewall I have ever had my hands on. It offers everything from current connection monitoring (per process name and its protocol) to statistics logging. It has password protection that can be enabled if you wish to have local-level security, as well as the ability to allow remote administration of the firewall via that password. In terms of network security, it offers very detailed and fine-tuned settings in multiple forms. It has deep-level application control handling, in which you can specify both incoming and outgoing connection limitations, as well as the typical "This program is attempting to access the internet" warning dialogs. The warning dialogs also have tabs which allow you to view in even more depth what is calling upon the program.
Might I also mention that the free version includes a built-in packet filter for very fine-tuned ruleset controls. From protocol to port, application name to hostname, the ability to fine-tune your permission settings on the firewall is a joy to see.
It also has a feature that I have yet to see in other firewalls, and that is system security on an application level. With each and every process/program on the computer, you can set permissions for "Starting", "Modifying", and "Launching Others". This means you can not only control which programs you want to deny on a system launching level, but also go into finer detail by setting it to "use existing system security rules or ask me", which will ask you about each and every process/program that runs on your computer. Once it has learned the programs you want to allow, it is much easier to identify a suspicious process.
How to obtain: http://www.kerio.com/us/kpf_download.html
2. Windows Updates - Do it right the first time
There are three kinds of Windows Update people in this world: those who never update, those who apply each and every single patch without knowing what those patches do, and finally the geeks who sit and read the release notes for each and every patch so they can better decide what their system actually needs. We need more of the third kind in this world.
Using it is simple: Open Internet Explorer, click the Tools menu and then choose "Windows Update". When it asks you if you want the Windows Update ActiveX to install, of course click yes, but do not check the box that allows your system to always trust Microsoft. This is a good thing to remember for any ActiveX dialog box. Allow or disallow per event and situation, instead of choosing to always say yes with trust towards the company or program that wishes to install. While it may take a second or two extra because of the one button that must be pressed, it will allow a significant amount of program control/monitoring to slide back into your hands. You never know when something may demand access under the name of any company and, if automagically allowed, install some form of software that would compromise your security.
Below are some basic rules to follow when updating your Windows XP installation:
A. - Read, read, and read again what each update does. Be it a Critical System update or a Recommended Update, read the information provided on the Windows Update site (info link is usually right beside the package on the lists). Not only does this make you more confident of what patches you have installed, but it helps you to become more knowledgeable about the system as a whole. For example, what would you rather hear an admin say?
"Well... I installed a lot of patches. Not sure what they did. Oh, I remember one had something to do with media player".
"I installed only 16 of the 18 updates, because 2 were simply unnecessary on my system. I do remember that DCOM was patched, and so was the URL bug in IE. blah blah blah blah blah.."
The answer is simple. Choose to learn Windows rather than just "let it be". Not only will you actually learn something, but it brings that chance of user error screaming "WINDOWZ nevr works!!11" down by a large degree.
B. - Do not install updates that do not apply to you. If there is an update for a TabletPC on the Windows Update screen which does not deal with the security of the existing software but merely offers more features in a program you do not use, then do not download it. This especially applies if you do not even own a TabletPC. This is simple to understand and follow. However, it requires following rule A so that you can decide if it is a needed security patch, a needed feature patch/upgrade, or an unneeded feature patch/upgrade. This will not only save you disk space, but prevent the possibility of a future exploit on software you never use. On a side note, I would never ignore the installation of an upgrade in the "Critical Update and Service Pack" section. They are called 'critical' for a reason, and you will find out why once you read the information on each one.
If and when you come across an update that you wish to never install, use the "Personalize Windows Update" link on the far left side of the Windows Update webpage. From there you can check select packages to never show and bother you again.
C. - Check for updates manually. Until the future SP2 is released, the limited capability of Windows Automatic Update can be hazardous. Not only will it install every single patch available (breaking rules A and B), but if you are in the middle of testing a certain setup configuration and the automatic update decides to alter that via a recent patch... you are going to want to kill it.
D. - When it comes to the "Driver Updates" section, if you see any available driver updates for your software then I suggest downloading them. They may not be the latest and greatest drivers, but they are certified to work with XP right off the bat. This will also give you time to use drivers you know work, while searching for newer drivers.
E. - Do not install anything while performing upgrades. Certain processes need to be 100% free in order for Windows Update to recognize it as *safe* to install. So, after the firewall is installed and after the upgrades have begun, just let it go. Stay nearby, however, as my above recommended firewall will be asking for permission, several times, for certain Windows Update packages to install and connect to the internet for updating. Those, of course, you need to allow past the firewall.
3. Post Windows Updates - Firewall Security Configuration
After the few reboots needed for the Windows Update process, we can now sit comfortably in a partially secure system. At least for a moment or two. We have a decent level of security already because of the default firewall settings installed on Kerio (you did use Kerio after reading my report, right?) and running on the newest Windows updates (carefully updated through what we read on their information). So let's start furthering our security by properly configuring our Kerio Personal Firewall. Know that Kerio has a lot of the best security options already turned on. Thus, I will only be focusing on the parts that need to be changed in order to make the system more secure. You need to take your own time to fully understand the parts of the firewall so you can use it to a better degree. This means don't hesitate to click the large "Help" button on the bottom right part of the Kerio GUI.
Kerio Firewall Settings:
A. - Overview left-tab: I first off recommend leaving update checking as Available, but not checking for the beta releases. The reason I feel this is secure is that there is only one update to worry about, and one we know will be needed each and every time there is an available update. Under the Preferences top-tab, notice the "Enable gateway mode" checkbox. This is used, as the description says, if this computer is using Internet access sharing, and is the primary computer from which the internet is shared. Check it if you are that primary computer and your network does use Internet Access Sharing. Otherwise, leave it alone.
I would recommend leaving "Generate crash dump" checked, as even though it does take up a small degree of disk space, the output given in the crash log can be invaluable to analyzing what an attacker did as well as how to prevent it next time. For those worrying about a possible DoS by continuously causing the firewall to generate a new crashdump, it's a choice between having this partition filled up (thus the positive side to having installed or reinstalled the firewall onto partition 2, or 3 if you are using the 3 partition setup)
While we are here, you can choose to set up a password or not with the Password Protection checkbox. I recommend using a password for local security reasons. For information on proper password creation, see my Windows XP Security Guide (Phase One). I do not, however, recommend turning on remote administration. This is only asking for trouble since it is a vulnerable port to attackers, leading straight into the heart of your defense system.
B. - Network Security left-tab: On the Applications top-tab there is very little we need to worry about configuring right now. As you can tell, this is where we control the access programs have to the internet. Also, due to the multitude of eventual applications that you will install, I cannot go over each and every secure setting. You need to just use common sense here. However, notice the "Packet Filter" button. Once you click it, you are taken into the ruleset configuration, where you can fine-tune the firewall policy. Be it allowing certain ports, banning certain IPs, etc etc.. it can all be done right here. We don't need to change anything there just yet, but now you know.
On the Predefined top-tab, we see a simple list of firewall rules predefined for us to work with. The default settings on these are fine for the most part, however I recommend a few changes:
1. Change the "permit" in the trusted zone to "deny" on "Ping and Tracert in". This way we can avoid an ICMP packet even if someone spoofs an IP to something they know is in your trusted network settings.
2. If you do not use VPN (virtual private networking) connections then I suggest turning both "permit" checks to deny, on the Virtual Private Network settings. No need to allow any sort of inbound/outbound connections if you are not using them.
3. Change the "permit" in the trusted zone to "deny" on "Other ICMP packets". This way we can avoid a fragmented or changed ICMP packet even if someone spoofs a trusted IP.
Also, on the Settings top-tab we have a few more choices. There is only one to worry about, but its impact is quite significant: the section "When application is about to start". By default, Kerio allows all programs to at least start without your input. However, we can tell it to notify us each and every time there is a program about to start that does not have our permission. While this may create a ton of Warnings and "Do you want this program to start?" at first, so long as you keep clicking the "remember this choice" when allowing or not allowing the program, then they will eventually all go away. This leaves programs you did not personally execute wide open, as you will suddenly notice a warning for an application you never opened in the first place.
However, changing this setting to notify you requires a lot of patience and time, as it will take a lot of mouse clicks to get Kerio to go through each program you execute and gain your permissions. The choice is ultimately up to you.
C. - Intrusions left-tab: Ah, the good old IDS configuration. Everything is for the most part in top shape, but change the "Low Priority Intrusions" from "permit" to "deny". Simply because we don't want intrusions of any level allowed in.
After this, your firewall is configured for high-level security, without causing so much hassle that it becomes an annoyance. From here on out, it is up to you to configure it as needed in the future. Be it to deny an IP because the IDS reports them port scanning, or redefine how you want a certain program to interact with the internet. And this ends the second part of my Windows XP security tutorial. I will be writing them as quickly as possible so people who want to get into a secure XP system can do so. I thank you for reading, having an open mind, and a willingness to learn. If you have any comments, suggestions for improvements, or flames, please let me know. Also, if you are finding it difficult to read, let me know. I want to make this easy on the eyes, so people can worry more about reading than *trying* to read it.
Next phase: Securing windows through its own configurations/services and server software security tips (say that last part 5 times fast)
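
The application-level controls described for Kerio above (the "starting", "Modifying" and "Launching Others" permissions, and the "When application is about to start" prompt with "remember this choice") can be modelled as a small policy check. This is an added illustration, not Kerio's code and not part of the original post; the class and function names, the SHA-256 comparison, the paths and the binary contents are all assumptions or constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field

PERMIT, DENY, ASK = "permit", "deny", "ask"

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

@dataclass
class Rule:
    sha256: str                  # binary's hash when the choice was remembered
    launch_others: str = DENY    # may this program start other programs?

@dataclass
class LaunchPolicy:
    rules: dict = field(default_factory=dict)   # lower-cased path -> Rule

    def remember(self, path, image, launch_others=DENY):
        """Model of ticking 'remember this choice' when allowing a program."""
        self.rules[path.lower()] = Rule(digest(image), launch_others)

    def check(self, path, image, parent):
        """Return (verdict, reason) for one process-start event."""
        rule = self.rules.get(path.lower())
        if rule is None:
            return ASK, "starting: no remembered choice for this program"
        if rule.sha256 != digest(image):
            return ASK, "modifying: binary differs from the remembered one"
        parent_rule = self.rules.get(parent.lower())
        if parent_rule is None or parent_rule.launch_others != PERMIT:
            return ASK, "launching others: parent may not start programs"
        return PERMIT, "known program, unchanged, started by an allowed parent"

def run_demo():
    """Replay constructed start events against a learned baseline."""
    policy = LaunchPolicy()
    policy.remember(r"C:\WINDOWS\explorer.exe", b"explorer-v1", launch_others=PERMIT)
    policy.remember(r"C:\WINDOWS\notepad.exe", b"notepad-v1")
    policy.remember(r"D:\Office\winword.exe", b"winword-v1")
    events = [  # (path, binary contents, parent path): constructed sample data
        (r"C:\WINDOWS\notepad.exe", b"notepad-v1", r"C:\WINDOWS\explorer.exe"),
        (r"C:\WINDOWS\Temp\updater.exe", b"unknown", r"C:\WINDOWS\explorer.exe"),
        (r"C:\WINDOWS\notepad.exe", b"notepad-patched", r"C:\WINDOWS\explorer.exe"),
        (r"C:\WINDOWS\notepad.exe", b"notepad-v1", r"D:\Office\winword.exe"),
    ]
    return [policy.check(*event) for event in events]

if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:6} {reason}")
```

Only the first event passes silently; the unknown program, the altered binary and the program started by a parent without "Launching Others" permission each raise a prompt, which is the point at which a process you never opened becomes visible.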