- 16.1 A quickie guide to securing PCs
- 16.2 General
- 16.3 Documentation
- 16.4 Assurance
- 16.5 Accountability
- 16.6 Access Control
- 16.7 Secure data exchange / communications
- 16.8 Network & Communications
- 16.9 Availability
- 16.10 PC Client Security Tools
16.1 A quickie guide to securing PCs
- Don't expect high security from these systems; switch to NT or UNIX, or buy 3rd party security products, if sensitive data is handled by DOS/Windows/Win95/Win98.
- Update your Win95 & WfW clients with the password security patch, even better disable caching!
- Win95 Dialup networking: don't save passwords locally.
- Teach users to choose strong passwords, to change them regularly and to lock screens or stop machines when not in use.
- Run viral scanners regularly and teach users to use the scanner on all floppy disks. Ensure that clear organisation procedures are in place to deal with a "viral outbreak".
- Don't store confidential information on the PC.
- If PCs access confidential servers, consider physically locking their casings and attaching them to their desks.
- Don't use workgroups to share confidential data.
- Don't use workgroups to share high availability data.
16.2 General
- Scope: 3rd party connectivity products/protocols such as Netware, DECnet, Vines or NFS are not covered here.
- Windows '95 is just a shinier version of Windows for Workgroups. It is based on (primitive) 16-bit DOS and should not be relied upon for much security. Although Windows 95 offers more security than its predecessors, these security features should not be regarded as an effective barrier to the knowledgeable hacker.
- Win98 is almost identical to Win95; it just has a few new features, a different GUI and support for new hardware such as USB.
- No data is to be kept on PC workstations.
- Use a disk controller which encrypts data on the fly. Normally the controller asks for a password during PC boot.
16.2.1 Use of portable computers
The use of laptops is to be minimised, as they represent a serious security risk - even if the trend is more and more towards mobile computing. They allow uncontrolled exchange of large amounts of data.
- Use an EPROM boot password (although it offers little protection).
- When transporting a laptop via public transport, carry it as hand baggage.
- An anti-virus program must be installed.
- Data should be encrypted with suitable software (see the Tools section at the end of this chapter).
16.3 Documentation
See the Windows 95 Resource kit and the WfW 3.11 Resource kit.
16.4 Assurance
These operating systems cannot be certified to ITSEC or TCSEC standards. See the Operating System overview section.
16.4.1 Virus protection
Viruses are programs that attempt to spread from computer to computer and either cause damage (by erasing or corrupting data) or annoy users (changing screen contents, printing messages). Viruses are a mostly PC (and more recently Macintosh) phenomenon. To combat viruses, the following measures are to be taken:
- Educate users: if they understand what viruses do and how they are propagated, they will be more careful.
- A standard virus detection tool should be installed on all PCs. If possible its virus signature list should be updated every few months from a central location.
- The scanner should detect macro viruses, stay resident in memory and watch all file operations.
- If a virus is found, notify the Helpdesk/support personnel immediately. The workstation should be disconnected from the network.
- Consider membership of an organisation such as the NCSA http://www.ncsa.com/ or CIAC (U.S. Govt. only) to keep abreast of Virus/security issues and to have help available in case of a major virus threat.
In addition:
- Install applications on servers and mount them read-only from workstations.
- Install applications on a test machine, check for viruses, then install on servers.
- Do regular system backups of servers. Keep backups for up to a year.
- Restrict user access to floppy drives (but email and the web still provide a way of downloading dangerous software).
- See also the MS-Office section for tips regarding Word/Excel.
Hoax virus protection:
The many "hoax" viruses (false warnings, jokes) may waste much of support personnel's time. It's difficult to protect against them, but the following may help:
- Make it a policy that users who receive "virus warnings" report them to the Security Administrator/support personnel and do not forward them to other users unless they have been verified by the local Security Administrator (this avoids hoaxes).
- Check some of the following sites: http://ciac.llnl.gov/ciac/CIACHoaxes,html http://www.kumite.com/myths
Or a few vendor sites: http://www.datafellows.com/ http://www.drsolomom.com/
16.5 Accountability
16.5.1 Identification / authorisation
Recommended for sensitive hosts: Windows 95 can be configured so that a user must log into an NT domain (i.e. the user cannot log in locally) with the Profile Editor (see Access Control section).
16.5.2 Audit Trail
A secure audit trail is almost impossible on a non-DAC system.
WfW 3.11: Enable the event log from the Network Section of the Control panel. Security events are recorded in audit.log and may be examined using the Net Watcher tool.
Win'95: TBD
16.6 Access Control
DOS
- Mark autoexec.bat, config.sys and important .ini files as read-only (using attrib +r). (This may cause administration hassle though...)
- Remove intersrv.exe and interlnk.exe to prevent the use of serial communications.
Windows for Workgroups
- Using admincfg.exe, configure wfwsys.cfg on each workstation. File, printer and DDE sharing should be disabled. In the "Security Settings", password caching should be disabled and "require validated logon to NT" should be enabled. "Update security configuration from server" should also be enabled, and the config file protected with a password (perhaps one password for each domain).
The logon banner should also be used to warn the user that he is connecting to sensitive data.
Remove unneeded icons from the user desktop (Network install, windows setup, telnet, ftp...)
Restrict program manager functionality. e.g. No file menu, no "run" option, no personalisation. (see progman.ini entries: NoSaveSettings, NoRun, NoClose, NoFileMenu, Editlevel)
Win95
Set up a system policy via the policy editor (install poledit.exe from admin\Apptools on the Win95 CD). The policy editor should not be installed on user workstations. There are three different types of profiles:
- A user profile consists of user-specific information contained in the file USER.DAT, one of the two files in the Windows 95 Registry. User profiles need to be enabled (see Control Panel -> Passwords) only on the computers where they will be used.
* Multiple users on a computer can retain their personal settings.
* "Roving" users can log on to the network from any computer and work with the same desktop settings (if the profiles are stored in NETLOGON).
* Windows 95 automatically maintains each user's profile.
- Mandatory profiles can be used to enforce consistent desktops. This is useful for novice users and for reducing training and support costs.
- System policies allow you to override local Registry values for user or computer settings. Policies are defined in a policy (.POL) file, usually called config.pol. When a user logs on, system policy settings overwrite default settings in the Registry. You can also set system policies to contain additional custom settings specific to the network.
Unlike SYSTEM.DAT and USER.DAT (the two files that make up the Registry), CONFIG.POL is not a required component of Windows 95 Setup and, when implemented, is stored on the logon server, not the local computer.
System policies can be used to enforce system configuration (what users are allowed to do from the desktop, what they are allowed to configure using Control Panel), to centrally configure network settings and to customise certain parts of the desktop, such as Network Neighbourhood or the Programs folder.
To set up automatic downloading of the policy from a Windows NT server on login (in the policy editor):
1. On the File menu, click Open Registry.
2. Double-click Local Computer.
3. Click the plus sign beside Network.
4. Click the plus sign beside Microsoft Client For Windows Networks, and then click Log On To Windows NT.
5. Type the Windows NT domain name.
6. On the primary domain controller, create a folder named NETLOGON, and then share it.
7. Save the policy file in this folder. Make sure the policy file has a .pol extension.
TBD: what should be defined in config.pol for each security level, per user and per computer (e.g. logon banner, forced logon to the NT domain, file/printer sharing disabled, registry editors disabled, password caching disabled, dial-in networking disabled, desktop settings...)? Can the user delete or change his config.pol (NETLOGON permissions)? This must be prevented.
16.6.1 Discretionary Access Control
Discretionary access control is not possible, mainly due to the FAT filesystem.
16.6.2 Secure System Startup
Lock the PC housing where possible.
Use boot passwords. If possible use separate user and administrator passwords.
For secure(ish) Win95 startup, disable the function keys F5, F6 and F8 by setting BootKeys=0 in msdos.sys. This will make debugging of startup problems more difficult, however.
16.6.3 Object reuse
A special utility should be installed on all PCs to erase files completely (e.g. F-Secure Desktop, see below).
16.7 Secure data exchange / communications
16.7.1 Peer Entity authentication
Workgroups: WfW 3.11 supports share-level security, but not user-level security.
AVOID using Workgroups, use Domains (Lan-Manager, NT) or NFS instead.
Disable Workgroups
16.7.2 Data confidentiality
Do not use as a RAS server.
PC clients should not be used as ftp or http servers.
Disable floppy boot in BIOS setup.
16.7.3 Non repudiation of origin / receipt
16.8 Network & Communications
Install a minimum of network protocols. If possible do not install NetBEUI on subnetted networks - use TCP/IP & WINS servers instead.
16.8.1 Routing: TCP/IP
PCs should not be used for routing. A default gateway should be defined (Control Panel->Networks-> TCP/IP) and all TCP/IP packets for machines outside the current subnet will be forwarded to this gateway. Normally the default gateway is the router.
16.9 Availability
16.9.1 Backup and restore (Win95)
- Registry backups:
The registry should be an integral part of tape backups.
Repair diskette: keep it in a locked, fireproof safe. Also copy system.dat, config.sys, autoexec.bat, win.ini and system.ini to a subdirectory on the repair diskette.
- Recovery:
- Every time Win95 successfully boots, it creates a backup of the registry files with a .da0 extension. If the .dat seems corrupt on startup, Win95 uses the .da0 backup.
- When booted in safe mode, the registry is not backed up, since Win95 assumes the registry files are damaged. If you have manual backups of the registry, they can be restored in safe mode.
- system.1st in the root directory is a copy of the registry as it was at setup time. A damaged registry can be restored by changing the attributes and copying this file to system.dat. Also, if a machine hangs on startup, use F8 to select logging and continue booting. When it blocks, boot from a floppy disk and examine bootlog.txt to see which device/driver is causing the problem.
16.9.2 Prevention of Resource Abuse
Quotas etc. are not supported, but are not really necessary on client machines.
16.9.3 Patches & Release management (winter 1996)
- Install PCs from the network. The advantages are:
1. The OS is installed from a secure master copy with the latest patches.
2. The OS is preconfigured according to your needs.
3. Standard applications are automatically installed.
4. Much faster.
The disadvantage is that it is very difficult to set up, especially when many different types of hardware are used.
- SMS offers a disciplined change control system for (50 or more) Windows clients.
- Windows for Workgroups has serious security bugs!
- Win95 has serious security bugs; they can be fixed by downloading the fixes from http://www.microsoft.com/windows/download/ . But the fixes are frequent and need to be tested.
- Consider moving sensitive clients to NT.
| Date | Problem | Fix archive |
|---|---|---|
| 13.12.95 | The password cache has weak encryption (exposes all server systems used by a Win95 client). | mspwlupd.exe |
| 20.10.95 | Problem with NetWare file sharing (read access to local files) | nwsrvupd.exe |
| 20.10.95 | Problem with Microsoft networks file sharing (can read entire disk). | vservupd.exe |
| 6.12.95 | OLE can hide parts of deleted files in Office 95 files (i.e. Winword, Excel, PowerPoint). These parts are visible via a plain-text editor, for example, notepad. | ole32upd.exe |
- The above patches are available as a "Service Pack 1" for Win 95.
- May '96 update: a new batch of updates needs to be installed over Service Pack 1 to fix new bugs. See:

| File name | Size |
|---|---|
| krnlupd.exe | 296,960 |
| mspwlupd2.exe | 284,160 |
| krnltoys.exe | 54,586 |
| oleupd.exe | 404,992 |
| cover_pg.exe | 147,456 |
| inetmail.exe | 241,152 |
| dlc32upd.exe | 180,224 |
- Microsoft weren't intelligent enough to release a new, clean, Service Pack, that would have made life too easy for administrators!
16.9.4 Replication
The Win95 Briefcase utility is useful for synchronising Laptops and servers. However, be aware that if the filesystem on the server is a compressed NTFS directory, the briefcase will only be "partially" synchronised.
16.9.5 Redundancy
HW RAID is a possibility, but it is better to simply store data on a server.
16.10 PC Client Security Tools
WfW 3.11 has a utility called admincfg.exe which may be used to configure several network security options.
Secure Email:
There is a 32 bit version of PGP and a graphical front end for Win95 (See chapter 7). See also S/MIME.
16.10.1 Diverse
- F-Secure SSH (Secure Shell) offers secured access to UNIX servers and limited VPN tunnelling. Recommended. See the analysis in the mechanisms chapter.
- Gemplus provides GemSAFE (at about $99) for email authentication. It includes a smart card reader, a voucher for a VeriSign certificate and software that supports Microsoft's and Netscape's browsers. http://www.gemplus.com/
16.10.2 File/Directory encryption, secure deleting Tools
- F-Secure Desktop: This product, exported from Datafellows in Finland, allows military strength encryption of files on Windows systems with an easy-to-use GUI. Recommended. See the analysis in the mechanisms chapter.
- Ironware from AEC Ltd. in the Czech Republic (http://www.aec-security.com/) offers secure file deletion, strong file encryption with compression, secure file transfer, file signing with SHA, email encryption and FTP encryption. Price ~$140.
- Secrets is a Windows based file encryption program with group keys and data recovery. http://www.sapher.co.uk/
- CyberAngel by Sentry Software ( http://www.sentryinc.com/ ) offers file encryption, from DES to 448-bit Blowfish.
- Latches from Rhea International, U.K. ( http://www.rheagroup.com/ ) offers secure logon, audit logs, silent alarms, file encryption, DAC & MAC, boot protection, role based access control and supports physical access tokens.
- Destroy: This free utility allows files to be securely deleted under DOS:
DESTROY - A file deletion and security utility for MSDOS. When you use "del" to delete a file, it can often be recovered by use of "undelete" or other tools. DESTROY is different. It wipes the file before deleting it. It also destroys the directory entry. Recovery tools will only recover a small file full of zeros.
- StopLight: StopLight for DOS, Windows and Win95 controls access to files, drives, directories with Read/Write/Create/delete/Execute privileges, by providing security at the OS level. Even if a computer is booted with a DOS diskette it is protected. Full disk encryption (real time encryption is an option) for laptops, in addition to optional boot sector encryption. Logging and auditing are included too. Most network types are supported. See also http://www.safe.net/
- Stoplock V
- Raxco EAC, SECUREcard
- RSA Secure (for Windows 3)
A frequent requirement when protecting file confidentiality via encryption is Emergency File Access. If the file owner encrypts an important file and forgets the key, what happens? A second key is created and split into five parts such that any two of the five (partial) keys, when combined, can be used as a decryption key. The five (partial) keys can be kept by separate people, only to be used if the original owner is not able to decrypt the important file.
- RSA provide a package for Windows based on the above (RSA Secure). It works well together with Windows' File Manager, but is not yet integrated into Win95's Explorer (Jan. 1995). This product seems to have died, having disappeared from http://www.rsa.com/ .
- It is not known how strong the encryption is, but the export version may only be 40 bits, which more or less destroys the product.
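The "any two of five partial keys" arrangement described above is a threshold secret-sharing scheme. The following Python is an added example, not code from this chapter or from RSA Secure, showing how such a scheme works using Shamir's construction: the decryption key becomes the constant term of a random polynomial over a prime field, each custodian receives one point on that polynomial, and any two points recover the key by Lagrange interpolation at x = 0. It generalises to any k-of-n split. The field prime, the function names `split_key`/`recover_key` and the sample key bytes are choices made for this example.

```python
import secrets
from typing import Callable, List, Tuple

# Field for the arithmetic: the Mersenne prime 2^521 - 1, large enough that a key
# of up to 64 bytes is a single field element. Constructed choice for this example.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, f(x)): one custodian's partial key


def split_key(key: bytes, threshold: int = 2, shares: int = 5,
              randbelow: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split a decryption key into `shares` partial keys, any `threshold` of which recover it.

    Shamir's construction: choose a random polynomial f of degree threshold-1 with
    f(0) = key, and hand out the points (1, f(1)), ..., (shares, f(shares)).
    Fewer than `threshold` points leave f(0) completely undetermined.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if len(key) > 64:
        raise ValueError("key must be at most 64 bytes for this field")
    secret = int.from_bytes(key, "big")
    # a_0 is the key itself; a_1 .. a_{threshold-1} are uniformly random.
    coeffs = [secret] + [randbelow(PRIME) for _ in range(threshold - 1)]
    points: List[Share] = []
    for x in range(1, shares + 1):
        y = 0
        for a in reversed(coeffs):  # evaluate f(x) by Horner's rule, mod PRIME
            y = (y * x + a) % PRIME
        points.append((x, y))
    return points


def recover_key(parts: List[Share], key_len: int, threshold: int = 2) -> bytes:
    """Recombine `threshold` distinct partial keys by Lagrange interpolation at x = 0."""
    if len(parts) < threshold:
        raise ValueError("not enough partial keys to recover the key")
    parts = parts[:threshold]
    if len({x for x, _ in parts}) != len(parts):
        raise ValueError("duplicate partial key")
    secret = 0
    for j, (xj, yj) in enumerate(parts):
        num, den = 1, 1
        for m, (xm, _) in enumerate(parts):
            if m != j:
                num = (num * (-xm)) % PRIME       # product of (0 - x_m)
                den = (den * (xj - xm)) % PRIME   # product of (x_j - x_m)
        lagrange = num * pow(den, -1, PRIME) % PRIME
        secret = (secret + yj * lagrange) % PRIME
    return secret.to_bytes(key_len, "big")


def demo() -> bool:
    """Constructed scenario: a 32-byte file key is split among five custodians and
    recovered from the first and last custodian's parts alone."""
    key = secrets.token_bytes(32)
    parts = split_key(key)
    return recover_key([parts[0], parts[4]], len(key)) == key


if __name__ == "__main__":
    print("2-of-5 recovery succeeded:", demo())
```

The partial keys must be stored as carefully as the original key: a custodian who obtains a second part holds the decryption key, which is why the text recommends giving the five parts to separate people.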
16.10.3 Anti-Virus protection
No PC should be without virus protection.
Virus tools tend to have three functions:
1. Generic monitoring (prevention).
2. Scanning (looking for viral signatures).
3. Integrity checkers (looking for changed files).
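As an added illustration of the third function, integrity checking, and not code from any product named in this chapter, the following Python records a baseline of SHA-256 hashes for executables, drivers and startup files under a directory and later reports which of them changed, appeared or vanished. A changed executable is the signal an integrity checker raises when a file infector appends itself to a program; whether the change is an infection or a legitimate update is then for the administrator to decide. The watched suffix list, the file names and their contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Suffixes worth baselining on a DOS/Windows client: infection targets (executables,
# drivers) plus the startup files this chapter recommends marking read-only.
# Constructed list for this example, not taken from any product.
WATCHED = {".exe", ".com", ".sys", ".dll", ".ini", ".bat"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Record a hash for every watched file below root, keyed by its relative path."""
    baseline: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED:
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def check_integrity(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against a stored baseline.

    Returns sorted lists of watched files whose content changed, files that
    appeared since the baseline, and files that vanished from it.
    """
    current = build_baseline(root)
    changed = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake system directory, then simulate an
    infected COMMAND.COM, a newly dropped .EXE and a deleted driver."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "COMMAND.COM").write_bytes(b"MZ original command interpreter")
        (root / "AUTOEXEC.BAT").write_text("@ECHO OFF\nPATH C:\\DOS\n")
        (root / "HIMEM.SYS").write_bytes(b"MZ driver")
        (root / "README.TXT").write_text("not watched")  # ignored: suffix not in WATCHED
        baseline = build_baseline(root)

        # What a file infector does: append code to an existing executable.
        with (root / "COMMAND.COM").open("ab") as fh:
            fh.write(b"\x90" * 16)
        (root / "DROPPED.EXE").write_bytes(b"MZ unexpected new program")
        (root / "HIMEM.SYS").unlink()
        (root / "README.TXT").write_text("changed, but still not watched")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must live somewhere the workstation cannot silently alter, for example on a read-only server share or a write-protected diskette, otherwise malicious code that modifies an executable can simply update the stored hash as well.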
There are literally hundreds of anti-virus programs available. Typically an enterprise buys a site wide license for all machines with regular (e.g. monthly) automatic updates.
If you're shopping for a new anti-virus:
- Make sure that it works with DOS, NT, Win95 and conventional Windows (each has special requirements).
- It should also protect against macro viruses (i.e. viruses in MS-Office documents or other desktop applications which may contain macros) and possible ActiveX viruses.
- Its user interface should be friendly and easy to use (minimum user education necessary).
- It should also be possible to upgrade the anti-virus from a server quickly, regularly and easily.
- Some examples of current products (there are many, many products on the market): McAfee, Norton Anti-virus (maybe expensive for large sites), IBM AV (Anti-Virus), TBAV (Thunderbyte Anti-Virus from ESaSS B.V), Norman (http://www.normanuk.com/), VirusNet (Safetynet Inc.) and also the DataFellows product.
- See also the list of products certified to Secure Computing Magazine's "Checkmark" standard at www.westcoast.com/checkmark .


