Business Website Links
Website Design, PR, and Surveys
Your One-Stop Shop for the
Internet & Beyond

Home Company Info Pricing Contact Client Directory Computer Tips News Testimonials


Computer Tips

Microsoft Windows Security

 

 

 

 

 

 

 

 

 
Visit us often.  Computer tips updated daily.  Click here to--> "Tell a friend" so they can get updated computer tips, too.  Please visit our clients, as they support the computer tips page.

If you would like to submit a tip send us an email with your tip to info@businesswebsitelinks.com.
  ______________________________________________________________

Protect your web browser from phishing attacks

  • Spoofing is a term used to describe methods of faking various parts of the browser user interface. This may include the address or location bar, the status bar, the padlock, or other user interface elements. Phishing attacks often utilize some form of spoofing to help convince the user to provide personal information. If a user's browser is vulnerable to spoofing, they are more likely to fall victim to a phishing attack. You can search the US-CERT and CERT/CC web sites for malicious scripting and content vulnerabilities at the following URL: http://search.us-cert.gov (use the search term browser+spoof). The US-CERT document "Technical Trends in Phishing Attacks" (available at http://www.us-cert.gov/reading_room/phishing_trends0511.pdf) has more information about spoofing and phishing techniques.

Use SysKey to protect the SAM database (Microsoft Windows XP/2003)

  • The Security Accounts Manager (SAM) database stores local user account information, including user passwords in hashed form. However, the system key thatís used to encrypt the database is stored on the local machine. This poses a security risk because a hacker might be able to access the encryption key and decrypt the database.
  • Microsoft provides a utility called SysKey that you can use to secure the system key by moving it to a different location or setting a password that will be required for Windows to decrypt the key and access the SAM database.
  • Hereís how to use SysKey on a Windows NT 4.0, 2000, XP, or Server 2003 computer:
    • 1.Choose Start | Run, type cmd, and click OK to open a command line window.
    • 2.At the command prompt, type syskey and press [Enter].
    • 3.A dialog box appears with a warning that once you enable encryption, it canít be disabled. Click the Update button.
    • 4.The Startup Key dialog box appears. To set a password, select the password Startup option button, and then type and confirm a password to be entered when the system starts up.
    • 5.If you donít want to require the entry of a startup password, click System Generated Password.
    • 6.If you want to move the key off the local disk, click Store Startup Key On Floppy Disk. Insert a floppy disk, and then click OK.
  • If you choose to store the key on a floppy disk, make a backup (or two) of the disk. Note that when you implement Syskey security, youíll have to enter the startup password or insert the floppy disk to start Windows, so itís very important that you donít forget the password or lose the disk.
  • Also, note that you wonít be able to start the computer remotely unless someone is present at the console to type the password or insert the floppy disk.

Easily generate a new encryption key to replace one thatís been compromised (Microsoft Windows XP/Server 2003)

  • As you know, the Encrypting File System (EFS) can protect your data from unauthorized access by encrypting it at the file or folder level. You can easily encrypt your files or folders through the Microsoft Windows GUI.
  • Under the hood, however, EFS is a bit more complicated. Itís based on encryption keys that are in turn based on digital certificates. The first time a user attempts to encrypt a file or folder, the system automatically issues an EFS certificate for that user.
  • But, what if the userís encryption key is compromised? Fortunately, thereís a way to generate a new key, using the cipher.exe utility included with Microsoft Windows XP and Server 2003.
  • To generate a new encryption key, log in using the user account that requires the new key. Then, at the command prompt, enter cipher /k. In a moment, you should see a message notifying you of the thumbprint information for the new encryption certificate. Itís that easy!

Implement the best security measuresówith the right guidance

  • Keeping up with security measures to protect your workstations and servers can be extremely time consuming. Rather than chasing down vulnerabilities as they crop up, it may make more sense for you to step back and take a more global approach. Microsoft's Security Guidance For Windows Server 2003, which is available at http://www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx, can help you get started. Here you'll find guides that address specific Windows technologies as well as links to security resources that are more global in nature.

Protect Windows systems against SYN flood attacks

  • A SYN flood is a type of Denial of Service (DoS) attack that overwhelms a server by sending it repeated synchronization (SYN) packets, usually making these packets appear to come from fake or forged (spoofed) source IP addresses. The SYN packet is normally used to establish a TCP/IP connection as the first part of the TCP/IP handshake process. Attackers can exploit this characteristic of the TCP/IP protocol. When the serverís connection table is full, legitimate users wonít be able to connect to it.
    A common defense against SYN floods is to decrease the timeout so that connection responses time out more quickly. You can configure Windows 2000/XP computers to do this by creating a new registry setting, as follows:
    • 1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    • Tcpip\Parameters.
    • 2. Create a REG_DWORD value called SynAttackProtect.
    • 3. Set the value data field to 2 for best protection against SYN flood attacks.

Guidelines for protecting files on XP systems

  • There are a number of ways to protect files stored on Windows XP computers, but the available options vary with the edition of the operating system and arenít always implemented by default. To protect files stored on a computer running Windows XP, follow these guidelines:
    • Use the NTFS file system. Both Windows XP Home and Professional Editions support the NTFS file system, which is a more secure and more stable file system than FAT or FAT32. To take advantage of its security features, ensure that all partitions are formatted with NTFS.
    • Use file level security to control who can access your files from the local machine as well as across the network. Windows XP Home doesnít support file level security by default. When logged on normally to an XP Home computer, you wonít see the Security tab on the properties sheet. You can set NTFS permissions in XP Home by logging on as Administrator in Safe Mode.
    • Disable Simple File Sharing on standaone computers so users must authenticate to log onto the computer across the network.
    • Encrypt sensitive files with the Encrypting File System (EFS).
  • The last two measures can be taken only in Windows XP Professional Edition. In addition, Windows XP Home Edition computers canít be members of Windows domains, which means they canít be managed through Active Directory Users And Computers. For that reason, companies should not try to save money by installing Home Edition instead of Professional Edition on employeesí computers.

Streamline workgroup collaboration on your intranet with SharePoint Services

  • The cost of creating and maintaining a secure, internal company website from scratch is beyond the reach of most small businesses. Fortunately, Windows Small Business Server 2003 includes SharePoint Services, which automatically generates an elaborate company site that's easy to customize and maintain--all without incurring any additional cost.
  • To help promote collaboration and teamwork through a SharePoint Services company website, we'll:
    • List the requirements for the use of SharePoint Services.
    • Describe methods to make the company site safe and secure.
    • Explore the main features of SharePoint Services so you can confirm it meets your needs.
    • Walk you through the steps to share documents on SharePoint Services.
    • Demonstrate ways to organize your shared files so they're easily accessible to visitors.

Divide administrative responsibilities for best security

  • Regardless of how trustworthy your network administrator is, the best security practice is to divide administrative tasks and responsibilities between several people. This provides a system of checks and balances and avoids a situation in which one person has too much power. No one should use the built-in Administrator account to perform administrative tasks. Instead, each administrator should be given an account with administrative privileges. This allows you to track who made particular changes or accessed particular files or programs. In Windows domains, you can use role-based administration and the Delegation Of Control wizard to assign permissions for specific administrative tasks. You should establish an incident response team to handle security breaches that occur, instead of leaving this task to one person or to the network administrators.

Authenticate digital signatures with PGP

  • Electronic documents and email messages are becoming a commonplace way to conduct business transactions, but itís important to be able to verify that the author of a document or message is really the person he or she claims to be.
  • You can use digital signatures to verify identity. This is easy to do with programs such as Pretty Good Privacy (PGP). PGP is based on a public/private key pair; you sign the document by encrypting it with your private key, to which only you have access. The recipient uses your public key to decrypt it. Note that this doesnít provide data confidentiality because the public key is available to everyone. It does, however, ensure that it was really you who signed it, because no one but you has the private key thatís paired with that public key.
  • PGP is available in both freeware and commercial versions. You can get the commercial version at http://www.pgp.com or the free version at http://www.pgpi.org/products/.

Validate your LAN-to-LAN VPN internally prior to its final deployment

  • Setting up a virtual private network between your main and remote offices can be challenging because it requires a detailed map of the IP address space used on both ends of the tunnel. By simulating the connection internally, you can resolve any potential conflicts prior to an official rollout.
  • To help you interconnect two private networks, we'll:
    • Describe a network topology you can use to set up a VPN tunnel internally prior to rollout.
    • Discuss the encryption and authentication protocols that IPSec VPNs support.
    • Walk you through configuring gateway and network policies at the endpoints of an IPSec VPN tunnel.
    • Show you how to test connectivity between the local and remote private networks.

Tip: Use Group Policy to set permissions for registry keys

  • You can use Group Policy to define access permissions and audit settings for individual registry keys, and you can also take or assign ownership of keys. Open the appropriate Group Policy Object (for example, the Default Domain Policy) in the GPO Editor and expand the Computer Configuration node, then Windows Settings, then Security Settings. Click on Registry. Note that the Registry setting is missing from the local computer GPO. By default, administrators and the system have full control permissions for all keys, users have read-only permission, and the creator/owner can assign ownership of the key.

Tip: Whatís new with EFS in Windows XP/Server 2003

  • When the Encrypting File System (EFS) was introduced in Windows 2000, users were happy to have built-in support for encrypting data on the disk, but it left a bit to be desired. Microsoft has upgraded EFS in Windows XP and Server 2003 to allow you to share encrypted files with other authorized users on the local machine, in the domain or in a trusted domain. There's a catch, though: You can only share encrypted files with users who have been issued EFS certificates. A user is issued an EFS certificate the first time she encrypts a file or folder with EFS.

Tip: Use Group Policy to rename the administrator account

  • Itís a best security practice to rename the built-in administrator and guest accounts. Did you know you can use Microsoft Windows Server 2003 Group Policy to rename them? First, youíll need to create a Group Policy Object (GPO). Next, edit the GPOís properties: In the GPO Editor, expand the Computer Configuration node, then Windows Settings, then Security Settings, then Local Policies, and then select Security Options. In the right pane, doubleĖclick on Accounts: Rename Administrator Account. Select the Define This Policy Setting check box and enter the new name for the account. Then, click OK. You can do the same with the Accounts: Rename Guest Account item.

Tip: Quickly undo changes made by the Security Configuration Wizard (Microsoft Windows Server 2003 with Service Pack 1 )

  • The Security Configuration Wizard (SCW) included in Service Pack 1 for Windows Server 2003 makes it easy for you to create and apply security templates to tighten the security of your servers. If you make a mistake, though, it can be difficult to figure out exactly the changes SCW made to your servers. Your first thought might be to try to use your serverís Last Known Good Configuration, but if youíve already logged on successfully, this option will no longer undo the SCWís changes. The good news is that you can easily undo the changes made by the SCW and your policy by using the SCW command line utility, Scwcmd.
  • To roll back the changes made by the SCW:
    • 1.Open a Command Prompt window on a computer with the SCW installed.
    • 2.Enter scwcmd rollback /m:computer. You can identify the computer by using its NetBIOS name, DNS host name, fully qualified domain name, or its IP address.
  • Note: By default, Scwcmd logs you on to the computer you specify with the /m parameter using your current logon credentials. If you want to specify a different username, add the parameter /u:username to the Scwcmd syntax above.

Tip: Make security an integral part of your organization's business goals

  • Many business principals find the whole issue of organizational security rather esoteric and are generally reluctant to allocate resources to it unless they can see a return on their investment. At the same time, technical staff charged with managing organizational security often finds itself fighting an uphill battle because, without the appropriate resources, they canít do their jobs. As a result, both parties fall into a reactive rather than a proactive role, responding to incidents only when they affect critical operations.
  • In communicating your needs to upper management, it can be helpful to discuss security in terms of three distinct stages, as described here:
    • Passive. At this stage, the security team and the business principals cooperatively develop the policies and guidelines needed to protect the organizationís information.
    • Active. At this stage, the security team implements the technologies needed to support the Security Life Cycle: Detect, Assess, Respond, and protect. This stage typically requires the most resources.
    • Integrative. At this stage, security is an integral part of business decisions. To support the organizationís business goals, existing policies are revised and new security technologies are selected.

Tip: Easily generate a new encryption key to replace one that's been compromised (Microsoft Windows XP/Server 2003)

  • As you know, the Encrypting File System (EFS) can protect your data from unauthorized access by encrypting it at the file or folder level. You can easily encrypt your files or folders through the Microsoft Windows GUI.
  • Under the hood, however, EFS is a bit more complicated. Itís based on encryption keys that are in turn based on digital certificates. The first time a user attempts to encrypt a file or folder, the system automatically issues an EFS certificate for that user.
  • But, what if the userís encryption key is compromised? Fortunately, thereís a way to generate a new key, using the cipher.exe utility included with Microsoft Windows XP and Server 2003.
  • To generate a new encryption key, log in using the user account that requires the new key. Then, at the command prompt, enter cipher /k. In a moment, you should see a message notifying you of the thumbprint information for the new encryption certificate. Itís that easy!

Tip: Protect your web browser from phishing attacks

  • Spoofing is a term used to describe methods of faking various parts of the browser user interface. This may include the address or location bar, the status bar, the padlock, or other user interface elements. Phishing attacks often utilize some form of spoofing to help convince the user to provide personal information. If a user's browser is vulnerable to spoofing, they are more likely to fall victim to a phishing attack. You can search the US-CERT and CERT/CC web sites for malicious scripting and content vulnerabilities at the following URLs:
    •  http://search.us-cert.gov/query.html?qt=browser+spoof and
    •  http://search.cert.org/query.html?qt=browser+spoof.
    •  The US-CERT document ďTechnical Trends in Phishing AttacksĒ (available at
    •  http://www.us-cert.gov/reading_room/phishing_trends0511.pdf) has more information about spoofing and phishing techniques.

Tip: Don't save encrypted web pages to disk

  • When you exchange information with a secure (SSL-encrypted) web site, such as entering a username and credentials, or typing in your social security number or credit card number, this information may be saved on the local hard disk. If you're using Microsoft Internet Explorer, it's saved in your Temporary Internet Files folder. Even though the information is encrypted, if you share the computer or someone else has physical access, best security practice is not to save this information to disk.
  • You can configure IE not to save encrypted pages to disk by clicking Tools | Internet Options, clicking the Advanced tab, and scrolling down in the Settings list to check the box labeled "Do not save encrypted pages to disk." This setting is not enabled by default.

TO VISIT BUSINESS WEBSITE LINKS' INTERNET DIRECTORY
CLICK HERE---->INTERNET DIRECTORY ONLINE.COM

Home | Company Info | Pricing | Contacts | Client Directory | Computer Tips | NewsTestimonials |
Disclaimer | Our Privacy Policy | Terms of Use | Site Map

Business Website Links, LLC ē 8041 Via Hacienda ē Palm Beach Gardens ē Florida ē 33418
(561)-452-0401
ē info@businesswebsitelinks.com

Copyright ©2005 all rights reserved by Business Website Links, LLC
Web Host and Design by Business Website Links, LLC