Microsoft Windows Security
Protect your web browser from phishing attacks
- Spoofing is a term used to describe methods of faking
various parts of the browser user interface. This may include the address or
location bar, the status bar, the padlock, or other user interface elements.
Phishing attacks often utilize some form of spoofing to help convince the user
to provide personal information. If a user's browser is vulnerable to
spoofing, they are more likely to fall victim to a phishing attack. You can
search the US-CERT and CERT/CC web sites for malicious scripting and content
vulnerabilities at the following URL: http://search.us-cert.gov (use the
search term browser+spoof). The US-CERT document "Technical Trends in Phishing
Attacks" (available at http://www.us-cert.gov/reading_room/phishing_trends0511.pdf)
has more information about spoofing and phishing techniques.
Use SysKey to protect the SAM database (Microsoft Windows XP/2003)
- The Security Accounts Manager (SAM) database stores local
user account information, including user passwords in hashed form. However,
the system key that's used to encrypt the database is stored on the local
machine. This poses a security risk because a hacker might be able to access
the encryption key and decrypt the database.
- Microsoft provides a utility called SysKey that you can use
to secure the system key by moving it to a different location or setting a
password that will be required for Windows to decrypt the key and access the
- Here's how to use SysKey on a Windows NT 4.0, 2000, XP, or
Server 2003 computer:
- 1. Choose Start | Run, type cmd, and click OK to open a
command line window.
- 2. At the command prompt, type syskey and press [Enter].
- 3. A dialog box appears with a warning that once you
enable encryption, it can't be disabled. Click the Update button.
- 4. The Startup Key dialog box appears. To set a password,
select the password Startup option button, and then type and confirm a
password to be entered when the system starts up.
- 5. If you don't want to require the entry of a startup
password, click System Generated Password.
- 6. If you want to move the key off the local disk, click
Store Startup Key On Floppy Disk. Insert a floppy disk, and then click OK.
- If you choose to store the key on a floppy disk, make a
backup (or two) of the disk. Note that when you implement Syskey security,
you'll have to enter the startup password or insert the floppy disk to start
Windows, so it's very important that you don't forget the password or lose the
- Also, note that you won't be able to start the computer
remotely unless someone is present at the console to type the password or
insert the floppy disk.
Easily generate a new encryption key to replace one that's been
compromised (Microsoft Windows XP/Server 2003)
- As you know, the Encrypting File System (EFS) can protect
your data from unauthorized access by encrypting it at the file or folder
level. You can easily encrypt your files or folders through the Microsoft
Windows GUI.
- Under the hood, however, EFS is a bit more complicated.
It's based on encryption keys that are in turn based on digital certificates.
The first time a user attempts to encrypt a file or folder, the system
automatically issues an EFS certificate for that user.
- But, what if the user's encryption key is compromised?
Fortunately, there's a way to generate a new key, using the cipher.exe utility
included with Microsoft Windows XP and Server 2003.
- To generate a new encryption key, log in using the user
account that requires the new key. Then, at the command prompt, enter cipher
/k. In a moment, you should see a message notifying you of the thumbprint
information for the new encryption certificate. It's that easy!
Implement the best security measures - with the right guidance
- Keeping up with security measures to protect your
workstations and servers can be extremely time consuming. Rather than chasing
down vulnerabilities as they crop up, it may make more sense for you to step
back and take a more global approach. Microsoft's Security Guidance For
Windows Server 2003, which is available at http://www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx,
can help you get started. Here you'll find guides that address specific
Windows technologies as well as links to security resources that are more
global in nature.
Protect Windows systems against SYN flood attacks
- A SYN flood is a type of Denial of Service (DoS) attack
that overwhelms a server by sending it repeated synchronization (SYN) packets,
usually making these packets appear to come from fake or forged (spoofed)
source IP addresses. The SYN packet is normally used to establish a TCP/IP
connection as the first part of the TCP/IP handshake process. Attackers can
exploit this characteristic of the TCP/IP protocol. When the server's
connection table is full, legitimate users won't be able to connect to it.
A common defense against SYN floods is to decrease the timeout so that
connection responses time out more quickly. You can configure Windows 2000/XP
computers to do this by creating a new registry setting, as follows:
- 1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
- 2. Create a REG_DWORD value called SynAttackProtect.
- 3. Set the value data field to 2 for best protection
against SYN flood attacks.
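Added example (not part of the original tip): a PowerShell function that reads the current SynAttackProtect value and sets it to 2 only when it differs, reporting the before and after values. It assumes an elevated PowerShell 3.0 or later session; the function name and the $KeyPath parameter are hypothetical, and the caller passes in the full registry key from step 1.

```powershell
# Added example, not from the original tip.
# $KeyPath is the full registry key from step 1 in PowerShell drive form
# (HKLM:\SYSTEM\CurrentControlSet\Services\...); the caller supplies it.
function Set-SynAttackProtect {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $KeyPath,
        [int] $Desired = 2    # 2 is the value the tip recommends
    )
    $name = 'SynAttackProtect'

    # Refuse to create values under a mistyped or missing key.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }

    # Read the current value; $null means it has not been created yet.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$name } else { $null }

    if ($current -eq $Desired) {
        Write-Verbose "$name is already $Desired"
    }
    elseif ($PSCmdlet.ShouldProcess("$KeyPath\$name", "Set REG_DWORD to $Desired")) {
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -LiteralPath $KeyPath -Name $name `
            -PropertyType DWord -Value $Desired -Force | Out-Null
    }

    # Return before/after so the change can be recorded.
    $after = Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key    = $KeyPath
        Name   = $name
        Before = $current
        After  = if ($after) { $after.$name } else { $null }
    }
}
```

Running the function with -WhatIf shows the pending change without writing to the registry.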
Guidelines for protecting files on XP systems
- There are a number of ways to protect files stored on
Windows XP computers, but the available options vary with the edition of the
operating system and aren't always implemented by default. To protect files
stored on a computer running Windows XP, follow these guidelines:
- Use the NTFS file system. Both Windows XP Home and
Professional Editions support the NTFS file system, which is a more secure
and more stable file system than FAT or FAT32. To take advantage of its
security features, ensure that all partitions are formatted with NTFS.
- Use file level security to control who can access your
files from the local machine as well as across the network. Windows XP Home
doesn't support file level security by default. When logged on normally to
an XP Home computer, you won't see the Security tab on the properties sheet.
You can set NTFS permissions in XP Home by logging on as Administrator in
- Disable Simple File Sharing on standalone computers so
users must authenticate to log onto the computer across the network.
- Encrypt sensitive files with the Encrypting File System (EFS).
- The last two measures can be taken only in Windows XP
Professional Edition. In addition, Windows XP Home Edition computers can't be
members of Windows domains, which means they can't be managed through Active
Directory Users And Computers. For that reason, companies should not try to
save money by installing Home Edition instead of Professional Edition on
Streamline workgroup collaboration on your intranet with SharePoint
- The cost of creating and maintaining a secure, internal
company website from scratch is beyond the reach of most small businesses.
Fortunately, Windows Small Business Server 2003 includes SharePoint Services,
which automatically generates an elaborate company site that's easy to
customize and maintain--all without incurring any additional cost.
- To help promote collaboration and teamwork through a
SharePoint Services company website, we'll:
- List the requirements for the use of SharePoint Services.
- Describe methods to make the company site safe and
- Explore the main features of SharePoint Services so you
can confirm it meets your needs.
- Walk you through the steps to share documents on
- Demonstrate ways to organize your shared files so they're
easily accessible to visitors.
Divide administrative responsibilities for best security
- Regardless of how trustworthy your network administrator
is, the best security practice is to divide administrative tasks and
responsibilities between several people. This provides a system of checks and
balances and avoids a situation in which one person has too much power. No one
should use the built-in Administrator account to perform administrative tasks.
Instead, each administrator should be given an account with administrative
privileges. This allows you to track who made particular changes or accessed
particular files or programs. In Windows domains, you can use role-based
administration and the Delegation Of Control wizard to assign permissions for
specific administrative tasks. You should establish an incident response team
to handle security breaches that occur, instead of leaving this task to one
person or to the network administrators.
Authenticate digital signatures with PGP
- Electronic documents and email messages are becoming a commonplace way to
conduct business transactions, but it's important to be able to verify that
the author of a document or message is really the person he or she claims to
- You can use digital signatures to verify identity. This is easy to do with
programs such as Pretty Good Privacy (PGP). PGP is based on a public/private
key pair; you sign the document by encrypting it with your private key, to
which only you have access. The recipient uses your public key to decrypt it.
Note that this doesn't provide data confidentiality because the public key is
available to everyone. It does, however, ensure that it was really you who
signed it, because no one but you has the private key that's paired with that
- PGP is available in both freeware and commercial versions. You can get the
commercial version at http://www.pgp.com or the free version at http://www.pgpi.org/products/.
Validate your LAN-to-LAN VPN internally
prior to its final deployment
- Setting up a virtual private network between
your main and remote offices can be challenging because it requires a detailed
map of the IP address space used on both ends of the tunnel. By simulating the
connection internally, you can resolve any potential conflicts prior to an
- To help you interconnect two private
- Describe a network topology you can use to
set up a VPN tunnel internally prior to rollout.
- Discuss the encryption and authentication
protocols that IPSec VPNs support.
- Walk you through configuring gateway and
network policies at the endpoints of an IPSec VPN tunnel.
- Show you how to test connectivity between
the local and remote private networks.
Tip: Use Group Policy to set
permissions for registry keys
- You can use Group Policy to define access
permissions and audit settings for individual registry keys, and you can also
take or assign ownership of keys. Open the appropriate Group Policy Object
(for example, the Default Domain Policy) in the GPO Editor and expand the
Computer Configuration node, then Windows Settings, then Security Settings.
Click on Registry. Note that the Registry setting is missing from the local
computer GPO. By default, administrators and the system have full control
permissions for all keys, users have read-only permission, and the
creator/owner can assign ownership of the key.
Tip: What's new with EFS in Windows
- When the Encrypting File System (EFS) was
introduced in Windows 2000, users were happy to have built-in support for
encrypting data on the disk, but it left a bit to be desired. Microsoft has
upgraded EFS in Windows XP and Server 2003 to allow you to share encrypted
files with other authorized users on the local machine, in the domain or in a
trusted domain. There's a catch, though: You can only share encrypted files
with users who have been issued EFS certificates. A user is issued an EFS
certificate the first time she encrypts a file or folder with EFS.
Tip: Use Group Policy to rename the
- It's a best security practice to rename the
built-in administrator and guest accounts. Did you know you can use Microsoft
Windows Server 2003 Group Policy to rename them? First, you'll need to create
a Group Policy Object (GPO). Next, edit the GPO's properties: In the GPO
Editor, expand the Computer Configuration node, then Windows Settings, then
Security Settings, then Local Policies, and then select Security Options. In
the right pane, double-click on Accounts: Rename Administrator Account. Select
the Define This Policy Setting check box and enter the new name for the
account. Then, click OK. You can do the same with the Accounts: Rename Guest
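Added example (not part of the original tip): a PowerShell check that the rename took effect, which finds the built-in accounts by their well-known RIDs (500 for Administrator, 501 for Guest) rather than by name. The function name and the sample accounts are constructed for illustration, and the default names it compares against are the English ones.

```powershell
# Added example, not from the original tip.
# The built-in Administrator and Guest accounts keep RIDs 500 and 501 after
# a rename, so the SID identifies them whatever name the policy assigned.
function Get-BuiltinAccountRenameStatus {
    param(
        # Objects with Name and SID properties, e.g. Win32_UserAccount instances.
        [Parameter(Mandatory = $true)] [object[]] $Accounts
    )
    # Assumption: English default names; localized builds use other defaults.
    $defaults = @{ '500' = 'Administrator'; '501' = 'Guest' }

    foreach ($a in $Accounts) {
        # Only machine or domain account SIDs carry these RIDs.
        if ($a.SID -notlike 'S-1-5-21-*') { continue }
        $rid = ($a.SID -split '-')[-1]
        if (-not $defaults.ContainsKey($rid)) { continue }

        [pscustomobject]@{
            Role        = $defaults[$rid]
            CurrentName = $a.Name
            SID         = $a.SID
            Renamed     = ($a.Name -ne $defaults[$rid])   # comparison ignores case
        }
    }
}

# Constructed sample data: Administrator renamed, Guest still at its default.
$sample = @(
    [pscustomobject]@{ Name = 'ops-local-adm'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'Guest';         SID = 'S-1-5-21-1111111111-2222222222-3333333333-501' }
    [pscustomobject]@{ Name = 'alice';         SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
)
Get-BuiltinAccountRenameStatus -Accounts $sample | Format-Table -AutoSize

# On a live machine (PowerShell 3.0 or later):
# Get-BuiltinAccountRenameStatus -Accounts (
#     Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True")
```

Any row with Renamed set to False marks a machine where the policy has not applied yet.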
Tip: Quickly undo changes made by the
Security Configuration Wizard (Microsoft Windows Server 2003 with Service Pack 1
- The Security Configuration Wizard (SCW)
included in Service Pack 1 for Windows Server 2003 makes it easy for you to
create and apply security templates to tighten the security of your servers.
If you make a mistake, though, it can be difficult to figure out exactly the
changes SCW made to your servers. Your first thought might be to try to use
your server's Last Known Good Configuration, but if you've already logged on
successfully, this option will no longer undo the SCW's changes. The good news
is that you can easily undo the changes made by the SCW and your policy by
using the SCW command line utility, Scwcmd.
- To roll back the changes made by the SCW:
- 1. Open a Command Prompt window on a
computer with the SCW installed.
- 2. Enter scwcmd rollback /m:computer. You
can identify the computer by using its NetBIOS name, DNS host name, fully
qualified domain name, or its IP address.
- Note: By default, Scwcmd logs you on to the
computer you specify with the /m parameter using your current logon
credentials. If you want to specify a different username, add the parameter /u:username
to the Scwcmd syntax above.
Tip: Make security an integral part of
your organization's business goals
- Many business principals find the whole
issue of organizational security rather esoteric and are generally reluctant
to allocate resources to it unless they can see a return on their investment.
At the same time, technical staff charged with managing organizational
security often finds itself fighting an uphill battle because, without the
appropriate resources, they can't do their jobs. As a result, both parties
fall into a reactive rather than a proactive role, responding to incidents
only when they affect critical operations.
- In communicating your needs to upper
management, it can be helpful to discuss security in terms of three distinct
stages, as described here:
- Passive. At this stage, the security team
and the business principals cooperatively develop the policies and
guidelines needed to protect the organization's information.
- Active. At this stage, the security team
implements the technologies needed to support the Security Life Cycle:
Detect, Assess, Respond, and Protect. This stage typically requires the most
- Integrative. At this stage, security is an
integral part of business decisions. To support the organization's business
goals, existing policies are revised and new security technologies are
Tip: Don't save encrypted web pages to
- When you exchange information with a secure
(SSL-encrypted) web site, such as entering a username and credentials, or
typing in your social security number or credit card number, this information
may be saved on the local hard disk. If you're using Microsoft Internet
Explorer, it's saved in your Temporary Internet Files folder. Even though the
information is encrypted, if you share the computer or someone else has
physical access, best security practice is not to save this information to
- You can configure IE not to save encrypted
pages to disk by clicking Tools | Internet Options, clicking the Advanced tab,
and scrolling down in the Settings list to check the box labeled "Do not save
encrypted pages to disk." This setting is not enabled by default.