computertips
Sharing an Internet Connection Through Software
You don't have to invest in a dedicated router or residential gateway to share a single Internet connection and simultaneously protect your network. Using Internet Connection Sharing, you can turn a single computer with an active Internet connection into the functional equivalent of a router. The connected computer acts as the ICS host and shares its Internet connection. All other computers on the network route their Internet traffic through the ICS host computer.

ICS is most effective with high-speed (cable or DSL) connections, although it works acceptably with dial-up Internet connections. To share a broadband connection, the ICS host computer must have separate network adapters for the Internet connection and the LAN connection. The single biggest drawback of ICS, of course, is that the shared connection is available only if the ICS host computer is turned on.

Although ICS is included as a feature in Windows 98 Second Edition, Windows Me, and Windows 2000, we strongly recommend that you use a computer running Windows XP (Home Edition or Professional) as your ICS host. The security and usability features of this version of ICS are head and shoulders above those found in earlier versions of Windows. Most notably, the Internet Connection Firewall, found only in Windows XP, is tightly integrated with ICS and adds a measure of security that is unmatched in earlier versions.

NOTE
--------------------------------------------------------------------------------

The Network Setup Wizard, which runs from CD or floppy disk to set up ICS on client computers, does not work with Windows 95 or Windows 3.1. If computers running either of these operating systems are present on your network, you must configure the networking components manually to take advantage of an ICS host.
Do not use ICS on any network that includes a Windows 2000 Server (or Windows .NET Server) domain controller or any other computers running a DNS server, DHCP server, or Internet gateway. In addition, if any computers on the network are configured with static IP addresses, you may need to reconfigure them to be in the private address range that is automatically assigned by ICS.

Using ICS does not expose your computer to any security risks different from those that you should be concerned about on a computer that is directly connected to the Internet. If you're using the original release of Windows XP, however, be certain you install the security patches referred to in two Microsoft Security Bulletins: MS01-054, "Invalid Universal Plug and Play Request can Disrupt System Operation" (http://www.microsoft.com/technet/security/bulletin/MS01-054.asp) and MS01-059, "Unchecked Buffer in Universal Plug and Play can Lead to System Compromise" (http://www.microsoft.com/technet/security/bulletin/MS01-059.asp). These patches, which are also included in Windows XP Service Pack 1, fix serious security holes that could allow an attacker to exploit a weakness in the Universal Plug and Play service and shut down your computer or install a Trojan horse program. Note that any client machines that were set up on ICS by using this early release of Windows XP will also need to be patched; see the referenced bulletins for access to those patches.


Tightening Security on a Router
Adding a router to your network isn't a panacea. Simple NAT and packet-filtering capabilities can provide a baseline level of security for your network, but don't underestimate the resourcefulness and tenacity of outside attackers. A determined intruder who figures out that you're using a specific type of router can craft an attack against the router and may succeed if you aren't thorough in your preparation. To increase the security of the network, follow these tips:

Set a strong password for the router. Out of the box, every router uses a simple default password, and you can bet that every one of those default passwords is on a list that would-be attackers try right away.
Disable remote administration capabilities. Many routers allow you to connect to the router's configuration utility from inside your local network or from the outside. To block a major avenue of attack, disable the capability to manage the router from the Internet.
Configure how the router responds to unsolicited outside traffic. If you're running a server inside your network, forwarding specific ports to the IP address of the computer running the server software, you need to allow outside access to the computer. But you should disable all other unsolicited outside traffic. In particular, if you can configure the router to discard Internet Control Message Protocol (ICMP) packets from the Internet, you should do so. This step prevents outsiders from "pinging" your network and determining that the IP address exists. It also prevents an entire class of attacks that use malformed ICMP packets to cause havoc to the network.
Enable firewall or antivirus features, if available. Some routers integrate with specific antivirus and personal firewall programs. Linksys routers, for instance, work with the ZoneAlarm Pro personal firewall and Trend Micro's PC-Cillin antivirus software. Using this capability, you can enforce a security policy that allows Internet access through the router only to computers that are running either or both of these programs. Figure 15-6 shows the configuration options for this feature on an 8-port Linksys router. (Note that in this example the software does not run on the router itself, only on the client computers. Hardware firewalls that include built-in antivirus software are available, but they typically cost far more than a router intended for use on a home or small business network.)

Figure 15-6. Some routers for home networks, like this Linksys model, allow you to enforce security policies requiring antivirus or personal firewall software.
Carefully configure advanced firewall options. Every router is different. Depending on the specific capabilities of your router, you may be able to block specific incoming ports or block access to particular ports by time of day. The latter capability can be especially useful if you want to prevent kids from browsing the Web after 10:00 PM, for instance.
CAUTION
--------------------------------------------------------------------------------

Many routers include an option to place one or more computers on the local network in a DMZ—an acronym from the military term demilitarized zone. Putting a computer in this zone bypasses the router, giving it direct access to the Internet. Using this option may be the only way to make some types of connections, such as those used in multiplayer games. Just be aware that bypassing the router also gives outsiders unfiltered access to the computer in the DMZ. If you must use this option, we recommend enabling it only when you need it, and removing the local computer from the DMZ when it's no longer required.


Configuring a Router or Residential Gateway
Connecting a router to your network isn't a particularly difficult task. First plug your cable or DSL modem into the WAN port on the router; then plug the hub or switch that connects computers on your local network into the LAN port on the router. (If your router includes an integrated hub or switch, you can plug computers on your network directly into the LAN ports on the router.)

Most routers include a configuration utility, typically accessed through a Web-based interface. With the popular Linksys BEFSR41 and BEFSR81 routers, for instance, you load the configuration page shown in Figure 15-5 by typing the URL http://192.168.1.1 and entering the default password, admin.


Figure 15-5. Most routers, like this Linksys model, use a Web-based configuration utility.
The first step is to establish your Internet connection. If you normally acquire an IP address automatically through DHCP, choose this option for your router. Depending on your ISP, you might need to supply a fixed IP address, enter the addresses of DNS servers, or both. You might also have to perform additional steps, such as setting up a PPP Over Ethernet (PPPoE) logon for the router or changing the MAC (media access control) address of your router so that it matches the MAC address of your primary computer.

Troubleshooting
--------------------------------------------------------------------------------

You can't connect to the configuration page for your router

When setting up a router, you need to supply its IP address, typically by typing it into the Address bar of Internet Explorer. If your computer and the router have IP addresses on different subnets, you'll be unable to connect. Your computer should acquire an IP address automatically from the DHCP server on the router. This option will fail if the router's DHCP capabilities have been previously disabled, or if another DHCP server is running elsewhere on the network. Try any of these strategies to solve the problem:

Disconnect all other computers from the network, leaving only the LAN connection for your computer and the WAN connection enabled. Make sure your computer is set to acquire an IP address automatically and try again.
Operate the router's reset switch to apply the default settings. This should enable the DHCP capabilities again.
If all else fails, assign a temporary static IP address to your computer. Make sure this address is on the same subnet as the router, and specify the router's IP address as the gateway. For instance, if the router's address is 192.168.1.1, assign your computer the address 192.168.1.2, with a subnet mask of 255.255.255.0 and a gateway of 192.168.1.1.
Next set up the router's internal DHCP server. When this feature is enabled, the router responds to requests for an IP address from computers on your local network. You can typically specify a range of private IP addresses. Depending on the router, you may be able to map specific IP addresses to specific MAC addresses so that each computer on your network always receives the same IP address when connecting to the network.

Finally, close the configuration utility and configure each computer on the network to acquire an IP address automatically. (For computers running Windows XP, you should use the Network Setup Wizard for this task.) After confirming that the router is doing its job, you can set up advanced features, such as packet filtering and port forwarding.

INSIDEOUT
--------------------------------------------------------------------------------

Bypass ISP restrictions on servers

Some routers allow you to create virtual servers inside your network, passing specific ports through the router to a designated IP address. This capability can be a useful (but potentially dangerous) way to get around the blocks that many Internet service providers place on Web and FTP servers. You might want to run a personal Web server on which you can share photos with other family members, but access from the outside will fail if your ISP blocks port 80, the standard port used by Web servers. The solution is to configure the Web server to use a port that isn't blocked, such as 8080, and then use the router's port-forwarding features to pass all outside traffic on port 8080 directly to the IP address of the computer running the Web server. Anyone making a connection to the server will need to specify the public IP address of the router, followed by a colon and the port number. If you choose this option, be certain that you update the Web server software regularly with the latest security patches. And don't try to use this "under the radar" capability for a high-volume Web site unless you're prepared for a confrontation with your ISP.


Sharing an Internet Connection Through Hardware
The single most effective way to protect your local network from outside intruders is to place a barrier between the Internet and your LAN. Although businesses can justify sinking thousands of dollars into sophisticated hardware firewalls, you can protect your home or small business network for a fraction of that amount by installing a simple hardware router (sometimes referred to as a residential gateway). This piece of hardware sits between your network and your Internet connection (usually an external DSL or cable modem, although you can also use a conventional modem in this configuration). To the outside world, this gateway device looks like just another computer, although it's considerably more secure because it does not have any running programs or disk storage that can be attacked. Because it's always on, any computer can access the Internet at any time through the gateway device.

NOTE
--------------------------------------------------------------------------------

What's the difference between a router and a residential gateway? Very little, at least for today. A router is designed primarily for computer networks; its role is to sit at the edge of the network and serve as the secure interface between a local network and the rest of the world. Most products currently sold as residential gateways are nothing more than routers aimed at home users. Someday, residential gateways may take on more ambitious assignments and live up to their high-falutin' name by integrating video, telephony, and home control systems with PC-based home networks. For now, though, you can consider the terms essentially interchangeable.
Routers and residential gateways typically use NAT to assign private IP addresses to computers on your network, although you can also assign static IP addresses that are within the IANA-approved private IP address ranges.

INSIDEOUT
--------------------------------------------------------------------------------

Mix and match IP addresses

By default, most routers have DHCP enabled, allowing the router to dynamically assign IP addresses to computers on your network. This removes some of the hassles of administering a network, but it also creates problems if you want to allow certain ports to pass through the router and be sent directly to a specific local computer. If you power down the local computer for a few days, it may acquire a new address the next time it's turned on. To work around this problem, you can assign static IP addresses to one or more computers on your network. Be sure the addresses are in the same range and on the same subnet as those assigned dynamically by your router, and be sure to exclude the fixed addresses from the list used by the router's DHCP server.

Despite what you may read in some advertising literature, a router is not the same as a firewall. A basic router is designed to do exactly what its name implies: route packets between networks. An increasing number of routers sold for use in home and small business networks incorporate features typically found in firewalls, such as packet filtering, port blocking, and NAT. By making the individual computers on your network essentially invisible to the outside world, the router accomplishes one of the key tasks of a firewall; but your network will be much more secure if you combine this hardware solution with a software firewall. (See Blocking Attacks with a Firewall, for more details on the additional layers of protection you can expect.)

Why Your Router Should Be UPnP-Compatible
--------------------------------------------------------------------------------

When you go shopping for a router or residential gateway, you'll encounter a wide variety of options, from simple one-port routers to pricey devices that incorporate software firewalls and virtual private network (VPN) technology. For any router that you intend to use with computers running Windows XP, we recommend that you study the specifications carefully and make certain it supports the Universal Plug and Play (UPnP) standard. The first generation of UPnP routers (including firmware upgrades to add UPnP support to older routers) hit the streets in early 2002. Many hardware makers have been deliberately cautious about introducing this capability, especially after the announcement of a serious security problem with UPnP in the initial release of Windows XP. Linksys (http://www.linksys.com) and D-Link (http://www.dlink.com) were among the first companies to release UPnP-compatible routers. By the time you read this, other manufacturers will no doubt have followed suit.

A router that supports UPnP can offer a variety of features designed to streamline administrative tasks. With UPnP, for instance, other computers on the network can automatically sense that the router is available and configure their Internet connections without any effort on your part. Administrators can also use UPnP features to configure and manage the router without having to remember specific IP addresses or load custom software.

The most important benefit of UPnP, however, is its support for NAT traversal. With a router or residential gateway that doesn't support UPnP, the use of private addresses makes it impossible for communications programs like Remote Assistance to establish a connection. Likewise, the use of NAT makes it impossible for Windows Messenger users to communicate using audio or video features. With UPnP, the router understands how to work seamlessly with private network addresses and can maintain these connections properly.

If you have an older router that doesn't work properly with these types of applications, you may want to replace it with a newer, UPnP-compatible device. Before you go to that trouble, though, be sure to check with the hardware manufacturer. You may be pleasantly surprised to find that UPnP features are available with a simple firmware upgrade.


Adding a Direct Internet Connection to Your LAN
Safely sharing an Internet connection requires at least a slight investment in extra hardware. Routers and residential gateways cost more than simple network hubs or switches. The less expensive Internet Connection Sharing option requires that you install a second Ethernet adapter on the computer that will serve as the ICS host. Windows users with a broadband connection and a very tight budget might be tempted to cut corners by plugging a cable or DSL modem directly into the network hub or switch. In this configuration, every user acquires an IP address directly from the ISP and uses the same Ethernet adapter to communicate over the Internet and across the local network.

Without additional precautions, this configuration is horrendously insecure. An intruder who breaks in to any computer on the network has access to the entire network. In Windows XP, the Network Setup Wizard first delivers a warning message (shown in Figure 15-4, earlier in this chapter) and then enables the Internet Connection Firewall. This solution eliminates the threat of outside attack; unfortunately, it also blocks communication with other computers on your LAN. If you insist on using this configuration, you should employ one of the following options to protect yourself:

Disable ICF and install a third-party firewall. (You'll find a list of firewall programs in "Choosing a Third-Party Personal Firewall".) Unlike the bare-bones ICF, a full-featured firewall product typically allows you to define security zones. Configured properly, the firewall should allow you to freely exchange data among computers on the local network while blocking all unsolicited inbound traffic on the Internet connection.
Disable file and printer sharing on the TCP/IP protocol for each computer on your network and instead enable sharing over the NetBEUI or IPX/SPX protocol. (This procedure is documented fully in Protocols and Other Software Components.) By using a protocol other than TCP/IP for local network traffic, you can leave ICF enabled, keeping your Internet connection protected while still sharing files and other resources.


Adding Firewall Protection
After disabling file and printer sharing services, your next responsibility is to install a personal firewall to block unsolicited inbound traffic on the Internet connection. In Windows 2000, you must use a third-party product for this task because the operating system doesn't include any firewall features. In Windows XP, you can use a third-party product, but you remain perfectly secure with the help of the built-in ICF. We explain the ins and outs of firewalls in Blocking Attacks with a Firewall, so we won't repeat those details here. In this section, we focus instead on how to work around some of the occasionally confusing choices that the Windows XP Network Setup Wizard offers when you add an Internet connection to your LAN.

To start the wizard, open the Network Connections folder and choose File, Network Setup Wizard. After you click through its two introductory screens, the wizard displays the dialog box shown in Figure 15-2. The first two options assume that you're sharing an Internet connection over your network using either a hardware router or a computer running Internet Connection Sharing software. As we explain later in this chapter, this is indeed the safest and simplest way to add Internet access to a LAN.


Figure 15-2. If your computer is connected directly to the Internet and a LAN, choose the Other option.
If your computer has both a direct physical connection to the Internet and a LAN connection, choose the Other option and click Next. In the Other Internet Connection Methods dialog box, shown in Figure 15-3, select the top choice, This Computer Connects To The Internet Directly Or Through An Internet Hub, and click Next to continue.


Figure 15-3. If other network users are not accessing the Internet through your computer, choose the top option from this list.
The wizard next presents a list of available network connections, making its best guess as to which one represents the connection to the Internet. Confirm that the Internet connection is selected (in the example shown here, we've made identification easier by giving each network connection a descriptive name) and click Next to continue.


Before completing its task, the wizard displays the dire warning shown in Figure 15-4.


Figure 15-4. If your Internet connection is firewalled and you're confident that no other network computers have Internet access, you can proceed despite this warning.
Although the warning is generally accurate, you may safely disregard it and continue if you meet either or both of the following conditions:

You are certain that no other computer on your network has an active Internet connection or that all other Internet connections are protected by a firewall.
You have disabled the TCP/IP protocol on your LAN connection and are using a non-routable protocol such as IPX/SPX or NetBEUI.
If there is any chance that another computer on your network can connect to the Internet without the protection of a firewall, you run the risk that an intruder can break in to that computer and then access resources on your computer using your TCP/IP-based LAN connection. If you're confident this can't happen, click Next and finish the wizard. After prompting you for the computer and workgroup names, the wizard enables the ICF on the Internet connection but leaves the network connection open so that you can share resources across your local network.


Configuring a Broadband Connection
With broadband connections, the task of preventing anonymous intruders from browsing shared folders and other resources on your LAN is trickier. In this configuration, you have two Ethernet adapters—one providing connectivity to your LAN, the other connecting you to the Internet. Windows automatically enables file and printer sharing on all Ethernet connections, and even the Network Setup Wizard in Windows XP does not disable sharing. Thus, your first priority should be to shut down this service on the Internet connection, while leaving it in place on the LAN connection. To do so, follow these steps:

Open the Network Connections folder (Windows XP) or the Network And Dial-Up Connections folder (Windows 2000). You should see at least two Local Area Connection icons.
Right-click the icon for your Internet connection and choose Properties from the shortcut menu.
INSIDEOUT
--------------------------------------------------------------------------------

Tell your connections apart

When you have two or more network connections, how can you tell which is which? Windows isn't much help—it applies the generic label Local Area Connection for each one, tacking a number onto the end of the name for the second and subsequent connections. If the network adapter and the IP address don't give you enough information, try this easy shortcut: Right-click one icon and choose Disable from the shortcut menu. Leaving the other icon enabled, try to connect to a Web page. If you see an error message in your browser window, you know that the disabled icon belongs to your Internet connection and the other one goes with your local network. If the page appears, the roles are reversed. Armed with this information, right-click each icon in turn and choose Rename; then enter a descriptive label for each one so that you won't have to go through this rigmarole the next time you visit the Network Connections folder!

On the General tab, clear the check box to the left of File And Printer Sharing For Microsoft Networks.

Click OK to save your changes.


Using Direct Internet Connections on a LAN
Is the local network connection to your computer physically separate from your Internet connection? Is the Internet connection yours and yours alone? If the answer to both of these questions is yes, your security challenge is simple: Make sure that data packets from outside can't reach your computer (and your network) unless you specifically request them. To be sure your two connections remain separate, you need to disable file sharing and install a firewall on the Internet connection.

Configuring a Dial-Up Connection
By default, both Windows 2000 and Windows XP disable the File And Printer Sharing service when you create a new dial-up connection. To confirm that your existing dial-up connection is secure, follow these steps:

Open the folder that contains your dial-up connections. In Windows 2000, click Start, Settings, Network And Dial-Up Connections. In Windows XP, double-click the Network Connections icon in Control Panel (if you use Category View, look under Network And Internet Connections).
Right-click the icon for your dial-up connection and choose Properties.
On the Networking tab, ensure that the File And Printer Sharing For Microsoft Networks box is not selected. Figure 15-1 shows this dialog box as it appears in Windows 2000; the Windows XP version is nearly identical.

Figure 15-1. Make certain that file and printer sharing is disabled on any dial-up connections.


Connecting Your Network to the Internet
When bringing the Internet into your network, you can choose any of the following configurations:

Each computer has its own physical connection to the Internet. If you're limited to dial-up speeds and each computer has its own modem and access to a telephone line, this option is simple, direct, and quite inexpensive. With broadband connections such as a cable modem or a digital subscriber line (DSL), the cost of multiple physical connections (including hardware for each computer) can be prohibitive, and the task of installing multiple connections can be daunting. In either case, you need to take extra steps to ensure that outsiders are blocked from accessing your network, as we explain in Using Direct Internet Connections on a LAN.

Each computer has a direct connection to the Internet through a network hub or switch. In this configuration, your external DSL or cable modem is plugged into a hub or switch, as are all computers on the network. Microsoft strongly recommends against using this setup, and so do we. For starters, it will work only if your Internet service provider is willing and able to supply separate IP addresses to each computer. (Some ISPs limit customers to a single IP address or charge extra for each additional address.) Because each computer is communicating with the Internet and the local network using the same TCP/IP connection, this configuration has the potential to leave your network wide open to outside attackers. If you understand the risks and choose this configuration anyway, be sure to tighten security by using the techniques we outline in Adding a Direct Internet Connection to Your LAN.

All computers on the network are connected to a router or residential gateway. This configuration is probably the most secure you can choose for a small business or home network and is the one we strongly recommend. The hardware router serves as your gateway to the Internet, using Network Address Translation (NAT) to supply private IP addresses to computers on the local network. The router distributes all TCP/IP traffic from the network to the outside world and then routes the returning packets to their correct destination. To the outside world, your entire network appears as a single computer with its own IP address. We explain the best strategies for securing this network configuration in Sharing an Internet Connection Through Hardware.

All computers on the network are connected to a single computer running Internet Connection Sharing (ICS). ICS, which has been a part of every version of Windows since Windows 98 Second Edition, transforms the computer that is running ICS into the functional equivalent of a hardware router. Like a router, ICS uses NAT to assign private IP addresses to every computer on the network and then manages the flow of TCP/IP traffic to and from the Internet. Using ICS requires that you accept a few compromises, most notably that you leave the ICS host machine turned on at all times. In Windows XP, ICS is tightly integrated with the Internet Connection Firewall (ICF); we explain the configuration do's and don'ts in Sharing an Internet Connection Through Software.

How Network Address Translation Works
--------------------------------------------------------------------------------

When you connect to the Internet directly, using a dial-up modem or broadband connection, your ISP typically assigns you an IP address from a pool of addresses that it owns. These addresses are public; their location is listed in routing tables that are freely available on the Internet to guide packets of data as they move from point to point. When you click on a link to a Web page or check for new messages on your email server, the outgoing packet includes your IP address; the server on the other end of the connection sends the data to that address, and the Internet sees to it that those packets are routed to your computer properly.

On a home or small office network, having a unique public IP address for every computer is unnecessary and possibly dangerous. By sharing an Internet connection instead, you can get by with a single public IP address assigned to a single hardware device (a computer running ICS or a router or residential gateway). Each of the computers on the local network has a private IP address that is not reachable from the outside world but is known to other computers on the local network. To communicate with Web sites, email servers, and other Internet hosts, computers on the network funnel their requests through the computer or router on the edge of the network—the one with a public IP address. As each packet goes out onto the Internet, the gateway machine makes a note of where it came from. When the return packets arrive, the gateway machine uses a technology known as Network Address Translation (NAT) to pass those packets back to the correct private IP address on the network.

The Internet Assigned Numbers Authority (IANA) has reserved three blocks of the IP address space for use on private networks that are not directly connected to the Internet:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Routers, switches, and residential gateways that use NAT almost always assign addresses from these private ranges. The Internet Connection Sharing feature in Windows XP (as in previous versions of Windows), for instance, assigns private IP addresses in the 192.168.0.x range (where x is a randomly assigned number between 1 and 255). The RG-1000 residential gateway from Agere Systems assigns addresses in the 10.0.0.x range, and Linksys routers typically assign addresses starting with 192.168.1.x. Unlike public IP addresses, which must be unique across the entire Internet, private IP addresses need be unique only on your local network.

Using private IP addresses offers a significant security advantage because the computer or router that is managing the connection via NAT can inspect each incoming packet and decide whether to forward it or drop it. If a computer on the local network requested the connection, the NAT gateway will forward it; on the other hand, if a computer outside the network is trying to make a hostile (or at least unwanted) connection, the gateway assumes that the traffic is unsolicited and discards it.
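The bookkeeping described above can be modelled in a few lines. This is an added example, not code from the original text or from Windows: the class name, the port numbering, and every address are constructed for illustration, and real gateways also expire table entries and differ in how strictly they match replies.

```python
import ipaddress
from dataclasses import dataclass, field

# The three IANA private blocks listed above, in CIDR form.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls in one of the three reserved private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_BLOCKS)


@dataclass
class NatGateway:
    """Simplified port-translating gateway (hypothetical model, no timeouts)."""
    public_ip: str
    next_port: int = 50000  # first public port handed out (constructed value)
    # (private_ip, private_port, remote_ip, remote_port) -> public_port
    outbound: dict = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
    inbound: dict = field(default_factory=dict)

    def send_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet and note where it came from."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private LAN address")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        # The Internet host only ever sees the gateway's public address.
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def receive(self, remote_ip, remote_port, public_port):
        """Return the private (ip, port) a reply belongs to, or None to drop it."""
        return self.inbound.get((public_port, remote_ip, remote_port))


def demo():
    gw = NatGateway("203.0.113.5")  # constructed public address
    results = {}
    # A LAN computer opens a Web connection; the gateway translates it.
    results["translated"] = gw.send_out("192.168.0.2", 1025, "198.51.100.10", 80)
    # The Web server's reply matches the noted connection and is forwarded.
    results["reply"] = gw.receive("198.51.100.10", 80, 50000)
    # A different outside host tries the same public port: no entry, dropped.
    results["unsolicited"] = gw.receive("198.51.100.66", 4444, 50000)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```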

Troubleshooting
--------------------------------------------------------------------------------

When you check your IP address, it appears in the range 169.254.x.y and you can't access the Internet.

This range of addresses is assigned by your computer using a feature called Automatic Private IP Addressing (APIPA). APIPA kicks in only when no DHCP server is available. If you're using Internet Connection Sharing or a router or residential gateway that automatically assigns IP addresses, your computer is unable to acquire an IP address from the gateway. This problem is often caused by a faulty network connection or a firewall that is configured incorrectly. Start the Windows Help And Support Center (in Windows 2000, use Windows Help) and run through the troubleshooter to repair your network connection.

If you use Windows 2000, you must set all security and sharing options for your network manually; in Windows XP, the Network Setup Wizard does the grunt work of configuring TCP/IP settings, installing and configuring Internet connections, setting up Internet Connection Sharing (if your network doesn't include a router or residential gateway), and enabling ICF on Internet connections. In most cases, the wizard's default settings are correct and you should avoid tampering with them. In a few unusual configurations, however, you might need to tweak connection settings to achieve the result you want.


Sharing an Internet Connection
Protecting a local area network in a home or small office is relatively easy. You can sit down in front of each computer to check its security settings, and you can stroll down the hallway and see exactly who's using each computer on the network. But all that changes as soon as you connect your network to the Internet.

Unless you carefully consider security when configuring your Internet connection, you could end up inadvertently extending the borders of your local area network far beyond those you intended. In a worst-case scenario, where your Internet connection is inadequately protected and you haven't installed the latest security patches for Microsoft Windows, a stranger from halfway around the world could join your network, which would then no longer seem nearly so local. Given enough time and motivation, an attacker from the outside could poke around in confidential data, sabotage files, or hijack your connection and use it as a launching pad for attacks on other Internet hosts.

As we explain in this chapter, you can choose from a wide range of options for connecting your local network to the Internet. Cost and complexity are the two considerations that most people focus on first, but we believe security should be at the top of your list.

Security Checklist
--------------------------------------------------------------------------------

Here's a list of steps you should be sure to take in securing your network's Internet connection.

Add a router or residential gateway to your network, or use Internet Connection Sharing. Either solution uses Network Address Translation (NAT) to hide your local computers from the outside world and thereby increase your network's security.
Disable file and printer sharing on your Internet connection.
Add a personal firewall to protect your Internet connection from outside attacks. If you have Windows XP, the Network Setup Wizard performs this task automatically.
If you have a router that doesn't support Universal Plug and Play (UPnP), look for a UPnP-compatible firmware upgrade or consider replacing the hardware.
Set a strong password on your router.
Disable access to Web-based administrative tools from the Internet.


Managing Passwords
Our discussion so far has focused specifically on Windows logon passwords. Indeed, a user's logon password is one of the most important to protect because with it comes access to all the user's certificates, network resources, and Internet passwords as well as access to a local computer and its resources. In other words, if your logon password is compromised, a malicious user instantly has access to virtually all the same resources that are normally yours alone.

However, passwords (sometimes in combination with a user name, sometimes not) are also used to control access to all kinds of information: network resources, Web sites, online accounts, subscription-based data. The list goes on and on.

The cardinal rules of effective passwords—use a strong password and change it frequently—make entering and keeping track of your password for each account hard enough. But another commonly espoused rule—use a different password for each account—exponentially compounds the difficulty of managing passwords. The reason for this rule, of course, is simple: If you use the same password for all your accounts and it is compromised, the person who has your password has access to all your protected information. Rather than advocating strict adherence to this rule, however, we suggest a more manageable three-level approach:

Use a secure password for your Windows logon and for any Web site or account that stores valuable financial or personal information. This would include bank and brokerage accounts, for example. These passwords should follow all the rules for strong passwords detailed earlier in this chapter. Use a separate secure password for each account.
Use a private password for accounts on sites where you shop or have a paid subscription. This password should be relatively strong, but because your personal financial well-being and privacy are not at risk if it's cracked, you don't need to go overboard. (The worst that can happen? Someone sees your shopping history or freeloads off your paid subscription.) You can reuse this password on any site that uses a secure server.
Use a throwaway password for any of the numerous sites that force you to register and log on but retain no personally identifiable or valuable information. Reuse this password for all such sites.
This approach still forces you to keep track of a whole collection of passwords. Avoid the temptation to write them all down and stick them to your monitor! You should also avoid keeping the passwords in an unencrypted file of any type. If someone manages to find the file on your computer (or finds the floppy disk with the file's backup copy), you're in trouble.

A no-cost solution is to keep a master list of all your passwords in a text file (or other document type if you prefer) and encrypt the file. Keep a copy of the file in a secure location away from your computer. (If you use the built-in Encrypting File System to encrypt the file, remember that the file is automatically decrypted when you—but not another user who finds the file on your hard drive—copy the file to a floppy disk. Therefore, if you use a floppy disk or other removable medium to store the backup copy, keep it under lock and key.) A better solution is to use one of the many free or low-cost password-management programs. For example, with Password Corral, a terrific free program from Cygnus Productions, you store a list of user name/password combinations along with descriptive notes, and it scrambles the list using 128-bit encryption. You unlock the list with a master password of your choosing. (You definitely want a strong one here.) As shown in Figure 3-12, this program optionally encrypts the on-screen display to prevent passersby from stealing your passwords.

TIP
--------------------------------------------------------------------------------

Use Stored User Names And Passwords in Windows XP Professional

Windows XP has a feature called Stored User Names And Passwords that helps to manage logon credentials for various resources, such as a shared folder in an untrusted domain or a Web site that requires a password or certificate. When you attempt to connect to such a resource, Windows offers the logon credentials for that resource as saved in Stored User Names And Passwords. Only if that fails (either because the credentials are invalid or because you haven't previously saved credentials for the resource) does Windows prompt you to enter your user name and password. For this reason, users of computers running Windows XP face far fewer logon prompts than users of Windows 2000, which does not have a comparable credentials manager. By safely storing as part of a user profile the logon credentials for other domains, Web sites, and workgroup computers, Windows XP users approach the goal of a single sign-on experience.

Note that Stored User Names And Passwords offers logon credentials only to target computers that use an integrated authentication package, such as NTLM, Kerberos, or Secure Sockets Layer (SSL). Therefore, it works with Web sites that use SSL, but not with sites that require you to enter a credential through other means. Stored User Names And Passwords also works with Passport.

You can save credentials in Stored User Names And Passwords in either of two ways: Select the Remember My Password check box in the logon dialog box, or enter credentials manually into Stored User Names And Passwords.

To manage your stored credentials, open Stored User Names And Passwords, as follows: If your computer is not joined to a domain, in Control Panel open User Accounts, select your account, and then click Manage My Network Passwords (in the task pane). If your computer is joined to a domain, in Control Panel open User Accounts, click the Advanced tab, and click Manage Passwords. In the Stored User Names And Passwords dialog box, you can add, delete, or review credentials for various resources.

If you use Windows XP Home Edition, you can't add credentials (you can only delete or review credentials that Windows has added automatically) or store logon credentials for domain resources; the primary use of Stored User Names And Passwords in Home Edition is for Passport credentials.


Figure 3-12. Password Corral optionally encrypts the on-screen display of user names and passwords so they can't be gleaned by passersby.
A Web search for "password management" turns up a number of good programs. Here are two that we've tried and recommend:

Password Corral, from Cygnus Productions (http://www.cygnusproductions.com/freeware/pc.asp)
Passphrase Keeper, by Boris Zibrat (http://www.passphrasekeeper.com/)


Using Other Methods for Recovering Lost Passwords
If you don't have a Password Reset Disk and you don't know the password for an administrator account, you can resort to various hacker tricks to try to get back into your computer.

The first one offers an easy method for logging on if your computer's system drive is formatted as FAT or FAT32. It relies on the fact that, after the logon screen has been displayed for a while with no keyboard or mouse activity, Windows starts a screen saver named Logon.scr, running that program in the context of the System account. By substituting a different program for Logon.scr, you can use that program without logging on. Here are the steps to perform this exploit:

Boot from a Windows or MS-DOS boot floppy disk.
Enter the following commands to change to the %SystemRoot%\System32 folder, rename Logon.scr, and then make a copy of Cmd.exe (the command processor that normally appears as a Command Prompt window) named Logon.scr:
cd \windows\system32
ren logon.scr logon.sav
copy cmd.exe logon.scr
Remove the floppy disk and restart your computer.
Wait until the "screen saver" kicks in; you'll see a Command Prompt window instead.
In the Command Prompt window, type net user administrator password (where password is the password you want to assign to the Administrator account).
Log on as Administrator using your new password.
TIP
--------------------------------------------------------------------------------

Use NTFS-formatted volumes

The little trick described here provides just one example of the relative insecurity of FAT32 vs. NTFS volumes. NTFS is the basis of much of the security and reliability of Windows 2000 and Windows XP. If you're interested in security, all your hard disk partitions should be formatted with NTFS.

If your computer's boot volume is formatted as NTFS, using this trick is considerably more difficult. You'll need to purchase a program such as NTFSDOS Professional (http://www.winternals.com/products/repairandrecovery/ntfsdospro.asp), which lets you read and modify files on NTFS volumes while booted into MS-DOS. Even with this utility, an intruder will be unable to access the contents of encrypted files stored on an NTFS volume.
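A defender can check for the Logon.scr substitution described in the steps above by comparing file hashes. The following is an added example, not part of the original text: the function names are hypothetical, the known-good hash is something you would record from a trusted installation, and the sample directory contains constructed dummy bytes rather than real Windows binaries.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file's contents, as a hex string."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_logon_screensaver(system32, known_good_sha256=None):
    """Return a list of findings for the logon screen saver in system32."""
    system32 = Path(system32)
    scr = system32 / "logon.scr"
    cmd = system32 / "cmd.exe"
    sav = system32 / "logon.sav"
    findings = []
    # The steps above rename the original, so a leftover copy is a clue.
    if sav.exists():
        findings.append("logon.sav exists (a renamed original screen saver?)")
    if not scr.exists():
        findings.append("logon.scr is missing")
        return findings
    scr_hash = sha256_of(scr)
    # The substituted file is simply a copy of the command processor.
    if cmd.exists() and scr_hash == sha256_of(cmd):
        findings.append("logon.scr is a byte-for-byte copy of cmd.exe")
    # Any other replacement shows up as a mismatch against the recorded hash.
    if known_good_sha256 and scr_hash != known_good_sha256.lower():
        findings.append("logon.scr does not match the known-good hash")
    return findings


def build_sample_dir(tampered):
    """Create a constructed stand-in for System32 plus its known-good hash."""
    root = Path(tempfile.mkdtemp())
    original = b"MZ constructed logon screen saver"
    (root / "cmd.exe").write_bytes(b"MZ constructed command processor")
    if tampered:
        (root / "logon.sav").write_bytes(original)
        (root / "logon.scr").write_bytes((root / "cmd.exe").read_bytes())
    else:
        (root / "logon.scr").write_bytes(original)
    return root, hashlib.sha256(original).hexdigest()


if __name__ == "__main__":
    for tampered in (False, True):
        folder, good = build_sample_dir(tampered)
        print(tampered, audit_logon_screensaver(folder, good))
```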

If you're still in need of a password-recovery solution, the next step is to try a password-cracking program. These programs use a variety of methods to try to crack the Security Accounts Manager (SAM), the database in which password information is stored. The programs are most effective if you log on using a different user account (preferably one with administrator privileges), in which case they'll try everything: dictionary attacks; extracting password hashes from the SAM or, better yet, from memory; and brute-force attacks, where every possible combination of characters is tried. But some can work after booting from a floppy disk, after booting into another operating system (if your computer has multiple operating systems installed), or from another computer on the network.

If you need to recover a lost password (or you want to see firsthand how vulnerable your computer is to attack), put on your black hat and try one or more of the following tools, which give an excellent perspective of how hacking tools work.

Winternals Locksmith (http://www.winternals.com/products/repairandrecovery/locksmith.asp)
ElcomSoft Advanced NT Security Explorer (http://www.elcomsoft.com/antexp.html)
LC3, the latest version of L0phtcrack (http://www.atstake.com/research/lc3/)
Offline NT Password & Registry Editor, by Petter Nordahl-Hagen (http://home.eunet.no/~pnordahl/ntpasswd/)
Windows XP / 2000 / NT Key (http://www.lostpassword.com/windows-xp-2000-nt.htm)
John the Ripper (http://www.openwall.com/john/)
Some password-cracking utilities are used by and were even created by some rather unsavory characters, and they certainly won't be branded with Microsoft's "Designed for Windows XP" logo!

We recommend that you try one or more of these programs, even if you haven't forgotten your password. The experience is a real eye-opener, and it might convince you that strong (very strong!) passwords are essential. (An important secondary lesson here is that physical security of your computer is paramount.) Figure 3-11 shows Advanced NT Security Explorer in action.


Figure 3-11. Programs like this one can use brute-force methods to try millions of combinations in short order.
You'll probably be shocked and amazed at how quickly these programs are able to successfully recover passwords. If you can get physical access to a computer and somehow log on, you can crack almost any password in less than a day. Most passwords take only a few hours, and weaker ones are revealed in minutes. The publisher of L0phtcrack reports that in one large company, where strong-password policies were in place, L0phtcrack recovered 18 percent of the passwords in only 10 minutes and had 90 percent of the passwords in 48 hours—running on a lowly 300 MHz Pentium II.

For more information about tools and techniques for recovering passwords, you'll find some excellent information at http://www.password-crackers.com/.


Using a Password Reset Disk
If you use Windows XP—and if you do a little advance preparation—recovering from a forgotten password is easy (and secure). Windows XP lets each user create a Password Reset Disk, a floppy disk with which users can log on without knowing their password. To create a Password Reset Disk, you need to know your current password; otherwise, someone could create such a disk at your computer when you've stepped away.

NOTE
--------------------------------------------------------------------------------

You can make a Password Reset Disk only for your local user account. If your computer is joined to a domain, you can't create a Password Reset Disk as a back door to your domain logon password. However, in a domain environment a domain administrator can safely change your password, and you'll still have access to your encrypted files.
To create a Password Reset Disk, follow these steps:

Log on using the account for which you want to create a Password Reset Disk.
In Control Panel, click User Accounts.
If you're logged on as an administrator, click your account name.
Click Prevent A Forgotten Password (in the task pane under Related Tasks) to start the Forgotten Password Wizard.

Because anyone with physical access to your computer can use your Password Reset Disk to usurp your account, be sure to store the disk in a secure location away from the computer. (Not too far away, of course. You never know when you'll need it.)

When you attempt to log on and can't remember your password, Windows XP displays a message that includes a Use Your Password Reset Disk link (if your computer is configured to use the Welcome screen) or a Reset button (if you're not using the Welcome screen). Click the link or button to launch the Password Reset Wizard. The wizard prompts you to insert your Password Reset Disk and then asks you to create a new password. Log on using your new password and return your Password Reset Disk to its safe storage place.

TIP
--------------------------------------------------------------------------------

Even if your computer is joined to a domain, you might want to create a Password Reset Disk for one of your computer's local user accounts. To do that, log on as the local user. Press Ctrl+Alt+Delete to open the Windows Security dialog box. Click Change Password, and then click Backup to launch the Forgotten Password Wizard.


Recovering a Lost Password
If you can't log on to a computer because you don't know the password, you're not alone. Forgetting passwords is one of the most common problems users face, especially if they've gone to the trouble of creating strong ones. If the computer is yours, finding that password is called "recovering a lost password." If the computer is not yours, the process is called "cracking." Either way, the tools and procedures are much the same. If you find yourself in this situation, you might need to explore the murky underworld of hackers to find the tools and techniques you need.

Traditionally, the best and fastest solution is for an administrator to log on to the computer and reset your password using any of the available account-management tools. This continues to be a viable solution for Windows 2000, but it comes with a huge caveat in Windows XP: If an administrator changes or removes another user's password, that user loses all personal certificates and stored passwords for Web sites and network resources. Without the personal certificates, the user has no access to his or her encrypted files or to e-mail messages encrypted with the user's private key. Windows XP deletes the certificates and passwords to prevent the administrator who makes the password change from gaining access to them.

Troubleshooting
--------------------------------------------------------------------------------

You can't access your encrypted files because an administrator changed your password.

When an administrator removes or changes the password for your local account on a computer running Windows XP, you no longer have access to your encrypted files and e-mail messages. That's because your master key, which unlocks your personal encryption certificate (which, in turn, unlocks your encrypted files), is encrypted with a hash of your password. When the password changes, the master key is no longer accessible. To regain access to the master key (and, by extension, your encrypted files and e-mail messages), change your password back to your old password. Alternatively, use your Password Reset Disk (see the next section) to change your password.

When you change your own password (through User Accounts or with your Password Reset Disk), Windows uses your old password to decrypt the master key and then re-encrypts it with the new password, so your encrypted files and e-mail messages remain accessible.

Microsoft Knowledge Base article Q290260 provides more information about recovering from this situation.
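The dependency between the password and the master key can be shown with a small model. This is an added example, not Windows code: PBKDF2 and the HMAC-based stream cipher are stand-ins chosen so the example runs with the standard library alone, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def _derive(password, salt):
    """Derive separate encryption and MAC keys from the password."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (stand-in cipher for this model only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(master_key, password):
    """Encrypt the master key under a key derived from the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    stream = _keystream(enc_key, nonce, len(master_key))
    ct = bytes(a ^ b for a, b in zip(master_key, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap(blob, password):
    """Return the master key, or None if the password is not the wrapping one."""
    enc_key, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


class LocalAccount:
    def __init__(self, password):
        self.password = password  # stands in for the logon credential
        self._blob = wrap(os.urandom(32), password)

    def master_key(self):
        """What the user can unlock at logon with the current password."""
        return unwrap(self._blob, self.password)

    def change_own_password(self, old, new):
        # The user supplies the old password, so the key can be re-wrapped.
        key = unwrap(self._blob, old)
        if key is None:
            raise ValueError("old password is wrong")
        self._blob = wrap(key, new)
        self.password = new

    def admin_reset(self, new):
        # The administrator never knew the old password: the wrapped key
        # stays as it was and no longer matches the logon password.
        self.password = new


if __name__ == "__main__":
    acct = LocalAccount("old pass 1!")
    acct.change_own_password("old pass 1!", "new pass 2!")
    print("after own change:", acct.master_key() is not None)
    acct.admin_reset("set by admin")
    print("after admin reset:", acct.master_key() is not None)
```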


Establishing and Enforcing Password Policies
To ensure that you and other users on your network don't leave the password door wide open, you should establish (and follow!) some effective logon password policies and guidelines. As we explain here, you can use security settings in Windows to enforce some of these policies; for others, user education is the key.

For best security, we recommend the following:

A password should be required for all user accounts. At the very least, enforce this rule for members of the Administrators group.
Passwords must be at least eight characters long. Shorter passwords are more easily cracked.
INSIDEOUT
--------------------------------------------------------------------------------

Use at least 15 characters for best security

In Windows XP and Windows 2000, passwords can be up to 127 characters long. (In Microsoft Windows NT, the limit was 14 characters.) Longer passwords become exponentially more difficult to crack, but they have another seldom-documented benefit. The LAN Manager (LM) password hash, a relatively insecure method of storing passwords used in early network operating systems, is stored incorrectly in Windows XP/2000 if the password is at least 15 characters long. An identical LM hash value is used for any password longer than 14 characters. This little-known fact was discovered by Urity of Security Friday (http://www.securityfriday.com).

As a result, any password cracker that relies on LM hash extraction (as do many of those we discuss later in this chapter) will not work. Similarly, if an attacker coaxes your computer to log on using weak LM authentication, your password will not be exposed. (Windows 2000 falls back to LM authentication if Kerberos V5 or NTLM are unavailable; for details, see Controlling the Logon and Authentication Process.)

Unfortunately, you can't use password policies (discussed next) to enforce a 15-character minimum length. You can't specify a minimum length greater than 14 characters.

Passwords must be complex. They should contain characters of at least three of these four types: uppercase letters, lowercase letters, numerals, and symbols. This stymies dictionary attacks, causing password crackers to rely on brute-force methods or other techniques.
TIP
--------------------------------------------------------------------------------

Use spaces

You can use any character in a Windows logon password, including spaces. With one or more spaces in a password, it's easier to come up with a long yet memorable password; you might even incorporate several words separated by spaces and other symbols. Don't use a space as the first or last character of your password, however; some applications trim spaces from these positions.

Passwords should not contain any form of your name or user name. Because so many users have passwords based on this weak scheme, password-cracking programs are trained to try these variants very early in the process.
Passwords should be changed at least every 90 days. The attacker's best friend is time. When dictionary attacks don't work, a determined thief can use brute-force techniques to try every combination of letters, numbers, and characters in the hope of finding one that works. This task can take months, but it will eventually pay off if you never change your password.
Passwords should not be written down and stored in plain view. Not all attacks come from scurrilous characters connected to your computer only by the Internet. If your password is written on a sticky note and stuck to your monitor, anyone who walks by your computer can copy it.
Even if you convince everyone who uses your computer to use passwords, you can be sure that they won't always follow the secure practices of creating strong passwords and changing them often. To be sure that these guidelines are followed (except for the last one, which relies on user education and monitors that repel sticky notes), you can set security policies using the Local Security Settings console.

To start Local Security Settings, type secpol.msc at a command prompt. To see the policies that set password behavior for all accounts, open Security Settings\Account Policies\Password Policy. Double-click a policy to set its value, as shown in Figure 3-10. Table 3-3 explains each policy.


Figure 3-10. Local Security Settings lets you impose password policies on all local user accounts.
Table 3-3. Password Policies
Policy Description
Enforce password history
Specifying a number greater than 0 (the maximum is 24) causes Windows to remember that number of previous passwords and forces users to pick a password different from any of the remembered ones.

Maximum password age
Specifying a number greater than 0 (the maximum is 999) dictates how many days a password remains valid before it expires. (To override this setting for certain user accounts, open the account's properties dialog box in Local Users And Groups and select the Password Never Expires check box.) Selecting 0 means passwords never expire.

Minimum password age
Specifying a number greater than 0 (the maximum is 999) lets you set the number of days a password must be used before a user is allowed to change it. Selecting 0 means that users can change passwords as often as they like.

Minimum password length
Specifying a number greater than 0 (the maximum is 14) forces passwords to be longer than a certain number of characters. Specifying 0 permits users to have no password at all. Note: Changes to the minimum password length setting do not apply to current passwords.

Password must meet complexity requirements
Enabling this policy requires that new passwords be at least six characters long; that the passwords contain a mix of uppercase letters, lowercase letters, numbers, and symbols (at least one character from three of these four classes); and that the passwords not contain the user name or any part of the full name. Note: Enabling password complexity does not affect current passwords.

Store password using reversible encryption for all users in the domain
Enabling this policy effectively stores passwords as clear text rather than in the default encrypted form, which is much more secure. You almost certainly do not want to enable this policy, which is provided only for compatibility with a few older applications.


TIP
--------------------------------------------------------------------------------

If you use password history, you should also set a minimum password age. Otherwise, users can defeat the password history feature by quickly changing the password a number of times and then returning to the current password.
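The complexity rule from Table 3-3 and the interaction between password history and minimum password age can be modelled as follows. This is an added example, not Windows code: the class names, sample account, and sample passwords are constructed, SHA-256 stands in for the stored password hash, and treating "part of the full name" as any name token of three or more characters is an assumption.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    history: int = 3        # Enforce password history
    min_age_days: int = 0   # Minimum password age
    min_length: int = 8     # Minimum password length
    complexity: bool = True  # Password must meet complexity requirements


def complexity_problems(password, user_name, full_name):
    """Check a candidate against the complexity rule described in Table 3-3."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]  # symbols, incl. spaces
    if sum(classes) < 3:
        problems.append("fewer than three of the four character classes")
    # Assumption: a "part" of the full name is any token of 3+ characters.
    tokens = [user_name] + [t for t in re.split(r"[\s,.\-_#]+", full_name)
                            if len(t) >= 3]
    lowered = password.lower()
    if any(t and t.lower() in lowered for t in tokens):
        problems.append("contains the user name or part of the full name")
    return problems


def _digest(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()  # model only


@dataclass
class Account:
    user_name: str
    full_name: str
    policy: PasswordPolicy
    remembered: list = field(default_factory=list)  # digests, newest last
    last_change_day: int = 0

    def set_password(self, new, day):
        """Return the list of policy violations; empty means accepted."""
        p = self.policy
        problems = []
        if self.remembered and day - self.last_change_day < p.min_age_days:
            problems.append("minimum password age not reached")
        if len(new) < p.min_length:
            problems.append("shorter than minimum length")
        if p.complexity:
            problems += complexity_problems(new, self.user_name, self.full_name)
        if p.history and _digest(new) in self.remembered[-p.history:]:
            problems.append("matches a remembered password")
        if not problems:
            self.remembered.append(_digest(new))
            self.last_change_day = day
        return problems


def can_cycle_back(policy):
    """Can a user burn through the history in one day and reuse a password?"""
    acct = Account("jsmith", "Jane Smith", policy)  # constructed account
    favourite = "Blue Kettle 42!"
    acct.set_password(favourite, day=0)
    for i in range(policy.history):
        acct.set_password(f"Temp Value {i}#x", day=0)  # all on the same day
    return acct.set_password(favourite, day=0) == []


if __name__ == "__main__":
    print("no minimum age:", can_cycle_back(PasswordPolicy(min_age_days=0)))
    print("one-day minimum:", can_cycle_back(PasswordPolicy(min_age_days=1)))
```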


Generate strong passwords automatically

You can use the Net User command to randomly generate a strong password and assign it to a user account. In a Command Prompt window, type net user username /random, where username is the account's user name. Similarly, a number of online services and stand-alone programs are available for randomly generating strong passwords of any length you specify. You'll find good ones at the following locations:

http://www.winguides.com/security/password.php

http://javascript.internet.com/passwords/password-generator.html

http://www.segobit.com/apg.htm

http://www.randpass.com

http://www.hirtlesoftware.com

http://www.mark.vcn.com/password/

A Web search for "password generator" turns up many more.


Creating Strong Passwords
It's a fact: Computer users hate passwords. Some just leave the password blank or are inclined to use an extremely simple (and obvious) password, such as password, test, or their user name. Others attempt to be a little more secure by using a special date or the name of a spouse, pet, or favorite sports team. Still others, thinking they're being more secure, use random words that occur to them. None of these approaches is any match for a sophisticated password-cracking program, which can usually correctly ascertain such passwords in a matter of minutes. (For more information about password cracking, see Recovering a Lost Password.)

The following common practices—widely understood and exploited by attackers—must be avoided to maintain security:

Using a word found in any dictionary, including foreign-language dictionaries
Using the names of people, pets, places, sports teams, and so on
Writing down your password on a note stuck to your monitor or placed in your top desk drawer
You can defend against password-cracking programs by using strong passwords. Ultimately, such passwords can also be cracked, but it can take months instead of hours. In the meantime, attackers have moved on to easier targets. And if you're following best security practices, you'll have changed to a new strong password before the current one is cracked. A strong password

Contains at least eight characters
Contains a mixture of uppercase and lowercase letters, numerals, and symbols
Changes periodically and differs significantly from previous passwords
Does not contain your name, user name, or any other words or names
Is not shared with anyone
Unfortunately, such gobbledygook passwords can be as difficult to remember as they are to crack. You can, however, use some mnemonic tricks to create and remember them.

One effective approach is to distill an easy-to-remember phrase into a difficult-to-crack password. For example, you could use the phrase "Security is everyone's business" to come up with this password: Sie1'sbs. History buffs might use the title of the World War I marching song "It's a Long, Long Way to Tipperary" to create the seemingly random, yet memorable, password IaL,LW2T. You get the idea.

Another trick is to take a memorable phrase ("It was the best of times") and intersperse its initial letters with a memorable number (such as your anniversary). Using a date of March 18 (3-18) yields this password: I3w-t1b8ot.

Not everyone agrees that your password must be an unpronounceable collection of apparently random letters, numbers, and symbols. Some experts argue that such cryptic passwords are less secure than ones made up of several words interspersed with numbers and symbols, because you're almost certainly going to write down a cryptic password. You can find an interesting discussion of password security in "Ten Windows Password Myths," an article written for SecurityFocus by Mark Burnett.


Using Passwords Effectively
Do you need to create and use a password for Windows logon? After all, it's certainly easier to simply click your name or just press Enter when you start your computer. And if your computer is in a secure place, such as your home, you might be tempted to forgo the protection a password provides.

Before you decide, consider who has physical access to your computer. At home, your computer might be available only to you and your spouse. What about kids? House guests? Do you have any household employees such as a babysitter or cleaning service? What about repair services or other contractors? Each of these people might pose a different threat: Family members whom you trust completely might be inexperienced computer users who can inadvertently delete or otherwise destroy your data if they can too easily log in as you. Others could conceivably have more malicious intentions.

In a business, it's more likely that someone who shouldn't do so could obtain access to your computer. In addition to business associates and employees (who might at some point become "disgruntled employees"), janitorial crews (and sometimes their accompanying children), security guards, delivery persons, clients, vendors, and door-to-door framed artwork solicitors could reach your computer when you're not there to defend it. In an office environment, you should almost certainly use strong passwords for Windows logon.

You might base your decision on the presumed value of the information on your computer. In a business, of course, you're likely to have financial data, product information, proposals, customer data, and other important files. The loss of these resources, or their discovery by a competitor, might prove devastating. At home, perhaps you have your family finances on one computer that clearly needs to be protected, but you think your other computers don't have anything of "value." Think again: Do they have your photo collection, music collection, kitchen plans, or correspondence with Aunt Mary? Although these types of files might not be of any use to anyone else, remember that some vandals enjoy the perverse satisfaction of destroying your data. Even if you religiously back up your data, you might be faced with restoring your system from scratch, which could take several hours or more.

It is especially important to password-protect any account that is a member of the Administrators group (which is, by default, most accounts you set up in Windows XP) because of the unrestricted power these accounts wield. If someone manages to plant a virus or a Trojan horse on your computer while logged on as an administrator (by logging on to your computer locally, by connecting over a network or the Internet, or by tricking you into running an executable e-mail attachment, for example), that malicious program can do just about anything. Two lessons here: Don't run as an administrator, and password-protect all administrator accounts.

Weak passwords trump strong security. As pointed out in "The Ten Immutable Laws of Security," all your other security measures are for naught if malicious attackers can get past your password defense. (See "The Ten Immutable Laws of Security," reprinted in Appendix A.) Don't let your password selection (or lack thereof) be your weakest link.

INSIDEOUT
--------------------------------------------------------------------------------

Safely use an account with no password

Security enhancements in Windows XP mean that blank passwords aren't quite the risk that they are in earlier versions of Windows, including Windows 2000. In Windows XP, accounts with a blank password can be used only to log on interactively at the computer by using either the Welcome screen or the Log On To Windows dialog box. You can't log on to a non-password-protected account over the network or with Remote Desktop, for example. Nor can you use the Run As feature to run in the context of an account with a blank password. (And because Task Scheduler uses Run As to launch programs, you can't use a password-free account to run scheduled tasks.) These additional restrictions apply only to local accounts with no password; domain accounts are not afforded such protection. (However, sound domain policy would prevent the creation of a domain account with a blank password.)

Although these enhancements mean that if you don't use a password in Windows XP your greatest risk is from people who have physical access to your computer, you can be sure that malicious hackers are working night and day to find a way around these restrictions. Your safest bet: Don't rely on this protection. Use strong passwords—at least for your administrator accounts—even with Windows XP.

Troubleshooting
--------------------------------------------------------------------------------

Windows XP asks for a password, but you haven't set one.

When you upgrade a system to Windows XP, the Setup program assigns temporary passwords for use during setup. Ordinarily, these passwords are removed when setup is completed. If they're not removed for some reason, you're effectively locked out of that account until you determine or change the password.

If you can log on using another administrative account, you can change the password for the affected user account—but be aware of the potential problems and data loss that changing someone else's password can cause.

A better way to solve this problem is to determine the temporary password assigned by Setup, which you can do as follows:

1. Boot into the Recovery Console by following these steps:
   a. Insert the Windows CD and restart your computer. Follow your computer's prompts to boot from the CD. (You might need to adjust settings in the computer's BIOS to enable the option to boot from a CD.)
   b. Follow the setup prompts to load the basic Windows startup files. At the Welcome To Setup screen, press R to start the Recovery Console.
   c. Enter the number of the Windows installation you want to access from the Recovery Console.
   d. When prompted, type the Administrator password. If you're using the Recovery Console on a system running Windows XP Home Edition, this password is blank by default, so just press Enter.
2. At the command prompt, type systemroot to change to the %SystemRoot% folder—the folder where Windows XP files are located.
3. Type more setupact.log to display a file that contains the password information you need.
4. Scan the file contents for the line that begins "Random password for." Press Spacebar to display the next screen of the file. When you find the line, make a note of the user name and password. (Remember that the password is case sensitive.)
5. Reboot into Windows XP and log on using the user name and password information you found.

If Windows is installed on a FAT32 volume, you can boot from a Windows 98 or Windows Me boot floppy instead of using Recovery Console. At the command prompt, type edit %windir%\setupact.log to open the file. Use the Edit program's search command to locate the line beginning with "Random password for."


Review saved passwords and form data in Internet Explorer. By default, all versions of Internet Explorer offer to save form data, user names, and passwords for Web sites you visit. This saved information can unintentionally reveal information about you, such as searches you've made, and can allow unauthorized users to access password-protected Web sites that contain confidential information about you. Your browser's history can also divulge sites you've visited. Read Covering Your Tracks to learn how to configure these features to match your preferences and how to eliminate any stored information.

Obtain a personal certificate for signing and encrypting e-mail. Electronic mail is not secure. If you routinely send and receive sensitive mail, consider purchasing and installing a personal digital certificate from a certification authority such as VeriSign or Thawte Technologies. This option allows you to digitally sign and encrypt messages so that they can't be read or tampered with by anyone who intercepts the traffic. We provide full instructions (and a number of important cautions) in Chapters 4 and 9; see Obtaining a Personal Certificate and Protecting E-Mail from Prying Eyes.

Restrict executable file attachments in e-mail. The overwhelming majority of viruses that attack Windows arrive via e-mail. Recent versions of Microsoft Outlook (a component of Microsoft Office) and Outlook Express 6 restrict a user's ability to view, save, or execute file attachments whose extensions are on a restricted list. These features are controversial, and their implementation varies widely, depending on the specific e-mail client you use. In Outlook 2002, for instance, certain file types are automatically blocked, and the user cannot disable or tweak this setting. In Outlook Express, by contrast, the option to block dangerous attachments is turned off by default. We explain your options fully in Blocking Dangerous Attachments.


Set up virtual private network connections for remote access. If you need to allow remote access to a computer on your network, set up a VPN connection, restrict it to only those users who need access, and protect those accounts with strong passwords. VPN connections encrypt traffic over the Internet and provide dramatically better security than other remote access options. For Windows 2000, the complete set of steps is described in Knowledge Base article Q257333, "How to Configure Windows 2000 Professional to Windows 2000 Professional Virtual Private Network Connections." In Windows XP, you can use the Create A New Connection Wizard in the Network Connections folder to quickly create a VPN connection. To explore VPN connections in depth, read Setting Up a Virtual Private Network.

Set up encryption for wireless networks. Do you have a wireless network? Unlike conventional wired networks, wireless networks add security risks. Unless you take special precautions, anyone who roams into the range of your wireless access point can intercept network traffic and potentially break into any computer on the network. You have a number of configuration options; we explain how to tighten wireless security in Chapter 16, "Wireless Networking and Remote Access."

Advanced Security Options
The 11 steps outlined in the previous sections apply to every Windows user. The suggestions in this section include steps that aren't essential but might be useful to advanced users or those with special configurations.

Configure Windows Explorer to show all file name extensions. Some viruses and Trojan horse programs use a cheap trick to try to slide past a Windows user's defenses, adding a second, innocent-looking file name extension to disguise the true executable extension. In a default Windows installation, extensions are hidden. As a result, a file with the name Letter.doc.vbs will appear to a casual user as Letter.doc. Sophisticated Windows users will have no trouble seeing through this trick, but a less experienced or distracted user might be fooled long enough to launch a dangerous file. To protect yourself, open Windows Explorer and choose Tools, Folder Options. On the View tab, clear the Hide Extensions For Known File Types box, as shown in Figure 2-13.


Figure 2-13. Display all file name extensions so that you can more easily detect hostile software that tries to hide its true extension.
For a discussion of how hostile software uses multiple file name extensions to attack Windows, see Identifying Malicious Software.
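The Letter.doc.vbs trick can also be caught by a filter that compares what the user sees with what would actually run. The following is an added example, not code from the original text; apart from .vbs, .pif, and .scr, the extension lists are assumptions, as are the function names and the constructed sample file names.

```python
import os

# .vbs, .pif and .scr are the extensions named in the text; the rest of this
# set and the decoy set below are assumptions added for the example.
EXECUTABLE_EXTS = {".vbs", ".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".js"}
DECOY_EXTS = {".doc", ".txt", ".jpg", ".gif", ".xls", ".pdf", ".mp3", ".zip"}

# Constructed sample of attachment names.
SAMPLE_NAMES = [
    "Letter.doc.vbs",
    "report.v2.doc",
    "PHOTO.JPG.SCR",
    "Setup.exe",
    "archive.tar.gz",
]


def displayed_name(filename, hide_extensions=True):
    """Name as listed when Hide Extensions For Known File Types is selected.

    Simplification: every extension in the two sets above is treated as a
    known (registered) type; anything else is shown in full.
    """
    stem, ext = os.path.splitext(filename)
    if hide_extensions and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem
    return filename


def inspect_name(filename):
    """Describe one file name: what the user sees and what would really run."""
    stem, real_ext = os.path.splitext(filename)
    inner_ext = os.path.splitext(stem)[1]  # the extension the user will see
    executable = real_ext.lower() in EXECUTABLE_EXTS
    return {
        "file": filename,
        "shown_when_hidden": displayed_name(filename),
        "real_extension": real_ext.lower(),
        "executable": executable,
        # Disguised = really executable, but the visible name ends in a
        # harmless-looking document or media extension.
        "disguised": executable and inner_ext.lower() in DECOY_EXTS,
    }


def find_disguised(filenames):
    """Return the inspection records for names that hide an executable type."""
    records = [inspect_name(name) for name in filenames]
    return [rec for rec in records if rec["disguised"]]


if __name__ == "__main__":
    for rec in find_disguised(SAMPLE_NAMES):
        print("%(file)s appears as %(shown_when_hidden)s but runs as %(real_extension)s" % rec)
```

A name such as report.v2.doc is not flagged because its final extension is not executable, which keeps the filter from burying real findings under versioned document names.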

TIP
--------------------------------------------------------------------------------

Selectively show extensions

If you can't stand the clutter caused by the full display of file name extensions, you can customize specific file types so that their extensions are always visible, while still keeping other, less dangerous extensions hidden. If you're concerned about files with the .vbs, .pif, and .scr extensions, for instance, you can ensure that those extensions are always visible by following the steps outlined in Blocking Dangerous Attachments. You can also use a custom script to toggle the display of file name extensions and hidden folders as needed; the CD included with Microsoft Windows XP Inside Out includes one such script, called ToggleHiddenExplorerStuff.

Adjust Internet Explorer security options. The zone-based security settings in Internet Explorer 6 provide excellent protection against most garden-variety attacks. Advanced security options allow you to significantly increase the level of security in your browser. We explain these options in full in Chapter 8, "Making Internet Explorer Safer."

Adjust Internet Explorer privacy options. Are you concerned that browser cookies are disclosing too much information about you? Internet Explorer 6 uses a fairly complex system to control the information that flows between you and Web sites. You can customize these settings significantly by using the built-in privacy controls in Internet Explorer 6. If you're willing to roll up your sleeves and work with XML files, you can create and share custom privacy settings as well, as we document in Setting Cookie Preferences in Internet Explorer 6.


Create a Backup
Accidents happen. Even the most security-conscious Windows user can fall victim to a power failure, a hardware glitch, or an attack that slips through a newly discovered security hole. Regardless of the cause, it's crucial that you have a reliable current backup at all times so that you can quickly recover data that's been damaged or destroyed. We discuss your backup options in detail in Chapter 6, "Preventing Data Loss." Make a backup plan, and then make a backup.


Use Your Screen Saver as a Security Device
With modern monitors, screen savers aren't really needed to prevent images from "burning in" to a CRT or flat-panel display. But a properly configured screen saver can be a valuable security aid, especially in homes and offices where physical security is lacking and you're often away from your desk. Open the Display option in Control Panel and click the Screen Saver tab. Select any screen saver, and then adjust the following two options, as shown in Figure 2-12:

Select the On Resume, Password Protect box (Windows XP) or the Password Protected box (Windows 2000).
In the Wait box, dial the default setting down to the minimum level you can tolerate. For maximum security, make this value no more than 5 minutes. This is the period that Windows will wait following any inactivity before the screen saver kicks in.

Figure 2-12. To make it more difficult for unauthorized users to access your computer when you step away from it, set screen saver options as shown here.


Review All Network Shares
Windows allows you to specify that all files in a particular folder should be available for sharing with other users over the network. You can create a multitude of individual shares on your computer for use with individual projects. If you're not meticulous about cleaning up after each project is finished, however, you could end up with shared folders that are open to view by anyone on the network. Every so often, it's a good idea to review the complete list of network shares and eliminate any that are no longer needed. To see the full list of shares, open Control Panel's Administrative Tools folder and double-click the Computer Management icon. In the Computer Management window, double-click Shared Folders and then click Shares. Figure 2-11 shows one such list.


Figure 2-11. Inspect the list of shares regularly and remove any that are no longer needed.
In Windows 2000, you can right-click any entry in the Shares list and inspect its properties or remove the share. In Windows XP Professional, these options are available only if you've disabled Simple File Sharing; in a default, nondomain installation of Windows XP Professional, this list is read-only. That's also true on a computer running Windows XP Home Edition, where Simple File Sharing cannot be disabled.

In Windows XP Home Edition and Windows XP Professional with Simple File Sharing enabled, you can use Windows Explorer to stop sharing a folder. Right-click the icon of the shared folder, choose Properties, and click the Sharing tab. Under Network Sharing And Security, clear the Share This Folder On The Network box.

INSIDEOUT
--------------------------------------------------------------------------------


Windows XP Professional and Windows 2000 Professional include a long list of administrative shares whose names end with a dollar sign. For instance, every drive includes an administrative share that consists of the drive letter and a dollar sign (C$ for the C drive, for instance); these administrative shares are accessible to anyone in the Administrators group. If you're using Windows 2000 Professional or Windows XP with Simple File Sharing disabled, you can right-click the entry for any default share and choose Stop Sharing. However, Windows will automatically create the share the next time you restart the computer.

To permanently remove an administrative share from Windows XP Professional or Windows 2000 Professional, open Registry Editor (Regedit.exe) and navigate to the registry key HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters. Right-click the key name and choose New, DWORD Value. Give it the name AutoShareWks and use the default value of 0. After making this change, the administrative shares will no longer be re-created after each restart.

Removing the default shares on drives that contain program or data files is a sensible security precaution. Don't delete the ADMIN$ or IPC$ shares, however. These are system-level shares that are invisible to network browsing and are not available for interactive use; they're essential for interprocess communications and remote administration.
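The periodic share review described in this section can be scripted by sorting a share listing into the three groups the text distinguishes. The following is an added example, not code from the original text; it assumes the list is taken from the `net share` command rather than Computer Management, that share names fit within the first column, and the sample listing is constructed.

```python
import re

ROW = "{:<13}{:<32}{}"  # column widths used to lay out the constructed sample

# Constructed sample in the shape of `net share` output (not from a real host).
SAMPLE_ROWS = [
    ("C$", "C:\\", "Default share"),
    ("D$", "D:\\", "Default share"),
    ("IPC$", "", "Remote IPC"),
    ("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    ("Projects", "C:\\Projects", ""),
    ("OldClient", "D:\\Work\\OldClient", "Finished 2001"),
]
SAMPLE_NET_SHARE = "\n".join(
    [ROW.format("Share name", "Resource", "Remark"), "", "-" * 79]
    + [ROW.format(*row).rstrip() for row in SAMPLE_ROWS]
    + ["The command completed successfully.", ""]
)


def parse_net_share(text):
    """Split the fixed-width listing into name/path/remark records."""
    lines = text.splitlines()
    header = next(i for i, line in enumerate(lines) if line.startswith("Share name"))
    # Take the column positions from the header instead of hard-coding them.
    res_col = lines[header].index("Resource")
    rem_col = lines[header].index("Remark")
    shares = []
    for line in lines[header + 1:]:
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # blank line or the dashed separator
        if line.startswith("The command"):
            break  # trailing status message
        shares.append({
            "name": line[:res_col].strip(),
            "path": line[res_col:rem_col].strip(),
            "remark": line[rem_col:].strip(),
        })
    return shares


def classify(share):
    """Apply the guidance in the text to one share record."""
    name = share["name"].upper()
    if name in ("ADMIN$", "IPC$"):
        return "keep"           # system-level shares; do not delete
    if re.fullmatch(r"[A-Z]\$", name):
        return "drive_default"  # re-created at restart unless AutoShareWks is 0
    return "review"             # user-created; remove if the project is over


def audit(text):
    """Group share names by the action the text recommends."""
    result = {"keep": [], "drive_default": [], "review": []}
    for share in parse_net_share(text):
        result[classify(share)].append(share["name"])
    return result


if __name__ == "__main__":
    for action, names in audit(SAMPLE_NET_SHARE).items():
        print("%-14s %s" % (action, ", ".join(names)))
```

Comparing the review group against a saved copy of the previous run shows which shares were added since the last cleanup.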


Review NTFS Permissions on All Data Directories
Tinkering with NTFS permissions is a tricky business. Unless you fully understand how these permissions work (including how permissions are inherited from higher-level folders and how permissions are transferred when folders or files are moved or copied), you should be wary of changing any permissions. In general, follow these guidelines whenever possible:

Use default storage locations. Install programs in subfolders under the Program Files folder and store personal data in the My Documents folder; in both cases, Windows applies a known set of permissions that you can tighten if necessary. If you have data files that are stored outside the default locations, consider moving them.
On Windows XP installations that are not joined to a domain, use the Simple File Sharing interface and the Network Setup Wizard to establish a baseline set of file and folder permissions. Afterward, you can modify these permissions as needed.
Test the effect of permissions by trying to access protected files from a limited account. Create a limited local account (Windows XP) or an account in the Users group (Windows 2000), log on with that account, and try to access files in the protected locations. (Be sure to eliminate or disable the test accounts when you're finished!)
TIP
--------------------------------------------------------------------------------

Go back to square one

If you (or someone else) has experimented extensively with the default permissions on an existing Windows installation and you're not confident that system and data files are properly protected, you can use a security template to reapply the default permissions to your computer. This procedure is fully documented in Knowledge Base article Q266118, "How to Restore the Default NTFS Permissions for Windows 2000." We discuss the Security Configuration And Analysis snap-in and the built-in Windows security templates in Using Security Templates.


Use NTFS for All Drives
If you've upgraded from Windows 98 or Windows Me to Windows XP, one or more drives on your system might still be using the FAT32 file system. Even on a clean installation of Windows 2000 or Windows XP, you have the option to choose FAT32 or NTFS. Some users do choose FAT32, either from force of habit or because they want to be able to access the data on that drive from earlier versions of Windows. The security benefits of NTFS are overwhelming in comparison to FAT32 drives, however. Continuing to use FAT32 is justifiable only on computers where data security is less important than the ability to boot into multiple operating systems.

To quickly determine the file system in use on a given drive, open the My Computer window, right-click the icon for any drive, and choose Properties. The current file system is listed on the General tab.


To convert a FAT32 drive to NTFS, you must use the command-line Convert utility with the /FS:NTFS switch. If you attempt to run this command on a drive that contains Windows system files or the system paging file, Windows will schedule the conversion to take place at startup after you reboot the computer.

NOTE
--------------------------------------------------------------------------------

Converting a FAT32 drive to NTFS on a computer that was upgraded to Windows XP from an earlier version of Windows can have unintended negative consequences for performance. For a discussion of the best way to carry out this conversion, see Chapter 26, "Managing Disks and Drives," in our earlier book, Microsoft Windows XP Inside Out (Microsoft Press, 2001).


Install and Configure a Firewall
A firewall is a system or software that controls the flow of traffic between networks and protects your computer or network from intruders. This extra layer of protection is especially important on any computer with an "always on" Internet connection, such as a DSL line or cable modem. Firewalls vary widely in their cost and features, but in general they consist of hardware, software, or a combination of the two, which prevents unauthorized users from interactively logging on to network resources from the outside. On most networks, a firewall acts as a single point of access to the outside world, making it easier to enforce security settings and to keep a log of intrusion attempts.

Consider one or more of the following additions to increase security on a single computer or a small to medium-sized network:

Configure custom ports. The built-in Internet Connection Firewall (ICF) included with Windows XP effectively blocks all incoming traffic from the outside except on ports where you've requested data. The ICF is automatically configured when you run the Network Setup Wizard. Many Windows-based programs can work seamlessly through the firewall (all traffic from the local machine is allowed out), although you might need to configure some ports manually before you can run a third-party program that uses nonstandard ports. To adjust ICF settings, you must burrow deep into the Windows interface. Open the Network Connections option in Control Panel, double-click the icon for your Internet connection, click the Properties button, and click the Advanced tab. After making sure the Internet Connection Firewall option is selected, click the Settings button to display the dialog box shown in Figure 2-10. (For more details about how ICF works and how you can configure it, see Using Internet Connection Firewall in Windows XP.)

Upgrade the firewall software. Third-party firewall programs are appropriate for use with Windows 2000, which includes no firewall utility of its own, and for Windows XP administrators who want more protection than ICF provides, such as the capability to block or filter outbound traffic. In addition to intrusion detection and logging, many of these programs supply tools to help you configure traffic on a per-application basis, allow virtual private network connections, and alert you when intrusion attempts are taking place.


Figure 2-10. Selecting any of these preconfigured options in the Windows XP Internet Connection Firewall allows traffic to flow through the firewall. Click the Add button to create custom settings for third-party programs.
Add hardware protection. Hardware-based firewall products range from simple routers, which offer Network Address Translation services and port filtering, to complex devices that inspect every packet entering a network to determine whether and how it should be allowed to pass. On small networks, the combination of a simple hardware device and desktop firewall software can be a very effective form of protection. (For a more detailed discussion of hardware-based firewall products, see Using a Hardware Firewall Appliance.)


Install and Configure Antivirus Software
Given the pandemic spread of viruses on the Internet in recent years, it's foolhardy to even think of connecting a computer to the Internet without robust, up-to-date antivirus software. Dozens of options are available, most at relatively modest prices. More important than installing the software, of course, is making sure that its virus signatures are current. The best antivirus programs include software agents that handle this chore automatically.

After installing the software and the latest updates, scan your system to ensure that you're virus-free.


Tighten Logon Security for All Users
In Chapter 1, we discussed the tradeoffs between security and convenience. Tipping the balance too heavily in favor of convenience can be catastrophic to your security. Why make life easier for a would-be intruder? Forcing a secure logon can significantly decrease the likelihood that an unauthorized person will be able to break into your computer while you're away.

To disable the Windows XP Welcome screen, open Control Panel and run the User Accounts option. Click Change The Way Users Log On Or Off and then clear the Use The Welcome Screen box. Click Apply Options to make the change effective. (Note that making this change disables the Use Fast User Switching option.)


If you're using the so-called classic logon prompt (the default setting in Windows 2000 and an option in Windows XP), configure Windows so that every user is required to press Ctrl+Alt+Delete and provide his or her password to log on. The Secure Logon option is available on the Advanced tab of the User Accounts dialog box, shown in Figure 2-9. Windows 2000 users can access these settings from the Users And Passwords option in Control Panel; if you're using Windows XP in workgroup or stand-alone mode, enter the command control userpasswords2 to open this dialog box.


Figure 2-9. For additional logon security, select the option at the bottom of this dialog box so that every user must press Ctrl+Alt+Del to log on.
Finally, make sure that the autologon feature is not enabled. Open the Users And Passwords dialog box as described in the previous paragraph, click the Users tab, and select the Users Must Enter A User Name And Password To Use This Computer option.

For many more details about removing vulnerabilities in the logon process, see Configuring the Logon Process for Security.


Set Strong Passwords for All User Accounts
Weak passwords are the would-be intruder's best friend—a point we make repeatedly in this book. By default, all new accounts created in Windows XP have a blank password and belong to the Administrators group. If you're serious about security, assign a password to every account; your password should be at least eight characters long and composed of a random selection of letters, numbers, and symbols that can't be found in any dictionary. For details, see Creating Strong Passwords.


Eliminate or Disable Unused Accounts
One common avenue that intruders use to attack Windows is to look for user accounts that are poorly secured. On business networks, an all-too-common mistake is to fail to remove a user account after an employee quits or is fired. If the account remains active and the password is unchanged, a disgruntled ex-worker can break into the computer and steal data or sabotage the system. The potential for damage is even worse if the former employee has remote access privileges that haven't been promptly revoked. To view the complete list of user accounts in Windows XP Professional or Windows 2000 Professional, open the Local Users And Groups snap-in from the Computer Management console (Control Panel, Administrative Tools, Computer Management).

TIP
--------------------------------------------------------------------------------

See the complete list

Don't rely on the abbreviated list of user accounts that appears when you open Control Panel and choose User Accounts (Windows XP) or Users And Passwords (Windows 2000). This list shows only accounts that are available for local logon. Other accounts, such as those created by a FrontPage-enabled Web server or a virtual private network (VPN) connection, are hidden.

Figure 2-8 shows the list of accounts on a computer running Windows XP Professional. To remove an account, right-click its entry in the Users list and choose Delete from the shortcut menu. To temporarily disable an account without removing its associated files and permissions, double-click its entry in the Users list and select the Account Is Disabled option on the General tab of the properties dialog box.


Figure 2-8. Use the Computer Management console to identify and eliminate unused accounts so that they can't be accessed by intruders.
Unfortunately, if you use Windows XP Home Edition, the Local Users And Groups option is missing from the Computer Management console, and trying to run it manually (either by adding the Local Users And Groups snap-in to an MMC console or entering the lusrmgr.msc command) produces only an error message. To work with the complete list of user accounts, try the net user command; you'll find full details in Disabling or Deleting User Accounts.

Libellés : , , ,

Eliminate or Disable Unused Accounts
One common avenue that intruders use to attack Windows is to look for user accounts that are poorly secured. On business networks, an all-too-common mistake is to fail to remove a user account after an employee quits or is fired. If the account remains active and the password is unchanged, a disgruntled ex-worker can break into the computer and steal data or sabotage the system. The potential for damage is even worse if the former employee has remote access privileges that haven't been promptly revoked. To view the complete list of user accounts in Windows XP Professional or Windows 2000 Professional, open the Local Users And Groups snap-in from the Computer Management console (Control Panel, Administrative Tools, Computer Management).

TIP
--------------------------------------------------------------------------------

See the complete list

Don't rely on the abbreviated list of user accounts that appears when you open Control Panel and choose User Accounts (Windows XP) or Users And Passwords (Windows 2000). This list shows only accounts that are available for local logon. Other accounts, such as those created by a FrontPage-enabled Web server or a virtual private network (VPN) connection, are hidden.

Figure 2-8 shows the list of accounts on a computer running Windows XP Professional. To remove an account, right-click its entry in the Users list and choose Delete from the shortcut menu. To temporarily disable an account without removing its associated files and permissions, double-click its entry in the Users list and select the Account Is Disabled option on the General tab of the properties dialog box.


Figure 2-8. Use the Computer Management console to identify and eliminate unused accounts so that they can't be accessed by intruders.
Unfortunately, if you use Windows XP Home Edition, the Local Users And Groups option is missing from the Computer Management console, and trying to run it manually (either by adding the Local Users And Groups snap-in to an MMC console or entering the lusrmgr.msc command) produces only an error message. To work with the complete list of user accounts, try the net user command; you'll find full details in Disabling or Deleting User Accounts.


Install All Windows Security Patches
This task belongs at the top of the list, and for good reason. Without exception, every version of Windows ever released includes bugs and defects that open the door for intruders. Over time, as these security problems are identified, Microsoft's developers release patches and updates (sometimes referred to as hotfixes) that repair the problems. At regular intervals, Microsoft releases service packs, which incorporate all bug fixes and security updates to that point. You can use any or all of the following options to determine which fixes are necessary for your computer:

In Windows XP, configure the Automatic Updates feature to check for critical updates at regular intervals. You can choose to receive notifications only, download the updates automatically, or (if you have Service Pack 1 installed) have Windows update your system files automatically. To configure this feature, open the System option in Control Panel (under Performance And Maintenance if you're using Category view) and click the Automatic Updates tab.

Connect to the Windows Update online service manually to download and install all service packs and critical updates that are appropriate for your version of Windows. Point your browser to http://windowsupdate.microsoft.com, or use the shortcut at the top of the Start menu, on the Tools menu in Microsoft Internet Explorer, or in the Help And Support Center in Windows XP. Windows Update scans your system using an ActiveX control and presents a list of suggested updates for point-and-click download and installation. Windows Update works with Windows 2000 and Windows XP as well as Windows 95/98/Me.
Use the Microsoft Network Security Hotfix Checker (Hfnetchk.exe) to perform an inspection of your local computer or multiple computers on your network to identify missing hotfixes and service packs. This command-line utility uses an XML database to scan your operating system files. As the output in Figure 2-7 shows, it identifies all currently installed service packs and patches, and recommends updates that might be appropriate for your computer but that are not currently installed. This utility is especially adept at identifying patches for SQL Server and other commonly used system components not covered by Windows Update.

Figure 2-7. The Network Security Hotfix Checker recommends security patches that are appropriate for your current system setup.
Browse the list of security updates at Microsoft's Hotfix & Security Bulletin Service (http://www.microsoft.com/technet/security/current.asp), and download any patches that are appropriate for your computer or network. You can search the list by product and service pack number, or you can view the entire list in reverse chronological order, beginning with the most recent security bulletins.
Use the Microsoft Baseline Security Analyzer (MBSA) to analyze your local computer or your entire network for missing hotfixes. MBSA, which works with Windows NT 4.0, Windows 2000, and Windows XP, uses the HFNetChk technology and comes with both a graphical user interface and a command-line version. In addition to scanning for missing hotfixes, MBSA scans and reports on other system vulnerabilities in Windows, IIS, and SQL Server, including blank user account passwords, the file system type used, all available shares with their configured permissions, and more.
INSIDEOUT
--------------------------------------------------------------------------------

Insist on timely updates

Windows Update is a terrific and useful service, but for extremely security-conscious Windows users it might fall short. Windows Update includes patches for the Windows operating system and related components (including Internet Explorer and IIS); it does not offer updates for non-Windows products like SQL Server. In addition, you'll often find a delay of days or weeks between the time a security bulletin is published and when it is available on Windows Update. If you prefer to receive notification of security updates for all Microsoft products as soon as they're released, subscribe to Microsoft's Security Notification Service. To join the list, send a blank e-mail to securbas@microsoft.com.

For more details about Windows Update, service packs, and hotfixes, see Chapter 7, "Keeping Your System Secure."
