Jump to content

Windows XP Proffessional Security Concerns

breadandbubbles

By breadandbubbles
in Windows XP

 Share

Recommended Posts

breadandbubbles

breadandbubbles

Posted
Posted

okay, i have windows XP Professional, and with onyl one user account on my pc, i am insterested in making a "Guest account. a long time ago though, a friend told me he had a program on CD that can eliminate the password on any user account.

so...i am SERIOUSLY concerned. will having a guest account really going to make my pc that much more vulnerable. is my account that easy to get into even WITHOUT a guest account?

on a sidenote, i want to know how to seriously limit the accessibility of Guests now only my files, but ANY files. when they go to "My Computer" i dont even want my C: drive to BE THERE. i want to create a small partition that makes up the only hard drive space the Guests can access.

likewise, i want to make sure they cannot install any programs.

now any of you who are going to say "just switch them to Limited"....well....im already aware of that. but they can still acess my C: drive....or....any partition i create for myself. i really, really need that to stop. Securely.

Also, on a sidepoint, im connected to a router. there is one other PC connected to the router loaded with Windows 2000 Professional. is there any way to completely, absolutely block myself from that PC. i dont want to be vulnerable through my network card.

on the otherhand, my Xbox, which i frequently FTP to, is also connected to the router.

i just dont know what to do. anyone have any ideas?

Link to comment
Share on other sites

Ghostrider

Ghostrider

Posted
Posted

Anyone who has physical access to your computer can get into the guts of it, access profiles and change passwords if they know how... I am a service manager for a computer company, i regulary have to access computers which are password protected, I have programs that allow me to add accounts, change passwords or even access the password protected account, do what i need to and return the password to what it was so the user would not even know I had been there.

So, to answer your first question, guest account or not your computer can be comprimised by someone who knows what they are doing, a lay user could not bypass guest login restrictions.

As for the second, restricting access to C drive... well you cant stop access to the whole of C as windows itself needs access, but you can use NTFS file/folder permissions to deny access to certain other folders/files. just right click and select sharing/security then security

And lastly, LAN access... you can make sure you have no shared files/folders on your computer, also use a software firewall that is configurable to deny access from other computer IP/MAC addresses

Best of Luck

Link to comment
Share on other sites
cluberti

cluberti

Posted
Posted

The easy answer - disconnect it from the internet, pull the plug, and lock it away :).

The better answer - your computer will only be as secure as you can allow it to be and still meet your usability requirements. You can lock a Windows XP machine down so that nothing can be done to it, but that's not very usable, and sort of defeats the purpose of having a computer in the first place.

Windows XP is fairly secure by default, but does need some work to meet "hardcore" security guidelines. Basically, reducing your attack surface will increase the security of your machine, which means disabling any services you (or your computer) do not need, removing all software that you are not going to actually use, and making sure that you have decent security in place *outside* of your machine as well - a good hardware firewall between your PC and the internet connection is a good start, as is possibly having an IDS or other sniffing device on the network as well if you need that level of security auditing.

As to the C: drive issue, assuming it contains your Windows directory, you can't really hide this drive without seriously affecting the stability of the machine. If you need to hide files, you are best served to store them on another partition or volume, formatted for NTFS, and using the encrypting file system along with NTFS permissions to deny other users' access to, and ability to see, your files. Putting your data on an external hard disk that you remove when not at the PC is another very good way to effectively hide your data :).

As to program installation, it is difficult to keep users from installing programs that only write to the HKCU portion of the registry, or can run from the users' own home directory. It can be done, but again, it's not easy to make happen (especially when you are not in an AD domain environment).

Consider reading the following linked documents, for a starter. Also consider downloading the Microsoft Shared Computer Toolkit, as it has some nice resources for configuring a computer that will be shared amongst multiple users.

http://csrc.nist.gov/itsec/guidance_WinXP.html

Link to comment
Share on other sites
breadandbubbles

breadandbubbles

Posted
  • Author
Posted

thanks Cluberti, that shared user toolkit is basically what im looking for to solve most of my problems, but theres still that accessibility issue to my account. Ghostrider, is there honestly nothing i can do?

i understand what Cluberti said about "reducing your attack surface", but other than that, i was hoping for someway to block against attempts to my account. i guess its impossible to block against everything though eh?

i guess ill just have to settle for the simple solutions microsoft gives me. and a decent firewall.

SPEAKING OF WHICH. i have sygate, and the GUI is just AWFUL. it works great, but im starting to think it just isnt worth the terrible gui. does anyone have a reasonable recomendation of a good GUI that still works effectively?

Link to comment
Share on other sites
cluberti

cluberti

Posted
Posted

To be honest, I've found the XP firewall to be adequate for almost everything, assuming a good hardware firewall is in place. It's configurable via scripts or via the integrated Security Center GUI, it does a good job of blocking inbound attacks, and doesn't require an additional hook driver into your IP stack to work properly. Is it the best software firewall out there, feature-wise? No, it's not, because of the lack of outbound firewalling - but it's still excellent for inbound attacks. If you want a firewall for outbound connections as well, consider ZoneAlarm (http://www.zonelabs.com) or Tiny (http://www.tinysoftware.com).

Link to comment
Share on other sites
Zxian

Zxian

Posted
Posted

BIOS passwords are a godsend when it comes to keeping your computer safe. They prevent someone from booting Knoppix/WinPE/BartPE/Winternals and messing with your system. Sure, they can be bypassed by clearing CMOS, but that takes actually opening up the system. As Ghostrider said, "Anyone who has physical access to your computer can get into the guts of it".

You could set a group policy in the Guest account to only allow the specified programs to run (i.e. web browser, music player, whatever). Installers won't run (if you restrict msiexec from the account) and any programs that aren't specified will be stopped.

Just as a final note, unless you have a need for a guest account, don't make one. If you have a guest account, but can't trust the people who use your computer, don't let them use it. It's as simple as that. If you're talking about a public place where you have little control of what people do, then look into DeepFreeze or RIS installs. They'll restore the computer on a specified schedule for you.

Link to comment
Share on other sites
InTheWayBoy

InTheWayBoy

Posted
Posted

Why not use the new free VMPlayer for something like this. I don't know exactly how you would integrate it into the system, but by providing access to just that you could then let the user do whatever they want to the virutal machine. The idea is that even if they manage to fubar the VM, it won't matter since you can just reboot the VM and all changes are lost. Besides, the VM is just a file so as long as you make a backup then you won't have to worry much.

XP, on it's own, is not made to function with something like you are talking about. You could get better results if you were running a domain, as you can limit access to devices and applications, but that requires more computers and tech knowledge.

Your other option might be to use some kind of boot loader, one with password support. Then setup a dual-boot. That way you could have two options, one regular one (That requires a password) and one limited one. Once either starts booting, the boot loader should 'hide' the other partition so you won't get access to the files. Of course, this too requires more software and tech knowledge.

And finally, what are you wanting the user to do? Just surf the net?

As everyone has mentioned if someone can sit down in front of the PC there isn't a whole lot you can do to prevent access. If you are that worried about it, maybe look into making a seperate workstation just for guest access. Then, depending on what you want to allow them to do, you could limit the box accordingly. Since this would be a guest only workstation, you could even do something 'extreme' and throw linux on there. That would not only keep costs down, but would make most script kiddies or so-called power users left high and dry since most don't know how to effectively use linux. But it can surf the net with the best of em...good luck!

Link to comment
Share on other sites
InTheWayBoy

InTheWayBoy

Posted
Posted

Both Sygate and Kerio are about to be put to bed...Symantec bought Sygate and just today released info that they are discontinuing it...and Kerio has long said they are soon to end the product. That leaves very little choice...basically just the major players. There are some freeware ones popping up, but I don't trust most of them. Firewall and Antivirus is something you can't just figure out and make cheaply...to be effective you need research and development behind it. That doesn't mean the most expensive is the best, but I would rather drop a few bucks for a decent package then pay twice as much later to get the unit fixed. ZoneAlarm is about the last good free one I would suggest.

Link to comment
Share on other sites
Ghostrider

Ghostrider

Posted
Posted (edited)

Got a little busy to be able to reply earlier but anything i would suggest has already been mentioned by others in this post... using a combination of bios boot password, encrypting data folders and configuring a software firewall. If all you want the user to do is access the internet, get a basic computer, no hard drive, build a very basic PEBuilder with firefox and boot from cd or use Knoppix Live. I suspect if we knew what you intended the user to do then we could help further.

P.S The only software firewall i use these days is windows firewall, all the others either crash my computer or use so many resources they bog my computer down. I used to recommend Zonealarm but bloatware comes to mind these days...!!!!!

Edited by Ghostrider
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...