CIS 106a: Introduction to Operating System Concepts

Chapter 10: Securing Your PC and LAN


Objectives:

This chapter is about computer security. Objectives important to this chapter are:

  1. Securing desktops and laptops
  2. Securing LANs
  3. Recognizing malware and cleaning infections

Concepts:

Students should be aware that this chapter does not contain all the knowledge they will ever need to protect PCs or networks, but it is a good start.

The text offers suggestions right away that will be of benefit to most technicians:

  • Limit use of the administrator accounts - accounts with general rights to the network or computers should only be used when doing that kind of work; administrators should have "normal" accounts to use when they are not engaged in admin work
  • Keep Windows updates current - configure workstations to automatically download updates, automatically notify you of updates, or set a ritual of checking for them on a regular basis
  • Physically protect your equipment - servers should be locked in a server room, laptops should be locked away when not in use, and people should watch for anyone taking equipment out the door
  • Keep good backups of user data - Do you remember the chapters about resolving a problem by reformatting the hard drive? Do you know where your data is?
  • Destroy trash that might contain sensitive data - some companies have a policy of destroying old hard drives; it is extreme, but it protects you from data harvesters

Authentication is any process used to prove identity to network security programs. Some texts say it is a method of proving a user's true identity, but we all know of instances of users who share IDs and passwords. Authentication systems only work as intended when users keep their authentication information private.

Authorization is the process of granting rights and permissions to users.

An authorized user will not be able to get to resources if they do not authenticate (prove identity) to the system. An authenticated user will not be able to get to resources if they have not been authorized to do so.

Passwords can exist at many levels for a computer user:

  • a password can be stored in most computers' CMOS systems, requiring the user to log in before the OS is even loaded
  • a Windows local or domain account may have a password
  • passwords may exist for access to specific programs or databases
  • passwords are commonly assigned to accounts at vendor web sites

Windows domains typically use a concept called password complexity, which illustrates some good ideas about secure passwords. If turned on, complexity requires that several conditions be met by a password. It can't contain a portion of the user's logon name. It must contain three of these four characteristics: upper case letters, lower case letters, numbers, and characters that are neither letters nor numbers (symbols and punctuation marks other than wildcards). It is a bad idea to actually use a real word for a password, since there are programs that will attack a system by trying to log in to a known account, using every word in a dictionary file as the password, one after another.
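The complexity rule above, modeled in Python as an added example (not from the course text or from Windows itself). It also rejects words from a constructed dictionary, since that is the attack the paragraph warns about. The assumption that a "portion" of the logon name means any run of three or more consecutive characters is mine.

```python
"""Model of the Windows domain password complexity rule described in the
notes, plus a dictionary-word check. Added example, not the course's code."""
import string

# Constructed, tiny stand-in for the dictionary file a guessing program uses.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "dragon", "monkey"}

# Assumption: a "portion" of the logon name is any run of 3 or more
# consecutive characters, compared case-insensitively.
MIN_NAME_FRAGMENT = 3


def contains_logon_name_portion(password: str, logon_name: str) -> bool:
    """True if any 3+ character slice of the logon name appears in the password."""
    pw, name = password.lower(), logon_name.lower()
    if not name:
        return False
    if len(name) < MIN_NAME_FRAGMENT:
        return name in pw
    return any(name[i:i + MIN_NAME_FRAGMENT] in pw
               for i in range(len(name) - MIN_NAME_FRAGMENT + 1))


def character_classes(password: str) -> set:
    """Return which of the four character classes the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")  # punctuation and every other non-alphanumeric
    return classes


def check_password(password: str, logon_name: str) -> list:
    """Return the rules the password fails; an empty list means it is accepted."""
    failures = []
    if contains_logon_name_portion(password, logon_name):
        failures.append("contains part of the logon name")
    if len(character_classes(password)) < 3:
        failures.append("uses fewer than three character classes")
    if password.lower() in DICTIONARY_WORDS:
        failures.append("is a dictionary word")
    return failures
```

Note that "Password1" passes every rule here, which is why the notes also tell you to avoid real words as the base of a password.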

In general, users should be given accounts on a network, and the accounts should have required passwords. The user accounts should be assigned permissions to the resources the users need, and only to those resources. When you grant permission to a resource, e.g. a folder, you are modifying the Access Control List property of the resource. The text tells us that an administrator can run the command cacls to configure access control lists of files and folders.

The text repeats some material already covered in other chapters:

  • Three commonly used types of accounts in Windows networks are Administrator, Guest, and Limited User.
  • People who work as administrators should have two accounts: a Limited User account for their daily work, and an Administrator account to be used only when they do work that affects the system
  • The desktop used for each account should look different, so the user knows which account they are in instantly.
  • Administrator accounts and Limited User accounts for the same user should have different passwords. The password on the Administrator account should have stronger restrictions and expire more frequently than the User account. Microsoft recommends requiring password changes on User accounts every 90 days, and on Administrator accounts every 60 days.

The text moves on to firewalls, another repeated topic. A firewall is most important when a system is attached to the Internet every time it is turned on. It is important even without Internet access, if we remember that most system attacks in corporate environments originate inside your environment.

Firewalls can be implemented with software, hardware, or both. A Windows version of a firewall is included with XP Service Pack 2.

The text repeats its advice about using anti-virus software. Update it frequently, configure it to use its firewall (if it has one), configure it to scan files when they are opened, and scan email as well. The text recommends using Ad-Aware, a fine product for removing adware and spyware. Note, however, something that most users seem to never notice: Ad-Aware is not free for anything but home use. Users in corporate, business, government, educational, and other environments must pay for this software.

We are again reminded to keep our Windows operating systems and Microsoft applications up to date on security patches. As already discussed, you can configure your workstations to automatically check for updates, automatically download updates, or automatically install updates. Personally, I like the first option best, because I really hate the system slowing down (while downloading or installing) or rebooting automatically (due to an installation) when I am trying to work. A system that does not tell the user it is about to become very busy or unavailable is not a user friendly system.

The text discusses security related options available in Internet Explorer. More detail is given this time. Options include:

  • Pop-up blocker
  • The ability to manage add-ons
  • The ability to block scripts
  • The ability to disable scripts embedded in Web pages
  • The ability to set the general security level (Medium is recommended)

Lest we think that the text is promoting only Microsoft products, we are reminded that there are some good reasons to use alternative software. Hackers and virus writers tend to write specifically for Internet Explorer and Outlook because they are so widespread. There have been times that my work environment has avoided email viruses because we were on a different platform.

The text moves on to recommend using the Microsoft Shared Computer Toolkit for Windows XP, to prevent any changes to a hard drive that Windows is loaded on. This product has been replaced by Windows SteadyState, which does the same thing.

  • Why would you want to use this?
  • Consider it useful in any environment where the average user is likely to change the operating system in a way that you don't want. In an airport, in a retail store, or a demonstration area, you want the same look and feel with every restart.
  • Baker uses a product like this to put a student workstation back in the same state every time it is rebooted. This makes the workstations behave the same way for each student.
  • Would I use this at home? Never. My computer is the way I want it and is unlikely to be changed by another user.
  • Would I use it in a corporate environment? Probably. It is meant to keep things the way they are intended to be, which makes it possible to support thousands of users the same way without having to investigate their workstation every time a problem is called in.

The text describes the Windows 2000/XP Encrypting File System (EFS), which lets you encrypt the contents of files and folders. This kind of feature is recommended for laptops, since they are lost or stolen more often than desktops. It is also a good idea if a desktop user frequently deals with sensitive information.

The text moves on to discuss general physical security ideas:

  • Don't move your computer when it's turned on - you are more likely to damage the hard drive if the computer is moved while running
  • Don't smoke around your computer - computers suck in air to cool themselves; sucking in smoke will damage electronic components
  • If your data is private, keep it under lock and key - encrypt, deny permissions, and lock the door
  • Keep magnets away from your computer - hard drives, floppies, and CRT screens all react badly to magnetic fields
  • Lock down the computer case - it doesn't take long to install components, and it takes less time to remove them

The text turns to the interesting topic of social engineering. The link I placed on that term goes to a good article about using social skills to gain access to things you shouldn't have access to. People who use these techniques are always thinking up new ones, but the old ones keep popping up, too. So the text offers basic advice to avoid this sort of con artist:

  • Phishing is sending an e-mail request for a person's financial data - before you think about responding to such a message, ask yourself why they need what they are asking for, and why they did not use a more believable procedure
  • Scam e-mail can be an offer to join phony ventures, like the classic Nigerian Bank Manager scam. If someone sends you an e-mail offering huge rewards for access to your bank account, trash it immediately.
  • Virus (e-mail) hoaxes clog up e-mail systems - and not just viruses, but chain letter hoaxes as well. When you get an e-mail like this, Google it. (Yes, that's a verb now.) Look on the Snopes.com web site, the anti-virus vendor web sites, and find the truth before you pass along an e-mail that will make you look foolish and waste time and resources.
  • Do not click links inside e-mail messages without knowing where they will go.
  • Investigate a Web site before downloading software or giving it your credit card number.

The text repeats its thoughts about making backups and refers us to chapter 4. (The notes for chapter 4 were revised as this page was being written to include more detail about backups in one place on this site.)

At sites where secure and sensitive data are kept, users should be encouraged, if not required, to submit incident reports when they think a security breach may have taken place. Such a report should be taken and investigated by a computer security officer of that entity.

Trash is a common avenue for the loss of important data. In general:

  • If you are throwing out sensitive documents, shred or burn them
  • If you are throwing out data storage media, destroy it: break CDs, smash hard drive disks, have lots of fun
  • If you are re-using hard drives, don't just delete the files, overwrite them with all 0s (there is software to do this)

Administrators should regularly check their environments for trouble. This includes everything we have said about PCs, and means we should apply the ideas to servers and our network as well.

The text finally moves on to protecting networks and wireless installations. As explained in a previous chapter, installing a router to make a LAN at a home office (or small regular office) can give you some security advantages:

  • Limit communication from outside the network
  • Limit communication from within the network
  • Secure a wireless access point
  • Implement a virtual private network (VPN)

The text discusses some authentication methods that are frequently used by remote users who connect to your network through a public network like the Internet. This makes their connection a virtual private network (VPN):

  • password encryption
  • data encryption
  • secure authentication protocols, like CHAP and Kerberos
  • two-factor authentication - the most common methods use something you have and something you know
    • the thing you know is usually a password
    • the thing you have may be a fingerprint, an iris scan, or the ever-changing number on a SecurID card

Malicious software is a general name for viruses, worms, and any other software that is damaging to your computer or network. It is often shortened to malware.

The list of malware symptoms offered by the text is too long and varied to memorize. Unfortunately, some of the symptoms can be caused by other factors. It may be better to consider malware as a possible cause whenever any unexplained behaviors are noticed in computers.

As a caution to users and technicians alike, the text offers a list of kinds of malware. Note, the list is not exhaustive:

  • Virus - a program that replicates by attaching to other programs
    • Infected program must execute for virus to run
    • Boot sector virus hides in the boot sector program
    • File virus hides in executable (.exe, .com, or .sys)
    • Multipartite virus is a combined boot sector and file virus
    • Macro virus hides in documents with macro files
    • Script virus is a virus that hides in a script
    • Protection: run AV software in the background
  • Adware - produces unwanted pop-up ads
  • Spam - junk e-mail that you do not want
  • Spyware - program installed to spy on you
  • Worm - self-replicating program that overloads network
  • Browser hijacker - alters home page/browser settings
  • Dialer - dials phone number(s) without your knowledge
  • Keylogger - tracks all your keystrokes; may save them in a file or transmit them to someone
  • Logic bomb - dormant code triggered by an event, such as executing on a particular date
  • Trojan horse - disguises itself as a legitimate program, executes when the user runs it

The chapter ends with advice to invest in reliable, reputable anti-virus programs. If you suspect an infestation, run the anti-virus product and clean the environment. If you find an infection:

  • Clean it
  • Respond to any startup errors
  • Delete malicious files
  • Purge restore points (because they could contain copies of the virus)
  • Clean the registry (difficult to dangerous; check the anti-virus vendor web sites for specific instructions)