Re: Short List of Security Questions




"dw85745" <dw85745_NOT@xxxxxxxxxxxxx> wrote in message
news:uvwH21tpGHA.516@xxxxxxxxxxxxxxxxxxxxxxx
As a Programmer and an End User one of my biggest frustrations is getting
"WHAT YOU SHOULD DO" Security Information related to Windows.
I can write code all day long, but when it comes to securing Windows I knock
my head against the wall.

A short list of my questions:

For each OS (Win98 through XP) and each version (Home and Pro):

1) Is default best?
No matter what OS you use, where do you get a detailed explanation regarding
what all the switches do in Internet Explorer and whether you should set
them or not. The #$%^% poor explanation you get when you right click on the
checkbox is useless as far as I'm concerned.

www.microsoft.com/technet/security

Look for the Windows Security Guides for the appropriate version of Windows,
and also the documentation on XP Service Pack 2. Windows XP SP2 and 2003
have made the default settings for IE and many other things much more sane
and secure by default.

2) How do you keep an installed program from having access to other
programs or other parts of the system in a standalone home computer (here I
refer to file permissions and other security measures)?

This level of security [like a chroot jail] is not widely implemented in
home user workstations on any operating system, unless there's an expert
admin at home that can manage the administrative overhead and know-how
required. But on XP and newer, you can use the limited NetworkService and
LocalService security contexts... and log in as a low privileged user and
use the Runas feature for software installation and system administration.
You can also use the method utilized by Michael Howard's DropMyRights
utility to remove privileges when executing a process. However, I'm not
necessarily advocating any of these methods as being necessary or desirable.
DropMyRights is interesting, but does it make your computer more secure?
I'm not so sure. IE vulns are not as great a risk to your computer as the
media makes it sound. Three of the biggest recent IE vulns were
Download.Ject, the so-called "IFRAME" overflow and Qhosts, and they really
didn't infect very many systems compared to say, the RPC Blaster worm.
DropMyRights and the other methods you're asking about don't protect you at
all from network vulnerability worms like Blaster.

3) Win98 had a big problem with NetBEUI. Do other windows OSes have this
type of or similar issues?

Define "big problem." Most networked, multitasking, GUI-based OSes in 1998
used chatty network protocols to communicate. OS/2, Novell NetWare /
IPX/SPX, and especially Mac AppleTalk are no exceptions. Windows Me was
very similar to Me. Neither 98 nor Me required you to use NetBEUI. You
could and did use IPX/SPX and TCP/IP to communicate to various servers, and
you could disable NetBEUI. NetBEUI cannot natively be routed beyond the
local subnet past a router. You may be thinking of NBT, NetBIOS over
TCP/IP, which is not NetBEUI. Neither of these is what I would call "big
problems." Windows 2000 was the first OS to allow Windows clients to talk
to Windows servers without using NetBIOS. Or maybe you're thinking of the
NetBIOS share worms that spread mostly under Windows 98. Again, not
NetBEUI, and things like missing patches and weak passwords were at least
partly to blame.

4) After I go to Windows Update and download the security patches, what
changes have been made to my system?

That depends on the patch. WU doesn't really change your system, the
patches do, and each one is different. If you really want to know, you'd
have to read the documentation before you install the patch. I don't see
this as being terribly useful in reducing your risk of experiencing
problems, however. Even after reading the bulletins, you'd know what files
were modified, but no one on the planet really knows all of the possible
ramifications of the code changes made in that file. As a home user, you'd
spend more time reading all the bulletins than you would spend fixing
problems due to patching. A common strategy is to wait a week and see if
problems are reported before installing patches. If you are really
concerned about downtime, then nothing can replace testing the patch in your
environment, though, because each environment is unique.

5) What are the security differences between Home Edition and Pro Editions
(IMHO MS needs to include all security capability in Home as well as Pro)?

Microsoft doesn't need to do anything. Many of the vendors you buy from
offer different levels of products, like the cheaper Intel CPU chips that
intentionally had the L2 cache burned out, or like cars where you have to
pay a la carte to pick and choose which bonus features you want to add.
Windows XP Home is safe enough for a home user, but if you feel you need
more, you pay for more. Most of the security changes in XP Home have to do
with automated remote management that is most useful for enterprises. Group
Policy isn't in XP Home, for example, and you can only use CACLS at the
command line to edit NTFS file permissions, there is no GUI security tab for
file permissions. A Google search tells you all you need to know:

http://www.google.com/search?q=xp-home+xp-pro+OR+xp-professional+group-policy
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/z04d621675.mspx
"The following security features are not included with Windows XP Home
Edition:

- Encrypting File System (EFS)
- Computer domain account support
- Access Control List (ACL) Editor
- Administrative shares (available only when joined to a domain)
- Log on using dial-up connection option in Log On to Windows dialog box
- Security-related Group Policy settings"




--------------------------------------------------------------
If anyone knows of an EXCELLENT book or a website that explains this by OS,
it would be appreciated.

There aren't that many differences, so I don't think a book is needed.

This isn't a homework assignment, is it? I hate doing people's homework for
them.

