Security on Windows XP
By default everyone has virtually full access to all files. Security requires the NTFS filesystem. During setup, XP creates a group of shared folders for all users. These folders are not available if the PC is joined to a domain. Full security options are available on XP Home only in safe mode. In Simple File Sharing, administrators have access to every user's profile by default. My Computer displays a folder for every user's My Documents folder, plus a folder called Shared Documents.
Controlling Access
- require each user to identify themselves when logging on
- control access to files and folders
- audit system events
Windows XP security is discretionary: each securable system resource has an owner who has discretion over access. Administrators can take ownership. Security requires use of the NTFS filesystem. Each user account has a SID. At logon users are granted a Security Access Token which includes the username, the SID, plus info about security group membership. Any program you start gets your security access token. Every resource has an ACL: a list of SIDs and their access privileges. Permissions: the ability to access an object in some defined manner, set via the properties box. Rights: the ability to perform a particular system-wide action, set via Local Security Policy. Permissions and rights for groups are cumulative.
SID: variable length, contains a revision level, a 48-bit identifier authority value, and a number of 32-bit sub-authority values. Each account has a unique SID. Although usernames can be deleted and re-issued, SIDs are never reused. If a permissions list contains a SID for a deleted account, the SID can be removed because it will never be re-assigned. Well-known SIDs are constant across all Windows XP systems (see the Resource Kit for the full list). Two special accounts:
Administrator: has full rights over the entire system
Guest: by default disabled. Is designed to allow access without a password. Guest account is used for share access when Simple File Sharing is enabled
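To make the SID layout described above concrete, here is an added Python example (not from the original notes) that decodes a binary SID into its S-1-... string form and back, and labels the well-known SIDs the notes refer to. The well-known table is a constructed subset; the binary layout (revision byte, sub-authority count byte, 48-bit big-endian authority, little-endian 32-bit sub-authorities) is the standard one.

```python
import struct

# Constructed subset of well-known SIDs; these are identical on every XP system.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "Creator Owner",
    "S-1-5-2": "Network",
    "S-1-5-4": "Interactive",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

def parse_sid(blob: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then count x 32-bit little-endian
    sub-authorities. Returns the familiar S-R-A-S1-S2-... string."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def build_sid(text: str) -> bytes:
    """Encode an S-R-A-... string back into the binary layout parse_sid reads."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID field out of range")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def describe(text: str) -> str:
    """Name a well-known SID; anything else is account-specific and never reused."""
    return WELL_KNOWN.get(text, "account-specific SID (never reused once deleted)")
```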
In workgroup setup, the security database resides on local computer and contains info on accounts and groups. In a domain setup, the domain controllers maintain the database for domain accounts
Computer Administrators (includes groups added during setup)
- administer accounts
- install programs
- share folders
- set permissions
- access all files
- take ownership
- grant rights
- install hardware
- logon in safe mode
Limited Accounts (members of Users Group)
- change password, picture, .Net Passport for own account
- use programs
- view permissions
- manage files in their document folders
- view files in shared docs folders
Guest: similar to Limited but cannot change their password. Secure the guest account: prevent network logon (secpol); prevent shutdown (secpol); prevent access to the event log (regedit)
Unknown (resulting from an upgrade, or specifically created using the 'Local Users and Groups' console or 'net localgroup'). The User Accounts console automatically adds users to Administrators or Users.
Accounts migrated from NT/2000 keep their group membership and passwords. Accounts migrated from Win98/Me are members of the Administrators group and have no password. Until you assign a password, anyone can log on locally by simply selecting a username. Network logon is not possible with a blank password (disabled in secpol). If Windows requires a logon password but you don't have one, this occurs because auditing is turned on.
Default Groups
- Backup Operators, backup/restore, use backup utility program
- HelpServicesGroup: can connect with Remote Assistance
- Network Configuration Operators
- Power Users: can share folders, manage printers, create local users and groups
- Replicators: can manage replication
Only Help Services group is included with XP Home
Use User Accounts to change:
- fullname
- passwords
- picture (in '%allusersprofile%\%appdata%\MS\user account\pictures\Default pictures'). Can be bmp, jpg, gif, png
- account type
- .Net Password: own account
- Network password: own account (single sign-on, secure on-line payments, Required for IM, Web publishing, photo-print ordering)
- password reset disk: own account (use Prevent a forgotten password link)
- delete an account: prompts to delete files also
- set password hint
If you delete an account with User Accounts, the user's profile remains. If you then re-use the username, XP has to create a new profile folder (username.machine.1, etc.). The longest filename is the most recent. If you change or remove another user's password, that user loses access to their encrypted files, certificates, stored passwords and emails. Windows deletes the certificates and passwords to prevent the administrator gaining access to them. Your master key is encrypted with a hash of your password; when the password is changed, the key is no longer accessible. Change the password back to the old password or use the password reset disk.
lusrmgr.msc and 'net user' for greater control of accounts. Net user options:
net user:
- /display
- /add
- /random
- /fullname:name
- /comment:text
- /passwordchg:[yes|no]
- /active:[yes|no]
- /expires:[date|never]
- /times:[times|all]
- /delete
net localgroup "power users" jan josie /add. Append /domain to work with accounts from your primary domain.
Password policies can be set with Local Security Policy or via 'net accounts' (uniquepw | maxpwage | minpwage | minpwlen)
Fast User Switching
- Win+L
- Welcome screen must be enabled
- PC not on a domain
- offline files must be disabled
Simple File Sharing
- a stripped down interface allowing easy access to common security arrangements
- combines share and NTFS permissions
- security tab not visible
- permissions set at folder level only
- options limited: share locally, share network or not shared
- Network users connect with Guest only privileges
- Only option in XP home
- Enabled by default on computers that are not part of a domain
- Dis/enable via HKLM\System\CurrentControlSet\Control\LSA\ForceGuest = 1 (enabled)
User Profile
- all desktop settings
- personal registry settings
- cookies
- documents
- shortcuts to network places
Logon: two methods: Welcome screen or classic logon. Changed via User Accounts: Change the way users log on. Enable logon via registry or gpedit. With the Welcome Screen, press Ctrl+Alt+Del to log on as Administrator. Administrator can't log on locally on XP Home except in safe mode (press F8 during startup). The Administrator account cannot be deleted. Use secpol to rename the Administrator account.
Limitations of SFS
- make private option only available within user profile space
- privacy applies to all subfolders of a private folder
- setting is either all or nothing
- moved objects take on the permissions of the new container: this behaviour changes if you disable SFS
How SFS works
When an account is created, its profile is created with user+Administrators+SYSTEM: Full Control and the user as Creator Owner. When you make a folder private, Administrators is removed from the ACL. Shared folders: Administrators: Full, Power Users: Modify, Users: Read and Open. Shared folders are located in %allUsersProfile%. When adding a password for an account, XP displays a dialogue to make folders private. If the 'make private' option is unavailable, check:
- is drive NTFS
- is folder in user profile
- is this a subfolder of a private folder
Turn SFS off using Folder Options: View.
Permissions
Permissions are stored in the filesystem as part of the ACL. Deny ACEs take precedence.
| Permission | Effect |
|---|---|
| Full Control | Full |
| Modify | all but take ownership and change permissions |
| Read And Execute | view, execute, read and list |
| List Folder | same as Read and Execute, but inherited by subfolders not files |
| Read | list folders, view file attributes, read permissions and synchronise files |
| Write | Read, plus create files and write data |
| Special | Does not match any of the above templates |
Permissions Tips
- start at the top and work down
- organise shared files into common locations
- use groups
- steer clear of special permissions
- grant only level required
- use predefined templates, then go to special permissions if required
- Security tab not visible: SFS in force? NTFS?
- Made changes but check mark not visible: if permissions apply to anything but the default scope (this folder, subfolders and files), the check mark appears against 'Special Permissions' instead
- Permissions Unavailable: are you owner? administrator? permissions inherited?
Copy vs Move
Copying (same drive) – file inherits permissions from destination, you become owner
Move (same drive) – file keeps its permissions, you become owner
Move (different drive) – same as copy
Special Identities
- Everyone: Everyone except anonymous logins
- Creator Owner: creator or owner
- Authenticated User: does not include Guest. Anyone who logs on with a username and password
- Interactive: Anyone who logs on locally or using Remote Desktop
- Anonymous Logon: Logs on with no credentials, e.g. connections to Web Server
- Dialup
- Network: Anyone who logs on over the network: does not include Remote Desktop
Example permissions
Read&Execute + Write: Users PLUS Full Control: Creator Owner
- in this configuration anyone who creates a folder becomes its owner. Other users can't delete them. Good for shared folders.
Full Control: Authenticated Users: PLUS None: Everyone
- denies access to the Guest account
Tampering with the default permissions on the drive that contains windows system files is a bad idea: XP applies specific settings to root, windows, system32 and docs and settings. See Q244600 in MSKB.
Inheritance
Inheritance: by default any new permissions assigned to a folder are passed on to subfolders. Inheritance is designed to make permission management simpler. Inheritance can be turned off on a per-folder basis. As a general rule, if you have to turn off inheritance a lot, you probably have a faulty folder structure. The Advanced tab displays an 'inherited from' column. Removing inheritance prompts to copy, remove or cancel. The folder then becomes a new top-level folder or inheritance object for the folders below it. To change inheritance properties use the 'apply onto' dialogue:
- this folder only
- this folder, subfolders and files
- this folder and subfolders
- this folder and files
- subfolders and files only
- subfolders only
- files only
NTFS permissions are cumulative: the least restrictive applies (subject to deny ACEs). The Effective Permissions tab lets you view the result of changes, but does not include permissions granted to Creator Owner, Anonymous or the Authenticated Users group. It also does not account for whether you are logging on interactively or over the network.
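The ACL model in these notes (a token of SIDs, an ordered list of allow/deny ACEs, cumulative allows, deny taking precedence, and CREATOR OWNER standing in for the real owner) can be exercised offline. The following is an added Python example, not part of the original notes; the rights sets follow the permission templates above, the ACL and tokens are constructed, and the 21-0-0-0 machine SID part is a placeholder.

```python
# Rights named after the notes' Special Permissions table (representative subset).
READ = {"list_folder/read_data", "read_attributes", "read_extended_attributes",
        "read_permissions", "synchronize"}
READ_EXECUTE = READ | {"traverse_folder/execute_file"}
WRITE = {"create_files/write_data", "create_folders/append_data",
         "write_attributes", "write_extended_attributes"}
MODIFY = READ_EXECUTE | WRITE | {"delete"}
FULL_CONTROL = MODIFY | {"delete_subfolders_and_files", "change_permissions",
                         "take_ownership"}

# Well-known SIDs used below: Everyone, Creator Owner, Users, Guests.
EVERYONE, CREATOR_OWNER = "S-1-1-0", "S-1-3-0"
USERS, GUESTS = "S-1-5-32-545", "S-1-5-32-546"

def resolve(acl, owner_sid):
    """CREATOR OWNER is a placeholder: when an ACE carrying it is inherited by an
    object, NTFS substitutes the SID of that object's actual owner."""
    return [(kind, owner_sid if sid == CREATOR_OWNER else sid, rights)
            for kind, sid, rights in acl]

def effective_rights(token, acl):
    """token: the SIDs in the caller's access token (own SID, groups, special
    identities). acl: ordered (type, sid, rights) tuples. Allows are cumulative
    across every matching ACE; a matching deny removes its rights, so deny wins."""
    allowed, denied = set(), set()
    for kind, sid, rights in acl:
        if sid in token:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied

def access_check(token, acl, requested):
    """Order-sensitive walk the way the access check actually runs: stop at the
    first matching deny covering a requested right not yet granted, or as soon as
    everything requested has been granted. Assumes canonical (deny-first) order."""
    granted = set()
    for kind, sid, rights in acl:
        if sid not in token:
            continue
        if kind == "deny" and (requested & rights) - granted:
            return False
        if kind == "allow":
            granted |= rights & requested
            if requested <= granted:
                return True
    return requested <= granted

# Constructed shared-folder ACL: the notes' "Read&Execute + Write: Users PLUS
# Full Control: Creator Owner", plus Read for Everyone and a deny for Guests
# placed first (canonical order).
SHARED_ACL = [("deny", GUESTS, FULL_CONTROL),
              ("allow", EVERYONE, READ),
              ("allow", USERS, READ_EXECUTE | WRITE),
              ("allow", CREATOR_OWNER, FULL_CONTROL)]
# Constructed tokens; S-1-5-11 is Authenticated Users, which Guest never gets.
JAN = {"S-1-5-21-0-0-0-1001", USERS, EVERYONE, "S-1-5-11"}
JOSIE = {"S-1-5-21-0-0-0-1002", USERS, EVERYONE, "S-1-5-11"}
GUEST = {"S-1-5-21-0-0-0-501", GUESTS, EVERYONE}
```

Resolving the ACL for a file Jan created gives her Full Control, leaves Josie without Delete (so she cannot remove Jan's files), and gives Guest nothing even though Everyone is allowed Read, because the deny ACE wins.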
Special Permissions
| Permission | Effect |
|---|---|
| Traverse Folder, Execute File | |
| List Folder, Read Data | |
| Read Attributes | |
| Read Extended Attributes | |
| Create Files, Write Data | |
| Create Folders, Append Data | append data means write or overwrite data to file |
| Write Attributes | |
| Write Extended Attributes | |
| Delete Subfolders and files | |
| Delete | |
| Read | |
| Change Permissions | |
| Take Ownership | |
| Synchronize | |
The cacls program can be found in \support\tools\support.cab
Troubleshooting Permissions
When you copy a file or folder to an NTFS partition: the newly created file takes on permissions from the new folder, you become the creator owner
When you move a file or folder within an NTFS partition: the moved object retains its original permissions, you become creator owner
When you move a file or folder from one NTFS drive to another: the moved object picks up permissions from the destination, you become creator owner
When you copy or move from FAT32 to NTFS: the object inherits from the container, you become the creator owner
When you copy or move from NTFS to FAT32: the object loses all permissions
General rule: copy guarantees inheritance; move only inherits if the drive changes.
Don't forget to check inheritance when debugging permission problems
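The inheritance scopes from the 'apply onto' list and the copy/move rules above can be combined into one decision function. This is an added Python example, not part of the original notes; the sample folder ACL is constructed, and the propagation of scope into subfolders is simplified (an inherited ACE keeps its original scope so it continues down the tree).

```python
# "Apply onto" choices from the Advanced security dialog, mapped to
# (propagates to subfolders, propagates to files).
APPLY_ONTO = {
    "this folder only": (False, False),
    "this folder, subfolders and files": (True, True),
    "this folder and subfolders": (True, False),
    "this folder and files": (False, True),
    "subfolders and files only": (True, True),
    "subfolders only": (True, False),
    "files only": (False, True),
}

def inherited_aces(parent_aces, child_is_folder):
    """Return the ACEs a new child picks up from its container. Each ACE is a
    dict with 'sid', 'rights', 'apply_onto' and an 'inherited' flag (this is
    what the Advanced tab's 'inherited from' column reflects)."""
    result = []
    for ace in parent_aces:
        to_subfolders, to_files = APPLY_ONTO[ace["apply_onto"]]
        if (child_is_folder and to_subfolders) or (not child_is_folder and to_files):
            result.append({**ace, "inherited": True})
    return result

def resulting_security(op, src_fs, dst_fs, same_volume, src_aces,
                       dst_parent_aces, actor_sid, is_folder=False):
    """Apply the notes' copy/move rules. Returns (aces, owner); aces is None on
    FAT32 because that filesystem stores no ACL at all."""
    if op not in ("copy", "move"):
        raise ValueError(f"unknown operation {op!r}")
    if dst_fs == "FAT32":
        return None, None             # NTFS/FAT32 -> FAT32: all permissions lost
    inherit = inherited_aces(dst_parent_aces, is_folder)
    if src_fs == "FAT32":
        return inherit, actor_sid     # FAT32 -> NTFS: inherits from container
    if op == "copy" or not same_volume:
        return inherit, actor_sid     # copy anywhere, or move across volumes
    # move within one NTFS volume: the object keeps the ACL it already had
    return list(src_aces), actor_sid

# Constructed ACL for a shared folder: Users read-and-execute everywhere,
# Administrators full on folders only, Creator Owner full on children only.
SHARED_DOCS = [
    {"sid": "S-1-5-32-545", "rights": "Read and Execute",
     "apply_onto": "this folder, subfolders and files", "inherited": False},
    {"sid": "S-1-5-32-544", "rights": "Full Control",
     "apply_onto": "this folder and subfolders", "inherited": False},
    {"sid": "S-1-3-0", "rights": "Full Control",
     "apply_onto": "subfolders and files only", "inherited": False},
]
```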
Encryption
Disable EFS using a DWORD value of 1 at HKLM\Software\WindowsNT\CurrentVersion\EFS or via group policies.
You can't encrypt compressed files – Windows will uncompress them if you choose to encrypt.
You can't encrypt files with the system attribute, files in a roaming profile, or files in %SYSTEMROOT%. Encrypted files can still be deleted by other users. Copying an encrypted file to a volume that does not support EFS (e.g. NT4 or a FAT partition) will cause the file to lose its encryption. Backups do not remove encryption.
EFS uses your public key to create a file encryption key (FEK). Encrypted files can only be decrypted using your personal encryption certificate (PEC) and private key (PK), which is only available at your logon. If you copy encrypted files to another computer, you'll need to copy your PEC and PK also. The PEC and PK are stored in your roaming profile. These should be backed up! It is best to encrypt folders – this way new files in the folder are automatically encrypted. To allow others to access the file, right-click, Properties, Advanced. You'll only be able to select users who already have an EFS key installed on that computer.
EFS not available on XP Home. Encryption is the process of encoding data using a key algorithm. Without the correct key, the data cannot be decrypted. XP uses encryption for
- encrypting files on an NTFS drive
- encrypting web data with SSL
- encrypting data over VPN
- encrypting or signing emails
Encryption protects from weaknesses of NTFS permissions:
- administrators can take ownership
- NTFSDOS
- hard disks transferred to another computer
EFS
- uses your public key to create a randomly generated File Encryption Key
- uses FEK to encrypt data as it is written
- data can be decrypted only with your certificate and private key (automatically available when you logon)
- designated recovery agents can also decrypt your data
- when changing a folder to encrypted, if you select 'this folder only', existing files will not be encrypted
- System files can not be encrypted
- Avoid encrypting files: some applications create temporary files, then save temporary file and delete original
- encrypted files can still be deleted
- copying a file to an encrypted folder encrypts it
- copy an encrypted file to another PC and it remains encrypted, unless EFS is disabled or machine is not running XP/2000
- to use encrypted file on another computer, your certificate and key must be available
- when you backup an encrypted file it remains encrypted
- restorable files from recycle bin retain encryption
- encryption keys stored in (roaming) profile
- encrypted files show letter 'E' in attributes
To allow other users to access your encrypted files, choose Properties: General: Advanced: Details: Add. Only users who have an EFS certificate on your computer can be added
cipher
- /e encrypt
- /d decrypt
- /s folder and subfolder (not files)
- /a specified files and files in subfolders
- /k creates a new key
- /r generates recovery agent
- /u updates encryption key on every file
- /i continue even if errors occur
- /f force encryption: even on already encrypted files
- /q quiet mode
- /h perform operation on hidden files
Recovery Agent
The domain administrator is the default recovery agent. Recovery agents can only decrypt files that were encrypted after the recovery agent's certificate was installed.
To generate a recovery agent certificate:
- logon as administrator
- cipher /r:filename (generates .pfx and .cer files. These files allow anyone to become a recovery agent)
To designate a recovery agent
- logon with data recovery agent account
- launch certmgr.msc (or open an mmc and add certificates snap-in)
- go to certificates: current user\personal
- action: all tasks: import
- enter path of encryption certificate (.pfx: personal information exchange)
- enter password
- select 'mark key as exportable'
- select 'automatically select certificate store'
- click finish
- goto secpol, security settings\public key policies\EFS
- action: add recovery agent
- browse to .cer file (can be stored locally or in Active Directory)
Remove the private key to prevent someone logging in as administrator and viewing encrypted files
- logon with recovery agent account
- run certificate export wizard
- copy and delete private key
- copy and delete file to removable storage
Without private key, recovery agent cannot decrypt any files. The public key is still added to each newly encrypted file.
When you use EFS for the first time, windows creates a self-signed certificate, which becomes your personal encryption certificate and contains your public/private key pair.
Backup recovery agent certificate:
- logon as administrator
- secpol: EFS
- export recovery certificate
- select DER encoded
- specify path
Backup personal certificate:
- content tab of internet options
- certificates: personal
- highlight and export EFS certificate
Import personal certificates via internet options also, to personal store or use certificates mmc. efsinfo utility (from support.cab) shows who encrypted and who can decrypt a file.
Disable EFS via regedit, EFS\EFSConfiguration=1, or GPO for domains
Extra measures:
- don't destroy recovery certificates when you change recovery agents. Wait until all files have been updated
- avoid using spool files, or encrypt them
Clear Pagefile at Shutdown
hklm\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown = 1
