Windows XP finally brings real security to the desktop

by Rik Farrow <rik@spirit.com>

By now, XP has been released and desktop systems finally get all of the reliability and security features found in Microsoft's server operating system, Windows 2000. You also get some features designed to make XP a much better fit than Windows 2000 for a notebook, desktop, or home system.

And it all comes at a price--complexity. Microsoft's designers have done their best to create reasonable defaults without sacrificing too much security, and the average home user may be able to live with these defaults. The fascist network administrator will just love Windows XP because of the level of control it provides over desktops, even to the point of blocking the execution of certain applications. Security lovers will appreciate the enhanced authentication, which can support SmartCards for domain login and to hold private keys.

But the real answer--how secure is Windows XP--will not appear for months, or even years, as enough people begin to understand this elaborate operating system and its many features. XP does include the Indexing Service, a later version of the software whose IIS ISAPI extension (idq.dll) was exploited for many weeks this summer by the Code Red worm. The overflow lives in the IIS side of that software, so a system on which IIS is not installed does not expose it; that is one more reason to leave IIS off a desktop. For now, let's just take a look at some of the things XP can do to improve your security.

Flavors

Windows XP comes in two flavors, Home and Professional. I have only examined Professional (Release Candidate 2), but the two appear to be largely similar. XP can also be viewed as having two flavors of a different kind: installed as a member of a domain, or installed in a workgroup or as a standalone system. Many of the defaults discussed below differ between the two.

Windows XP is Windows 2000, evolved and modified to function best as a desktop operating system--that is, primarily as a system for end users. IIS is included with XP Professional, but you can choose not to install it (and should not, unless you need it). You will need a fast system with lots of memory for reasonable operation, and lower-resolution monitors just won't cut it: many messages are displayed in a single table row and will not fit even on a 1024x768 monitor. XP is designed for new desktop systems, not ones two years old.

Like Windows 2000, XP uses the NT File System (NTFS), a journaling file system more robust than the old FAT file systems. Access control lists (ACLs) are part of NTFS, and I am happy to write that the default ACLs on system files and directories are much stronger than what you may be used to seeing in Windows NT. Microsoft set up NT's ACLs as a compromise that permitted ordinary users great latitude in installing software, something that also permits installing Trojan horses. XP, by default, restricts writing of system files to the Local System account and the Administrators group. Here is where you can see the beginning of the great divide between domain and standalone use: the default account created in a standalone or workgroup install is automatically a member of the powerful Administrators group, so the latitude that the tighter ACLs were meant to remove is handed straight back to whoever sits at the console.

As an Administrator, you control your XP system. You can create users, who can themselves be administrators or just normal users. You can also play with twisting the controls, and there are many of those. In the corporate, domain-controlled environment, the person who creates and modifies domain accounts controls what users of XP can do. A local Administrator can install software, for example; a domain user cannot unless made a member of a group that grants that right.

XP goes farther than Windows 2000 when it comes to control. Policy can be created to limit which applications any user can execute. For standalone XP, this is done through the Local Security Settings; when XP is installed in a domain, the same settings are pushed out through Group Policy in the Microsoft Management Console (MMC). Either way the policy, called Software Restriction Policies, can either permit all applications while blocking a small set (specific games, for example), or block all applications except a specific set. It is more clever than some attempts in the past, as a rule can be based on a hash of the application in question, so renaming tombraiders.exe to word.exe won't work. Well, won't necessarily work: a clever person with a binary editor could tweak a couple of bits to change the hash, and the tweaked copy then matches no hash rule at all. That evasion only helps when the default is to allow; under a block-all default the tweaked copy simply fails to match the allow rule and is blocked with everything else. Path rules are also available, but anything copied into a trusted directory inherits its trust. For the really manic control freak, certificate rules can be used instead, which together with a block-all default mean that only code signed by a trusted publisher runs at all.
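The rule matching described above, as an added example that is not Microsoft's code. It is a toy model of Software Restriction Policies with hash and path rules and the two default modes; the program images, paths and rule precedence (hash beats path, longest path prefix wins) are constructed for illustration, and the digest used (SHA-256) stands in for whatever the real policy stores.

```python
"""Added example (not Microsoft code): a toy model of XP Software Restriction
Policy matching, to show why a hash rule survives a rename but not a byte
change, and why the answer differs under "allow all but" versus "deny all but".
Paths, images and rule precedence are constructed for illustration."""
import hashlib

# Constructed stand-ins for executable images (real rules hash the .exe bytes).
TOMBRAIDER = b"MZ\x90\x00 TOMBRAIDER image bytes ... padding"
WINWORD = b"MZ\x90\x00 WINWORD image bytes ... padding"


def file_hash(image: bytes) -> str:
    """Digest of the file contents. SHA-256 here; the property that matters is
    the same for any digest: the path does not enter it, every byte does."""
    return hashlib.sha256(image).hexdigest()


class Policy:
    """default_allow=True models "run everything except the listed programs";
    default_allow=False models "run nothing except the listed programs"."""

    def __init__(self, default_allow: bool):
        self.default_allow = default_allow
        self.hash_rules = {}   # digest -> "allow" | "deny"
        self.path_rules = []   # (lower-cased path prefix, action)

    def add_hash_rule(self, image: bytes, action: str) -> None:
        self.hash_rules[file_hash(image)] = action

    def add_path_rule(self, prefix: str, action: str) -> None:
        self.path_rules.append((prefix.lower(), action))

    def decide(self, path: str, image: bytes) -> str:
        # Precedence as in SRP: a hash rule beats a path rule, and the most
        # specific (longest) path rule beats a shorter one; otherwise default.
        digest = file_hash(image)
        if digest in self.hash_rules:
            return self.hash_rules[digest]
        hits = [(len(p), a) for p, a in self.path_rules if path.lower().startswith(p)]
        if hits:
            return max(hits)[1]
        return "allow" if self.default_allow else "deny"


def flip_one_bit(image: bytes) -> bytes:
    """The binary-editor trick: change one bit in the trailing padding."""
    tweaked = bytearray(image)
    tweaked[-1] ^= 0x01
    return bytes(tweaked)


def rename_under_allow_all() -> str:
    """Renaming tombraider.exe to word.exe leaves the bytes, so the hash, intact."""
    pol = Policy(default_allow=True)
    pol.add_hash_rule(TOMBRAIDER, "deny")
    return pol.decide(r"C:\Games\word.exe", TOMBRAIDER)                     # "deny"


def bit_flip_under_allow_all() -> str:
    """One changed bit gives a digest that matches no rule: the block fails."""
    pol = Policy(default_allow=True)
    pol.add_hash_rule(TOMBRAIDER, "deny")
    return pol.decide(r"C:\Games\tombraider.exe", flip_one_bit(TOMBRAIDER))  # "allow"


def bit_flip_under_deny_all() -> tuple:
    """With a default of deny the same trick backfires: the tweaked copy no
    longer matches the allow rule, so it is blocked while Word still runs."""
    pol = Policy(default_allow=False)
    pol.add_hash_rule(WINWORD, "allow")
    ok = pol.decide("C:\\Program Files\\Office\\winword.exe", WINWORD)
    blocked = pol.decide(r"C:\Games\tombraider.exe", flip_one_bit(TOMBRAIDER))
    return ok, blocked                                                       # ("allow", "deny")


def path_rule_is_weaker() -> str:
    """A path rule trusts a directory, so anything copied there runs."""
    pol = Policy(default_allow=False)
    pol.add_path_rule("C:\\Program Files\\", "allow")
    return pol.decide("C:\\Program Files\\tombraider.exe", TOMBRAIDER)       # "allow"
```

The lesson a practitioner takes from the last two functions is that the block-all mode with hash or certificate rules is the only one of the four combinations that the binary-editor trick does not defeat, and that a path rule is only as good as the ACL on the directory it names.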

Authentication

Windows XP, in a standalone install, permits the user to choose a blank password, but then imposes certain default limitations. You cannot log in remotely to an account with no password, only at the console, which is sensible. A new feature, Fast User Switching (FUS), permits you to log in as a completely different user, and then switch between multiple user contexts without closing any of the applications that are running. FUS will not work when a user has chosen no password.

While examining the Local Security Settings, I uncovered the defaults for passwords. In NT, you would find these in User Manager; in the standalone version of XP, settings like minimum password length and number of failed login attempts live here. And, except for the number of failed logins before lockout being set to 10 and passwords expiring after 42 days, all the other password settings are set to zero or disabled. Thus, someone can enter a blank password, or recycle an old password when the current one expires. Password complexity checks are also disabled, which I checked by creating an Administrator account with the password set to the username.

While blank passwords sound okay for home users, it turns out that there is a bit more to XP and passwords than logging in or switching between user contexts. But, I need to discuss some other security features before it becomes apparent that having a blank password is a really, really, bad idea in XP.

Encryption

Like Windows 2000, XP includes the Encrypting File System (EFS), and it is available on NTFS volumes out of the box. Nothing is encrypted until you ask for it, though: you mark a file or folder as encrypted in Explorer (Properties, Advanced) or with the cipher.exe command, after which that file, and every file created in that folder, is encrypted and decrypted transparently as you use it. You don't need to generate or enter an encryption key; XP creates a certificate and key pair for you the first time you encrypt something, and protects the private key with material derived from your logon password, a point I will return to.

XP can also encrypt Offline Files, a feature that lets you use up to 10% (by default) of your hard disk to cache copies of files that normally live on a remote file share. You can then disconnect from the network, go home (or travel), and still work on these files; the Synchronization Manager reconciles the changes you have made with the Windows 2000 or XP file share when you reconnect. Encrypting the cache is a great idea, as your notebook might be stolen, or the evil genius who happens to be your son or daughter might stumble upon the files while using your XP system at home.

XP also supports file sharing over WebDAV (Web Distributed Authoring and Versioning, RFC 2518), which uses HTTP to reach remote files through firewalls. EFS can keep your remotely stored files encrypted, and has an added benefit: with regular file sharing, the server decrypts the data before sending it across the network, whereas with WebDAV the encryption and decryption happen on your XP system, so the server stores and the wire carries only ciphertext. While WebDAV with EFS is a powerful feature, it also sends chills up the spine of any corporate security person even remotely aware of the use of Web tunneling to move internal files offsite--and encrypted to boot!

Credential Management stores various credentials for you, including any public key certificates you might have. It also manages Kerberos tickets; Kerberos is the default authentication mechanism for Windows 2000 and XP within a domain. You can store other usernames and passwords here as well, by asking (when prompted) that the Credential Manager "remember the password". In this way, the Credential Manager becomes a single-sign-on agent, and a single point of compromise if the store is not well protected.

The keys that protect your stored private keys, other passwords, and EFS are all based on two things--secrets that remain fixed for an XP installation, and your logon password (this is the Data Protection API, DPAPI, underneath). If you have chosen a blank password, you have chosen a null seed for the key that encrypts many things that should be important to you, and anyone who can read the disk can derive the same key. Even a weak password is a very bad idea if you plan on relying on any of these features, since the protection is only as strong as the password is hard to guess. Note also that the key is derived from the password itself, not from your account: if an administrator resets your password rather than you changing it, XP cannot re-wrap the old key and your EFS files and stored credentials become unreadable, which is why XP offers to make a Password Reset Disk. XP supports passwords longer than 14 characters (the old limit imposed by the user interface in Windows 95/98/NT), so you could use a passphrase instead; a password of 15 characters or more has the side benefit that no weak LAN Manager hash of it is stored.
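The password-derived protection described above, as an added example that is not Microsoft's DPAPI: a key is derived from the logon password plus a fixed per-installation secret and used to wrap a stored secret, so the effect of a blank password, a guessable one, and an administrative reset can be seen directly. The fixed secret, the toy HMAC-based cipher, the candidate list and the sample secret are all constructed for illustration.

```python
"""Added example (not Microsoft's DPAPI): a model of protecting a stored secret
with a key derived from the user's logon password plus a fixed per-install
secret, to show what a blank or guessable password does to that protection
and what an administrative password reset does to it. FIXED_INSTALL_SECRET,
the toy cipher and the sample secret are all constructed."""
import hashlib
import hmac
import os

FIXED_INSTALL_SECRET = b"constructed stand-in for the per-installation secret"
ITERATIONS = 20_000


def derive_key(password: str, salt: bytes) -> bytes:
    """64 bytes: 32 for encryption, 32 for the integrity tag. An empty
    password leaves only the fixed secret and salt, both of which are on disk."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"),
                               FIXED_INSTALL_SECRET + salt, ITERATIONS, dklen=64)


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from HMAC; stands in for a real block cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def protect(password: str, data: bytes, salt=None) -> bytes:
    """salt || ciphertext || tag, encrypt-then-MAC under the derived key."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(password, salt)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key[:32], len(data))))
    tag = hmac.new(key[32:], salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unprotect(password: str, blob: bytes):
    """Returns the data, or None if this password does not unlock the blob."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = derive_key(password, salt)
    expected = hmac.new(key[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], len(ct))))


def guess_password(blob: bytes, candidates):
    """What an attacker with the disk does: derive and try, cheapest first."""
    for cand in candidates:
        if unprotect(cand, blob) is not None:
            return cand
    return None


SECRET = b"constructed EFS file-encryption key"
COMMON = ["", "password", "rik", "administrator", "letmein"]   # constructed list


def blank_password_is_no_protection():
    blob = protect("", SECRET)
    return guess_password(blob, COMMON)            # "" on the first try


def username_as_password_is_no_better():
    blob = protect("rik", SECRET)
    return guess_password(blob, COMMON)            # "rik"


def passphrase_survives_the_list():
    blob = protect("correct horse battery staple", SECRET)
    return guess_password(blob, COMMON)            # None


def admin_reset_loses_the_data():
    """A user changing the password supplies the old one, so the key can be
    re-wrapped; an administrator's reset never derives the old key, so the
    blob stays sealed under a password nobody types any more."""
    blob = protect("correct horse battery staple", SECRET)
    return unprotect("NewPassw0rd!", blob), unprotect("correct horse battery staple", blob)
```

The fixed per-installation secret adds nothing against an attacker who has the disk, since it is on the disk too; all of the real strength comes from the password, which is the point of the paragraph above.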

XP includes a policy option, "Store password using reversible encryption", for keeping passwords in a form from which the plaintext can be recovered. This sounds like a very bad idea, and it is, as passwords are normally stored as hashes, a value derived from the password that cannot be reversed. The option exists for authentication protocols that need the plaintext on the server (Digest and CHAP authentication, for example); it is off by default and should stay off unless one of those protocols is actually in use.
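The password defaults discussed two sections above and the reversible-encryption option here both live in the [System Access] section of a secedit security template, so one check covers both. The following is an added example, not a Microsoft tool: it parses a template and flags the weak settings. The two templates are constructed here to reflect the defaults described in the text and a hardened alternative; the key names are the ones secedit itself uses, and the secedit command lines in the docstring are the standard ones for analysing and applying a template.

```python
"""Added example (not a Microsoft tool): reads the [System Access] section of a
secedit security template (.inf) and flags the weak settings described in the
text. Both templates are constructed. To audit or apply a real template:
    secedit /analyze   /db audit.sdb /cfg hardened.inf
    secedit /configure /db apply.sdb /cfg hardened.inf
"""
import configparser

# Constructed template reflecting the standalone defaults described in the text.
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 10
ClearTextPassword = 0
"""

# Constructed hardened template for a machine whose EFS keys and stored credentials matter.
HARDENED_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 15
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 10
ClearTextPassword = 0
"""

# key -> (predicate on the integer value that means "weak", explanation)
CHECKS = {
    "MinimumPasswordLength": (lambda v: v < 15,
        "under 15 characters; 0 permits blank passwords, and anything up to 14 also gets an LM hash"),
    "PasswordComplexity": (lambda v: v == 0,
        "complexity check off; the username is accepted as the password"),
    "PasswordHistorySize": (lambda v: v == 0,
        "no history; an expired password can be reused at once"),
    "MinimumPasswordAge": (lambda v: v == 0,
        "no minimum age; any history could be cycled through in one sitting"),
    "LockoutBadCount": (lambda v: v == 0,
        "no lockout; online guessing is unlimited"),
    "ClearTextPassword": (lambda v: v == 1,
        "reversible encryption; anyone who can read the store recovers plaintext"),
}


def check_template(text: str) -> list:
    """Returns one finding string per weak setting, in CHECKS order."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str                     # keep the CamelCase key names
    cfg.read_string(text)
    section = cfg["System Access"]
    findings = []
    for key, (is_weak, why) in CHECKS.items():
        value = int(section.get(key, "0"))    # an absent key is treated as 0, the usual default
        if is_weak(value):
            findings.append(f"{key}={value}: {why}")
    return findings


def weak_keys(text: str) -> list:
    """Just the offending key names, convenient for a quick scan."""
    return [f.split("=", 1)[0] for f in check_template(text)]
```

On the defaults the text reports, the checker flags length, complexity, history and minimum age and passes the 10-attempt lockout; flipping ClearTextPassword to 1 adds a fifth finding. Running it against the output of `secedit /export /cfg current.inf` shows what a given machine actually has rather than what the documentation says it should.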

Domain users have the option of using SmartCards for authentication. Using SmartCards is a big improvement over passwords. By adding a SmartCard reader to your desktop or notebook (they do come in PCMCIA packages), you have added something you have (the SmartCard) to something you know (the PIN that unlocks it). SmartCards can also store your private key and certificates, keeping them more secure than online storage as well. SmartCards do have their weaknesses--a keystroke monitor can collect your PIN, but even then the attacker still needs the card, and for as long as the card sits in the reader, any software running as you can use it.

Even if you do use a SmartCard, XP appears to provide a way around that. XP can hibernate instead of shutting down. Hibernation means that when you restart your computer, you are right where you left off. It also means that if you hibernate and the janitor powers on your system, he or she is also right where you left off. I tried this in the standalone version, and am assuming it works the same way in domain installations. Power Options does have a "Prompt for password when computer resumes from standby" setting; check it, and check that a locked workstation is what actually comes back after a resume, before relying on hibernation on a notebook that holds anything sensitive.

Network Security

Windows XP (and Windows 2000) include support for IPSec, the Internet standard for encrypting and authenticating network traffic. The IPSec support appears to be very complete: IKE can authenticate peers with preshared keys (the most common method in many VPN products), with certificates, or with Microsoft Kerberos. I call it Microsoft Kerberos because Microsoft's implementation carries Windows authorization data (group membership) in a ticket extension that only a Windows 2000 domain controller issues, so in practice the Key Distribution Center (KDC) must be a Windows 2000 domain controller.

For home users, you get two useful features designed to compete with the small office/home office firewall vendors. The Internet Connection Sharing (ICS) feature means that your XP system can act as a Network Address Translator (NAT) for other systems in your local network. ICS includes a DHCP server for assigning addresses to members of your local network, and transparently routes packets through your XP system to your ISP. ICS can bring up dial-up connections on demand, as well as hang up the modem temporarily so that you can use the phone, yet still maintain the state of your Internet connection when it resumes.

The Internet Connection Firewall (ICF) uses the same kind of information ICS collects to provide limited firewall capabilities. ICS must keep track of the connections leaving your network so it can perform NAT; ICF keeps a similar table of outbound connections and uses it to control which IP packets can enter. If an inbound packet does not match a connection that something inside started, it is dropped (and, if logging is turned on, recorded in pfirewall.log). That makes ICF a stateful packet filter, the simplest useful form of firewall: it checks addresses and ports, not content; it can also be switched on for a single machine's connection without ICS; and by default it will not let unsolicited connections reach a server behind it, so a public server only works if you open that port explicitly.
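The filtering behaviour described above, as an added example that is not Microsoft's ICF code: a model of a stateful filter in which outbound packets create flow entries and an inbound packet passes only if it is the reverse of a tracked flow or is addressed to a port deliberately opened. The addresses, ports, the packet trace and the log format are constructed for illustration; the last function shows the limitation that a filter of this kind checks addresses and ports, not who really sent the packet.

```python
"""Added example (not Microsoft's ICF code): a model of the stateful filter
the text describes. Outbound packets create flow entries; an inbound packet
passes only if it is the reverse of a tracked flow, or if it is to a port
deliberately opened for a server. Addresses, ports and the trace are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str     # "out" (leaving the host or network) or "in"
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class ConnectionFirewall:
    def __init__(self, opened=()):
        self.flows = set()            # (proto, local, lport, remote, rport)
        self.opened = set(opened)     # (proto, port) pairs opened on purpose
        self.log = []                 # dropped packets, as a pfirewall.log would record

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        # Inbound: is this the reply direction of a flow we saw leave?
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "pass"
        if (pkt.proto, pkt.dport) in self.opened:
            return "pass"
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "drop"

    def run(self, trace) -> list:
        return [self.process(p) for p in trace]


HOME = "192.168.0.2"   # constructed: the XP box behind ICF
TRACE = [              # constructed packet trace
    Packet("out", "udp", HOME, 1025, "198.51.100.53", 53),   # DNS query
    Packet("in",  "udp", "198.51.100.53", 53, HOME, 1025),   # its reply: pass
    Packet("out", "tcp", HOME, 1026, "203.0.113.80", 80),    # web request
    Packet("in",  "tcp", "203.0.113.80", 80, HOME, 1026),    # its reply: pass
    Packet("in",  "tcp", "203.0.113.9", 4444, HOME, 139),    # NetBIOS probe: drop
    Packet("in",  "udp", "203.0.113.9", 53, HOME, 1027),     # "DNS reply" nobody asked for: drop
    Packet("in",  "tcp", "203.0.113.9", 3333, HOME, 3389),   # Remote Desktop: drop unless opened
]


def default_policy() -> list:
    return ConnectionFirewall().run(TRACE)


def with_remote_desktop_opened() -> list:
    """The hole you punch on purpose for a server behind the firewall."""
    return ConnectionFirewall(opened=[("tcp", 3389)]).run(TRACE)


def dropped_log() -> list:
    fw = ConnectionFirewall()
    fw.run(TRACE)
    return fw.log


def spoofed_reply_passes() -> str:
    """Limitation: anything matching a tracked flow's addresses and ports passes,
    whoever actually sent it, and the entry never expires in this toy."""
    fw = ConnectionFirewall()
    fw.run(TRACE)
    return fw.process(Packet("in", "udp", "198.51.100.53", 53, HOME, 1025))   # "pass"
```

A real implementation also ages flow entries out and tracks TCP state rather than bare addresses and ports; the model leaves both out so that the one rule ICF enforces, "inbound only in reply to outbound", stands alone.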

Remote Control

XP also sports a new feature called Remote Assistance. With Remote Assistance, you send an invitation to a 'friend' (using Windows Messenger or Outlook Express) asking them to take remote control of your XP system. With the complexity of XP, you might really need help in configuring it, but the notion of providing a remote control capability does sound like a dangerous thing. Underneath, Remote Assistance is Terminal Services, so the helper's system must be able to reach TCP port 3389 on yours, something a NAT device or firewall in between will normally prevent unless deliberately configured to allow it. In my own test, when someone consented to let me be their friend, XP failed to pass through the local, Linux-based firewall, complaining about a failure to resolve the hostname (which was resolvable using nslookup under XP).

With any luck, many of the things that at first glance appear dangerous in XP will turn out not to be--just as Remote Assistance needed a Help Desk call just to get going. Microsoft has taken strong steps to improve desktop security with XP, and we can only hope that they work.

Resources:

Microsoft's information white paper about security enhancements in Windows XP Home and Professional editions: http://www.microsoft.com/windowsxp/pro/techinfo/howitworks/security/01section01.asp

There are nine RFCs dealing with IPSec, ranging from 2401-2409: http://www.faqs.org/rfcs/rfc2401.html

Most recent problem found in WebDAV: http://www.microsoft.com/technet/security/bulletin/MS01-022.asp

Description of Code Red Worm v2: http://www.eeye.com/html/Research/Advisories/AL20010804.html