Much of the OS security vulnerability has been due to the lack of security built into the various Microsoft OS systems, i.e., Windows 95/98/ME and earlier OS.  These systems and attendant applications were designed for ease of use and not with much of any security in mind.  Unauthorized users have been able to take advantage of the openness of these systems to cause problems for us.  Granted, part of the problem is our lack of security action and/or understanding of the problems.  We users are by nature lazy or unmotivated in security matters anyway.  However, Microsoft has been on the backside of the power curve with it’s OS for most of its development cycles, mainly offering new versions for it’s own corporate profit reasons, without really designing for security.  As one writer stated,

This duty to the stockholder, has driven Microsoft to make continuous releases of products with new features to insure continued sales at the expense of making sure that existing products were secure.

Microsoft addressed the security issues late in its OS development.  Their security development started with NT3.5/ 4.0.  The NT 4.0 kernel offered the first real MS security capability.  Microsoft has been very good about issuing security patches as problems have been uncovered.  This procedure has left most of us on our own in making sure that our OS has the latest patches installed.  In the past, Microsoft would issue a patch and wait for the users to forget about it.  The September 11 terrorist attack changed the public awareness toward security in general and computer security in particular.  This awareness caused a backlash against Microsoft for being behind the security issues.  This backlash and the fact that Microsoft is experiencing security problems with it’s development of its next release, .NET, has caused Microsoft to rethink its development of security in its OS systems.  It is almost worth the aggravation of keeping the Microsoft XP Pro Automatic Updates turned on.  At least you receive the latest security patches on a timely basis with that feature.  Security patches for IE, MS Office, Windows Messenger, and the various XP OS versions are steadily released.

Security and usability are not really compatible.  There has to be a trade-off between them.  A secure computer would probably be unusable for most tasks.  Users must be able to complete their tasks.  The security trade-off is to have computers that are usable, high-performance, and secure.  In the near term, the next ten years or so, there will continue to be a great security need for anti-virus programs, firewalls, VPN, encryption, and content filtering.

Designing for future threats will include use of secure computers and OS systems to keep the unauthorized use out.  Attention to threats from the outside, e.g., denial of service attacks and system penetration, are on the rise.  Many security experts feel that the Microsoft tying of the browser to the OS is a great mistake and will have to be corrected in the long term.  The hackers are getting more sophisticated with blended virus threats as well as use of automated tools for the attack.  The new favorite attack point is becoming the wireless access via wireless devices including PDAs, tablets, integrated mobile phone handsets, because most are sold with the network access open as default.

MS W2K/XP has built-in capabilities that greatly increase our ability to keep our data relatively secure from unauthorized use.  As these OS versions are becoming the standards that we use, it is the intent to cover as much of the How-to as I know how to describe.

Computer OS Security
With the introduction of NT/W2K/XP, Microsoft has introduced security in its OS, the ability to control access to the local computer as well as to the network.  Both the user OS, NT 4.0 Pro/W2k Pro/ and XP/Home/Pro and the Server OS versions come with security settings built-in.  Even the disk format was changed to meet greater security. 

The basic security of the computer OS design started with its change in the disk format from FAT32 to NTFS in the NT4.0 OS kernel.  This shift from FAT to NTFS moved the security settings from the overall computer file system to the user/file level.  In addition to having the disk overall sharing changed, all of the sub-directories can be managed as to access as well as individual files.  Another change started with NT was the use of <Ctrl-Alt-Del> in the log-on procedure.  As we all know, <Ctrl-Alt-Del> restarts the computer, dumping all data in the RAM, giving the computer a fresh start with nothing in memory from previous use.  This clears any lurking unwanted or unauthorized code from the RAM.  These two changes, NTFS and <Ctrl-Alt-Del> have been carried on and refined in W2K/XP.

Another NT 4.0 security requirement that was introduced concerned user identification to have access of the computer.  A system of authority to grant and use the resources of the computer and the network was established within the setup of the OS.   Users were identified by name and password, a function in any security scheme.  User ID and password are basic to the use of the computer and/or network.  The OS has the ability to grant use of the computer and/or network by authenticating the user ID and associated password.  This has been extended and refined as well in W2K/XP.

The final over-all change made in NT 4.0 and refined in W2K/XP was the use of TCP/IP (Transmission Control Protocol/Internet Protocol) as the network protocol.  This is a mixed blessing. On the one hand, it made the Microsoft OS computer and network capability compatible with the rest of the world; on the other hand, it opened the OS to additional avenues of attack from unauthorized users.  TCP/IP protocols for network access are not in themselves secure.  They do offer protocol subsets that address certain security issues.  TCP/IP is the worldwide de facto standard for network connectivity.

NT/W2K/XP client and server versions are network ready out of the box.  All of them up to Windows 2003 Server have arrived with all the default security settings turned on for ease of use out of the box.  It was up to the user to go to each security setting and make choices within them.  As a result of well-directed criticism from the user community, starting with Windows Server 2003 versions, the default security settings are delivered turned off.  In order to get the use of these Win2003 Server settings, one has to go into the OS and turn them on.  The NT settings were a good start, but they left many security breaches that could be exploited.  W2K/XP client (Pro) OS version security settings are extensive and need to be exercised to assure good security form.  It is on these settings that this security column series will concentrate.  From this point on, the settings will concern the W2K/XP Pro settings.  The Server versions= settings will have to be another series of settings.  The remainder of this column will concentrate on the general location and what those settings do for the computer and network security. Subsequent column articles will cover the details of each of these settings.

Windows 2000/XP Pro Security Settings
Most of the security settings are found by opening <Start><Control Panel><Administrative Tools>.  One of the unfortunate issues at this point is that not all the security settings are in one location.  Most are found in the <Administrative Tools> icon.  In keeping with my plan to give the over-all settings background in this column, I will highlight the major settings locations and cover the detailed settings in later articles.

However, some of the Services security settings are found elsewhere. For example, by opening the <Network Connections> icon in XP, selecting the <LAN or Highspeed Internet setting> and right clicking the <Local Area Connection>, choosing <Properties> in the pull down menu to open the <Local Area Connection Properties> window, one can get to some of the network security settings that deal with network ports. (However, one has to dig deeper into the Properties windows to really get to the security settings.)  To continue, On this window, select the <Internet Protocol (TCP/IP) service>, then choose <Properties> button to open the settings window in the <General tab>.  Next, select the <Advanced> button to get to the <Advanced TCP/IP Settings> window.  Select the <Options tab> where the Optional Settings TCP/IP filtering is highlighted and select <Properties> button.  In the TCP/IP Filtering window, there is a <Check Box> Enable TCP/IP Filtering (All Adapters) that can be checked. (Default is unchecked).  There are also three columns headed by Radio Buttons for <Permit All> and <Permit Only> TCP Ports, UDP Ports, and IP Protocols with <Add> and <Remove> buttons in each column.  (Default is Permit All in each column.)   Now as a user, you are faced with a dilemma, there is no Microsoft Help in the port definitions and there are 60,000 plus ports to deal with.  So, unless you are really advanced, getting to the settings page will do you no good.  Understanding what protocol ports to open or close is basic to controlling this security setting.  This example, illustrates the complexity and problems associated with security setup by most of us.

Now, back to the <Administrative Tools> icon and the security settings locations.  The reminder of this column will cover the general locations with some explanation of what the settings do.  Later 2004 columns will expand on each of them.

Upon opening the <Administrative Tools> icon, there are ten plus Desktop.ini, new icons that each have something to do with computer management in XP.  These ten icons include <Component Services>; <Data Sources>; <Event Viewer>; <Microsoft .NET Framework Configuration>; <Performance>; <Services>; <Computer Management>; <Local Security Policy>; <Microsoft .NET Framework>; and <Server Extensions Administrator>.  There are security settings in nearly all of these OS control functions.  The majority of this series will focus on <Computer Management> for user and group settings; and <Local Security Policy> for security policy settings.

<Computer Management> contains three local management Extension Snap-in settings tools.  The first is for System Tools, which has the {Event Viewer}; {Shared Folders}; {Local Users and Groups}; {Performance Logs and Alerts}; and {Device Manager}.  The second snap-in group, Storage, contains controls for {Removable Storage}; Disk Defragmenter}; and {Disk Management}.  The third snap-in group, Services and Applications, controls those items.

Note: All of these functions are contained in Microsoft Management Console (MMC) administrative folders that are used to manage the local computer. <Computer Management> is one of these administrative folders.  There are built-in snap-in tools for the common controls.  Special snap-ins can be added.

System Tools {Local Users and Groups} contains the first security settings that need covering. {Local users and Groups} is a snap-in tool used to manage local users and groups in W2K/XP Pro and Windows Server versions.  Local user and group accounts can be added from the local computer.  Rights and permissions are added to the account from this snap-in control tool.  There are two types of users and groups, local, for the local computer, and Domain users and groups for the network overall.  Local and Domain bring complexity to the security equation. Local and Global (Domain) users and groups can be added to the local computer.  The local computer users and groups can not be added to the Domain network.

 <Local Security Policy> contains five Extension Snap-in tools.  All are security settings.  They are {Account Policies}; {Local Policies}; {Public Key Policies}; {Software Restriction Policies}; and {IP Security Policies on Local Computer}.  Each tool is further broken into other security settings to further lock out unauthorized users and control authorized users.  For example, {Account Policies} is broken into [Password Policy] and [Account Lockout Policy], which are each broken down further to lock down the security policy.  Each of these will be the subject of detailed explanation in follow-on columns.

Conclusion
Microsoft Windows W2K/XP Pro go far in providing local computer security.  It is up to the individual or Network Administrator to establish what that security is to the computer or network.  This new Computers and Security Windows 2K/XP; OS Settings column series addresses the AHow to@ aspects of that local computer security.