This is the third column in my series thread concerning basic computer security at the computer, using the settings in the advanced Windows OS (Operating Systems). The previous two columns covered computer OS management by looking at the built-in security settings and how to manipulate the Extension Snap-in Console tools therein. Remember that these Extension Snap-in Console Tools are the OS means of making adjustments and settings take effect in the OS. XP makes extensive use of these built-in tools in setting the OS local security. An overall Microsoft Management Console hosts the Extension Snap-in Tools that actually institute the OS settings desired. In this series, we have been working in the Administrative Tools Console found in the Control Panel, and we have been primarily involved in the Computer Management Console for user settings. We will also be looking in the Local Security Policy Console for some of the settings.
The reason for understanding and completing these exercises in security
for one’s local computer is to control the hacks, viruses, and all that
spam that bombards us today, in addition to protecting the data that resides
on one’s computer. Safety of the data and the hardware should be
priority one for each of us.
Hacks into one's computer can be very costly, for example. Hacks can be anything from a "true hacker", whose whole role is to prove that his theories are valid and who does little or no harm, to the "script kiddies", who attempt to deface Web sites or launch minor denial of service attacks, to the real destructive hackers, whose role is to destroy one's computer or components. Virus attacks are a real problem. As late as two years ago, one
had to actually run a program or utility infected with a virus to have
a problem. That is not the case today. New classes of viruses,
called "blended threats", can hit your computer without your doing anything
with the file that contains the virus. Viruses like Nimda, CodeRed, Klez,
SoBig, Lirva and Yaha all can do major damage simply by your being connected to the
Internet. Blended threats are sophisticated. They get into
e-mail, downloads, Web pages, and shared network folders and exploit multiple
vulnerabilities in each of these items, and they do this in much the same
way as a hacker would.
The Windows OS and major utilities such as Outlook or Outlook express
have the ability to control the spam that constantly hits us. Again,
nearly two years ago, spam was a minor nuisance. Today, nearly 40
percent of all Internet e-mail is unsolicited and unwanted. It has
been estimated that the average e-mail user receives 2,200 spam e-mails
per year. Spam is officially defined as "unsolicited commercial bulk
e-mail", unsolicited chain letters, urban legends, jokes, and frivolous
multimedia files that are not asked for.
What about the future? Well, there are other problems just over the horizon for most of us. Intrusion via DoS or other attacks is on the increase against individuals as well as commercial computers and networks. As I have noted before, open connections to the Internet via broadband and relatively powerful individual computers make all of us tempting targets for attacks. Firewalls and anti-virus protection can prevent many of the intrusion attacks, but we may also need IDS (Intrusion Detection Systems) to keep sophisticated attacks at bay. Firewalls, software and hardware, are very good against network attacks, but can do little in the face of worms and application attacks that exploit open ports such as 80 (http) and 443 (https). This is where IDS comes into play. An IDS sits passively on the computer or network, inspecting traffic for signs of malicious activity. Signature-based and anomaly-based technologies detect application level attacks. There have been problems with IDS in the past. Currently, too, there are problems, in that the intrusion may be detected accurately, but the IDS does not do anything about it. This is an evolving technology that will soon be available at the individual level.
Windows 2000/XP Pro Security Settings
This column will concentrate on the Local Security Policy Console found
in the <Administrative Tools> Console. Opening this Console provides
the subdirectories for five security consoles. They are {Account
Policies}, {Local Policies}, {Public Key Policies}, {Software Restriction
Policies}, and {IP Security Policies on Local Computer}. The Account
Policies Console has two subdirectories, {Password Policy} and {Account
Lockout Policy}. There are three subdirectories in the Local Policies
Console; {Audit Policy}, {User Rights Assignment}, and {Security Options}.
Public Key Policies has one subdirectory {Encryption File Settings}.
Software Restriction Policies is the next entry. This security setting
normally does not have any policies defined; by clicking on the <Action>
pull-down menu entry, new policy settings may be defined. Care should
be taken when defining policies for applications, as any entry may cause
problems with Microsoft or third party applications. IP Security
Policies on Local Computer contains three subheadings, {Client (Respond
Only)}, {Secure Server (Require Security)}, and {Server (Request Security)}.
It is when we drill down into each of these policy settings that the real details of the settings come out. Care should be taken when changing any of these settings. There is a possibility that you can lock everyone out of the computer. I know for a fact that the computer can be locked down so that no one can use it. One bit of insurance is to have an Administrator identification and password that is additional to any other entry to the computer. This is usually done at startup.
The Account Policies Console, for example, has two sub-headings, Password
Policy and Account Lockout Policy. Opening Password Policy by clicking
on it, provides six settings policies concerning passwords. These
are {Enforce password history}, {Maximum password age}, {Minimum password
age}, {Minimum password length}, {Password must meet complexity requirements},
and {Store password using reversible encryption}. Account Lockout
Policy contains three settings policies, {Account lockout duration}, {Account
lockout threshold}, and {Reset account lockout counter after}.
Each policy setting has two columns on the right side that come as a
Default setting. Each can be changed by Right Clicking to open a
pull-down menu for the <Properties> change settings. Take <Password
Policy>, left panel; <Enforce password history>, right panel, as an
example. Right clicking to get the pull-down menu <Properties>
opens a tab {Local Security Setting} that will enforce password history.
This means that, when set, the OS will remember the number of passwords
entered as set in the type-in window. This keeps users from using
the same password all the time. If five is the number of passwords
to be remembered, then the old password cannot be used until five new
ones have been used. The next right panel setting is <Maximum
password age> and again is set by right clicking the line item and choosing
<Properties>. The number entered therein is the age of the password,
and can be set to be changed any way one chooses, from 0 to any number
of days in the future one wants. The default is 100 days. The
third right panel setting is <Minimum password age> and is again set
by the right click to open <Properties> to set the minimum password
change time. 0 days means that the password can be changed immediately.
The fourth right panel setting is <Password must meet complexity requirements>
and is reached by right clicking <Properties>. Radio buttons <Enabled>
and <Disabled> are the choices. When this setting is enabled,
a complex password must be generated. The final right panel setting
for <Password Policy> is <Store password using reversible encryption>.
Again, Radio buttons for <Enable> and <Disable> are the choices.
The <Account Lockout Policy>, the second policy setting under the
Account Policies Console, has three settings policies in the right panel,
the first being <Account lockout duration>. Right clicking <Properties>
for this setting will provide the number of minutes that a user who has mis-typed a password
must wait before attempting to log on again. This setting can be
from 0 minutes to any number when the setting is Applicable. The
second right panel setting concerns <Account lockout threshold> which
is the number of mis-typed attempts that will be allowed before the system
is permanently shut down until the Administrator resets it. A number
of invalid logon attempts can be set from 0 to any number. The third
right panel setting is <Reset account lockout counter after> which automatically
resets the logon procedures after some period of time when the setting
is Applicable.
The <Local Security Settings><Local Policies> settings are management
tools for checking how the computer is being used. There are three
subdirectories, {Audit Policy}, {User Rights Assignment}, and {Security
Options}, at this level on the left side. Highlighting <Audit
Policy>, for example, opens nine right side policy settings. Each
of these settings turns on some level of OS audit capability. A right
click and select <Properties> of each one can select a radio button
<Success> or <Failure> to audit that setting. These nine audit
settings are {Audit account logon events}, {Audit account management}, {Audit
directory service access}, {Audit logon events}, {Audit object access},
{Audit policy change}, {Audit privilege use}, {Audit process tracking},
and {Audit system events}. Granted, most of these audit settings
are meant for network use to keep track of how a computer is being used.
They can be used to see if you are being hacked or if someone unauthorized
is using the computer. The {Audit logon events} and {Audit system
events} settings can be very useful at various times to see how things
are going in the computer.
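The Password Policy, Account Lockout Policy and Audit Policy values described above can be read in one pass instead of opening each <Properties> dialog, because Windows 2000/XP ship secedit.exe, which exports the Local Security Policy to an INI-style template. The PowerShell script below is an added example and is not part of the column; it parses such an export and reports the settings a home user would most want to look at. The key names (PasswordHistorySize, LockoutBadCount, AuditLogonEvents and so on) are the names secedit writes; the thresholds in Test-LocalSecurityPolicy and the sample template are this example's own assumptions.

```powershell
# Added example (not the column's own material): audit the local Password,
# Account Lockout and Audit policies from a "secedit /export" template.

function ConvertFrom-SecurityTemplate {
    # Parse secedit's INI-style export into a nested hashtable:
    # $result['System Access']['PasswordHistorySize'] -> '0'
    param([string[]]$Lines)
    $result  = @{}
    $section = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($section -and $t -match '^([^=]+?)\s*=\s*(.*)$') { $result[$section][$Matches[1]] = $Matches[2] }
    }
    return $result
}

function Export-LocalSecurityPolicy {
    # Export the live local policy (run from an administrative prompt) and parse it.
    $inf = Join-Path $env:TEMP 'localpolicy-export.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    return ConvertFrom-SecurityTemplate (Get-Content -Path $inf)
}

function Test-LocalSecurityPolicy {
    param([hashtable]$Policy)
    $sa = $Policy['System Access']; if (-not $sa) { $sa = @{} }
    $ea = $Policy['Event Audit'];   if (-not $ea) { $ea = @{} }
    $findings = @()
    # Password Policy: the numbers are the same ones typed into the Properties dialogs.
    # Thresholds of 5 remembered passwords and 8 characters are example assumptions.
    if ([int]$sa['PasswordHistorySize'] -lt 5)  { $findings += 'Enforce password history is below 5' }
    if ([int]$sa['MaximumPasswordAge'] -eq -1)  { $findings += 'Maximum password age is set to never expire' }
    if ([int]$sa['MinimumPasswordLength'] -lt 8) { $findings += 'Minimum password length is below 8' }
    if ($sa['PasswordComplexity'] -ne '1')      { $findings += 'Password must meet complexity requirements is disabled' }
    if ($sa['ClearTextPassword'] -eq '1')       { $findings += 'Store password using reversible encryption is enabled' }
    # Account Lockout Policy: a threshold of 0 means lockout is switched off entirely.
    if ([int]$sa['LockoutBadCount'] -eq 0)      { $findings += 'Account lockout threshold is 0 (no lockout)' }
    # Audit Policy values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
    foreach ($name in 'AuditLogonEvents', 'AuditAccountLogon', 'AuditSystemEvents', 'AuditPolicyChange') {
        if (-not $ea.ContainsKey($name) -or $ea[$name] -eq '0') { $findings += "$name is not audited" }
    }
    return $findings
}

# Constructed sample export (not taken from any real machine) so the script can be
# tried without administrative rights; the values mimic an untouched home install.
$sampleTemplate = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPolicyChange = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

Test-LocalSecurityPolicy (ConvertFrom-SecurityTemplate ($sampleTemplate -split "`r?`n"))
# On a real Windows 2000/XP machine, from an administrative prompt:
# Test-LocalSecurityPolicy (Export-LocalSecurityPolicy)
```

The export file secedit writes is Unicode (UTF-16 with a byte-order mark), which Get-Content detects on its own. Each finding maps back to one right-panel entry in the console, so the list doubles as a checklist of which <Properties> dialogs to open.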
The <Security Settings><Local Policies><User rights assignment>
settings are also computer management settings to be used to further control
how the OS and applications are to be handled. There are thirty-nine
settings that come with a default setting that most home users can live
with. A note of caution must be made at this point. This is
where you can lock yourself out of the computer with the wrong setting
addition. The settings include {Access this computer from the network},
{Act as part of the operating system}, {Add workstations to domain}, {Adjust
memory quotas for a process}, {Allow logon through Terminal Services},
{Back up files and directories}, {Bypass traverse checking}, {Change the
system time}, {Create a pagefile}, {Create a token object}, {Create permanent
shared objects}, {Debug programs}, {Deny Access to this computer from the
network}, {Deny logon as a batch job}, {Deny logon as a service}, {Deny
logon locally}, {Deny logon through Terminal Services}, {Enable computer
and user accounts to be trusted for delegation}, {Force shutdown from a
remote system}, {Generate security audits}, {Increase scheduling priority},
{Load and unload device drivers}, {Lock pages in memory}, {Log on as a
batch job}, {Log on as a service}, {Log on locally}, {Manage auditing and
security log}, {Modify firmware environment values}, {Perform volume maintenance
tasks}, {Profile single process}, {Profile system performance}, {Remove
computer from docking station}, {Replace a process level token}, {Restore
files and directories}, {Shut down the system}, {Synchronize directory
service data}, and {Take ownership of files and other objects}. As
can be seen, this is a long list.
There are several steps that must be taken to change each of these thirty-nine settings. A right click on any one of these settings will bring up <Properties> for the setting, which opens the setting window. Two entry buttons are available, <Add User or Group...> and <Remove>. A left click on the <Add User or Group...> button brings up a new window with another type-in window or an <Advanced> button for further selection choices. If the exact name or group is not known, choose <Advanced>, which brings up a new window. This window has a right side button called <Find Now>. Selecting this button fills out the bottom listing of all the choices available on this computer. Highlight your choice and click <OK> on this window to move the selection back to the setting window. <OK> must be clicked on the next window to get back to the settings as well, and then choose the <Apply> button to make the choice permanent. This three step procedure must be done for each setting parameter.
The <Security Settings> <Local Policies> <Security Options>
settings are even more extensive at sixty-one settings. There are
two types of entries for these settings, either a fill-in window for time
or <Enabled> or <Disabled> radio buttons. The default settings
are good enough for most home set-ups. I will not list all sixty-one
due to space considerations for this column.
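The three-step <Add User or Group...>, <OK>, <Apply> procedure for a User Rights Assignment entry can also be applied non-interactively with secedit.exe, which is handy when the same right has to be set on several computers. The PowerShell function below is an added example, not something from the column: it writes a minimal security template and hands it to secedit /configure. The privilege constant SeDenyNetworkLogonRight (the console's {Deny access to this computer from the network}) and the well-known Guests group SID S-1-5-32-546 used in the usage line are this example's assumptions. The function supports -WhatIf so the change can be previewed first, which matters because, as the column warns, a wrong entry here can lock you out.

```powershell
# Added example (not the column's own material): set one User Rights Assignment
# entry with secedit.exe instead of the Properties dialog.

function Set-LocalUserRight {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # secedit constant for the right, e.g. SeDenyNetworkLogonRight
        [Parameter(Mandatory = $true)][string]$Privilege,
        # SIDs (prefixed with *) or account names. NOTE: this list REPLACES the
        # current assignment for the right; it does not append to it.
        [Parameter(Mandatory = $true)][string[]]$Accounts
    )
    $inf = Join-Path $env:TEMP "userright-$Privilege.inf"
    $db  = Join-Path $env:TEMP "userright-$Privilege.sdb"
    # Minimal template in the same layout secedit itself exports.
    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Privilege = $($Accounts -join ',')
"@
    if ($PSCmdlet.ShouldProcess($Privilege, "Assign to $($Accounts -join ', ')")) {
        Set-Content -Path $inf -Value $template -Encoding Unicode
        & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        # A non-zero exit code means secedit rejected something; its log is
        # %windir%\security\logs\scesrv.log.
        return $LASTEXITCODE
    }
}

# Preview only: remove -WhatIf to apply. Because the list replaces the existing
# assignment, export the current value first (secedit /export /areas USER_RIGHTS)
# and include every account that should keep the right.
Set-LocalUserRight -Privilege SeDenyNetworkLogonRight -Accounts '*S-1-5-32-546' -WhatIf
```

Run it from an administrative prompt. Denying the built-in Guests group network logon is a conservative first use; rights such as {Log on locally} or {Deny logon locally} should be changed only after the exported current value has been checked, since an Administrator account must remain able to log on.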
The <Security Settings> <Public Key Policies> <Encrypting File
System> is the next setting that can be adjusted. This is by default
turned on in its property setting. There is a radio button to check
in the properties settings.
The <Security Settings> <Software Restriction Policies>
settings have two subdirectories, <Security Levels> and <Additional
Rules>. The properties settings for these are set by default and
should be left in that configuration. These right panel settings
are <Disallowed> and <Unrestricted>. In the <Security Levels>
properties, a change to the <Disallowed> setting will restrict users
from using any applications on the computer. <Unrestricted> properties
allow users to use the applications on the computer.
The <Additional Rules> subdirectory contains new Registry entries
that can be generated. This would take some Registry knowledge to set up.
The <Security Settings> <IP Security Policies on Local Computer> settings concern the {Client}, {Secure Server}, and {Server} settings. These settings get into the security of Virtual Private Networks and server send and receive protocols in a network. The defaults will work for these.
Conclusion
This third column on computer settings takes us through the Local Security
Settings Extension Snap-in Console Tools, which are extensive in their
settings. These are complex settings and should be considered seriously.
Ask someone if the settings are unclear. A wrong setting could lock
you out of the computer, as I know first hand. This brings us to
the end of this series thread. If things work out, I will add graphics
settings to the articles in the future.