The security section of the A+ exams tests your knowledge of the basic principles of implementing security on desktop computers. You must have a good understanding of security fundamentals and be able to troubleshoot general problems related to security settings on a personal computer.
This section covers the basic aspects of computer security, including access control methods, auditing, and logging. Besides this, I briefly explain the procedures for implementing basic security mechanisms on personal computers and methods to troubleshoot problems related to security settings.
The term access control refers to the method of granting or denying access to network resources by means of security policies, hardware devices, or software applications. In its simplest form, access control is applied on files and folders, or on other shared network resources by means of assigning permissions. Smart cards and biometric devices are examples of hardware devices used for access control. Access control can also be implemented by means of network devices such as routers and wireless access points (WAPs). Access control mainly falls into the following categories:
Mandatory access control (MAC) is a mechanism, usually hardcoded into an operating system, that protects computer processes, data, and system devices from unauthorized use. It may also be built into an application to grant or deny permissions, and it is applied uniformly to all objects. MAC is also known as label-based access control.
Discretionary access control (DAC) is usually implemented in the operating system in the form of user rights and permissions. NTFS permissions on Windows-based computers are a good example of DAC.
Role-based access control (RBAC) implements security on objects based on the roles (job functions) of individual users or user groups. RBAC is highly flexible and configurable and provides centralized administration.
A user account is the most basic form of security on a network. A user account allows a user to log on to the system and the network and access resources. While a local user account allows access only to the resources located on the local computer, a domain/network account allows access to all resources located across different parts of the network. Local user accounts are stored on the local computer only. Network accounts are stored in a centralized database on a network server.
A local user account allows users to log on locally to a computer and access resources located on the local computer only. These accounts are stored in the local security database, which authenticates users when they log on. Local user accounts cannot be used on any other computer on the network.
A domain user account allows users to log on to the network from any computer in the network domain. User accounts in Windows 2000 and Windows Server 2003 domains are stored in a centralized database known as the Active Directory database, which is located on the Domain Controller. If there are multiple domain controllers in the network, the user accounts are replicated to all domain controllers along with other Active Directory data.
On Windows XP and Windows 2000 Professional operating systems, the following types of local user accounts can be created:
The administrator account has full control over the operating system and resources located on it. This account is used for creating and maintaining user accounts, assigning permissions, managing shared resources, installing and configuring devices, and configuring local security policies.
The guest account allows occasional users to log on and access local resources. This account is usually disabled by default.
Normal users fall into this category. These accounts are created to allow users to log on to the system and access resources for which they have been assigned permissions.
All desktop and network operating systems provide methods to create and manage user accounts. For example, on a Windows XP computer, local user accounts can be created using the User Accounts utility in the Control Panel. Similarly, in Windows 2000 and Windows Server 2003 domains, user accounts are created using the Active Directory Users and Computers utility. Active Directory allows administrators to create, delete, and disable user accounts.
A group is a collection of user accounts. Groups simplify the administration of resources on a local computer or on a network server. They allow administrators to assign permissions to resources to multiple users simultaneously instead of assigning permissions to individual users. Administrators usually choose users based on their job roles and put them into groups. These groups are then assigned permissions on local or network resources. Windows XP and Windows 2000 Professional computers have the following common built-in groups:
Members of the Administrators group can perform all administrative tasks on the system. The Administrator account is a member of this group by default.
Members of the Power Users group can create and manage user accounts and shared resources on the computer.
Members of the Guests group can occasionally log on to the system and perform only those tasks for which they have been assigned permissions. The Guest user account is a member of this group by default.
Members of the Backup Operators group can back up and restore files and folders on the local computer.
The Users group contains all user accounts created on the system. Its members can perform only those tasks and access only those resources for which they have permissions.
Permissions allow users to access resources and perform specific tasks based on the type and level of access granted. Administrators use groups to assign permissions on shared resources. Shared resources on a computer usually include files, folders, and printers. Resource permissions mainly fall into the following categories:
File permissions or NTFS permissions can be configured on individual files on computers using NTFS. NTFS permissions are applied to local users as well as to network users. The FAT filesystem does not support file-level permissions.
Folder permissions can be configured to the entire folder, subfolders, and files within the folder. These permissions are also applied to local and network users.
Share permissions can be configured on both NTFS and FAT filesystems. These permissions do not affect the user who logs on locally to the system, and are applicable only to the users who connect from the network.
Printer permissions allow users to connect to a shared printer and send documents to it. In Windows XP and Windows 2000 Professional, users must have at least the Print permission to send print jobs to a shared printer.
The level of access granted to a user or group on a shared resource is controlled by permissions. Each file, folder, and printer on a Windows computer has an associated ACL that defines the level of access granted to users or groups. The levels of access on files and folders fall into the following categories:
Read allows users to read the contents of a file or folder.
Write allows users to create new files and subfolders in folders and write data to files.
Read & Execute allows users to read the contents of a file and execute it.
Modify allows users to modify the contents of a file or a folder.
Full Control allows users to change permissions on a file or folder and perform all actions permitted by the other permissions.
List Folder Contents allows users to navigate through the folder and its subfolders.
The level of access on printers can be configured as follows:
Print allows users to print to the printer and manage (pause, resume, restart, and cancel) their own documents.
Manage Documents allows users to print to the printer and manage (pause, resume, restart, and cancel) all documents sent to the printer.
Manage Printers allows users to print and manage documents (pause, resume, restart, and cancel), share the printer, create and delete a printer, and change print permissions.
Restricted spaces in computer networks refer to those areas where physical access is restricted to authorized personnel only. These areas usually include network operating centers (NOCs), telecommunication rooms, and other computer rooms. Restricted physical access ensures the safety and security of expensive and critical network equipment, servers, and cabling systems. Critical servers and network equipment such as switches, routers, and firewalls are located inside network operating centers. Strict security policies are enforced to restrict access. Organizations usually employ one or more of the following methods to restrict access to these areas:
Entry is permitted only to authorized administrators and technical support personnel.
Doors are equipped with authentication methods such as biometric devices or keypad locks.
Log books are maintained to keep record of persons entering the restricted rooms.
Restricted rooms are equipped with alarm systems to prevent theft.
Unused and faulty equipment is not allowed to be stored inside restricted areas.
No trash or garbage is placed inside these areas.
The term auditing refers to the process of tracking and logging activities of users and processes on computer systems and networks. Auditing can be useful in multiple scenarios, such as troubleshooting a failed process, finding a security breach on the part of an internal or external user, and tracking unauthorized access to secure data. Auditing enables administrators to track security breaches such as unauthorized access to confidential data by identifying the user who made the attempt. It also helps diagnose problems related to process failures.
Auditing is essentially a two-step process. The first part deals with enabling auditing on system and network resources. The second part is to view and analyze the data collected by audits. Collecting audit information in logs is known as event logging. The following sections explain the purpose and characteristics of the auditing and logging process.
Auditing is the process of tracking system usage and authorized or unauthorized access to system services and data. It may also be helpful in diagnosing problems related to application failures during the development or implementation phase. Since auditing puts a significant processing load on servers, you must first make sure that the benefits of auditing are clearly understood and visible. While administrators should implement certain audits manually, network operating systems include processes that automatically audit system processes and log audit data that can be analyzed later in order to troubleshoot system failures. In its basic form, a secure computing environment can be established by splitting the duties of employees within an organization. This ensures that whatever actions are taken by an employee are consistently supervised or controlled by someone superior in the organizational hierarchy.
On Windows desktops, the following types of events can be audited for success or failure:
Account management includes events related to the creation, modification, and deletion of user accounts by administrators.
Logon events include events related to users logging on or logging off the local computer.
Process tracking includes events related to actions performed by software applications.
Object access includes events related to access of files and folders by users.
Privilege use includes events related to users exercising their rights, such as changing the system time.
System events include events related to system processes such as shutting down or restarting the computer. These events also relate to system security.
Almost all network operating systems include methods to audit system processes and user activities. These audits can be logged in special log files. The log files can be viewed and analyzed to track problems related to security breaches and to troubleshoot process problems. Operating systems such as Microsoft Windows XP, Windows 2000, and Windows Server 2003 include a management console snap-in named Event Viewer where you can view the logs related to system processes, security, and applications.
The task of installing, configuring, and maintaining security involves knowledge of authentication technologies for both wired and wireless networks. This section provides a brief description of authentication methods, configuring auditing, and configuring permissions to ensure data access security.
Authentication technologies ensure secure access to system and network resources. The most commonly used and basic form of authentication is the username and password combination, which allows users to log on to a system or a network. Other forms of secure authentication include tokens, biometrics, and multifactor, as discussed in the following sections.
Almost all network operating systems implement some kind of authentication mechanism wherein users can simply use a locally created username and password to get access to the network and shared resources within the network. This is the simplest form of authentication and can be implemented easily, but it also comes with its own limitations. Many organizations document and implement password policies that control how users can create and manage their passwords in order to secure network resources. The following are common elements of a password policy:
Passwords must be at least seven characters long.
Passwords must contain a combination of upper- and lowercase characters, numbers, and special characters.
Passwords must not contain all or part of the user's first or last name.
Users must change their passwords periodically.
Users must not reuse old passwords.
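The policy elements above, expressed as a checker a help desk or provisioning script could call. This is an added example and not code from the text; it assumes that "part of a name" means any run of three or more characters from the first or last name, that "periodically" means a 90-day maximum age (the page gives no number), and that old passwords are kept only as salted PBKDF2 hashes so the reuse check never needs their plaintext.

```python
"""Password-policy checker for the five policy elements listed above (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 7             # from the page: at least seven characters
MAX_AGE_DAYS = 90          # assumption; the page says only "periodically"
HISTORY_DEPTH = 5          # assumption: how many old passwords are remembered
NAME_FRAGMENT_LEN = 3      # assumption: shortest name fragment that counts as "part of"

TOO_SHORT = "shorter than 7 characters"
NOT_COMPLEX = "needs upper, lower, digit and special characters"
CONTAINS_NAME = "contains part of the user's name"
REUSED = "matches a previously used password"


def hash_password(password: str, salt: bytes | None = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches_hash(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def name_fragments(name: str) -> set[str]:
    """Every substring of the name that is at least NAME_FRAGMENT_LEN characters long."""
    name = name.lower()
    return {name[i:i + n]
            for n in range(NAME_FRAGMENT_LEN, len(name) + 1)
            for i in range(len(name) - n + 1)}


def check_new_password(password: str, first_name: str, last_name: str,
                       previous_hashes: list[bytes]) -> list[str]:
    """Return the policy elements the proposed password violates (empty list = accepted)."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if not all(classes):
        problems.append(NOT_COMPLEX)
    lowered = password.lower()
    if any(frag in lowered for name in (first_name, last_name) for frag in name_fragments(name)):
        problems.append(CONTAINS_NAME)
    # Only the most recent HISTORY_DEPTH hashes are consulted for the reuse rule.
    if any(matches_hash(password, h) for h in previous_hashes[-HISTORY_DEPTH:]):
        problems.append(REUSED)
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """Periodic-change rule: the password must be replaced after MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```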
An authentication token (also known as a security token or hardware token) is considered the most trusted method for verifying the identity of a user or a system. Tokens provide a very high level of security for authenticating users because multiple factors are employed to verify the identity. In its simplest form, an authentication token consists of the following two parts:
This is a small device that can be carried on a key chain or in a wallet. Some tokens are coded to generate token values at predetermined intervals. Some security tokens may contain cryptographic keys while others may contain biometrics data such as the fingerprints of the user.
The second part tracks and verifies that the codes or keys produced by the hardware device are valid.
Biometrics refers to authentication technology that verifies the identity of a user by measuring and analyzing human physical and behavioral characteristics. This is done with the help of biometric authentication devices, which can read and analyze fingerprints, scan the retina of the eye and facial patterns, and measure body temperature. Handwriting and voice patterns are also commonly used as biometrics.
In computer authentication, a factor is a piece of information that is present to prove the identity of a user. In a multifactor authentication mechanism, any of the following factors may be utilized:
A something you know factor, such as your password or PIN.
A something you have factor, such as your hardware token or a smart card.
A something you are factor, such as your fingerprints or eye retina, or other biometrics that can be used for identity.
A something you do factor, such as your handwriting or your voice patterns.
Wireless authentication is implemented in one of the following methods:
Open system authentication is actually no authentication: every computer trying to connect to the wireless network is granted a connection.
Shared key authentication requires that every wireless client know the shared secret key. The access point and all wireless clients must use the same shared secret key.
This authentication requires use of advanced encryption and authentication techniques to provide strong authentication.
Preshared key authentication can be used for smaller home or office networks that cannot implement the IEEE 802.1x authentication mechanisms. The preshared key is a 20-character passphrase containing upper- and lowercase letters and numbers.
A firewall is a dedicated hardware device or a software application that prevents a system or a network from unauthorized access. A software firewall is usually a software application or is installed as one of the operating system features. For example, Windows XP SP2 includes a firewall that can be configured to permit or deny certain network traffic.
Software firewalls installed on individual PCs are also known as personal firewalls. They do nothing more than protect the individual computer on which they are installed. The firewall functionality is often provided by the operating system or a software application. They differ from conventional network firewalls in that network firewalls are often dedicated hardware devices or the firewall functionality is built into routers.
In a workgroup environment, each user can turn on the firewall and configure its settings on her desktop on Windows XP computers. The following steps explain how firewall settings can be configured on a Windows XP SP2 computer:
Click Start → Control Panel → Windows Firewall.
Click the ON radio button to turn on the firewall.
Click the Advanced tab to open the advanced firewall settings for the network adapter.
Select the checkbox for the shown network adapter and click Settings. Note that all services are disabled by default.
Select the services that you want to allow, as shown in Figure 5-22.
Click OK.
Click the Settings button for ICMP. Note that all options are disabled by default.
Click the checkboxes for ICMP messages that you want to allow.
Click OK.
Enabling auditing on Windows desktops is a two-step process. First, you will need to enable auditing in the Local Security Policy, and second, you will need to enable auditing on files or folders. Remember that file and folder auditing can only be enabled on NTFS partitions. FAT and FAT32 do not support auditing. The following two exercises explain the steps involved in configuring auditing.
Click Start → Control Panel.
Double-click Administrative Tools.
Double-click Local Security Policy.
Expand the Local Policies folder in the Local Security Policy window.
Click Audit Policy to display available policies in the Details pane.
Double-click the event that you need to audit. For this exercise, double-click Object Access.
The Audit Object Access Properties dialog box opens. Click the Success and Failure checkboxes.
Click OK. Close the Local Security Policy window and restart the computer.
Open Windows Explorer.
Navigate to the folder on which you want to configure auditing.
Right-click the folder and click Properties.
Click the Security tab and click Advanced to open the Advanced Security Settings window.
Click the Auditing tab and click Add to add audit entries for users.
Click the list of events that you wish to audit.
Click OK to return to Advanced Security Settings window.
Click OK twice to close all windows.
For most home networks, wireless routers come with Zero Configuration features to automatically configure Windows XP computers to use the wireless network as well as share the Internet connection. This configuration dynamically assigns IP addresses to computers. For infrastructure networks in medium- to large-scale environments, the wireless clients need to be configured to connect to an appropriate wireless Access Point (WAP). Security in wireless networks is configured using Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), or WPA2. In infrastructure networks, both the access point and the Windows XP computers need to be configured.
The wireless access point must be configured as follows:
Configure the name of the wireless network, which is known as the Service Set Identifier (SSID).
Enable WPA with Temporal Key Integrity Protocol (TKIP) or WEP, as required.
Enable WPA preshared key authentication or WEP authentication.
Enter the WPA preshared key or select the WEP key format.
The wireless client on a Windows XP SP2 computer can be configured to use WEP authentication using the following steps:
Click Start → Control Panel → Network Connections.
Double-click the Wireless Connections applet.
Click View Available Wireless Networks to open the wireless connections dialog box.
Double-click the name of the wireless network.
Type the WEP key and re-enter it in the confirmation box.
Click Connect.
In the Network Authentication box, click Open.
In the Data Encryption box, click WEP.
Type the WEP encryption key in the Network Key and the Confirm Network Key boxes.
Click OK to save the settings to the wireless connection.
The most basic form of implementing data security is through assigning permissions to users and groups. Access permissions are granted to users or groups based on their job functions. On Windows 2000 Professional and Windows XP Professional desktops, file and folder access is configured using filesystem permissions and share permissions. While file-level security is available only on disk partitions formatted with NTFS, share-level security can be configured on FAT, FAT32, and NTFS filesystem partitions.
To configure NTFS permissions on a file or folder located on a Windows desktop, the following steps need to be completed:
Open Windows Explorer and navigate to the file or folder.
Double-click the file or folder to open its Properties window.
Click the Security tab to view currently configured permissions.
Click the Add button to add users or groups that you need to allow access to.
Select the user or group from the list of users.
Click the checkboxes for appropriate permissions.
Click OK to close the Properties window of the file or folder.
Share permissions can be assigned to shared folders as described in the following steps:
Open Windows Explorer and navigate to the file or folder.
Double-click the file or folder to open its Properties window.
Click the Sharing tab.
Click the Permissions button to add users or groups and configure their permissions.
Click OK to close the Properties window of the folder.
Note that the Security tab in the Properties window of a file or folder is available only when the disk partition where the file or folder is located is formatted with NTFS. This is because the FAT and FAT32 filesystems do not support NTFS permissions.
Windows XP Professional and Windows 2000 Professional operating systems include a command-line utility called convert.exe to convert FAT or FAT32 partitions to NTFS. This process does not cause any loss of existing data on the partition. The following steps explain the usage of this command to convert a partition D from FAT16 or FAT32 to NTFS:
If the partition you are converting is a system volume, the conversion is done after the system restarts.
Troubleshooting security-related problems is a daunting task if network devices and individual systems are not configured properly. This section covers some of the sources of security-related problems and explains how these problems can be prevented.
Software firewalls can pose problems if not configured properly. Incorrectly configured firewalls can deny access to legitimate users and can also allow access to hackers. Software firewalls work according to firewall rules that are usually configured to allow or deny access to a network based on the following parameters:
Source and destination IP address
Source and destination port numbers
The protocol used to gain access
The application that attempts to gain access
It is recommended that software firewall configuration be tested thoroughly to ensure that it works as expected. A firewall should not allow any undesired network traffic, but legitimate users should not suffer due to incorrectly configured firewall rules.
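The four rule parameters listed above, with the "test the configuration thoroughly" advice turned into a table of expected outcomes that a rule set must pass. This is an added example, not code from the text or from any real firewall product; the addresses, hosts and program names are constructed, and first-match-wins with a default of deny is an assumption about how the rule set is evaluated.

```python
"""Evaluate personal-firewall rules by source/destination address, ports, protocol and application."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    app: str       # local program that sends or receives the traffic


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: str = "0.0.0.0/0"             # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: tuple[int, int] = (0, 65535)
    dport: tuple[int, int] = (0, 65535)
    app: str = "any"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1]
                and self.app in ("any", p.app))


def evaluate(rules: list[Rule], packet: Packet, default: str = "deny") -> str:
    """First matching rule wins; traffic that matches no rule gets the default action."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


def check_ruleset(rules: list[Rule], cases: list[tuple[Packet, str]]) -> list[tuple[Packet, str, str]]:
    """Run a table of (packet, expected action) through the rules; return (packet, expected, got) for each miss."""
    failures = []
    for packet, expected in cases:
        got = evaluate(rules, packet)
        if got != expected:
            failures.append((packet, expected, got))
    return failures


# Constructed sample: workstation 10.0.1.25 must accept Remote Desktop only from the
# admin subnet and ICMP from the LAN, and only the browser may talk out to the web.
GOOD_RULES = [
    Rule("allow", src="10.0.0.0/24", dst="10.0.1.25/32", proto="tcp", dport=(3389, 3389)),
    Rule("allow", src="10.0.0.0/16", dst="10.0.1.25/32", proto="icmp"),
    Rule("allow", src="10.0.1.25/32", proto="tcp", dport=(80, 80), app="iexplore.exe"),
    Rule("allow", src="10.0.1.25/32", proto="tcp", dport=(443, 443), app="iexplore.exe"),
    Rule("deny"),
]

# Same intent, but an over-broad "allow the whole LAN" rule was put first by mistake.
BAD_RULES = [Rule("allow", src="10.0.0.0/16")] + GOOD_RULES

# Expected outcomes a correct rule set must reproduce (constructed test table).
TEST_CASES = [
    (Packet("10.0.0.7", "10.0.1.25", "tcp", 51000, 3389, "mstsc.exe"), "allow"),       # RDP from admin subnet
    (Packet("10.0.5.9", "10.0.1.25", "tcp", 51001, 3389, "mstsc.exe"), "deny"),        # RDP from elsewhere
    (Packet("10.0.1.25", "203.0.113.10", "tcp", 52000, 443, "iexplore.exe"), "allow"),  # browser HTTPS
    (Packet("10.0.1.25", "203.0.113.10", "tcp", 52001, 443, "unknown.exe"), "deny"),    # other program
    (Packet("10.0.5.9", "10.0.1.25", "tcp", 51002, 445, "system"), "deny"),            # file sharing inbound
]
```

Running `check_ruleset(BAD_RULES, TEST_CASES)` shows the over-broad rule letting three of the "deny" cases through, which is the kind of mistake the test table exists to catch before the rule set goes live.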
SSID enables wireless clients to connect to a wireless access point and to access network resources. If a wireless client is reporting connectivity problems, wireless configuration should be checked to make sure that the client is using the correct SSID. Remember that both the access point and the wireless client should be configured with the same SSID.
In large corporate networks, security is a prime concern, and most administrators configure certain authentication mechanisms to prevent unauthorized access to confidential company data. If a user cannot log on to a wireless network, make sure that he has sufficient permissions. Additionally, confirm that the encryption and authentication settings are configured correctly on his computer. Wireless networks use Wired Equivalent Privacy (WEP) protocol, which supports both 64- and 128-bit encryption. Make sure that the client is configured to use the correct WEP encryption standard.
Problems involving access of resources are very commonly seen in networks. Users often complain of an "Access is Denied" message popping up on their desktops when they want to connect to a computer or access a shared file, folder, or printer. The following are some of the common reasons for data access problems:
A user may not be able to access a shared resource due to insufficient permissions. For example, if a user is allowed only the Read or the Read and Execute permission, she may not be able to make any changes to a file. Similarly, if a user is granted the List Folder Contents permission, she may not be able to even open or run a file within the folder.
Administrators usually assign permissions to groups instead of configuring permissions for each individual user. In some cases, a particular user may be a member of more than one group with different levels of permissions assigned to each group. This conflict of permissions may also result in access problems. On Windows desktops with NTFS permissions, if a Deny permission is assigned to any user, it overrides all his permissions for a particular file or folder. For example, if a user is allowed access in one group to a folder, but another group has a Deny permission on that folder and the user is a member of both groups, his effective permission would be calculated as deny access. Moreover, when both share permissions and NTFS permissions are configured on a folder, the most restrictive permissions are applied to a user or a group.
Local security policies such as Log On Locally or Access This Computer From Network affect how the user can log on or access local resources on a computer. If a user or group is allowed share permissions on a folder, but a member user is not allowed to access the computer from the network, he will not be able to access the shared folder.
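The three causes above (insufficient permissions, conflicting group membership with Deny winning, and share versus NTFS permissions combining to the most restrictive result, plus the network-access user right) worked through in code. This is an added example, not from the text or from Windows itself: the user, group and folder names are constructed, and mapping the share permissions Read and Change onto the NTFS rights Read & Execute and Modify is an assumption made to keep the comparison simple.

```python
"""Effective-permission calculation for a user in several groups, local and via a share."""
from __future__ import annotations

from dataclasses import dataclass, field

# Basic NTFS permissions named on the page and the rights each one implies.
NTFS_IMPLIES = {
    "Full Control": {"Full Control", "Modify", "Read & Execute", "List Folder Contents", "Read", "Write"},
    "Modify": {"Modify", "Read & Execute", "List Folder Contents", "Read", "Write"},
    "Read & Execute": {"Read & Execute", "List Folder Contents", "Read"},
    "List Folder Contents": {"List Folder Contents"},
    "Read": {"Read"},
    "Write": {"Write"},
}

# Share permissions, expressed as the largest set of NTFS rights each one lets through (assumption).
SHARE_CAP = {
    "Full Control": NTFS_IMPLIES["Full Control"],
    "Change": NTFS_IMPLIES["Modify"],
    "Read": NTFS_IMPLIES["Read & Execute"],
}


@dataclass(frozen=True)
class Ace:
    principal: str    # user or group name
    kind: str         # "Allow" or "Deny"
    permission: str   # a key of NTFS_IMPLIES


@dataclass
class Folder:
    ntfs: list[Ace]
    share: dict[str, str] = field(default_factory=dict)   # principal -> share permission


def normalize(rights: set[str]) -> set[str]:
    """Drop a composite permission once any right it implies has been taken away."""
    return {p for p in rights if NTFS_IMPLIES[p] <= rights}


def ntfs_effective(user: str, groups: set[str], aces: list[Ace]) -> set[str]:
    """Allows from every matching group accumulate; a Deny on any of them overrides."""
    principals = {user, *groups}
    allowed: set[str] = set()
    denied: set[str] = set()
    for ace in aces:
        if ace.principal in principals:
            (allowed if ace.kind == "Allow" else denied).update(NTFS_IMPLIES[ace.permission])
    return normalize(allowed - denied)


def effective_access(user: str, groups: set[str], folder: Folder,
                     via_network: bool = False, has_network_logon_right: bool = True) -> set[str]:
    """Rights the user actually gets, either logged on locally or through the share."""
    if via_network and not has_network_logon_right:
        return set()   # "Access This Computer From Network" not granted: share is unreachable
    rights = ntfs_effective(user, groups, folder.ntfs)
    if via_network:
        share_cap: set[str] = set()
        for principal in {user, *groups}:
            if principal in folder.share:
                share_cap |= SHARE_CAP[folder.share[principal]]
        rights = normalize(rights & share_cap)   # most restrictive of share and NTFS
    return rights


# Constructed sample folder: Sales may modify, Contractors are explicitly denied,
# and the share grants Sales only Read.
REPORTS = Folder(
    ntfs=[Ace("Sales", "Allow", "Modify"),
          Ace("Contractors", "Deny", "Full Control"),
          Ace("Domain Admins", "Allow", "Full Control")],
    share={"Sales": "Read", "Domain Admins": "Full Control"},
)
```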
Encryption problems result in denying access to a user, to a system, or to the entire network. The user may not be able to log on to a desktop or to a domain due to incorrect configuration settings. Encryption problems usually fall into the following categories:
The user's operating system or software application may not support the encryption method required by the system. This is a common problem for users trying to connect remotely to a network.
If two computers are using different encryption protocols, they may not be able to communicate, resulting in denial of access for a user on one system to another system.
Implementing strong security measures for networks is one of the most critical tasks for most network administrators. When properly implemented, security mechanisms protect network resources from unauthorized access and damage to critical data. Apart from implementing security, administrators need to implement certain procedures and policies to make sure that security implementation works as desired and is not breached due to loopholes or lack of user training.
The importance of implementing security policies in an organization cannot be overstated. Security policies consist of the following essential components:
Account policies define how the user accounts are handled by the system when someone tries to log on using an incorrect password. A user's account may be locked after a certain number of unsuccessful logon attempts.
Password policies define how users maintain their passwords. These policies include minimum password length, maximum password age, and password complexity requirements.
Audit policies define whether or not object access and use of privileges and rights are to be audited.
Software restriction policies define which applications are not allowed to run on a system. These policies prevent damage to critical operating system files.
The registry component of security policies defines security for registry keys and subkeys to prevent unauthorized modification.
Social engineering refers to the process of obtaining personal or confidential information about someone by taking that person into confidence. The so-called "social engineer" generally tricks the victim over the telephone or on the Internet into revealing sensitive information. Instead of exploiting any security vulnerabilities in computer systems, the attacker exploits the victim's own tendency to trust someone, and then misuses the sensitive information collected from the victim.
Social engineering also involves face-to-face interactions between a computer user and an attacker to get access to the computer by taking the victim into confidence. It may also come in the form of an email attachment that asks the user to give away confidential information to the sender of the message. Phishing attacks are very common outcomes of social engineering. In a phishing attack, a computer user has seemingly harmless chats over the Internet or over the phone with unknown attackers in which she reveals sensitive information such as her password or credit card numbers. Responding to fraudulent email messages can also make you a victim of a phishing attack.
Unfortunately, no technical configuration of systems or networks can protect an organization from social engineering. There is no firewall that can stop these attacks. The best protection against social engineering is to train the users about security policies of the organization.
In case it is found that some user has disclosed his username or password to an outsider, the user account should be immediately locked or the user should be asked to change his password immediately. This can prevent the possibility of loss of information or confidential company data due to misuse of user credentials.
The last two sections for Exam 220–602 ("Safety and Environmental Issues" and "Communications and Professionalism") are covered in Chapter 2. Refer to this chapter for revision of these topics. Also note that Exam 220–603 does not have a "Safety and Environmental Issues" section, and that Exam 220–604 does not cover "Communications and Professionalism."