Windows Share Permissions (in XP)gato-docs.its.txstate.edu/vpit-security/training... · one punctuation mark or non-printing ASCII character within the first seven characters. The

Information Security –Server Management

Page 1

Windows Share Permissions (in XP)

7. Select Share this folder

8. Click on the Permissions tab

1. Create users and groups with Computer Manager (Jim, Susan, Research Group)

2. Navigate to My Documents 3. Right click and create folder titled Library 4. Open Library and create another folder

within it titled Research 5. Right Click on Library 6. Click on Sharing and Security…


Page 2

Remove Everyone

9. Click Add

10. Change the location to your local system 11. Type the name of the user or group– for this example, type Research Group 12. Click OK


Page 3

13. Select Full Control for the Research Group

14. Click Apply and OK 15. Notice that now your folder has an icon of a hand beneath it. This means that this is a Shared

folder.

16.


Page 4

Windows Security Permissions (XP)

Add the Research Group to Library folder and assign default permissions.

1. Navigate to the Library folder you created in the previous exercise 2. Right click and select Sharing and Security… 3. Click on the Security tab


Page 5

4. Click Add 5. Change the Location to your local computer and type Research Group for the object name. 6. Take the default permissions (Read & Execute, List Folder Contents, Read). Click OK.

Check Effective Permissions

7. Navigate to the Library folder 8. Right click and select Sharing and Security… 9. Click on the Security tab 10. Click on Advanced


Page 6

11. Click on Effective Permissions 12. Click on Select

13. Change your location to the local computer 14. Type Susan for the object name.


Page 7

15. Click OK and close all dialog boxes.

View Inherited Permissions

16. Navigate to the Research folder under Library 17. Right click and select Sharing and Security… 18. Click on the Security tab 19. You will see that Research Group is already listed as having rights

20. Click on Research Group and Click on Remove 21. You will get an error stating that this group cannot be removed because it is inheriting rights from

it’s parent. 22. Click OK to close the dialog box


Page 8

Assign Explicit Permissions for Susan at the Research Folder

23. Click Add and change the location to your local computer 24. Type Susan in the object name box, click OK

25. Select Full Control in the Permissions box, Click OK


Page 9

Check Effective Rights for Susan on the Research Folder

26. Navigate to the Research folder under Library 27. Right click and select Sharing and Security… 28. Click on the Security tab 29. Click on Advanced 30. Click on Effective Permissions


Page 10

31. Change your location to the local computer 32. Type Susan for the object name. 33. Note that Susan has Full Control to this folder


Page 11

Google Scanning

1. Search within a site for all files with a particular file type site:http://security.vpit.txstate.edu pdf

2. Search within a site for all files with a particular file type with a particular set of characters. site:http://security.vpit.txstate.edu pdf password


Page 12

Windows Event Viewer

1. Open Computer Managent and drill down to System Tools -> Event Viewer 2. Discuss each type of log and significance along with configuration options


Page 13

Identity Finder Scanning

1. Launch Identity Finder • Start -> All Programs -> Identity Finder

2. Click on the Locations tab • Default file search location is My Documents

3. Select click Custom Folders and then click Enable Custom Folder Search


Page 14

4. Click on the Browse button for the Folder field and choose Desktop; click OK

5. Once the selected location displays in the Folder field, click Add

6. The location will be copied to the Folder Location, Click Apply and OK

7. Click ‘Apply’ and then ‘OK’

8. Go to the Main tab and click on the Start button to begin scanning


Page 15

9. Once the search is completed, ID Finder Search Summary is displayed

Click Advanced

10. If a file containing an Identity Match is located after a scan, the results specifying the location

of the file and the match that was found are displayed


Page 16

11. Go to the Main tab a. There are three options available for users to choose what action they want to take

on the file with an identity match: i. Shred: completely and permenantly deletes file from your computer

ii. Quaratine: moves file to a specific location iii. Ignore: leaves file as it is

12. Click on a result to select it for deletion

Remember: Once shredded Files/Folders cannot be recovered

13. Click Yes to confirm that you want to delete the file


Page 17

14. Click OK

15. Close Identity Finder 16. Click No on the Save Results pop-up box


Page 18

Sysinternals

1. Download and run TCPview.exe from Microsoft Sysinternal site: http://live.sysinternals.com/

http://live.sysinternals.com/�


Page 19

2. Download and run Autoruns.exe from http://live.sysinternals.com

3. Download and run Procmon.exe from http://live.sysinternals.com




Page 20

Scanning with Windows Defender

1. Click on Start -> All Programs -> Windows Defender

2. Click on the arrow next to ‘Scan’

3. Choose ‘Custom Scan’


Page 21

4. Choose ‘Scan selected drives and folders’ Click the’ Select’ button

5. Choose‘---------‘ and click ‘Ok’

6. Close Windows Defender once the scan is finished


Page 22


Page 23

Microsoft Baseline Security Analyzer

1. Start -> All Programs -> Microsoft Baseline Securirty Analyzer

2. Click on ‘Scan a computer’

3. Make sure to check these boxes: • Check for Windows administrative vulnerabilities • Check for weak passwords • Check for IIS administrative vulnerabilities • Check for SQL administrative vulnerabilities • Check for security updates

4. Click the ‘Start Scan’ button


Page 24

5. Once the scan is completed, a detailed report will be generated

6. You can look at the Result details

7. If there are any vulnerabilities discovered, click on

How to corrrect this

8. Click ‘OK’ to close the program

to view solutions


Page 25

Using Windows XP Professional Security Checklist

Verify that all Disk partitions are Formatted with NTFS

NTFS partitions offer access controls and protections that aren't available with the FAT, FAT32, or FAT32x file systems. Make sure that all partitions on your computer are formatted using NTFS. If necessary, use the Convert utility to non-destructively convert your FAT partitions to NTFS.

1. Check the status of your Disk partitions

Protect File Shares

By default, Windows XP Professional systems that are not connected to a domain use a network access model called "Simple File Sharing," in which all attempts to log on to the computer from across the network will be forced to use the Guest account. This means that network access through Server Message Block (SMB, used for file and print access), as well as Remote Procedure Call (RPC, used by most remote management tools and remote registry access) will be available only to the Guest account.

In the Simple File Sharing model, file shares can be created so that access from the network is read-only or access from the network is able to read, create, change, and delete files. Simple File Sharing is intended for use on a home network and behind a firewall, such as the one provided by Windows XP. If you are connected to the Internet, and are not operating behind a firewall,


Page 26

you should remember that any file shares you create might be accessible to any user on the Internet.

The Classic security model is used if your Windows XP Professional computer is joined to a domain or if Simple File Sharing is disabled. In the Classic security model, users who attempt to log on to the local computer from across the network must authenticate as themselves and are not mapped to the Guest account. File shares should be created so that access from the network is granted only to the appropriate groups and/or individual users.

1. Go to Computer Management and drill down under Shared Folders

2. Right click on share to stop sharing

Use Account Passwords

To protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can be used only to log on at the physical computer console. By default, accounts with blank passwords can no longer be used to log on to the computer remotely over the network or for any other logon activity except at the main physical console logon screen. For example, you cannot use the secondary logon service (RunAs) to start a program as a local user with a blank password.

Assigning a password to a local account removes the restriction that prevents logging on over a network. It also permits that account to access any resources it is authorized to access, even over a network connection. As a result, it is better to leave a blank password assigned to an


Page 27

account rather than assigning a weak, easily guessed password. When assigning account passwords, make sure the password is at least eight characters long and that it includes at least one punctuation mark or non-printing ASCII character within the first seven characters. The longer the password, the stronger it is.

Caution: If your computer is not in a physically secured location, it is recommended that you assign passwords to all local user accounts. Failure to do so allows anyone with physical access to the computer to easily log on by using an account that does not have a password. This is especially important for portable computers, which should always have strong passwords on all local user accounts. Note: This restriction does not apply to domain accounts. It also does not apply to the local Guest account. If the Guest account is enabled and has a blank password, it will be permitted to log on and access any resource authorized for access by the Guest account.

If you want to disable the restriction against logging on to the network without a password, you can do so through Local Security Policy.

1. Go to Computer Manager, drill down under Local Users and Groups, create accounts and assign passwords here. Disable or delete unnecessary accounts here, such as Guest. Always rename the built in Admin account

.

You should review the list of active accounts (for both users and programs) on the system in the Computer Management snap-in. Disable any non-active accounts and delete any accounts that are no longer required.

This setting recommendation applies only to Windows XP Professional computers that belong to a domain or to computers that do not use the Simple File Sharing model.

On Windows XP Professional systems that are not connected to a domain, users who attempt to log on from across the network will be forced to use the Guest account by default. This change is designed to prevent hackers attempting to access a system across the Internet from logging on


Page 28

by using a local Administrator account that has no password. To use this feature, which is part of the Simple File Sharing model, the Guest account must be enabled on all Windows XP computers that are not joined to a domain. For those computers that are joined to a domain, or for unjoined computers that have turned off the Simple File Sharing model, the Guest account should be disabled. This will prevent users attempting to log on to the computer from across the network from using the Guest account.

Set Stronger Password Policies (Note: some of these policies are not required by DIR and not enforced by Texas State University)

To protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can be used only to log on at the physical computer console. By default, accounts with blank passwords can no longer be used to log on to the computer remotely over the network or for any other logon activity except at the main physical console logon screen.

Note: This restriction does not apply to domain accounts. It also does not apply to the local Guest account. If the Guest account is enabled and has a blank password, it will be permitted to log on and access any resource authorized for access by the Guest account.

Use the Local Security Policy snap-in to strengthen the system policies for password acceptance. Microsoft suggests that you make the following changes:

Set the minimum password length to at least eight characters. The longer, the stronger.

Set a minimum password age appropriate to your network (typically between 1 and 7 days).

Set a maximum password age appropriate to your network (typically no more than 42 days).

Set a password history maintenance (using the "Remember passwords" radio button) of at least six.

Set Account Lockout Policy (Note: some of these policies are not required by DIR and not enforced by Texas State University)

Windows XP Professional includes an account lockout feature that will disable an account after an administrator-specified number of logon failures. For example, enable local account lockout after 5-10 failed attempts, reset the count after not less than 30 minutes, and set the lockout duration to "Forever (until admin unlocks)." If that's too aggressive, consider permitting the account to automatically unlock after a certain period of time.

There are two common goals for using account lockout: one is to make it obvious that multiple attempts have been made to log on to a user account with an invalid password; the second is to protect accounts from attempts to guess a password by dictionary attacks or iterative guessing. There is no one correct setting here that will apply to all environments. Consider reasonable settings for your environment.

Disable Unnecessary Services

After installing Windows XP, you should disable any network services not required for the computer. In particular, you should consider whether your computer needs any IIS Web


Page 29

services. By default, IIS is not installed as part of Windows XP and should be installed only if its services are specifically required.

Install Antivirus Software and Updates

One of the most important things for protecting systems is to use antivirus software and ensure that it is kept up-to-date. All systems on the Internet, a corporate Intranet, or a home network should have antivirus software installed.

Keep up-to-Date on the Latest Security Updates

The Auto Update feature in Windows XP can automatically detect and download the latest security fixes from Microsoft. Auto Update can be configured to automatically download fixes in the background and then prompt the user to install them once the download is complete.

To configure Auto Update, click System in Control Panel and select the Automatic Updates tab. Choose the first notification setting to download the updates automatically and receive notification when they are ready to be installed.