In this chapter, we discuss ways to maintain security in Microsoft Windows XP and Microsoft Windows 2000 Professional. We discuss using Windows Update and Automatic Updates to ensure that critical operating system updates are applied. We teach students how to configure Internet Connection Firewall and discuss use of antivirus tools for the prevention of computer viruses. We finish with a short description of the Microsoft Baseline Security Analyzer.
Windows Update uses the Internet to provide up-to-date critical fixes and operating system updates to users of Windows computers. Users of Microsoft Windows 98 or later versions will be able to scan their computers and download Microsoft-tested patches required by their specific installation. If possible, demonstrate scanning and downloading an update from Windows Update. Explain that users must be using Microsoft Internet Explorer 5 or later to access the features of this site.
Microsoft usually classifies patches for security vulnerabilities as “critical updates.” When Microsoft makes critical updates available, these updates appear in the Critical Updates and Service Packs section of the Windows Update site. Users can select one or more critical updates to be downloaded and installed at once.
The next section of the Windows Update Web site contains updates recommended for the operating system. This list is compiled as the service scans for installed options. These updates provide enhanced reliability of installed components or, occasionally, additional features provided by Microsoft for the operating system. You can explain that upgrades to Microsoft Windows Media Player as well as patches to database access tools are distributed in the Windows Operating System Updates area.
The Driver Updates section contains any updated device drivers available for your system based on the results of the scan. It is not uncommon to see this area empty. Manufacturers often provide updated drivers on their own Web sites, and do not go to the trouble of passing the updates through WHQL.
Windows 2000 (Service Pack 3 and later), Windows XP, and Windows Server 2003 are able to automatically obtain updates from the Windows Update service. These operating systems can be configured to schedule application of these updates, and even to restart if necessary to complete the application. The location of the configuration dialog boxes differs between Windows 2000 and the later versions of Windows. In Windows 2000 (Service Pack 3 and later), configure Automatic Updates from the Automatic Updates tool in Control Panel. In Windows XP and later versions, configure Automatic Updates in the Automatic Updates tab of the System Properties dialog box.
Microsoft provides the Software Update Services (SUS) architecture to enable corporate IT departments to provide automated distribution of patches to client systems. Corporate administrators download and approve updates to be distributed to their client computers. Client computers can be any version of Windows compatible with Automatic Updates. Administrators can also use group policy templates provided for SUS to manage the configuration of the Automatic Updates feature of client operating systems.
You can enable Internet Connection Firewall (ICF) on Windows XP or later systems to prevent outside attackers from gaining access to the system. It is configured by default to disallow any external access not originally initiated from inside the firewall. You can also configure it to allow inbound connections to support hosted services such as Web serving or File Transfer Protocol (FTP). In addition, security logging can be enabled to allow analysis of attack attempts and patterns.
ICF is enabled in the Advanced tab of the Properties dialog box for an Internet connection. Take a few minutes to discuss the ramifications of enabling a service that blocks all inbound traffic. What will happen if this is enabled on an internal interface? What will this do to file sharing? Will other users be able to use your printer? If enabled on the external interface, will this keep instant messaging or file sharing applications from operating properly?
ICF can log dropped packets and successful connections. You can use this information when troubleshooting ICF or when attempting to trace the source of specific attacks. This slide presents the steps to enable security logging. Take note of the default location of the personal firewall log file. The log file can be located from the browse window available from this dialog box or by finding and opening the file with Notepad or a similar text editor. The structure of the log is presented as a header entry in the log file. This describes the format of the log records.
Internet Control Message Protocol (ICMP) is used to allow routers and other Internet hosts to communicate status or configuration information to each other. ICF blocks all ICMP traffic by default to prevent denial-of-service (DoS) attacks. Sometimes, however, it is necessary to temporarily enable specific ICMP functions. You can do this in the ICMP tab of the Advanced Settings dialog box for ICF. This slide depicts enabling the echo request option. This allows the computer to respond to ping packets originating from the Internet. Be sure to explain that it would be wise to disable ICMP again after testing has been completed to block a range of DoS attack vectors.
You can configure ICF to allow inbound connections to services hosted on the ICF computer or another computer on its network. This slide depicts first enabling the standard Hypertext Transfer Protocol (HTTP) service definition, then a custom service definition for a computer game. In your discussion of service definitions, explain that users activating custom service definitions need to know how the service application communicates. They need to know the port number used by the application, and whether it uses Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) for communication.
This slide depicts three of the most common causes of problems with ICF. A user must be an administrator to access the dialog boxes and enable and configure ICF. Enabling ICF on the wrong interface might interfere with normal network communication and does not provide protection from external threats. Failure to activate a service definition results in Internet clients not having access to that service.
This section of the chapter discusses managing antivirus solutions and responding to virus infections. We discuss in broad terms the installation and configuration of an antivirus solution and how to recognize common signs of virus infection. We complete this section by discussing how to recover from a virus infection.
To be effective, you should install an antivirus solution according to the developer’s instructions. This includes properly configuring it to protect all aspects of a computer’s operation, including e-mail, instant messaging, file sharing, and Web browsing. Most major antivirus solutions protect all these communications methods.
An antivirus solution is only as good as its latest signature update. Antivirus vendors work very hard to ensure the latest viruses are detected by their systems. This means they have to provide up-to-date virus signatures to users of their applications. Most major applications do this automatically. Describe the effects of having a two-day-old signature update when a brand new virus enters the wild overnight. Many of the more newsworthy viruses spread quickly because they traveled from system to system before the systems could be updated with detection signatures for the virus. It is like a game of cat and mouse between virus writer and antivirus vendor.
This slide presents a few warning signs of a virus infection. Users should be educated to recognize when something isn’t right and report the symptoms quickly to the support desk. Refer the students to the complete list in the textbook for additional symptoms. As you discuss the symptoms of a virus infection, ask for a show of hands of who has experienced a virus infection. Ask them how they became aware of the infection and what they did to remove it.
The effects of a virus dictate what actions can be taken to remove it and return the affected system to normal operation. Sometimes tools are made available to remove the virus; sometimes you need to make use of a recovery disk. In extreme cases, you might even have to reinstall the system and applications. Ask your students what actions they have taken in the past to remove virus infections.
We finish the chapter by introducing the Microsoft Baseline Security Analyzer (MBSA). This tool, provided free for download from the Microsoft Web site, scans a system and reports on configurations and settings that weaken security. If time permits, run MBSA to scan a classroom computer. Explain the different items on the report and discuss how any deficiencies reported can be remedied.
Microsoft provides the Windows Update tools and services to assist users and administrators with keeping their systems up to date. Tools provided for this purpose include the Windows Update Web site, Automatic Updates built into Windows 2000 Service Pack 3 and later versions, and Software Update Services. ICF protects a computer from external attack. By default, no inbound traffic is permitted. Service definitions must be enabled to allow inbound connections to services. Security logs are available to allow tracking of dropped packets and successful connections.
Antivirus solutions are available to protect systems from e-mail viruses, Internet worms, and chat room viruses. The success of these solutions relies on the availability of up-to-date virus signature files. These applications typically can be configured to obtain signature updates automatically.
PROTECT THE COMPUTER Chapter 10
CHAPTER OVERVIEW AND OBJECTIVES <ul><li>Using Windows Update </li></ul><ul><li>Configuring Automatic Updates </li></ul><ul><li>Using Internet Connection Firewall </li></ul><ul><li>Installing and operating antivirus solutions </li></ul><ul><li>Using Microsoft Baseline Security Analyzer </li></ul>
SOFTWARE UPDATE SERVICES (SUS) <ul><li>Installed on a server running Windows 2000 or later </li></ul><ul><li>Managed by corporate IT administrators </li></ul><ul><li>Distributes Microsoft Updates to client systems </li></ul><ul><li>Can use group policy to manage Automatic Updates </li></ul>
INTERNET CONNECTION FIREWALL <ul><li>Protects Windows XP and later systems </li></ul><ul><li>Prevents penetration from external attacks </li></ul><ul><li>Can be configured to host services </li></ul><ul><li>Supports logging for forensic analysis </li></ul>
ANTIVIRUS SOFTWARE <ul><li>Must be installed and configured properly </li></ul><ul><li>Must protect e-mail, files, and network communications </li></ul><ul><li>Should quarantine or clean infected files </li></ul>
ANTIVIRUS SIGNATURE UPDATES <ul><li>Allow the automatic retrieval of updated virus signatures </li></ul><ul><li>Promote rapid identification of new viruses </li></ul><ul><li>Necessary for complete protection </li></ul>
COMMON VIRUS WARNING SIGNS <ul><li>Unexpected application behavior </li></ul><ul><li>Inexplicable system restart </li></ul><ul><li>Corrupt or missing data files </li></ul><ul><li>Disabled computer </li></ul><ul><li>Slow or unresponsive applications </li></ul>
VIRUS RECOVERY <ul><li>Depends on the effects of the virus </li></ul><ul><li>Might require use of antivirus recovery disk </li></ul><ul><li>Removal tools might be available </li></ul>