
The Friendly Alternative to Registry Editing:
Introducing Local Security Policy Editor
by David M. Piscitello, President, Core Competence, Inc.
Windows Operating Systems are often installed with default settings
that maximize ease of use and "plug and play" operation. Unfortunately,
these settings often conflict with business security needs -- and common
sense.
Other than power users and system administrators, few people bother to
learn how to customize and harden Windows 2000/XP desktop and laptop
("client") computers. This is unfortunate, because some basic
customizations to client computers are not only helpful, but also highly
recommended. Changing certain Windows OS default settings, for example,
eliminates some commonly exploited vulnerabilities. Other changes help you
publish acceptable use policies and legal notices governing employee
computer use. Still other changes can help you optimize network
performance for broadband or dial-up access, or adjust the look-and-feel
of your desktop.
Oh, The Good (Security) Deeds You Can Do
Let's consider all the things you can do with Windows settings that
improve client computer security.
You can improve Windows Logon and Authentication in several ways. For
instance, you can add a legal notice dialog box before logon to let users
know what you consider acceptable use and abuse. (Attorneys say that such
measures are necessary if you want to prosecute anyone for misuse.) You
can force users to log on to Windows, control logon passwords by setting a
minimum length, disable password caching, limit the lifetime of passwords,
and prevent the username of the last successful logon from being displayed
automatically.
You can take several measures to protect client computers from network
attacks, including certain Denial of Service attacks, attacks against
Windows file sharing, and network access to certain critical Windows
information. While these countermeasures are typically enforced at your
office by your firewall, teleworkers and mobile employees who don't have
(or forget to run) personal firewall software will benefit from modifying
default settings.
Additional measures can be taken to remove traces of user activity. You
can have all Temporary Internet Files and the IE browser History removed
when a user logs off, and you can even have the file that backs
virtual memory (the swap or Page File) cleared, that is, overwritten, at
System Shutdown. Why clear it? Memory pages containing passwords, keys, and
other sensitive data may be written to this file in clear text, so it
represents a risk on mobile worker computers that are lost or stolen.
If it's cleared, though, you also destroy potentially useful computer
forensic information, so think this setting through carefully and discuss
it with your legal department.
If you provide public access computers, you can restrict access to
removable media (floppy and CD-ROM drives) to the locally logged-on user,
and restrict access to critical operating system libraries.
Modifying these and literally hundreds more default Registry settings
is a seemingly Good Deed. Customization and hardening of Windows OSs,
however, can be tricky business.
No Good Deed Goes Unpunished?
To understand why so few folks modify default Windows settings, let's
consider some Windows administration basics. When you add or remove
hardware and software on your computer, installer programs modify a
database of information that Windows OSs require to operate your computer:
the Registry. When you change settings using Control Panels, change
the properties of your display, or add printers and network cards, you are
actually changing the Registry. In fact, most everything about your
computer, peripherals, programs, network access, desktop appearance, and
security preferences is stored in the Registry.
Most users first encounter the Registry when they see an error message
or "Blue Screen" that indicates something in the Registry is broken, or
corrupted. The first lesson most users learn about the Registry is that
presumably competent application and hardware developers can break the
Registry by editing it improperly. The common warning about Registry
editing is that you can corrupt this critical database so badly
that you'll have to reinstall your operating system, hardware drivers, and
applications, and you may lose valuable data files as well. So it's no
surprise that users are intimidated by the notion of editing the
Registry.
Dodging Punishment
But if you choose to edit the Registry, there are some simple measures
you can take that can protect you from self-inflicted wounds, mistakes,
and random acts of stupidity.
If you know nothing about the Registry, read a tutorial
or eBook before you whack at
it. A good rule of thumb when editing the Registry is, "back it up, you
may need it." Should you damage it badly, you can restore
the Registry (see also, using the Last Known Good Configuration
option in Windows 2000
and XP).
A second rule of thumb: use one of the many advanced registry editors you
can find for free or cheap on the Web (just Google "Registry Editors").
Choose one that automates the backup process and provides safe editing
measures (multi-level Undo, search&replace, etc.).
If you reach the point where you're comfortable editing the Registry,
visit The WinGuides
Network Registry Guide Pages; here you can learn what Registry keys
you must change to adjust the security settings I described earlier, and
more.
Avoiding Punishment Entirely
For many security settings, you can avoid direct
Registry editing. Locate the folder Administrative Tools on your
computer, then choose Local Security Policy (or simply RUN secpol.msc from your START Menu). This
utility provides a much friendlier user interface for modifying security
policy. Most of the policy settings I mentioned above can be found in the
Account Policies node and the Security Options
sub-node of Local Policies. While I would not call secpol.msc
intuitive, it's far simpler to use than a Registry editor. One caveat: on
a computer joined to a domain, settings pushed by domain Group Policy
override what you set locally (secpol.msc shows them greyed out), so the
local editor is most useful on standalone and workgroup machines.
Let's try an example. Windows Anonymous Logon (also known as a "null
session") is Number 5 on the SANS Top 20 Vulnerability
List. The recommended procedure for protecting against anonymous logon is
to change the Registry value
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
to one (1) for NT and two (2) for Windows 2000. (Windows XP no longer
honors the value 2; there the restriction is split into separate settings,
beginning with RestrictAnonymous=1 and RestrictAnonymousSAM=1.)
A much simpler and safer way to make this change is to set the Local
Security Policy setting Additional restrictions for anonymous
connections to "No access without explicit anonymous permissions." On
Windows XP the same node offers the replacement settings, starting with
Network access: Do not allow anonymous enumeration of SAM accounts and
shares.
Want to add a Legal Notice for users attempting to log on? Rather than
composing your "Get Lost if You Don't Belong Here" message in Notepad and
pasting it into the Registry value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
(the policy editor stores the notice under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System instead),
you can modify Message text for users attempting to log on, and give
the dialog a title with Message title for users attempting to log on.
You're on a roll! While you have the policy editor open, change Do not
display last user name in logon screen from Disabled (default) to
Enabled, adjust the amount of idle time required before disconnecting user
sessions, and rename your Administrator and Guest accounts to something
other than the defaults.
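As an added example (not code from the original article), the following Windows PowerShell script audits the settings discussed in this section by reading the Registry values that Local Security Policy writes, so you can see where a machine stands before you open secpol.msc. The policy names are the Windows XP and later names, and the Registry locations are Microsoft's documented policy-to-Registry mappings; the recommended values and the OK/REVIEW threshold are assumptions made for this example. It needs an elevated Windows PowerShell 3.0 or later prompt (Windows 7 onward), so it will not run on the Windows 2000 machines the article was written for, but the values it inspects have been in the same place since Windows XP.

```powershell
# Added example (not from the original article): read-only audit of the Local
# Security Policy settings discussed in the text, via the Registry values that
# secpol.msc writes. Nothing is changed. Run from an elevated Windows PowerShell
# 3.0+ prompt. Registry paths are Microsoft's documented mappings; the "Want"
# values are a baseline assumed for this example, not a universal mandate.
# RestrictAnonymous=2 is a Windows 2000 value; XP and later expect the pair
# RestrictAnonymous=1 and RestrictAnonymousSAM=1, which is what is checked here.

$policySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$checks = @(
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path   = $lsa;  Value = 'RestrictAnonymous'
       Want   = '1';   Test  = { param($v) $v -eq 1 } },
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts'
       Path   = $lsa;  Value = 'RestrictAnonymousSAM'
       Want   = '1';   Test  = { param($v) $v -eq 1 } },
    @{ Policy = 'Interactive logon: Message text for users attempting to log on'
       Path   = $policySystem; Value = 'LegalNoticeText'
       Want   = 'non-empty';   Test  = { param($v) -not [string]::IsNullOrWhiteSpace("$v") } },
    @{ Policy = 'Interactive logon: Message title for users attempting to log on'
       Path   = $policySystem; Value = 'LegalNoticeCaption'
       Want   = 'non-empty';   Test  = { param($v) -not [string]::IsNullOrWhiteSpace("$v") } },
    @{ Policy = 'Interactive logon: Do not display last user name'
       Path   = $policySystem; Value = 'DontDisplayLastUserName'
       Want   = '1';           Test  = { param($v) $v -eq 1 } },
    @{ Policy = 'Shutdown: Clear virtual memory pagefile'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Value  = 'ClearPageFileAtShutdown'
       Want   = '1 (weigh the forensic trade-off first)'
       Test   = { param($v) $v -eq 1 } },
    @{ Policy = 'Microsoft network server: Amount of idle time required before suspending session'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value  = 'Autodisconnect'
       Want   = '1-15 minutes'
       Test   = { param($v) ($v -ge 1) -and ($v -le 15) } }
)

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # $null means the value (or its key) is absent, so the operating-system default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = @(foreach ($c in $checks) {
    $actual = Get-RegistryValue -Path $c.Path -Name $c.Value
    # -and short-circuits, so the test scriptblock never sees $null.
    $ok = ($null -ne $actual) -and (& $c.Test $actual)
    [pscustomobject]@{
        Status   = if ($ok) { 'OK' } else { 'REVIEW' }
        Policy   = $c.Policy
        Actual   = if ($null -eq $actual) { '<not set; default applies>' } else { "$actual" }
        Want     = $c.Want
        Registry = "$($c.Path)\$($c.Value)"
    }
})

# The Administrator and Guest renames live in the SAM, not the Registry. Find the
# built-in accounts by their well-known RIDs (500 and 501) rather than by name,
# because the name is exactly what may have been changed. Note that renaming is
# a speed bump only: the SID still ends in -500, and tools can look it up.
$renames = @(foreach ($acct in Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE') {
    if ($acct.SID -notmatch '-50[01]$') { continue }
    $default = if ($acct.SID -like '*-500') { 'Administrator' } else { 'Guest' }
    [pscustomobject]@{
        Status   = if ($acct.Name -eq $default) { 'REVIEW' } else { 'OK' }
        Policy   = "Accounts: Rename $($default.ToLower()) account"
        Actual   = $acct.Name
        Want     = "anything but '$default'"
        Registry = "SAM (SID $($acct.SID))"
    }
})

$all = $report + $renames
$all | Format-Table -AutoSize -Wrap
# Exit code = number of settings needing review, so the script can gate a build or login script.
exit (@($all | Where-Object { $_.Status -eq 'REVIEW' })).Count
```

The script reports effective values: on a domain-joined computer a setting pushed by domain Group Policy overrides the local one, and this is what the Registry then contains, so the audit is valid either way. If you prefer a snapshot you can keep under version control and diff, `secedit /export /cfg baseline.inf` exports the same Local Security Policy settings to an INF file.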
If you spend a small amount of time browsing Local Security Settings,
you'll find all sorts of useful ways to tweak client computer security
policy. If you aren't entirely certain what a particular setting does,
Googling the exact setting name almost always returns a page from
Microsoft's Developer Network (MSDN) or TechNet Libraries that describes
the Security Setting, and additional hyperlinks often provide helpful
information about exploits related to the setting.
Raise the Bar
Many small businesses don't have the staff or budget to
create standard desktop installations, then push these to every PC in the
organization. Too often, client computers in small-to-medium businesses
are left less secure than they should be. A small amount of knowledge
about Local Security Policy and how to configure it can help raise the
security baseline in your company, and at home. It doesn't cost one cent
in hard cash, and it's not all that painful a process to use the tools
Microsoft built into your software. Read, think, then apply -- you'll be
glad you did. ##
Copyright© 2003, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.