Configure or Disable UAC in Windows Vista Home (or Home Premium)

Editing The Registry

UAC (User Account Control) has been much maligned over the past year. The community clamored for tighter security to prevent exploitation and compromise of the Windows operating system, but Microsoft has been buried by criticism of UAC since the release of Windows Vista. UAC has also been the target of humorous ads for the Apple Mac computer and operating system.

In defense of UAC, Dr. Jesper Johansson, co-author of Windows Vista Security (Securing Vista Against Malicious Attacks), has written an excellent article. If you want to gain a better understanding of UAC, its intended purpose, and how to use it, read The Long-Term Impact of User Account Control.

It is possible to edit the configuration or disable UAC using Group Policy for systems in a network domain, or by using the Local Security Policy settings for standalone systems. However, Microsoft does not include the ability to access these settings from Windows Vista Home or Windows Vista Home Premium. Users of the Windows Vista Home operating systems have to manually edit the Registry to change the UAC settings.

Let me preface by stating that I do not recommend disabling UAC. Johansson’s article clearly explains the benefits of UAC, and for the vast majority of home users, leaving the default UAC configuration is advised. If you are a more advanced user, or you just really feel a need to change the UAC configuration though, just follow these steps:

Click Start, then click Run

Start RegEdit

In the Open field of the Run box, type “RegEdit” to open the Registry editing utility. Assuming that you have not already disabled UAC, you will receive a UAC prompt for consent to open the utility.

Find The UAC Registry Keys

Using the tree in the left pane, navigate to the section of the Registry that holds the entries configuring UAC:

  1. Select HKEY_LOCAL_MACHINE
  2. Select SOFTWARE
  3. Select Microsoft
  4. Select Windows
  5. Select CurrentVersion
  6. Select Policies
  7. Select System

Edit ConsentPromptBehaviorAdmin

There are a variety of Registry entries related to various UAC functions. The one that has the most direct and significant impact for a home user running as an Administrator on Windows Vista Home, though, is ConsentPromptBehaviorAdmin.

If you double-click this entry, you will be able to change its DWORD value. There are three possible values you can use:

  • 0 = Do not prompt. Setting this value to zero effectively disables UAC and allows programs and tasks to execute without first requiring consent to elevate privileges.
  • 1 = Prompt for credentials. When this value is set to 1, UAC will prompt for user credentials (a username and password) rather than simply asking for consent. This is a higher level of security than the standard UAC consent because it requires entering the password of a valid, authorized account each time.
  • 2 = Prompt for consent. This is the default setting. When UAC is set to prompt for consent, any action or execution that requires elevated administrative privileges will result in the darkened screen and UAC pop-up to verify consent before proceeding.

For further explanation about the other UAC Registry keys, you can refer to the MSDN UAC blog, or Disable UAC on Windows Vista Home and Windows Vista Home Premium at TweakVista.
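The following PowerShell script is an added example, not part of the original article. It reads the ConsentPromptBehaviorAdmin value from the Registry path given above and reports which of the three behaviours is in effect, flagging the value 0 that removes the elevation prompt. The script is read-only; it changes nothing. The function name and the output format are choices made for this example.

```powershell
# Added example: report the ConsentPromptBehaviorAdmin setting described above.
# Read-only audit; the key path and value name are the ones the article names.
# Uses [pscustomobject], so it needs PowerShell 3.0 or later.
function Get-UacAdminPromptBehavior {
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $valueName = 'ConsentPromptBehaviorAdmin'

    # Meanings of the three values discussed in the article
    $meaning = @{
        0 = 'Do not prompt (UAC elevation prompt disabled for administrators)'
        1 = 'Prompt for credentials'
        2 = 'Prompt for consent (default)'
    }

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value    = $null
            Meaning  = 'Value not present; Windows applies its built-in default'
            Weakened = $false
        }
    }

    $value = [int]$item.$valueName
    $text  = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "Unrecognized value $value" }

    [pscustomobject]@{
        Value    = $value
        Meaning  = $text
        Weakened = ($value -eq 0)   # zero is the setting that removes the elevation prompt
    }
}

$result = Get-UacAdminPromptBehavior
$result | Format-List
if ($result.Weakened) {
    Write-Warning "UAC admin prompt is disabled on $env:COMPUTERNAME; the article recommends keeping the default (2)."
}
```

Run it from a normal PowerShell prompt; reading this key does not require elevation, so it is a convenient check to run on any machine where someone may have followed the steps above.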

Backup and Restore Data in Windows Vista

Windows Vista Backup Center

Microsoft has included some type of data backup functionality in Windows for years. However, the latest flagship operating system, Windows Vista, has a much improved backup and restore utility.

In Windows Vista, Microsoft has provided more capabilities and automation and wrapped them up in a more intuitive GUI to help novice users back up the data that should be backed up, without having to become disaster recovery or data backup experts.

To open the Backup and Restore Center, follow these steps:

  1. Click the Start icon at the lower left of the display
  2. Select Control Panel
  3. Choose Backup and Restore Center

Complete PC Backup

If you select Backup Computer from the right pane, you will see the console displayed here (you will also receive a UAC (User Account Control) prompt). Select the location that you want to back up to (usually either an external USB hard drive or a CD/DVD recorder) and click Next. Confirm your selection and click Start Backup to back up the entire contents of your PC.

Configuring Backup Options

If you choose Backup Files, Vista will walk you through choosing a destination to back up to (again, this is typically an external USB hard drive or a CD/DVD recorder), and then choosing the drives, folders, or files that you want to include in your backup. Note: If you have already configured Backup Files, clicking on the Backup Files button will instantly initiate a backup. To modify the configuration, you instead need to click on the Change Settings link below the Backup Files button.

Backup FAQ

Throughout the process of configuring and initiating a backup or restore, you will see questions and phrases that are links you can click on. These links take you to the FAQ (Frequently Asked Questions) and are very helpful for explaining various terms and topics.

For example, under the Restore heading, it explains that “You can use shadow copies to restore previous versions of files that have been accidentally modified or deleted.” That sounds great…I think. It begs the question “what is a shadow copy?”

Thankfully, Microsoft already realized the question was begged. Immediately following the explanation sentence, you will find the question “what are shadow copies?” which links to the FAQ to give you an explanation.

This type of assistance and explanation is always a click away throughout the Backup and Restore Center.

Select File Types

Once you select the location to back up to and the drives you want to back up, you will be prompted to choose the types of files you want to back up.

Rather than expecting you to know all of the different file extensions and file types, or be technical enough to understand exactly which files to back up, Microsoft has made it simple by providing checkboxes for categories of files.

For example, you don’t need to know that a graphic image could potentially be a JPG, JPEG, GIF, BMP, PNG, or other file type. You can simply check the box labeled Pictures and the Backup and Restore Center will take care of the rest.

Set Backup Schedule

You could just manually back up your files whenever you happen to remember to, but that more or less negates the effectiveness and efficiency of this utility. The whole point is to automate the process so your data will be protected without you having to be involved any more than necessary.

You can choose to back up your data Daily, Weekly or Monthly. If you choose Daily, the “What Day” box becomes grayed out. However, if you choose Weekly, you will need to select what day of the week, and if you choose Monthly, you will need to select what date of each month you would like the back up performed.

The last option is to choose a time. If you turn your computer off, then you will need to schedule the back up to run at some point while the computer is on. However, using the computer during the backup may make it impossible to back up some files, and the process of backing up will eat systems resources and make your system run slower.

If you leave your computer on 24/7, it makes more sense to schedule the backup while you are sleeping. If you set it for 2am or 3am, it will be late enough that it won’t interfere if you happen to be up late, and early enough to make sure the backup is complete if you happen to get up early.

Restoring Data

If you click on Restore Files, you are offered two choices: Advanced Restore or Restore Files. The Restore Files option allows you to restore files that were backed up on the computer you are currently using. If you want to restore data that was backed up on a different computer, or restore data for all users rather than just yourself, you must select the Advanced Restore option.

Advanced Restore Options

If you select Advanced Restore, the next step is to let Vista know what type of data you wish to restore. There are 3 options:

  • Files from the latest backup made on this computer
  • Files from an older backup made on this computer
  • Files from a backup made on a different computer

Select a Backup

Regardless of the options you choose, at some point you will be presented with a screen that looks like the image shown here. There will be a list of the available backups and you must select which backup you want to restore from.

If you wrote a term paper 4 days ago that you accidentally deleted, you obviously would not choose a backup from a month ago since the term paper did not yet exist.

Conversely, if you are having problems with a file or accidentally altered a file that has been on your system for some time, but you aren’t sure when it got corrupted, you can choose a backup from farther back to try to ensure you go back far enough to get the functional file you are looking for.

Select Data to Restore

Once you have selected the backup set to use, you need to choose the data you want restored. At the top of this screen, you can simply check the box to Restore everything in this backup. But, if there are specific files or data you are looking for, you can use the Add Files or Add Folders buttons to add them to the restore.

If you are looking for a file, but you are not sure exactly what drive or folder it is stored in, you can click on Search to use the search function to locate it.

Once you have selected all of the data you wish to restore from this backup set, click Next to initiate the data restoration and go get yourself a cup of coffee. Soon that investment account information you accidentally deleted, or the important PowerPoint presentation your kid “modified” will be back safe and sound just like you remember it.

Password Policy Settings Explained

Windows Vista enables you to control many of its features and functions by configuring Local Security Policy settings. There are six components that make up the Password Policy under the Vista Local Security Policy. The sections below explain what each of these six policy settings means and how you should configure them to manage passwords on your Windows Vista system.

Enforce Password History

This setting defines the minimum number of passwords that must be created before a previous password is allowed to be re-used.

Maximum Password Age

Maximum Password Age is the password expiration date, or the maximum number of days allowed before a new password must be created.

Minimum Password Age

This setting is used to define the minimum number of days that a password must be used before a new password can be created.

Minimum Password Length

The Minimum Password Length setting defines the minimum number of characters allowed in order for a password to be valid.

Password Must Meet Complexity Requirements

Enabling this setting forces users to create stronger, more complex passwords.

Store Passwords Using Reversible Encryption

This setting should only be enabled in extreme circumstances. It basically forces passwords to be stored in plain text for cases where an application or process needs access to them for authentication purposes.

Password Policy: Store Passwords Using Reversible Encryption

Enabling Store Passwords Using Reversible Encryption determines whether Windows stores passwords using reversible encryption.

Enabling this is essentially the same as storing passwords in plain text, which is insecure and not recommended. The purpose of this policy setting is to provide support for applications that use protocols that require knowledge of the user’s password for authentication purposes. Enabling this policy setting should be a last resort, used only in extreme situations where no alternative exists and application requirements outweigh the need to protect password information.

Store Passwords Using Reversible Encryption must be enabled when using CHAP (Challenge-Handshake Authentication Protocol) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).

Default: Disabled

Password Policy: Password Must Meet Complexity Requirements

This security setting enforces password complexity to ensure that users create strong passwords that are not easily guessed or cracked.

With Passwords Must Meet Complexity Requirements enabled, passwords must meet the following minimum requirements:

  • Must not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
  • Must be at least six characters in length (or the length specified in Minimum Password Length if that setting is higher than 6)
  • Must contain characters from three of the following four categories:
    • Uppercase characters (A through Z)
    • Lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Special symbols or non-alphabetic characters (for example: !, $, #, %, etc.)

Complexity requirements are enforced when passwords are changed or created.

Defaults:

  • Enabled on domain controllers
  • Disabled on stand-alone servers

Note: By default, PCs on a network domain follow the configuration of their domain controllers.

Password Policy: Minimum Password Length

The Minimum Password Length policy setting defines the least number of characters that a password may contain. You can set a value of between 1 and 14 characters. You can also enable an account to have no password requirement at all by setting the Minimum Password Length to 0 (zero).

Defaults:

  • 7 on domain controllers
  • 0 on stand-alone servers

Note: By default, PCs on a network domain follow the configuration of their domain controllers.

Password Policy: Maximum Password Age

Maximum Password Age defines the maximum period of time (in days) that a password can be used before the user must change it. You can set passwords to expire between 1 and 999 days. If you set a Maximum Password Age of 0 (zero), passwords never expire.

Unless the Maximum Password Age is set to 0 (zero), or no expiration, the Maximum Password Age setting must be higher than the Minimum Password Age setting. When the Maximum Password Age is set to never expire, the Minimum Password Age can be any value between 0 and 998 days.

Note: It is considered a recommended security practice to have passwords expire every 30 to 90 days, depending on the level of security or confidentiality in your environment. Requiring periodic password resets limits the window of opportunity an attacker might be able to exploit a compromised password.

Default: 42.

Password Policy: Minimum Password Age

Minimum Password Age determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.

The Minimum Password Age setting must be lower than the Maximum Password Age, unless the Maximum Password Age is set to 0 (zero), or never expire. If the Maximum Password Age is set to 0, the Minimum Password Age can be set to any value between 0 and 998.

Minimum Password Age is useful in conjunction with Enforce Password History to prevent users from simply entering new passwords repeatedly to bypass Enforce Password History and reuse their current password.

Defaults:

  • 1 on domain controllers.
  • 0 on stand-alone servers.

Note: By default, PCs on a network domain follow the configuration of their domain controllers.

Password Policy: Enforce Password History

This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.

This policy enables enhanced security by ensuring that old passwords are not simply reused every time a user is required to periodically change or update their password.

Defaults:

  • 24 on domain controllers
  • 0 on stand-alone servers.

Note: By default, PCs on a network domain follow the configuration of their domain controllers.

Enforce Password History should be used in conjunction with the Minimum Password Age policy setting to ensure that users do not simply create password after password immediately in order to bypass the Enforce Password History setting and reuse an old password sooner. For information about the minimum password age security policy setting, see Minimum Password Age.

Configuring Windows Vista Password Policy

Open Windows Local Security Policy Console

Open the Microsoft Windows Local Security Policy console and navigate to the Password Policies following these steps:

  1. Click on Start
  2. Click on Control Panel
  3. Click on Administrative Tools
  4. Click on Local Security Policy
  5. Click on the plus-sign in the left pane to open Account Policies
  6. Click on Password Policy

Enforce Password History

Double-click on the Enforce password history policy to open the policy configuration screen.

This setting ensures that a given password can not just be re-used. Set this policy to force a wider variety of passwords and make sure that the same password is not re-used over and over.

You can assign any number between 0 and 24. Setting the policy at 0 means that password history is not enforced. Any other number assigns the number of passwords that will be saved.

Maximum Password Age

Double-click on the Maximum Password Age policy to open the policy configuration screen.

This setting basically sets an expiration date for user passwords. The policy can be set for anything between 0 and 42 days. Setting the policy at 0 is equivalent to setting the passwords to never expire.

It is recommended that this policy be set for 30 or less to ensure user passwords are changed on at least a monthly basis.

Minimum Password Age

Double-click on the Minimum Password Age policy to open the policy configuration screen.

This policy establishes a minimum number of days that must pass before the password is allowed to be changed again. This policy, in combination with the Enforce password history policy, can be used to make sure that users don’t just keep resetting their password until they can use the same one again. If the Enforce password history policy is enabled, this policy should be set for at least 3 days.

The Minimum Password Age can never be higher than the Maximum Password Age. If the Maximum Password Age is disabled, or set to 0, the Minimum Password Age can be set for any number between 0 and 998 days.

Minimum Password Length

Double-click on the Minimum Password Length policy to open the policy configuration screen.

While it is not 100% true, generally speaking the longer a password is, the harder it is for a password cracking tool to figure it out. Longer passwords have exponentially more possible combinations, so they are harder to break and, therefore, more secure.

With this policy setting, you can assign a minimum number of characters for account passwords. The number can be anything from 0 to 14. It is generally recommended that passwords be a minimum of 7 or 8 characters to make them sufficiently secure.

Password Must Meet Complexity Requirements

Double-click on the Password Must Meet Complexity Requirements policy to open the policy configuration screen.

Having a password of 8 characters is generally more secure than a password of 6 characters. However, if the 8-character password is “password” and the 6-character password is “p@swRd”, the 6-character password will be much more difficult to guess or break.

Enabling this policy enforces some baseline complexity requirements to force users to incorporate different elements into their passwords which will make them harder to guess or crack. The complexity requirements are:

  • Password must not contain significant portions of the user’s account name or full name
  • Password must be at least six characters in length
  • Password must contain characters from at least three of the following categories:
    • Uppercase characters (A through Z)
    • Lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Special characters (for example, &, $, #, %)

You can use other password policies in combination with Password Must Meet Complexity Requirements to make passwords even more secure.
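The PowerShell function below is an added example, not code from the article, that applies the complexity rules listed above (and in the earlier "Password Policy: Password Must Meet Complexity Requirements" section) to candidate passwords. It checks the account name and full-name rule, the six-character minimum raised by any higher Minimum Password Length, and the three-of-four character categories. The set of separators used to split the full name into parts is an assumption made for this example, as are the function name and the constructed sample user and passwords.

```powershell
# Added example: check candidate passwords against the complexity rules listed above.
# Not the operating system's own check; the full-name separator set is an assumption.
# Uses [pscustomobject], so it needs PowerShell 3.0 or later.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [string]$AccountName = '',
        [string]$FullName = '',
        [int]$MinimumPasswordLength = 0
    )

    $failures = New-Object System.Collections.Generic.List[string]
    $lowered  = $Password.ToLowerInvariant()

    # Rule 1: the password must not contain the account name (compared case-insensitively)
    if ($AccountName.Length -gt 0 -and $lowered.Contains($AccountName.ToLowerInvariant())) {
        $failures.Add('contains the account name')
    }

    # Rule 1, continued: no part of the full name longer than two characters may appear.
    # Assumption: parts are separated by spaces, tabs, commas, periods, hyphens, underscores or '#'.
    $nameParts = $FullName -split '[\s,.\-_#]+' | Where-Object { $_.Length -gt 2 }
    foreach ($part in $nameParts) {
        if ($lowered.Contains($part.ToLowerInvariant())) {
            $failures.Add("contains part of the full name ('$part')")
        }
    }

    # Rule 2: at least six characters, or Minimum Password Length if that setting is higher
    $requiredLength = [Math]::Max(6, $MinimumPasswordLength)
    if ($Password.Length -lt $requiredLength) {
        $failures.Add("shorter than $requiredLength characters")
    }

    # Rule 3: characters from at least three of the four categories.
    # -cmatch is required here: PowerShell's default -match operator ignores case.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # uppercase letters
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lowercase letters
    if ($Password -cmatch '[0-9]')        { $categories++ }   # base-10 digits
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }   # special characters
    if ($categories -lt 3) {
        $failures.Add("uses only $categories of the four character categories")
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($failures.Count -eq 0)
        Reasons  = ($failures -join '; ')
    }
}

# Constructed sample inputs for a hypothetical user jsmith / "John Smith" with a
# Minimum Password Length of 7, including the two passwords compared in the text above
$samples = 'password', 'p@swRd', 'JohnSmith1!', 'Sm1th!', 'Correct-Horse9'
$samples | ForEach-Object {
    Test-PasswordComplexity -Password $_ -AccountName 'jsmith' -FullName 'John Smith' -MinimumPasswordLength 7
} | Format-Table -AutoSize
```

With the sample inputs, "password" fails on categories, "p@swRd" fails only on length (it satisfies three categories, which is the point the text makes), "JohnSmith1!" fails because it contains parts of the full name, and "Correct-Horse9" passes. Windows enforces these rules at the moment a password is set or changed; a checker like this is useful for testing a proposed policy or for validating passwords before they reach the operating system.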

Store Passwords Using Reversible Encryption

Double-click on the Store Passwords Using Reversible Encryption policy to open the policy configuration screen.

Enabling this policy actually makes the overall password security less secure. Using reversible encryption is essentially the same as storing the passwords in plain-text, or not using any encryption at all.

Some systems or applications may require the ability to double-check or verify the user’s password to function, in which case this policy may need to be enabled for those applications to work. This policy should not be enabled unless it is absolutely necessary.

Verify New Password Settings

Click File | Exit to close the Local Security Settings console.

You can re-open the Local Security Policy to review the settings and make sure that the settings you chose were properly retained.

You should then test out the settings. Either using your own account, or by creating a test account, try to assign passwords that violate the requirements you just set. You may need to test it a few times to try out the various policy settings for minimum length, password history, password complexity, etc.
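As an added example (not part of the article), the PowerShell script below verifies the password policy settings from the command line rather than by re-opening the console: it exports the local security policy with secedit, parses the [System Access] section of the resulting INF file, and compares the six password settings with the recommendations given in this guide (history enforced, a maximum age of 30 days or less, a minimum age of at least 3 days when history is enforced, a minimum length of at least 7, complexity on, reversible encryption off). It also applies the consistency rule from the Minimum and Maximum Password Age sections. The function names and the sample INF text are constructed for this example; the INF key names are the ones secedit writes. The live export needs an elevated prompt.

```powershell
# Added example: export the local policy with secedit and check the password settings
# against the recommendations in this guide. Function names are choices for this example.
# Uses [pscustomobject], so it needs PowerShell 3.0 or later.
function ConvertFrom-SeceditInf {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    $settings = @{}
    $inSystemAccess = $false
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {            # section header, e.g. [System Access]
            $inSystemAccess = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSystemAccess -and $trimmed -match '^(\w+)\s*=\s*(-?\d+)') {
            $settings[$Matches[1]] = [int]$Matches[2]   # e.g. MinimumPasswordLength = 7
        }
    }
    return $settings
}

function Test-PasswordPolicy {
    param([Parameter(Mandatory=$true)][hashtable]$Settings)

    # Casting a missing ($null) entry to [int] yields 0, so absent keys are treated as 0
    $history = [int]$Settings['PasswordHistorySize']
    $maxAge  = [int]$Settings['MaximumPasswordAge']    # secedit writes -1 for "never expires"
    $minAge  = [int]$Settings['MinimumPasswordAge']
    $minLen  = [int]$Settings['MinimumPasswordLength']
    $complex = [int]$Settings['PasswordComplexity']
    $clear   = [int]$Settings['ClearTextPassword']
    $neverExpires = ($maxAge -le 0)

    $findings = @()
    # Consistency rule: minimum age must be lower than maximum age unless passwords never expire
    if (-not $neverExpires -and $minAge -ge $maxAge) { $findings += "MinimumPasswordAge ($minAge) is not lower than MaximumPasswordAge ($maxAge)" }
    if ($neverExpires)                               { $findings += 'Passwords never expire' }
    if (-not $neverExpires -and $maxAge -gt 30)      { $findings += "MaximumPasswordAge is $maxAge; this guide suggests 30 or less" }
    if ($history -eq 0)                              { $findings += 'Password history is not enforced' }
    if ($history -gt 0 -and $minAge -lt 3)           { $findings += 'History is enforced but MinimumPasswordAge is below the suggested 3 days' }
    if ($minLen -lt 7)                               { $findings += "MinimumPasswordLength is $minLen; this guide suggests 7 or 8" }
    if ($complex -ne 1)                              { $findings += 'Complexity requirements are disabled' }
    if ($clear -eq 1)                                { $findings += 'Passwords are stored using reversible encryption' }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample export, shaped like secedit's [System Access] section, showing the
# stand-alone defaults described in this guide; exercises the parser without touching the system
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
'@
$sampleLines = $sampleInf -split "`r?`n"
Test-PasswordPolicy -Settings (ConvertFrom-SeceditInf -Lines $sampleLines) | Format-List

# Live check of this machine (requires an elevated prompt)
$exportPath = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $exportPath /areas SECURITYPOLICY | Out-Null
if (Test-Path $exportPath) {
    $live = ConvertFrom-SeceditInf -Lines (Get-Content $exportPath)
    Test-PasswordPolicy -Settings $live | Format-List
    Remove-Item $exportPath
}
```

The sample section reports five findings (no history, maximum age above 30, length below 7, complexity off, and a minimum age of 0 is not flagged because history is off), which is what you would expect from the stand-alone defaults before following the steps above. After you apply the settings, the live check should come back Compliant.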