16. Securing Windows Clients (3.11/95/98)

16.1 A quickie guide to securing PCs

16.2 General

16.2.1 Use of portable computers

The use of laptops is to be minimised, as they represent a serious security risk - even if the trend is more and more towards mobile computing. They allow uncontrolled exchange of large amounts of data.

16.3 Documentation

See the Windows 95 Resource kit and the WfW 3.11 Resource kit.

16.4 Assurance

These operating systems cannot be certified to ITSEC or TCSEC standards. See the Operating System overview section.

16.4.1 Virus protection

Viruses are programs that self-replicate: they attempt to spread from computer to computer and may cause damage (by erasing or corrupting data) or may annoy users (changing screen contents, printing messages). Viruses are mostly a PC (and more recently Macintosh) phenomenon. To combat viruses, the following measures are to be taken:

In addition:

Hoax virus protection:

The many "hoax" viruses (false warnings, jokes) may waste much of support personnel's time. It's difficult to protect against them, but the following may help:

16.5 Accountability

16.5.1 Identification / authorisation

Recommended for sensitive hosts: Windows 95 can be configured so that a user must log into an NT domain (i.e. the user cannot log in locally) with the Profile Editor (see Access Control section).

16.5.2 Audit Trail

A secure audit trail is almost impossible on a non-DAC system.

16.6 Access Control


Windows for Workgroups


16.6.1 Discretionary Access Control

Discretionary access control is not possible, mainly due to the FAT filesystem.

16.6.2 Secure System Startup

Lock the PC housing where possible.
Use boot passwords. If possible use separate user and administrator passwords.
For secure(ish) Win95 startup, disable the function keys F5, F6 and F8 by setting BootKeys=0 in msdos.sys. This will make debugging of startup problems more difficult, however.
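A way to check the BootKeys setting across copies of msdos.sys collected from clients, as an added example that is not part of the original handbook. The function names and the sample file are constructed for illustration; the code assumes the setting lives in the [Options] section and that a missing entry leaves the startup keys enabled.

```python
# Added example: audit Win95 MSDOS.SYS text for BootKeys=0.
# SAMPLE_MSDOS_SYS is constructed for illustration, not taken from a real machine.
SAMPLE_MSDOS_SYS = """\
[Paths]
WinDir=C:\\WINDOWS
WinBootDir=C:\\WINDOWS
HostWinBootDrv=C

[Options]
BootGUI=1
; BootKeys=0   (commented out, so it has no effect)
;The following lines are required for compatibility with other programs.
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""


def parse_msdos_sys(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment/padding
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def startup_keys_disabled(text):
    """True only if the [Options] section contains BootKeys=0."""
    options = parse_msdos_sys(text).get("options", {})
    # Assumption: a missing BootKeys entry leaves the startup keys enabled.
    return options.get("bootkeys", "1") == "0"


def audit(configs):
    """Take {host: msdos.sys text}; return the sorted hosts that still allow startup keys."""
    return sorted(h for h, text in configs.items() if not startup_keys_disabled(text))


if __name__ == "__main__":
    hardened = SAMPLE_MSDOS_SYS.replace("BootGUI=1", "BootGUI=1\nBootKeys=0")
    print(audit({"pc1": SAMPLE_MSDOS_SYS, "pc2": hardened}))
```

The sample shows two cases that a plain text search for "BootKeys=0" would get wrong: a commented-out entry, and an entry placed outside [Options].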

16.6.3 Object reuse

A special utility should be installed on all PCs to erase files completely (e.g. F-Secure Desktop, see below).

16.7 Secure data exchange / communications

16.7.1 Peer Entity authentication

Workgroups: WfW 3.11 supports share-level security, but not user-level security.

AVOID using Workgroups, use Domains (Lan-Manager, NT) or NFS instead.
Disable Workgroups

16.7.2 Data confidentiality

Do not use as a RAS server.
PC clients should not be used as ftp or http servers.
Disable floppy boot in BIOS setup.

16.7.3 Non repudiation of origin / receipt

Not supported.

16.8 Network & Communications

Install a minimum of network protocols. If possible do not install NetBEUI on subnetted networks - use TCP/IP & WINS servers instead.

16.8.1 Routing: TCP/IP

PCs should not be used for routing. A default gateway should be defined (Control Panel -> Networks -> TCP/IP); all TCP/IP packets for machines outside the current subnet will then be forwarded to this gateway. Normally the default gateway is the router.

16.9 Availability

16.9.1 Backup and restore (Win95)

16.9.2 Prevention of Resource Abuse

Quotas etc. are not supported, but are not really necessary on client machines.

16.9.3 Patches & Release management

| Date | Problem | Fix archive |
|---|---|---|
| 13.12.95 | The password cache has weak encryption (exposes all server systems used by a Win95 client). | mspwlupd.exe |
| 20.10.95 | Problem with NetWare file sharing (read access to local files). | nwsrvupd.exe |
| 20.10.95 | Problem with Microsoft networks file sharing (can read entire disk). | vservupd.exe |
| 6.12.95 | OLE can hide parts of deleted files in Office 95 files (i.e. Winword, Excel, PowerPoint). These parts are visible via a plain-text editor, for example, notepad. | ole32upd.exe |

The above patches are available as a "Service Pack 1" for Win 95.
May '96 update: A new batch of updates needs to be installed over Service Pack 1 to fix new bugs. See:

| File name | Size |
|---|---|
| krnlupd.exe | 296,960 |
| mspwlupd2.exe | 284,160 |
| krnltoys.exe | 54,586 |
| oleupd.exe | 404,992 |
| cover_pg.exe | 147,456 |
| inetmail.exe | 241,152 |
| dlc32upd.exe | 180,224 |

16.9.4 Replication

The Win95 Briefcase utility is useful for synchronising laptops and servers. However, be aware that if the filesystem on the server is a compressed NTFS directory, the briefcase will only be "partially" synchronised. I prefer using NT's "robocopy" for synchronisation.

16.9.5 Redundancy

HW RAID is a possibility, but it is better to simply store data on a server.

16.10 PC Client Security Tools

WfW 3.11 has a utility called admincfg.exe which may be used to configure several network security options.

PGP is a great all-round security tool, with File, Disk and Email encryption. (See chapter 7) and for International users..
For email, see also S/MIME.

16.10.1 Diverse

16.10.2 File/Directory encryption, secure deleting Tools

16.10.3 Anti-Virus protection

No PC should be without virus protection.
Virus tools tend to have three functions:
1. Generic monitoring (prevention)
2. Scanning (looking for viral signatures)
3. Integrity checkers (looking for changed files)
There are literally hundreds of anti-virus programs available. Typically an enterprise buys a site wide license for all machines with regular (e.g. monthly) automatic updates.
If you're shopping for a new anti-virus:

