Top 10 Windows Security Configurations: Where and How! (Part 3)

The final installment of Derek Melber’s top 10 security configurations.


Introduction

For my last installment in this series of articles, I am going to cover three additional settings that many of you might not know about. If you do know about them, there is a chance you are not aware of the security benefits that come with implementing them in your Windows environment. I will first cover how Protected Mode in Internet Explorer 7/8 helps protect your computer and, in essence, the entire network. Then we will go over Access Based Enumeration (ABE), a technology that has helped more than one company meet compliance regulations. Finally, those pesky anonymous connections must be locked down, especially on your older systems, but it is always good to check that they are not allowed on your newer systems either. To read the first two installments of this series, all you need to do is click here for Part 1 and here for Part 2!

8. Configure IE security for Protected Mode

Windows Internet Explorer versions 7 and 8 come with a great security feature named Protected Mode. Protected Mode is more than just a setting that “hopes” to protect you whilst browsing the Internet: it works well, and I am living proof of it!

In order to use Protected Mode in IE 7/8, you need to be running Windows Vista or Windows 7. Windows XP cannot use Protected Mode, because UAC (User Account Control) does not exist on that operating system. If you open Internet Options from within IE and select the Security tab, you can toggle Protected Mode on or off for each zone, as seen in Figure 1.


Figure 1: Protected Mode is a check box in the Security tab for your Internet Explorer Settings

As I just stated, this is only valid on Windows Vista and 7, as they are the only versions of Windows that support UAC. It follows that UAC itself must also be enabled and configured, because Protected Mode depends on it. All of the benefits that UAC provides for local applications and OS features then also apply to protect you while on the Internet.

Protected Mode also protects you through the use of integrity levels. Integrity levels are new in Vista (and beyond), and they control at which level of the OS an application runs. There are four levels: low, medium, high and system. IE 7/8 in Protected Mode runs at low, which means it can only communicate with other applications running at low. Nearly all other applications run at medium! So anything nasty from the Internet cannot jump into another application, because low-integrity applications cannot communicate with medium-integrity ones.
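The two prerequisites above (UAC on, Protected Mode on per zone) can be checked from a script rather than by clicking through the dialog. The following PowerShell is an added example, not code from the article: it reads the registry values that the Internet Options dialog writes (value `2500` under each zone key, where 0 means Protected Mode on and 3 means off), checks the policy location first because a Group Policy setting overrides the user's choice, and finally prints the integrity label of the current session so you can see the "Mandatory Label" that Protected Mode sets to Low for IE. The zone numbers are the standard IE zone IDs; run it on Vista/7 with IE 7/8.

```powershell
# Added example (not from the article): audit UAC and per-zone Protected Mode
# on a Vista/7 machine running IE 7/8.

# Protected Mode has no effect unless UAC is enabled (EnableLUA = 1).
$uac   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
             -Name EnableLUA -ErrorAction SilentlyContinue
$uacOn = ($null -ne $uac -and $uac.EnableLUA -eq 1)
"UAC enabled : $uacOn"

# Standard IE zone IDs under Internet Settings\Zones
$zones = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

foreach ($id in ($zones.Keys | Sort-Object)) {
    # A policy-set value (HKLM\...\Policies) wins over the user's own choice (HKCU).
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
    $userKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
    $value = $null
    foreach ($key in @($policyKey, $userKey)) {
        if (Test-Path $key) {
            $p = Get-ItemProperty $key -Name '2500' -ErrorAction SilentlyContinue
            if ($null -ne $p) { $value = $p.'2500'; break }
        }
    }
    # Value 2500: 0 = Protected Mode on, 3 = Protected Mode off.
    $state = if ($null -eq $value) { 'not set (IE default applies)' }
             elseif ($value -eq 0)  { 'ON' }
             elseif ($value -eq 3)  { 'OFF' }
             else                   { "unknown ($value)" }
    "{0,-16} Protected Mode: {1}" -f $zones[$id], $state
}

# Integrity level of this PowerShell session (normally Medium). An IE tab running
# in Protected Mode reports "Low Mandatory Level" in the same field.
whoami /groups /fo list | Select-String 'Mandatory Level'
```

Read the zone lines together with the UAC line: a zone reported ON on a machine where UAC is disabled is not actually protected, which is the point the article makes about UAC being a prerequisite.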

9. Use ABE for Shared Folders

Access Based Enumeration (ABE) is a technology that Microsoft released with Windows Server 2003 R2. To understand what ABE does for you, let me give you a scenario.

Imagine that you have a folder on a server, say a folder named Patients. Under the Patients folder you have additional folders, one per patient name. This is the main store of documents used to manage patient information for your doctor’s office. The Patients folder has been shared, so when anyone types \\server1\patients into the Run dialog, they see the full list of patient folders. The issue here is that this breaks HIPAA compliance!

ABE lets the administrator secure each of these folders using nothing more than the standard NTFS access control list: with ABE enabled on the share, only those users who have access to a folder’s contents will see that folder at all. In our example, the patient folder names are now invisible to everyone except those who have permissions to them!

The easiest way to set up ABE is to use Group Policy. If you have Group Policy Preferences configured for your enterprise, simply open a GPO and expand the following path: Computer Configuration\Policies\Windows Settings\Network Shares. Right-click Network Shares and create a new Network Share. (If you do not have Group Policy Preferences yet, they are free, and you can read here how to get them into your environment.) A dialog box like the one shown in Figure 2 will appear.


Figure 2: ABE is configurable via a Group Policy Object

All you need to do here is configure the policy to share your folder, then, at the bottom of the policy’s dialog box, enable ABE! That is all there is to it.
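On Windows Server 2012 and later the same setting is also exposed through the SmbShare cmdlets, which makes the Patients scenario easy to script and, more importantly, easy to audit. The following PowerShell is an added example and not the article's own procedure: it builds the Patients share with a per-patient NTFS ACL, shares it with access-based enumeration on, and then lists every share whose enumeration mode is still Unrestricted. The path `D:\Patients`, the share name, and the `CONTOSO\...` group names are constructed for the example.

```powershell
# Added example (not from the article): set up the Patients share with ABE and
# audit all shares for it. Requires the SmbShare module (Server 2012 / Windows 8+).
# Path, share name and CONTOSO groups are constructed placeholders.

$root = 'D:\Patients'
if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }

# ABE only hides what NTFS already denies, so each patient folder gets its own ACL:
# inheritance cut, then access for that patient's care team (plus admins/SYSTEM) only.
$patients = @{ 'Doe_Jane' = 'CONTOSO\CareTeamA'; 'Roe_Richard' = 'CONTOSO\CareTeamB' }
foreach ($name in $patients.Keys) {
    $dir = Join-Path $root $name
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $acl = Get-Acl $dir
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting and drop inherited ACEs
    foreach ($identity in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $patients[$name], 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $dir -AclObject $acl
}

# Share the parent folder with ABE on. Share permissions stay broad; NTFS does the real work.
if (-not (Get-SmbShare -Name Patients -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name Patients -Path $root -FullAccess 'CONTOSO\Domain Users' `
                 -FolderEnumerationMode AccessBased | Out-Null
} else {
    Set-SmbShare -Name Patients -FolderEnumerationMode AccessBased -Force
}

# Audit: every non-administrative share and its enumeration mode. Anything still
# reported as Unrestricted exposes its full folder list to every user who can connect.
Get-SmbShare | Where-Object { -not $_.Special } |
    Select-Object Name, Path, FolderEnumerationMode |
    Format-Table -AutoSize
```

The audit at the end is the part worth scheduling: ABE is a per-share flag, so a share recreated by hand or by a migration tool silently comes back as Unrestricted, and nothing in the NTFS permissions will tell you.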

10. Ensure anonymous connections are denied 

Anonymous connections are something you need to pay attention to, especially on older operating systems. For your newer systems, Windows XP/2003 and later, you just need to ensure that the correct Group Policy settings are configured. This is a quick check and an even easier configuration.

To check that your computers (yes, this should be checked on each computer individually) are set up to protect against anonymous connections, run secpol.msc from either Start > Run or a command prompt. Once the window that secpol.msc launches is open, which can be seen in Figure 3, expand the following nodes: Local Policies\Security Options.


Figure 3: Secpol.msc opens up the local security settings on your computer

Notice that in the figure I have the key anonymous settings highlighted, with the correct, best-practice value configured for each. These settings protect your computer from anonymous connections: anonymous users will not be able to obtain SIDs for user accounts, will not be able to enumerate the list of users in the account database (either the local SAM or Active Directory), and will not be able to get a listing of the shares (normal, hidden, and hidden administrative shares) on the computer.
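Because this has to be checked per computer, the practical way to do it is a script that reads the registry values behind those Security Options entries and flags anything that differs from the restrictive setting. The following PowerShell is an added example, not part of the article: the policy display names and their registry locations are Microsoft's documented mappings, and the expected values are the hardened ones described above. "Allow anonymous SID/Name translation" is stored in LSA policy rather than as a plain registry value, so that one is read from a `secedit /export`. Run it elevated on each machine (or via remoting).

```powershell
# Added example (not from the article): audit the anonymous-access settings
# under Local Policies\Security Options against their hardened values.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Security Options display name -> registry value it maps to -> hardened value
$checks = @(
  @{ Setting='Network access: Do not allow anonymous enumeration of SAM accounts';            Key=$lsa; Name='RestrictAnonymousSAM';      Expected=1 }
  @{ Setting='Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Key=$lsa; Name='RestrictAnonymous';         Expected=1 }
  @{ Setting='Network access: Let Everyone permissions apply to anonymous users';            Key=$lsa; Name='EveryoneIncludesAnonymous';  Expected=0 }
  @{ Setting='Network access: Restrict anonymous access to Named Pipes and Shares';          Key=$srv; Name='RestrictNullSessAccess';     Expected=1 }
  @{ Setting='Network access: Shares that can be accessed anonymously';                      Key=$srv; Name='NullSessionShares';          Expected=@() }
)

function Get-RegValue($key, $name) {
    $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$name
}

$results = @(foreach ($c in $checks) {
    $actual = Get-RegValue $c.Key $c.Name
    # A list-type setting is hardened when it is absent or contains no entries.
    $ok = if ($c.Expected -is [array]) {
              ($null -eq $actual) -or (@($actual | Where-Object { $_ -ne '' }).Count -eq 0)
          } else { $actual -eq $c.Expected }
    [pscustomobject]@{ Setting = $c.Setting; Actual = ($actual -join ','); Expected = ($c.Expected -join ','); OK = $ok }
})

# "Allow anonymous SID/Name translation" lives in LSA policy; secedit exports it as
# LSAAnonymousNameLookup (0 = disabled, which is the hardened value).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$line   = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)' | Select-Object -First 1
$lookup = if ($line) { [int]$line.Matches[0].Groups[1].Value } else { $null }
$results += [pscustomobject]@{ Setting='Network access: Allow anonymous SID/Name translation'; Actual=$lookup; Expected=0; OK=($lookup -eq 0) }
Remove-Item $cfg -ErrorAction SilentlyContinue

$results | Format-Table -AutoSize -Wrap
$results | Where-Object { -not $_.OK } | ForEach-Object { Write-Warning "Not hardened: $($_.Setting)" }
```

A value that is simply missing is reported as not hardened rather than skipped, because on older systems a missing value means the permissive default is in force. As the article's summary notes, tighten these in a test group first: the named-pipe and share restrictions can break legacy services that still rely on null sessions.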

Summary

This installment of our security settings for your Windows environment brings us full circle on the security settings you need to include for all of your Windows computers. In this article, we have gone over how to secure Internet Explorer, how to help secure your shared folders, and finally anonymous access. With IE, you need to be running the latest version, either 7 or 8. You also need to be running Windows Vista or 7 in order for Protected Mode (with UAC) to work effectively. With ABE, you can restrict what a user sees in a browse list based entirely on the NTFS permissions already configured on the resource. This will help make you compliant with HIPAA, SOX, FDCC, and any other regulation that requires that resources not be visible to users who do not have access to them. Finally, we looked at anonymous connections. Anonymous connections have been given some excellent control settings, but you need to ensure they are set properly. Of course, before you set those settings to the highest level of security, you need to test to ensure that “things” don’t break on your network with them at the highest levels. If you apply all of the settings in all three articles in this series, you will be moving in a great direction toward making your Windows network more secure.


About Derek Melber

Derek Melber, MCSE, MVP, is an independent consultant, speaker, author, and trainer. Derek’s latest book, The Group Policy Resource Kit by Microsoft Press, is his latest best-selling book covering all of the new Group Policy features and settings in Windows Server 2008 and Vista. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, Security, and desktop management. Derek speaks and trains for MISTI, TechMentor, Windows Connections, and TechEd. You can bring Derek to your office for training or consulting, just email him at derekm@braincore.net.
