|The following excerpt series from Chapter 2 of the free eBook "The Definitive Guide to Securing Windows in the Enterprise" (Realtimepublishers) is written by Don Jones. To obtain all eBook chapters from this guide, go to cc.realtimepublishers.com.|
Local system permissions
Local system permissions are the final area covered in this chapter. Consider Cmd.exe, a file that is usually located in C:WindowsSystem32. Figure 2.16 shows the file permissions on Cmd.exe on a Windows XP Professional computer that has been upgraded to SP2.
Figure 2.16: Default permissions on Cmd.exe.
Notice that the SYSTEM account has Full Control. Why would the system itself need to open a new command-line window? I typically remove the SYSTEM account from this and many other files in the file system.
Also notice that the Internet Guest Account has permissions to run Cmd.exe. Anonymous users have the ability to open a command-line window and execute commands. Spend some time investigating the default permissions on the many files and folders lurking around in Windows and to apply more sensible defaults. Some other files you might want to investigate include:
|Don't try to delete these files; most are under Windows File Protection and will be replaced eventually (by a service pack, if nothing else). Instead, modify the permissions on these files so that only appropriate users -- real users, not SYSTEM -- can execute them.|
Client computers represent a significant security risk in many organizations simply because they're rarely as controlled or as well-configured as servers. This chapter has introduced you to some of the major client vulnerabilities and given you some tips on how to lock them down appropriately. One way to get a better handle on client security is to think about the entire life cycle data takes in your organization -- from the server, across the network, to the client, to portable devices, and so forth. Thinking about that life cycle will help you better implement appropriate levels of security at each point in the cycle.
The next chapter will focus on a topic that affects both clients and servers -- the software built-in to Windows that presents major vulnerabilities. Often called "middleware," applications such as Internet Explorer (IE), Windows Media Player, and other applications have a reputation for security problems. I'll show you some ways in which those problems can be addressed and mitigated.
To download the complete chapter, Securing Clients, click for the .pdf.
This was first published in October 2005