Operating System Securing Mobile Computers with Windows XP Professional By Nick George Microsoft Corporation Published: October 2001 Abstract This article examines specific threats that can affect mobile computers—also known as laptop or notebook computers. It also covers how the security tools and privacy services included in the Microsoft® Windows® XP Professional operating system provide solutions to combat these threats. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2001 Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners. Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA Securing Mobile Computers with Windows XP Professional 1 Contents Acknowledgements .................................................................................................................................................... 3 Introduction................................................................................................................................................................ 4 Understanding Security Threats to Mobile Computers ......................................................................................... 5 Data Loss and Theft ................................................................................................................................................. 5 Network Penetration ................................................................................................................................................ 5 Eavesdropping on Wired and Wireless Sessions ...................................................................................................... 5 Password Cracking................................................................................................................................................... 6 Exposure of Confidential Data ................................................................................................................................. 7 Security Technologies in Windows XP ..................................................................................................................... 8 Group Policy Objects and Smart Card Authentication............................................................................................. 9 Managing Network Authentication—Guest Account............................................................................................... 9 Syskey Encrypts the SAM Database Using Strong Encryption ............................................................................... 9 Mobile Network Access Technologies ................................................................................................................... 10 Virtual Private Networking ................................................................................................................................ 10 802.1X—Encryption Key Management ............................................................................................................. 10 IrDA ................................................................................................................................................................... 10 PPPoE Client ...................................................................................................................................................... 10 Callback.............................................................................................................................................................. 10 Encrypting File System .......................................................................................................................................... 10 EFS Architecture ................................................................................................................................................ 10 EFS and NTFS ................................................................................................................................................... 11 Maintaining File Confidentiality ........................................................................................................................ 11 How EFS Works ................................................................................................................................................. 11 Configuring EFS for Your Environment ............................................................................................................ 12 What Can Be Encrypted ..................................................................................................................................... 12 Encrypting Offline Files ..................................................................................................................................... 12 Encrypting the Offline Files Database ............................................................................................................... 12 Certificate Services ................................................................................................................................................ 13 Certificate and Public Key Storage .................................................................................................................... 13 Private Key Storage ............................................................................................................................................ 13 User Certificate Autoenrollment ........................................................................................................................ 14 Credential Management ......................................................................................................................................... 15 Credential Prompting ......................................................................................................................................... 15 Stored User Names and Passwords .................................................................................................................... 15 Remote Access uses Credential Manager Keyring ............................................................................................. 16 Keyring ............................................................................................................................................................... 16 Summary .................................................................................................................................................................. 18 Related Links ........................................................................................................................................................... 19 Securing Mobile Computers with Windows XP Professional 2 Acknowledgements David Cross, Windows Security Program Manager, Microsoft Corporation Jason Garms, Windows Security Program Manager, Microsoft Corporation Praerit Garg, Windows Security Lead Program Manager, Microsoft Corporation Jason Anderson, Consumer Platform Technical Evangelist, Microsoft Corporation Michael Kessler, Technical Editor, Microsoft Corporation Securing Mobile Computers with Windows XP Professional 3 Introduction This article examines specific security threats applicable to mobile computers—also known as laptop or notebook computers, along with the security tools and privacy services included in the Microsoft® Windows® XP Professional operating system that provide solutions to combat these threats. Only a few of the security benefits identified in this article are available to non-domain-connected computers; where applicable these benefits will be identified. Organizations are reevaluating their internal controls and are making the protection of mobile computing a top priority, as discussed in the ZDNet article, Wolves at the Door. Microsoft Windows XP addresses this security imperative with a range of features designed to provide strong security while preserving the flexibility and power that information security managers have come to expect from an enterprise operating system. If you’re an information security manager, you can also customize Windows Server 2003, including the deployment of Group Policies, to provide a secure working environment. For a great overview article describing the new security features and policies available in Windows XP, read the article What’s New in Security for Windows XP Professional and Windows XP Home Edition—many of the security topics included in that article are presented here in the context of mobile computing security. How This Article is Organized This article is comprised of two parts: Understanding Security Threats to Your Mobile Computer This section examines the most worrisome mobile computing security threats and summarizes the related Windows XP Professional solutions. Security Technologies in Windows XP This section details the security technologies included in Windows XP Professional. Securing Mobile Computers with Windows XP Professional 4 Understanding Security Threats to Mobile Computers This section catalogs the security threats to mobile computers and identifies ways that Windows XP deals with these threats. Whenever a mobile computer is outside the enterprise’s physical security boundary, theft of the computing device and the data it contains is a primary concern. If theft does occur, the initial data loss problem escalates to potentially having an unauthorized person penetrate the network via remote dial-up or wireless networking. Warning The mobile computer is subject to all typical computer security threats. Data Loss and Theft Data loss may not seem like a security threat, but it is, as illustrated by the Third Immutable Law of Security from the Microsoft TechNet article which states: ”If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.” By design, mobile computers and many new types of portable devices have a higher risk of being stolen than a non-portable device. Often these machines hold important company data and represent a security risk if stolen; this point is illustrated in a Computerworld article outlining the security lessons learned when the chairman of a large telecommunications firm had his laptop computer stolen. Protecting Against Data Loss The Encrypting File System (EFS) in Windows XP Professional enables you to protect yourself against the loss of stolen data. This security feature obscures data on the hard drive and renders it useless to anyone without proper credentials. Windows XP also incorporates Intellimirror® technology and supports redirection of the My Documents folder, whereby a user’s data is stored centrally. EFS, coupled with the capability to locally cache your network-based files and folders, provides the highest level of security, full-time access to data, and the convenience of centralized network file backup. Note EFS, offline folders and file caching are features of Windows XP Professional, and are not included in Windows XP Home Edition. Network Penetration Network penetration is a serious security threat that can occur as a result of information gleaned from a stolen or non-secure mobile device. Many network penetrations are committed by individuals using stolen mobile computers. The following Windows XP features limit the risk of network penetration: Access control management curtails the anonymous access associated with the Internet. Simple Sharing limits access to only those network resources provided to guest accounts. Force Guest restricts access to unauthenticated user accounts within a domain. Automatic smart card enrollment and self-registration authority provide enhanced security for enterprise users by adding another layer of authentication. Credential Manager enables stored or cached user credentials to be encrypted so that only authenticated users have access to stored credentials. Internet Connection Firewall (ICF) provides baseline intrusion prevention functionality to computers running the Windows XP operating system. It’s designed for computers directly connected to a public network as well as computers that are part of a home network when used with Internet Connection Sharing Eavesdropping on Wired and Wireless Sessions Another way the security of your business and personal data can be compromised is through network sniffing or Securing Mobile Computers with Windows XP Professional 5 “eavesdropping”. Remote computing, in both wired and wireless networking scenarios, is becoming a common part of business life—along with the security risks associated with this practice. By default, e-mail headers and content are transmitted in clear text, and if no encryption is used, the content of a message can be read or altered in transit. In another example, a header can be modified to hide or change the identity of the sender, or to redirect the message. As a result, security using wired and wireless networks is becoming more and more crucial as companies continue to use public infrastructure to transport company data. Enterprise Security Management Issues There’s a growing interest in using the IEEE 802.11 networking protocol as an enterprise-deployable technology; but enterprise security management issues still remain. These issues include: Open and visible service set identifiers (SSID) are an inherently weak security mechanism. Wired Equivalent Privacy (WEP) key attacks are theoretically possible using publicly available tools. IEEE 802.11 WEP key management is lacking a protocol for distribution of keys. Lack of authentication and encryption services in a wireless 802.11 ad hoc network mode raises security concerns when users engage in peer-to-peer collaborative communication in areas such as conference rooms. Protecting Remote Computing Sessions Windows XP limits the risk of having remote computing sessions intercepted in the following ways: Protects communication over the Internet using virtual private networks (VPN) and integrated tunneling and encryption technologies. These technologies include: Internet protocol security (IPSec); Layer 2 tunneling protocol (L2TP); public key infrastructure (PKI); and Point-to-point tunneling protocol (PPTP). Provides for zero configuration networking and roaming enhancements to make transitioning between wireless networks easy. Supports the IEEE 802.1X protocol to make it easier to manage wireless devices, control the flow of data through wireless access points, and periodically challenge and re-authenticate the wireless stations attached to those wireless network access points. Supports WEP, the first-generation IEEE 802.11 wireless access session security protocol. (Enterprise networks should be configured with IEEE 802.1X to control wireless sniffing threats against IEEE 802.11 network configurations). Provides callback access support, a mobile network access technology that instructs a remote access server to disconnect, and then call you back after you dial-in. Supports remote access and VPN—including support for credential keyring Note For more information about wireless network configuration, and security issues related to the IEEE 802.11 protocol, see read Wireless LAN Technologies and Windows XP. Password Cracking Many network penetrations are committed either by individuals using stolen mobile computers, or by unauthorized users having access to an authorized user’s machine. Typically, mobile computers that are part of a domain are more secure because domain members' credentials are centrally stored, and can only be changed at a domain controller, which, if best practices have been followed, will be the most heavily-defended machine in a network. Protecting Credentials Remote computing dial-up applications that allow the end-user to cache their network access credentials aren’t helping secure corporate networks—network security managers should implement password policies that enforce strong passwords, force password entry when resuming from system power management standby modes and screensavers, and prohibit the caching of remote access credentials. Windows XP reduces the risk of exposing confidential data, such as passwords; Syskey encrypts the password hashes stored in the Security Account Manager (SAM) Securing Mobile Computers with Windows XP Professional 6 Protecting Standalone Computers Mobile computers that are not part of a managed domain are even more at risk as a result of the lack of enforceable security policies. By default, user accounts configured on a Windows XP computer that is not joined to the domain do not have passwords associated with them for convenience sake. While this is acceptable in a home desktop environment, small business and home mobile users need to take extra steps to ensure that accounts configured on these systems have strong passwords associated with them. Exposure of Confidential Data Virtually all corporate employees have some sensitive material on their computers that needs to be protected against improper disclosure. Through education and corporate policies, users should be encouraged to store sensitive documents on network servers. Where this policy is too restrictive, Windows XP Professional provides ways to reduce the risk of exposing confidential data. Reducing the Risk of Exposure Windows XP Professional reduces the risk of exposing confidential data in the following ways: NTFS and EFS scramble the contents of documents so that they’re unreadable by unauthorized users. Controlled network access, including support for dial-up connections, limits exposure to authorized uses. Blank password restriction enforces basic security principles. Protecting Standalone Computers Users of mobile computers that are not part of a managed domain also store sensitive data on their machines. For these non-domain-connected machines NTFS and EFS, coupled with strong user passwords, is the best defense. Securing Mobile Computers with Windows XP Professional 7 Security Technologies in Windows XP This section focuses on Windows XP security technologies that support mobile computing—security technologies applicable exclusively to desktop computers are not covered. Note For a complete description of security technologies in Windows XP see What’s New in Security for Windows XP Professional and Windows XP Home Edition. If you are already familiar with the security model in Microsoft Windows NT® 4.0 and Microsoft Windows 2000, you will recognize many of the security features in Windows XP Professional. At the same time, you will also find a number of familiar features that have changed significantly, and new features that will improve your ability to manage system security. Windows XP provides several methods for managing security. Knowledge of how Windows XP security features work provides a framework for understanding how to design and maintain a secure environment where mobile computers are part of a domain. Mobile Computing Security Framework Windows XP Professional includes a number of features that businesses can use to protect selected files, applications, and other resources on both desktop and mobile computers. These features include access control lists (ACL), security groups, and Group Policy—in addition to the tools that allow businesses to configure and manage these features. Together they provide a powerful, yet flexible, access control infrastructure for business networks. Windows XP offers thousands of security-related settings that can be implemented individually. It also includes predefined security templates that can be used without modifications, or used as the basis for a more customized security configuration. Using Security Templates Businesses can apply security templates when they: Create a resource, such as a folder or file share, and either accept the default access control list settings or implement custom access control list settings. Place users in the standard security groups, such as Users, Power Users, and Administrators, and accept the default ACL settings that apply to those security groups. Use the Basic, Compatible, Secure, and Highly Secure Group Policy templates that have been provided with the operating system. Settings and Tools Each of the Windows XP security features—ACL, security groups, and Group Policy—have default settings that can be modified to suit a particular organization, and in particular the mobile computer. Businesses can also make use of relevant tools to implement and modify access control. Many of these tools, such as the Microsoft Management Console (MMC) snap-ins, are components of Windows XP Professional. Other tools are included with the Windows XP Professional Resource Kit. Key Security Features for Mobile Computing The following list outlines the Windows XP security features that support mobile computing. These security features are described in greater detail in the sections that follow. Group Policy Objects—smart card authentication Managing Network Authentication—Guest account used for internet logins Syskey encrypts the SAM database using strong encryption Mobile Network Access Technologies Virtual Private Networking 802.1X—encryption key management Securing Mobile Computers with Windows XP Professional 8 Infrared Data Association (IrDA)—allows user control of access and file transfers Point-to-point protocol over Ethernet (PPPoE) client Callback Encrypting file system EFS and NTFS Encrypting offline files and the offline files database Certificate services Credential management (including stored passwords) Note Most Windows XP security features support both desktop and mobile computers. Those key foundational technologies are not described within this article. For a complete description of security technologies in Windows XP read What’s New in Security for Windows XP Professional and Windows XP Home Edition. Group Policy Objects and Smart Card Authentication Windows XP Professional offers robust security features to help businesses protect sensitive data and provide support for managing users on the network. One of the great features available in Windows XP Professional is the use of Group Policy objects (GPO). GPOs allow system administrators to apply a single security profile to multiple computers, and optionally use smart card technology to authenticate users with information stored on a smart card. Unfortunately, mobile computers typically do not include a smart card reader though most mobile computers can support smart card authentication. For Mobile computers without native smart card readers, support for smart cards can be provided by either a PCMCIA or USB-based Smart Card reader Note In order to use smart card authentication the computer must join a domain. Therefore smart cards cannot be used on a local workgroup machine. Managing Network Authentication—Guest Account An increasing number of Windows XP Professional mobile computers are connected directly to the Internet rather than to domains. This makes proper management of access control (including strong passwords and permissions associated with different accounts) more critical than ever. To ensure security, the relatively anonymous access control settings commonly associated with open Internet environments need to be curtailed. As a result, the default in Windows XP Professional requires all users logging on over the network to use the Guest account. This change is designed to prevent hackers attempting to access a system across the Internet from logging on by using a local Administrator account that has no password. Syskey Encrypts the SAM Database Using Strong Encryption Syskey is a feature that was first introduced in Windows NT® 4.0 that makes it more difficult for an attacker to compromise user passwords on a Windows machine. In Windows NT, Windows 2000 and Windows XP the hashed values for passwords are encrypted using the Syskey, and then stored in the SAM database. This slows down a brute-force password attack. Thwarting a Brute-force Attack Syskey effectively thwarts a brute-force password attack by encrypting the SAM database using strong encryption. Even if an attacker did manage to obtain a copy of the Syskey-protected SAM, he would first need to conduct a brute-force attack to determine the Syskey, and then conduct a brute-force attack against the hashes themselves. This dramatically increases the work factor associated with the attack, to the point where it's considered to be computationally infeasible. To learn more about this read the Microsoft TechNet article, Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System. Domains Are More Secure Than Workgroups Mobile computers that are part of a domain are more secure than those in a workgroup. Domain members' credentials are centrally stored and can only be changed at a domain controller. If best practices for Encrypting File System have been followed, the domain controller will be the most heavily-defended machine in a network. Securing Mobile Computers with Windows XP Professional 9 Mobile Network Access Technologies Virtual Private Networking VPNs allow you to rely on the Internet as a secure pipeline to your corporate LAN. If you are traveling, you can dial-in to almost any local Internet service provider (ISP), then set up a VPN session to connect to your corporate LAN over the Internet. With VPNs, companies can significantly reduce long-distance dial-up charges, and mobile employees have an inexpensive method of remaining connected to LANs for extended periods. In addition to supporting today’s most common VPN protocol, Point-to-Point Tunneling Protocol (PPTP), Windows XP Professional supports new, more secure ways of creating virtual connections. These include Layer-2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec), which allow you to connect to corporate networks with confidence. More information about PPTP, L2TP, and IPSec can be found in the Windows 2000 Technical Library at www.microsoft.com/windows2000/techinfo/default.asp. 802.1X—Encryption Key Management Support for the 802.1x security standard in Windows XP lets you roam from access point to access point within your corporate LAN. You can also roam from hot spot to hot spot—for example, airport lounge to Internet café— and be identified and allowed access to those networks without additional logons. Access is controlled per-user and/or per-port; this allows for precise access control and identification which allows a wide variety of services to be provided. And thanks to the security protocols used in the 802.1X standard, you can use your networks with a higher level of confidence in their security than even wired connections can offer. IrDA Windows XP Professional supports the Infrared Data Association (IrDA) protocol suite that lets you transfer information and share resources like printers between computers without using physical cables. Many mobile computers include hardware support for IrDA. Two users traveling with laptop computers can transfer files by setting up an IrDA connection, instead of using cables or floppy disks. When users place two computers close to one another, IrDA can automatically configure the connection. Windows XP Professional lets you limit users—other than the computer’s owner—who can send files using infrared communications. You can also specify the location where documents should be received. Windows XP Professional automatically detects devices that use infrared communications, such as other computers and cameras. PPPoE Client Windows XP lets you create connections using PPPoE. Using PPPoE and a broadband modem, mobile LAN users can gain individual authenticated access to high-speed data networks. Callback Windows XP also supports callback modem configurations, The callback feature instructs the remote access server to disconnect, and then to call you back after you dial-in. Callback provides cost advantages to you and security advantages to your network. Encrypting File System The increased functionality of Encrypting File System (EFS) has significantly enhanced the power of Windows XP Professional by providing additional flexibility for corporate users when they deploy security solutions based on encrypted data files. One of the cornerstones of mobile computing’s data and access security is EFS. EFS Architecture EFS is based on public-key encryption and takes advantage of the CryptoAPI architecture in Windows XP. The default configuration of EFS requires no administrative effort—you can begin encrypting files immediately. EFS automatically generates an encryption key pair and a certificate for a user if one does not exist already. EFS can use either the expanded Data Encryption Standard (DESX) or Triple-DES (3DES) as the encryption Securing Mobile Computers with Windows XP Professional 10 algorithm. Both the RSA Base and RSA Enhanced software that cryptographic service providers (CSPs) included in the operating system may be used for EFS certificates, and for encryption of the symmetric encryption keys. Note If you encrypt a folder, all files and subfolders created in, or added to, the encrypted folder are automatically encrypted. It is recommended that you encrypt at the folder level to prevent plain-text temporary files from being created on the hard disk during file conversion. EFS and NTFS EFS protects sensitive data in files that are stored on disk using the NTFS file system. EFS is the core technology for encrypting and decrypting files stored on NTFS volumes. Only the user who encrypts a protected file can open the file and work with it. This is especially useful for mobile computer users because even if someone else gains access to a lost or stolen laptop, he or she will not able to access any of the files on the disk. Windows XP Professional enables EFS to work with offline files and folders. Mobile Security Tip Use EFS on mobile NTFS volumes. NTFS coupled with the Encrypting File System scrambles the contents of documents so that they’re unreadable by unauthorized people. Mobile computer data protected by EFS can’t be compromised. EFS enables you to encrypt individual files and folders. Encrypted files will remain confidential even if an attacker bypasses system security by installing a new operating system. EFS provides strong encryption through industry standard algorithms, and because it is tightly integrated with NTFS, it is easy to use. EFS for Windows XP Professional offers new options for sharing encrypted files and disabling data recovery agents, and it facilitates management through Group Policy and command-line utilities. Mobile Security Tip Make sure you implement strong passwords when using EFS. Since EFS protects files based on the local user’s certificate, encrypted files are only as secure as the password associated with that user’s account on the system. Maintaining File Confidentiality Security features such as logon authentication and file permissions protect network resources from unauthorized access. However, anyone with physical access to a computer can install a new operating system on that computer and bypass the existing operating system's security. In this way, sensitive data can be exposed. Encrypting sensitive files using EFS adds another layer of security. When files are encrypted, their data is protected even if an attacker has full access to the computer's data storage. Only authorized users and designated data recovery agents can decrypt encrypted files. Other system accounts that have permissions for a file—even the Take Ownership permission—cannot open the file without authorization. Even the administrator account cannot open the file if that account is not designated as a data recovery agent. If an unauthorized user tries to open an encrypted file, access will be denied. How EFS Works EFS enables you to store confidential information about a computer when people who have physical access to your computer could otherwise compromise that information, intentionally or unintentionally. EFS is especially useful for securing sensitive data on mobile computers or on computers shared by several users. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of ACLs. In a shared system, an attacker can gain access by starting up a different operating system. An attacker could also steal a computer, remove the hard drive(s), place the drive(s) in another system, and gain access to the stored files. Files encrypted using EFS, however, appear as unintelligible characters when the attacker does not have the decryption key. Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When you open a file, it is decrypted by EFS as data is read from disk. When you save the file, EFS encrypts the data as it is written to disk. As an authorized user you might not even realize that the files are encrypted because you can work with them as you normally do. In its default configuration, EFS enables you to start encrypting files from Windows Explorer with no administrative effort. From a user's point of view, encrypting a file is simply a matter of setting a file attribute. The encryption attribute can also be set for a file folder. This means that any file created in or added to the folder is automatically encrypted. Figure 1 below shows where you would create settings for EFS. Securing Mobile Computers with Windows XP Professional 11 Figure 1. EFS Local Security Settings Configuring EFS for Your Environment EFS is enabled by default. You can encrypt files if you have permission to modify the files. Because EFS relies on a public key to encrypt files, you need a public-private key pair and a public key certificate for encryption. Because EFS can use self-signed certificates, it does not require administrative effort before it can be used. If EFS is not appropriate in your environment, or if you have files that you do not want encrypted, you can disable EFS in various ways. There are also a number of ways in which you can configure EFS to meet the specific needs of your organization. In order to use EFS, all users must have EFS certificates. If you do not currently have a Public Key Infrastructure (PKI), you can use self-signed certificates that are generated by the operating system automatically. If you have certification authorities, however, you might want to configure them to provide EFS certificates. You will also need to consider a disaster recovery plan if you use EFS on your system. What Can Be Encrypted Individual files and file folders (or subfolders) on NTFS volumes can be set with the encryption attribute. Although it is common to refer to file folders with the encryption attribute set as "encrypted," the folder itself is not encrypted, and no public-private key pair is required to set the encryption attribute for a file folder. When encryption is set for a folder, EFS automatically encrypts the following: All new files created in the folder. All plaintext files copied or moved into the folder. Optionally, most existing files and subfolders; with the noted exceptions of Windows system files and user profiles Note The process of moving files from a unencrypted directory to an encrypted directory, using GUI drag and drop, will not encrypt the files moved into the encrypted directory. Encrypting Offline Files Windows 2000 introduced client-side caching functionality, now called Offline Files in Windows XP Professional. The offline files feature is a Microsoft IntelliMirror® management technology that allows network users to access files on network shares even when the client computer is disconnected from the network. When disconnected from the network, mobile users can still browse, read, and edit files because they have been cached on the client computer, and now with Windows XP Professional these offline files are encrypted/decrypted in real-time. When the user later connects to the server, the system reconciles the changes with the server. Mobile Security Tip: The Windows XP Professional client can use EFS to encrypt offline files and folders. This feature is especially attractive for traveling professionals who need to work offline periodically and maintain data security. Encrypting the Offline Files Database You now have the option to encrypt the Offline Files database. This is an improvement over Windows 2000, where the cached files could not be encrypted. Windows XP Professional offers you the option of encrypting the Offline Files database to safeguard all locally cached documents from theft while at the same time providing additional security to your locally cached data. Securing Mobile Computers with Windows XP Professional 12 For example, you can use offline files while keeping your sensitive data secure. And if you’re an IT administrator you can use this feature to safeguard all locally cached documents. Offline Files is an excellent safeguard if your mobile computer, with confidential data saved in the Offline Files cache, gets stolen. This feature supports the encryption and decryption of the entire offline database. Administrative privileges are required to configure how the offline files will be encrypted. To encrypt offline files 1. Go to Folder Options under Tools in My Computer 2. Check Encrypt offline files to secure data under the Offline Files tab as shown in Figure 2 below. Figure 2 Encrypting the Offline Files database Certificate Services Certificate Services is the part of the core operating system that allows a business to act as its own certification authority (CA), and issue and manage digital certificates. Windows XP Professional supports multiple levels of a CA hierarchy and a cross-certified trust network: This includes offline and online certificate authorities. The following sections discuss certificate services and related topics. Certificate and Public Key Storage Windows XP Professional stores your public key certificates in the personal certificate store. Certificates are stored in plaintext because they are public information, and they are digitally signed by certification authorities to protect against tampering. User certificates are located in Documents and Settings\username\ApplicationData\Microsoft\ SystemCertificates\My\Certificates for each user profile. These certificates are written to the personal store in the system registry each time you log on to your computer. For roaming profiles, your certificates can be stored anywhere and will follow you when you log on to different computers in the domain. Private Key Storage Private keys for the Microsoft-based cryptographic service providers (CSPs), including the Base CSP and the Enhanced CSP, are located in the user profile under RootDirectory\Documents and Settings\username\Application Data\Microsoft\Crypto\RSA. In the case of a roaming user profile, the private key resides in the RSA folder on the domain controller and is downloaded to your computer, where it remains until you log off or the computer is restarted. Securing Mobile Computers with Windows XP Professional 13 Because private keys must be protected, all files in the RSA folder are automatically encrypted with a random, symmetric key called the user’s master key. The user’s master key is 64 bytes in length and is generated by a strong random number generator. 3DES keys are derived from the master key and are used to protect private keys. The master key is generated automatically and is periodically renewed. When storing the master key on disk, it is triple-DES protected by a key based in part on your password. It encrypts each file in the RSA folder automatically as the file is created. User Certificate Autoenrollment Windows 2000 introduced machine certificate autoenrollment; Windows XP and Windows Server 2003 introduce user certificate autoenrollment and renewal. Autoenrollment for computer or domain controller certificates is enabled through Group Policy and Microsoft Active Directory™. Autoenrollment of computer certificates is most useful in facilitating an IPSec or L2TP/IPSec VPN connection with Windows XP Routing and Remote Access servers and other similar devices. Certificate autoenrollment lowers total cost of ownership and simplifies the certificate management life cycle for users and administrators. Automatic smart card enrollment and self-registration authority features provide enhanced security for enterprise users; this is in addition to simplified security processes for security conscious organizations. Mobile Security Tip Smart cards provide tamper-resistant storage for protecting private keys, account numbers, passwords, and other forms of personal information. Smart cards enhance software-only solutions, such as client authentication, single sign-on, secure storage, and system administration. Smart cards are an important component of the public key infrastructure that Microsoft integrates into the Windows platform. Pending Certificate Requests and Renewal User autoenrollment in Windows XP Professional supports both pending certificate requests and renewal features. You can manually or automatically request a certificate from a Windows Server 2003 CA. This request is held until administrative approval is received or the verification process is completed. Once the certificate has been approved or issued, the autoenrollment process will complete and install your certificates automatically. The process for renewing expired user certificates also takes advantage of the autoenrollment mechanism. Certificates are automatically renewed on behalf of the user—dependent upon the specifications in the certificate template in Active Directory. Certificates and keys are protected by default. Additionally, you can implement optional security measures to provide extra protection. If you need to increase the security of your certificates and keys, you can export private keys and store them in a secure location. Figure 3 below shows some of the options available for setting up certificate autoenrollment. Securing Mobile Computers with Windows XP Professional 14 Figure 3. Autoenrollment Settings Properties Credential Management Credential Management in Windows XP has three components: credential prompting UI, stored user names and passwords, and the keyring. Together, these three components create a single, sign-on solution. Credential Prompting The credentials prompting UI is displayed by an application when an authentication error is returned by the authentication package. (This is only applicable for applications that have implemented the UI.) From the dialog box you can enter a user name and password, or select a X.509 certificate from the My Store object. The application also has the option of displaying the Remember my password check box, which allows you to save your credential for later use. This is shown in Figure 4 below. Only integrated authentication packages (for example, Kerberos protocol, NTLM, SSL, and so on) allow credentials to be saved. For basic authentication the credentials prompting UI will still be shown, but you will not have the option of saving your credential. Figure 4. Prompt for Credentials User Interface Stored User Names and Passwords Stored User Names and Passwords is the secure roamable store where your saved credentials are kept. Access to the credentials is controlled by the Local Security Settings (LSA). The credentials are stored based on the target Information returned by the resource. When the credential is saved by checking the Remember my password check box on the credentials prompting UI, the credential will be saved in the most general form possible. For example, if you were accessing a specific server in a domain, the credential could be saved as *.domain.com. Saving a different credential for a different server in this domain would not overwrite this credential. It would be saved against more specific target information. When a resource is accessed through an integrated authentication package, the authentication package will look in Stored User Names and Passwords for the most specific credential that matches the target Information returned by the resource. If one is found, the credential will be used by the authentication package without any interaction from you. If a credential is not found, an authentication error will be returned to the application that attempted to access the resource. Note The application that is accessing the resource does not need to have implemented the credential prompting UI to use this seamless authentication. If the application uses an integrated authentication package, the authentication package will attempt to retrieve the credential. In fact, if you entered the credential, only the authentication package can retrieve it. Figure 5 below shows an example of the Windows XP password-management UI. Securing Mobile Computers with Windows XP Professional 15 Figure 5. Classic Password Management UI (Windows XP Professional in a Domain) Remote Access uses Credential Manager Keyring Remote Access participates in the keyring by adding a temporary default credential whenever a dial-up or VPN connection is successfully established. This credential contains the username and password that were used in setting up the connection since these are often the same credentials that will enable access to the resources on that network. This makes the experience of connecting to a remote network, and using resources on both that network and your local network, seamless. Keyring The keyring allows you to manually manage the credentials that are in Stored User Names and Passwords. The keyring is accessed through the User Accounts applet in the Control Panel. In the keyring you will see a list of all the credentials currently in Stored User Names and Passwords. When each credential is highlighted, a description field at the bottom will display a brief description of the credential. From there you can add a new credential, edit an existing credential, or remove an existing credential. Adding a credential. To add a credential you will be presented with a UI similar to the credential prompting UI, and you will need to fill in the target Information. Remember that target information can accept wildcards in the form of “*”. Editing a credential. Editing a credential enables you to change the target information or the credential itself. If this is a user name and/or password credential, you can change the password on the server from here. You will not be able to use the credentials prompting UI to edit credentials that have been created specifically by an application. For example, you cannot edit passport credentials. Removing a credential. You can remove any credential. The ability to save credentials in Stored User Names and Passwords can be switched on or off through Group Securing Mobile Computers with Windows XP Professional 16 Policy. Mobile Security Tip For the highest level of security, network managers can disable the saving credentials feature in the keyring. This will eliminate the possibility of an unauthorized person with a stolen mobile computer gaining access to your network infrastructure. Securing Mobile Computers with Windows XP Professional 17 Summary Windows XP Professional offers a complete set of security and privacy solutions that combat threats to mobile computers. Encrypted files on NTFS-formatted storage volumes, group policies, and encryption provide strong data security foundations; tightly integrated, domain-based network authentication; secure networks; traceable user and machine certificates; localized, encrypted credential storage; and no-nonsense password policies complete the set of Windows XP security offerings. While mobile computer users whose machines are not joined to a domain have fewer security options, both domain and non-domain-connected mobile computer users benefit from secure access to encrypted data while working on the network or offline. Securing Mobile Computers with Windows XP Professional 18 Related Links See the following resources for further information: Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System at http://www.microsoft.com/TechNet/itsolutions/security/topics/efs.asp Best Practices for Enterprise http://www.microsoft.com/TechNet/itsolutions/security/bestprac/bpentsec.asp Security at This 12-part series includes: Security Threats at http://www.microsoft.com/technet/itsolutions/security/bestprac/secthret.asp Security Considerations for End Systems http://www.microsoft.com/technet/itsolutions/security/bestprac/sconsid.asp Data Protection and Recovery in Windows XP http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp at at Policy-Based Desktop Management in Windows http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/intellimirror.asp Protect Your System from Viruses (Software Restriction Policies supported in Windows XP) at http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/antivirus.asp Security at http://www.microsoft.com/technet/security Security Newsgroups at http://www.microsoft.com/technet/newsgroups/NodePages/security.asp The Ten Immutable Laws of Security at http://www.microsoft.com/technet/columns/security/10imlaws.asp What’s New in Security for Windows XP Professional and Windows XP Home Edition at http://www.microsoft.com/windowsxp/pro/techinfo/howitworks/security/default.asp Wireless LAN Technologies and Windows http://www.microsoft.com/windowsxp/pro/techinfo/planning/wirelesslan/default.asp For the latest information about http://www.microsoft.com/windowsxp. Windows XP, see the Windows XP at XP XP Web Securing Mobile Computers with Windows XP Professional at site at 19