Understanding Security Threats to Mobile Computers

Securing Mobile Computers with Windows XP Professional
By Nick George
Microsoft Corporation
Published: October 2001
Abstract
This article examines specific threats that can affect mobile computers—also known as laptop or
notebook computers. It also covers how the security tools and privacy services included in the
Microsoft® Windows® XP Professional operating system provide solutions to combat these threats.
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.
© 2001 Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows NT
are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
Other product and company names mentioned herein may be the trademarks of their
respective owners.
Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
Contents
Acknowledgements (page 3)
Introduction (page 4)
Understanding Security Threats to Mobile Computers (page 5)
  Data Loss and Theft (page 5)
  Network Penetration (page 5)
  Eavesdropping on Wired and Wireless Sessions (page 5)
  Password Cracking (page 6)
  Exposure of Confidential Data (page 7)
Security Technologies in Windows XP (page 8)
  Group Policy Objects and Smart Card Authentication (page 9)
  Managing Network Authentication—Guest Account (page 9)
  Syskey Encrypts the SAM Database Using Strong Encryption (page 9)
  Mobile Network Access Technologies (page 10)
    Virtual Private Networking (page 10)
    802.1X—Encryption Key Management (page 10)
    IrDA (page 10)
    PPPoE Client (page 10)
    Callback (page 10)
  Encrypting File System (page 10)
    EFS Architecture (page 10)
    EFS and NTFS (page 11)
    Maintaining File Confidentiality (page 11)
    How EFS Works (page 11)
    Configuring EFS for Your Environment (page 12)
    What Can Be Encrypted (page 12)
    Encrypting Offline Files (page 12)
    Encrypting the Offline Files Database (page 12)
  Certificate Services (page 13)
    Certificate and Public Key Storage (page 13)
    Private Key Storage (page 13)
    User Certificate Autoenrollment (page 14)
  Credential Management (page 15)
    Credential Prompting (page 15)
    Stored User Names and Passwords (page 15)
    Remote Access uses Credential Manager Keyring (page 16)
    Keyring (page 16)
Summary (page 18)
Related Links (page 19)
Acknowledgements
David Cross, Windows Security Program Manager, Microsoft Corporation
Jason Garms, Windows Security Program Manager, Microsoft Corporation
Praerit Garg, Windows Security Lead Program Manager, Microsoft Corporation
Jason Anderson, Consumer Platform Technical Evangelist, Microsoft Corporation
Michael Kessler, Technical Editor, Microsoft Corporation
Introduction
This article examines specific security threats applicable to mobile computers—also known as laptop or notebook
computers, along with the security tools and privacy services included in the Microsoft® Windows® XP
Professional operating system that provide solutions to combat these threats.
Only a few of the security benefits identified in this article are available to non-domain-connected computers;
where applicable these benefits will be identified.
Organizations are reevaluating their internal controls and are making the protection of mobile computing a top
priority, as discussed in the ZDNet article, Wolves at the Door. Microsoft Windows XP addresses this security
imperative with a range of features designed to provide strong security while preserving the flexibility and power
that information security managers have come to expect from an enterprise operating system. If you’re an
information security manager, you can also customize Windows Server 2003, including the deployment of Group
Policies, to provide a secure working environment.
For a great overview article describing the new security features and policies available in Windows XP, read the
article What’s New in Security for Windows XP Professional and Windows XP Home Edition—many of the
security topics included in that article are presented here in the context of mobile computing security.
How This Article is Organized
This article consists of two parts:
Understanding Security Threats to Your Mobile Computer
This section examines the most worrisome mobile computing security threats and summarizes the related Windows
XP Professional solutions.
Security Technologies in Windows XP
This section details the security technologies included in Windows XP Professional.
Understanding Security Threats to Mobile Computers
This section catalogs the security threats to mobile computers and identifies ways that Windows XP deals with
these threats.
Whenever a mobile computer is outside the enterprise’s physical security boundary, theft of the computing device
and the data it contains is a primary concern. If theft does occur, the initial data loss problem escalates to
potentially having an unauthorized person penetrate the network via remote dial-up or wireless networking.
Warning The mobile computer is subject to all typical computer security threats.
Data Loss and Theft
Data loss may not seem like a security threat, but it is, as illustrated by the Third Immutable Law of Security from
the Microsoft TechNet article, which states: “If a bad guy has unrestricted physical access to your computer, it's not
your computer anymore.”
By design, mobile computers and many new types of portable devices have a higher risk of being stolen than a
non-portable device. Often these machines hold important company data and represent a security risk if stolen; this
point is illustrated in a Computerworld article outlining the security lessons learned when the chairman of a large
telecommunications firm had his laptop computer stolen.
Protecting Against Data Loss
The Encrypting File System (EFS) in Windows XP Professional enables you to protect yourself against the loss of
stolen data. This security feature obscures data on the hard drive and renders it useless to anyone without proper
credentials.
Windows XP also incorporates Intellimirror® technology and supports redirection of the My Documents folder,
whereby a user’s data is stored centrally. EFS, coupled with the capability to locally cache your network-based files
and folders, provides the highest level of security, full-time access to data, and the convenience of centralized
network file backup.
Note EFS, offline folders and file caching are features of Windows XP Professional, and are not included in Windows XP Home
Edition.
Network Penetration
Network penetration is a serious security threat that can occur as a result of information gleaned from a stolen or
non-secure mobile device. Many network penetrations are committed by individuals using stolen mobile computers.
The following Windows XP features limit the risk of network penetration:
• Access control management curtails the anonymous access associated with the Internet.
• Simple Sharing limits access to only those network resources provided to guest accounts.
• Force Guest restricts access to unauthenticated user accounts within a domain.
• Automatic smart card enrollment and self-registration authority provide enhanced security for enterprise
users by adding another layer of authentication.
• Credential Manager enables stored or cached user credentials to be encrypted so that only authenticated users
have access to stored credentials.
• Internet Connection Firewall (ICF) provides baseline intrusion prevention functionality to computers
running the Windows XP operating system. It’s designed for computers directly connected to a public network
as well as computers that are part of a home network when used with Internet Connection Sharing.
Eavesdropping on Wired and Wireless Sessions
Another way the security of your business and personal data can be compromised is through network sniffing or
“eavesdropping”.
Remote computing, in both wired and wireless networking scenarios, is becoming a common part of business
life—along with the security risks associated with this practice. By default, e-mail headers and content are
transmitted in clear text, and if no encryption is used, the content of a message can be read or altered in transit. In
another example, a header can be modified to hide or change the identity of the sender, or to redirect the message.
As a result, security using wired and wireless networks is becoming more and more crucial as companies continue
to use public infrastructure to transport company data.
Enterprise Security Management Issues
There’s a growing interest in using the IEEE 802.11 networking protocol as an enterprise-deployable technology;
but enterprise security management issues still remain. These issues include:
• Open and visible service set identifiers (SSID) are an inherently weak security mechanism.
• Wired Equivalent Privacy (WEP) key attacks are theoretically possible using publicly available tools.
• IEEE 802.11 WEP key management is lacking a protocol for distribution of keys.
• Lack of authentication and encryption services in a wireless 802.11 ad hoc network mode raises
security concerns when users engage in peer-to-peer collaborative communication in areas such as
conference rooms.
Protecting Remote Computing Sessions
Windows XP limits the risk of having remote computing sessions intercepted in the following ways:
• Protects communication over the Internet using virtual private networks (VPN) and integrated tunneling
and encryption technologies. These technologies include: Internet protocol security (IPSec); Layer 2 tunneling
protocol (L2TP); public key infrastructure (PKI); and Point-to-point tunneling protocol (PPTP).
• Provides for zero configuration networking and roaming enhancements to make transitioning between
wireless networks easy.
• Supports the IEEE 802.1X protocol to make it easier to manage wireless devices, control the flow of data
through wireless access points, and periodically challenge and re-authenticate the wireless stations attached to
those wireless network access points.
• Supports WEP, the first-generation IEEE 802.11 wireless access session security protocol. (Enterprise
networks should be configured with IEEE 802.1X to control wireless sniffing threats against IEEE 802.11
network configurations.)
• Provides callback access support, a mobile network access technology that instructs a remote access server
to disconnect, and then call you back after you dial in.
• Supports remote access and VPN, including support for the credential keyring.
Note For more information about wireless network configuration, and security issues related to the IEEE 802.11 protocol, see
Wireless LAN Technologies and Windows XP.
Password Cracking
Many network penetrations are committed either by individuals using stolen mobile computers, or by unauthorized
users having access to an authorized user’s machine. Typically, mobile computers that are part of a domain are
more secure because domain members' credentials are centrally stored, and can only be changed at a domain
controller, which, if best practices have been followed, will be the most heavily-defended machine in a network.
Protecting Credentials
Remote computing dial-up applications that allow the end-user to cache their network access credentials aren’t
helping secure corporate networks—network security managers should implement password policies that enforce
strong passwords, force password entry when resuming from system power management standby modes and
screensavers, and prohibit the caching of remote access credentials.
Windows XP reduces the risk of exposing confidential data, such as passwords: Syskey encrypts the password
hashes stored in the Security Account Manager (SAM) database.
Protecting Standalone Computers
Mobile computers that are not part of a managed domain are even more at risk as a result of the lack of enforceable
security policies. By default, user accounts configured on a Windows XP computer that is not joined to a domain
do not have passwords associated with them, for convenience's sake. While this is acceptable in a home desktop
environment, small business and home mobile users need to take extra steps to ensure that accounts configured on
these systems have strong passwords associated with them.
Exposure of Confidential Data
Virtually all corporate employees have some sensitive material on their computers that needs to be protected
against improper disclosure. Through education and corporate policies, users should be encouraged to store
sensitive documents on network servers. Where this policy is too restrictive, Windows XP Professional provides
ways to reduce the risk of exposing confidential data.
Reducing the Risk of Exposure
Windows XP Professional reduces the risk of exposing confidential data in the following ways:
• NTFS and EFS scramble the contents of documents so that they’re unreadable by unauthorized users.
• Controlled network access, including support for dial-up connections, limits exposure to authorized uses.
• Blank password restriction enforces basic security principles.
Protecting Standalone Computers
Users of mobile computers that are not part of a managed domain also store sensitive data on their machines. For
these non-domain-connected machines, NTFS and EFS, coupled with strong user passwords, are the best defense.
Security Technologies in Windows XP
This section focuses on Windows XP security technologies that support mobile computing—security technologies
applicable exclusively to desktop computers are not covered.
Note For a complete description of security technologies in Windows XP see What’s New in Security for Windows XP Professional
and Windows XP Home Edition.
If you are already familiar with the security model in Microsoft Windows NT® 4.0 and Microsoft Windows 2000,
you will recognize many of the security features in Windows XP Professional. At the same time, you will also find
a number of familiar features that have changed significantly, and new features that will improve your ability to
manage system security.
Windows XP provides several methods for managing security. Knowledge of how Windows XP security features
work provides a framework for understanding how to design and maintain a secure environment where mobile
computers are part of a domain.
Mobile Computing Security Framework
Windows XP Professional includes a number of features that businesses can use to protect selected files,
applications, and other resources on both desktop and mobile computers. These features include access control lists
(ACL), security groups, and Group Policy—in addition to the tools that allow businesses to configure and manage
these features. Together they provide a powerful, yet flexible, access control infrastructure for business networks.
Windows XP offers thousands of security-related settings that can be implemented individually. It also includes
predefined security templates that can be used without modifications, or used as the basis for a more customized
security configuration.
Using Security Templates
Businesses can apply security templates when they:
• Create a resource, such as a folder or file share, and either accept the default access control list settings or
implement custom access control list settings.
• Place users in the standard security groups, such as Users, Power Users, and Administrators, and accept the
default ACL settings that apply to those security groups.
• Use the Basic, Compatible, Secure, and Highly Secure Group Policy templates that have been provided with
the operating system.
Settings and Tools
Each of the Windows XP security features—ACL, security groups, and Group Policy—has default settings that
can be modified to suit a particular organization, and in particular the mobile computer. Businesses can also make
use of relevant tools to implement and modify access control. Many of these tools, such as the Microsoft
Management Console (MMC) snap-ins, are components of Windows XP Professional. Other tools are included
with the Windows XP Professional Resource Kit.
Key Security Features for Mobile Computing
The following list outlines the Windows XP security features that support mobile computing. These security
features are described in greater detail in the sections that follow.
• Group Policy Objects—smart card authentication
• Managing Network Authentication—Guest account used for Internet logons
• Syskey encrypts the SAM database using strong encryption
• Mobile Network Access Technologies
  • Virtual Private Networking
  • 802.1X—encryption key management
  • Infrared Data Association (IrDA)—allows user control of access and file transfers
  • Point-to-point protocol over Ethernet (PPPoE) client
  • Callback
• Encrypting File System
  • EFS and NTFS
  • Encrypting offline files and the offline files database
• Certificate services
• Credential management (including stored passwords)
Note Most Windows XP security features support both desktop and mobile computers. Those key foundational technologies are not
described within this article. For a complete description of security technologies in Windows XP read What’s New in Security for
Windows XP Professional and Windows XP Home Edition.
Group Policy Objects and Smart Card Authentication
Windows XP Professional offers robust security features to help businesses protect sensitive data and provide
support for managing users on the network. One of the great features available in Windows XP Professional is the
use of Group Policy objects (GPO).
GPOs allow system administrators to apply a single security profile to multiple computers, and optionally use
smart card technology to authenticate users with information stored on a smart card. Unfortunately, mobile
computers typically do not include a smart card reader though most mobile computers can support smart card
authentication. For mobile computers without native smart card readers, support for smart cards can be provided
by either a PCMCIA or USB-based smart card reader.
Note In order to use smart card authentication the computer must join a domain. Therefore smart cards cannot be used on a local
workgroup machine.
Managing Network Authentication—Guest Account
An increasing number of Windows XP Professional mobile computers are connected directly to the Internet rather
than to domains. This makes proper management of access control (including strong passwords and permissions
associated with different accounts) more critical than ever. To ensure security, the relatively anonymous access
control settings commonly associated with open Internet environments need to be curtailed.
As a result, the default in Windows XP Professional requires all users logging on over the network to use the Guest
account. This change is designed to prevent hackers attempting to access a system across the Internet from logging
on by using a local Administrator account that has no password.
Syskey Encrypts the SAM Database Using Strong Encryption
Syskey, first introduced in Windows NT® 4.0, makes it more difficult for an attacker to compromise user
passwords on a Windows machine.
In Windows NT, Windows 2000 and Windows XP the hashed values for passwords are encrypted using the Syskey,
and then stored in the SAM database. This slows down a brute-force password attack.
Thwarting a Brute-force Attack
Syskey effectively thwarts a brute-force password attack by encrypting the SAM database using strong encryption.
Even if an attacker did manage to obtain a copy of the Syskey-protected SAM, he would first need to conduct a
brute-force attack to determine the Syskey, and then conduct a brute-force attack against the hashes themselves.
This dramatically increases the work factor associated with the attack, to the point where it's considered to be
computationally infeasible. To learn more about this read the Microsoft TechNet article, Analysis of Alleged
Vulnerability in Windows 2000 Syskey and the Encrypting File System.
Domains Are More Secure Than Workgroups
Mobile computers that are part of a domain are more secure than those in a workgroup. Domain members'
credentials are centrally stored and can only be changed at a domain controller. If best practices for Encrypting File
System have been followed, the domain controller will be the most heavily-defended machine in a network.
Mobile Network Access Technologies
Virtual Private Networking
VPNs allow you to rely on the Internet as a secure pipeline to your corporate LAN. If you are traveling, you can
dial-in to almost any local Internet service provider (ISP), then set up a VPN session to connect to your corporate
LAN over the Internet. With VPNs, companies can significantly reduce long-distance dial-up charges, and mobile
employees have an inexpensive method of remaining connected to LANs for extended periods.
In addition to supporting today’s most common VPN protocol, Point-to-Point Tunneling Protocol (PPTP),
Windows XP Professional supports new, more secure ways of creating virtual connections. These include Layer-2
Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec), which allow you to connect to corporate
networks with confidence.
More information about PPTP, L2TP, and IPSec can be found in the Windows 2000 Technical Library at
www.microsoft.com/windows2000/techinfo/default.asp.
802.1X—Encryption Key Management
Support for the 802.1X security standard in Windows XP lets you roam from access point to access point within
your corporate LAN. You can also roam from hot spot to hot spot—for example, airport lounge to Internet café—
and be identified and allowed access to those networks without additional logons.
Access is controlled per-user and/or per-port; this allows for precise access control and identification which allows
a wide variety of services to be provided. And thanks to the security protocols used in the 802.1X standard, you can
use your networks with a higher level of confidence in their security than even wired connections can offer.
IrDA
Windows XP Professional supports the Infrared Data Association (IrDA) protocol suite that lets you transfer
information and share resources like printers between computers without using physical cables. Many mobile
computers include hardware support for IrDA.
Two users traveling with laptop computers can transfer files by setting up an IrDA connection, instead of using
cables or floppy disks. When users place two computers close to one another, IrDA can automatically configure the
connection.
Windows XP Professional lets you limit users—other than the computer’s owner—who can send files using
infrared communications. You can also specify the location where documents should be received.
Windows XP Professional automatically detects devices that use infrared communications, such as other computers
and cameras.
PPPoE Client
Windows XP lets you create connections using PPPoE. Using PPPoE and a broadband modem, mobile LAN users
can gain individual authenticated access to high-speed data networks.
Callback
Windows XP also supports callback modem configurations. The callback feature instructs the remote access server
to disconnect, and then to call you back after you dial-in. Callback provides cost advantages to you and security
advantages to your network.
Encrypting File System
The increased functionality of Encrypting File System (EFS) has significantly enhanced the power of Windows XP
Professional by providing additional flexibility for corporate users when they deploy security solutions based on
encrypted data files. One of the cornerstones of mobile computing’s data and access security is EFS.
EFS Architecture
EFS is based on public-key encryption and takes advantage of the CryptoAPI architecture in Windows XP. The
default configuration of EFS requires no administrative effort—you can begin encrypting files immediately. EFS
automatically generates an encryption key pair and a certificate for a user if one does not exist already.
EFS can use either the expanded Data Encryption Standard (DESX) or Triple-DES (3DES) as the encryption
algorithm. Both the RSA Base and RSA Enhanced software cryptographic service providers (CSPs) included
in the operating system may be used for EFS certificates, and for encryption of the symmetric encryption keys.
Note If you encrypt a folder, all files and subfolders created in, or added to, the encrypted folder are automatically encrypted. It is
recommended that you encrypt at the folder level to prevent plain-text temporary files from being created on the hard disk during file
conversion.
EFS and NTFS
EFS protects sensitive data in files that are stored on disk using the NTFS file system. EFS is the core technology
for encrypting and decrypting files stored on NTFS volumes. Only the user who encrypts a protected file can open
the file and work with it. This is especially useful for mobile computer users because even if someone else gains
access to a lost or stolen laptop, he or she will not be able to access any of the files on the disk. Windows XP
Professional enables EFS to work with offline files and folders.
Mobile Security Tip Use EFS on mobile NTFS volumes. NTFS coupled with the Encrypting File System scrambles the contents of
documents so that they’re unreadable by unauthorized people. Mobile computer data protected by EFS can’t be compromised.
EFS enables you to encrypt individual files and folders. Encrypted files will remain confidential even if an attacker
bypasses system security by installing a new operating system. EFS provides strong encryption through industry
standard algorithms, and because it is tightly integrated with NTFS, it is easy to use. EFS for Windows XP
Professional offers new options for sharing encrypted files and disabling data recovery agents, and it facilitates
management through Group Policy and command-line utilities.
Mobile Security Tip Make sure you implement strong passwords when using EFS. Since EFS protects files based on the local user’s
certificate, encrypted files are only as secure as the password associated with that user’s account on the system.
Maintaining File Confidentiality
Security features such as logon authentication and file permissions protect network resources from unauthorized
access. However, anyone with physical access to a computer can install a new operating system on that computer
and bypass the existing operating system's security. In this way, sensitive data can be exposed. Encrypting sensitive
files using EFS adds another layer of security. When files are encrypted, their data is protected even if an attacker
has full access to the computer's data storage.
Only authorized users and designated data recovery agents can decrypt encrypted files. Other system accounts that
have permissions for a file—even the Take Ownership permission—cannot open the file without authorization.
Even the administrator account cannot open the file if that account is not designated as a data recovery agent. If an
unauthorized user tries to open an encrypted file, access will be denied.
How EFS Works
EFS enables you to store confidential information on a computer when people who have physical access to that
computer could otherwise compromise the information, intentionally or unintentionally.
EFS is especially useful for securing sensitive data on mobile computers or on computers shared by several users.
Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of ACLs.
In a shared system, an attacker can gain access by starting up a different operating system. An attacker could also
steal a computer, remove the hard drive(s), place the drive(s) in another system, and gain access to the stored files.
Files encrypted using EFS, however, appear as unintelligible characters when the attacker does not have the
decryption key.
Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When you open a file,
it is decrypted by EFS as data is read from disk. When you save the file, EFS encrypts the data as it is written to
disk. As an authorized user you might not even realize that the files are encrypted because you can work with them
as you normally do.
In its default configuration, EFS enables you to start encrypting files from Windows Explorer with no
administrative effort. From a user's point of view, encrypting a file is simply a matter of setting a file attribute. The
encryption attribute can also be set for a file folder. This means that any file created in or added to the folder is
automatically encrypted.
Figure 1 below shows where you would create settings for EFS.
Figure 1. EFS Local Security Settings
Configuring EFS for Your Environment
EFS is enabled by default. You can encrypt files if you have permission to modify the files. Because EFS relies on
a public key to encrypt files, you need a public-private key pair and a public key certificate for encryption. Because
EFS can use self-signed certificates, it does not require administrative effort before it can be used.
If EFS is not appropriate in your environment, or if you have files that you do not want encrypted, you can disable
EFS in various ways. There are also a number of ways in which you can configure EFS to meet the specific needs
of your organization.
In order to use EFS, all users must have EFS certificates. If you do not currently have a Public Key Infrastructure
(PKI), you can use self-signed certificates that are generated by the operating system automatically. If you have
certification authorities, however, you might want to configure them to provide EFS certificates. You will also need
to consider a disaster recovery plan if you use EFS on your system.
What Can Be Encrypted
Individual files and file folders (or subfolders) on NTFS volumes can be set with the encryption attribute. Although
it is common to refer to file folders with the encryption attribute set as "encrypted," the folder itself is not
encrypted, and no public-private key pair is required to set the encryption attribute for a file folder. When
encryption is set for a folder, EFS automatically encrypts the following:
• All new files created in the folder.
• All plaintext files copied or moved into the folder.
• Optionally, most existing files and subfolders, with the noted exceptions of Windows system files and user
profiles.
Note The process of moving files from an unencrypted directory to an encrypted directory, using GUI drag and drop, will not encrypt
the files moved into the encrypted directory.
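The drag-and-drop exception above is easy to miss on a laptop. The following script is an added example, not code from the white paper or from Microsoft: it audits a folder that carries the encryption attribute, reports any files under it that are still plaintext, and optionally encrypts them. It assumes a current Windows with PowerShell 5.1 or later (Windows XP itself has no PowerShell), an NTFS volume, and a placeholder folder path.

```powershell
# Added example (not from the white paper): audit an EFS-encrypted folder for
# plaintext files, e.g. ones moved in with drag and drop, and optionally fix them.
# Assumes PowerShell 5.1+ on a current Windows; the folder path is a placeholder.
param(
    [string]$Folder = "$env:USERPROFILE\Documents\Confidential",  # placeholder
    [switch]$Fix   # when set, encrypt every plaintext file that is found
)

$Encrypted = [System.IO.FileAttributes]::Encrypted

# True when the file or folder at $Path carries the EFS encryption attribute.
function Test-EfsAttribute {
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    ($attrs -band $Encrypted) -eq $Encrypted
}

# 1. The user needs an EFS certificate (EKU 1.3.6.1.4.1.311.10.3.4) in the
#    personal store; Windows self-signs one the first time a file is encrypted.
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
if (-not $efsCert) {
    Write-Warning "No EFS certificate in the personal store yet (one is created on first use)."
} else {
    "EFS certificate thumbprint(s): " + (($efsCert | ForEach-Object Thumbprint) -join ', ')
}

# 2. The folder itself must carry the attribute, otherwise new files stay plaintext.
if (-not (Test-EfsAttribute $Folder)) {
    Write-Warning "'$Folder' lacks the encryption attribute; new files in it will not be encrypted."
}

# 3. Every file below the folder that is still plaintext.
$plain = Get-ChildItem -LiteralPath $Folder -Recurse -File -Force |
    Where-Object { ($_.Attributes -band $Encrypted) -ne $Encrypted }

if (-not $plain) {
    "All files under '$Folder' are EFS-encrypted."
} else {
    "Plaintext files found under '$Folder':"
    $plain | ForEach-Object { "  " + $_.FullName }
    if ($Fix) {
        foreach ($f in $plain) {
            # Same operation as the 'Encrypt contents' checkbox in Explorer;
            # requires Modify permission on the file (Windows-only .NET call).
            [System.IO.File]::Encrypt($f.FullName)
        }
        "Encrypted $($plain.Count) file(s)."
    }
}
```

Run it without `-Fix` first to review the list; the files it reports are exactly the ones a thief could read from a pulled drive.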
Encrypting Offline Files
Windows 2000 introduced client-side caching functionality, now called Offline Files in Windows XP Professional.
The offline files feature is a Microsoft IntelliMirror® management technology that allows network users to access
files on network shares even when the client computer is disconnected from the network. When disconnected from
the network, mobile users can still browse, read, and edit files because they have been cached on the client
computer, and now with Windows XP Professional these offline files are encrypted/decrypted in real-time. When
the user later connects to the server, the system reconciles the changes with the server.
Mobile Security Tip: The Windows XP Professional client can use EFS to encrypt offline files and folders. This feature is especially
attractive for traveling professionals who need to work offline periodically and maintain data security.
Encrypting the Offline Files Database
You now have the option to encrypt the Offline Files database. This is an improvement over Windows 2000, where
the cached files could not be encrypted. Windows XP Professional offers you the option of encrypting the Offline
Files database to safeguard all locally cached documents from theft while at the same time providing additional
security to your locally cached data.
For example, you can use offline files while keeping your sensitive data secure. And if you’re an IT administrator
you can use this feature to safeguard all locally cached documents. Offline Files is an excellent safeguard if your
mobile computer, with confidential data saved in the Offline Files cache, gets stolen.
This feature supports the encryption and decryption of the entire offline database. Administrative privileges are
required to configure how the offline files will be encrypted.
To encrypt offline files
1. Go to Folder Options under Tools in My Computer
2. Check Encrypt offline files to secure data under the Offline Files tab as shown in Figure 2 below.
Figure 2. Encrypting the Offline Files database
Certificate Services
Certificate Services is the part of the core operating system that allows a business to act as its own certification
authority (CA), and issue and manage digital certificates. Windows XP Professional supports multiple levels of a
CA hierarchy and a cross-certified trust network, including offline and online certification authorities. The
following sections discuss certificate services and related topics.
Certificate and Public Key Storage
Windows XP Professional stores your public key certificates in the personal certificate store. Certificates are stored
in plaintext because they are public information, and they are digitally signed by certification authorities to protect
against tampering.
User certificates are located in Documents and Settings\username\Application Data\Microsoft\
SystemCertificates\My\Certificates for each user profile. These certificates are written to the personal store in the
system registry each time you log on to your computer. For roaming profiles, your certificates can be stored
anywhere and will follow you when you log on to different computers in the domain.
Private Key Storage
Private keys for the Microsoft-based cryptographic service providers (CSPs), including the Base CSP and the
Enhanced CSP, are located in the user profile under RootDirectory\Documents and
Settings\username\Application Data\Microsoft\Crypto\RSA.
In the case of a roaming user profile, the private key resides in the RSA folder on the domain controller and is
downloaded to your computer, where it remains until you log off or the computer is restarted.
Because private keys must be protected, all files in the RSA folder are automatically encrypted with a random,
symmetric key called the user’s master key. The user’s master key is 64 bytes in length and is generated by a strong
random number generator. 3DES keys are derived from the master key and are used to protect private keys. The
master key is generated automatically and is periodically renewed.
When the master key is stored on disk, it is triple-DES protected by a key based in part on your password. The
master key in turn encrypts each file in the RSA folder automatically as the file is created.
User Certificate Autoenrollment
Windows 2000 introduced machine certificate autoenrollment; Windows XP and Windows Server 2003 introduce
user certificate autoenrollment and renewal. Autoenrollment for computer or domain controller certificates is
enabled through Group Policy and Microsoft Active Directory™. Autoenrollment of computer certificates is most
useful in facilitating an IPSec or L2TP/IPSec VPN connection with Windows XP Routing and Remote Access
servers and other similar devices.
Certificate autoenrollment lowers total cost of ownership and simplifies the certificate management life cycle for
users and administrators. Automatic smart card enrollment and self-registration authority features provide
enhanced security for enterprise users; this is in addition to simplified security processes for security conscious
organizations.
Mobile Security Tip Smart cards provide tamper-resistant storage for protecting private keys, account numbers, passwords, and other
forms of personal information. Smart cards enhance software-only solutions, such as client authentication, single sign-on, secure
storage, and system administration. Smart cards are an important component of the public key infrastructure that Microsoft integrates
into the Windows platform.
Pending Certificate Requests and Renewal
User autoenrollment in Windows XP Professional supports both pending certificate requests and renewal features.
You can manually or automatically request a certificate from a Windows Server 2003 CA. This request is held until
administrative approval is received or the verification process is completed. Once the certificate has been approved
or issued, the autoenrollment process will complete and install your certificates automatically.
The process for renewing expired user certificates also takes advantage of the autoenrollment mechanism.
Certificates are automatically renewed on behalf of the user—dependent upon the specifications in the certificate
template in Active Directory.
Certificates and keys are protected by default. Additionally, you can implement optional security measures to
provide extra protection. If you need to increase the security of your certificates and keys, you can export private
keys and store them in a secure location.
Figure 3 below shows some of the options available for setting up certificate autoenrollment.
Figure 3. Autoenrollment Settings Properties
Credential Management
Credential Management in Windows XP has three components: the credential prompting UI, Stored User Names
and Passwords, and the keyring. Together, these three components create a single sign-on solution.
Credential Prompting
The credentials prompting UI is displayed by an application when an authentication error is returned by the
authentication package. (This is only applicable for applications that have implemented the UI.)
From the dialog box you can enter a user name and password, or select an X.509 certificate from the My Store
object. The application also has the option of displaying the Remember my password check box, which allows
you to save your credential for later use. This is shown in Figure 4 below.
Only integrated authentication packages (for example, Kerberos protocol, NTLM, SSL, and so on) allow
credentials to be saved. For basic authentication the credentials prompting UI will still be shown, but you will not
have the option of saving your credential.
Figure 4. Prompt for Credentials User Interface
Stored User Names and Passwords
Stored User Names and Passwords is the secure roamable store where your saved credentials are kept. Access to
the credentials is controlled by the Local Security Authority (LSA). The credentials are stored based on the target
information returned by the resource.
When the credential is saved by checking the Remember my password check box on the credentials prompting UI,
the credential will be saved in the most general form possible. For example, if you were accessing a specific server
in a domain, the credential could be saved as *.domain.com. Saving a different credential for a different server in
this domain would not overwrite this credential. It would be saved against more specific target information.
When a resource is accessed through an integrated authentication package, the authentication package will look in
Stored User Names and Passwords for the most specific credential that matches the target information returned by
the resource. If one is found, the credential will be used by the authentication package without any interaction from
you. If a credential is not found, an authentication error will be returned to the application that attempted to access
the resource.
Note The application that is accessing the resource does not need to have implemented the credential prompting UI to use this
seamless authentication. If the application uses an integrated authentication package, the authentication package will attempt to
retrieve the credential. In fact, if you entered the credential, only the authentication package can retrieve it.
Figure 5 below shows an example of the Windows XP password-management UI.
Figure 5. Classic Password Management UI (Windows XP Professional in a Domain)
Remote Access uses Credential Manager Keyring
Remote Access participates in the keyring by adding a temporary default credential whenever a dial-up or VPN
connection is successfully established. This credential contains the username and password that were used in
setting up the connection since these are often the same credentials that will enable access to the resources on that
network. This makes the experience of connecting to a remote network, and using resources on both that network
and your local network, seamless.
Keyring
The keyring allows you to manually manage the credentials that are in Stored User Names and Passwords. The
keyring is accessed through the User Accounts applet in the Control Panel.
In the keyring you will see a list of all the credentials currently in Stored User Names and Passwords. When each
credential is highlighted, a description field at the bottom will display a brief description of the credential. From
there you can add a new credential, edit an existing credential, or remove an existing credential.
• Adding a credential. To add a credential you will be presented with a UI similar to the credential prompting
UI, and you will need to fill in the target information. Remember that target information can accept wildcards
in the form of “*”.
• Editing a credential. Editing a credential enables you to change the target information or the credential itself.
If this is a user name and/or password credential, you can change the password on the server from here. You
will not be able to use the credentials prompting UI to edit credentials that have been created specifically by an
application. For example, you cannot edit Passport credentials.
• Removing a credential. You can remove any credential.
The ability to save credentials in Stored User Names and Passwords can be switched on or off through Group
Policy.
Mobile Security Tip For the highest level of security, network managers can disable the saving credentials feature in the keyring.
This will eliminate the possibility of an unauthorized person with a stolen mobile computer gaining access to your network
infrastructure.
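The Group Policy setting behind this tip is "Network access: Do not allow storage of passwords and credentials for network authentication", which is stored as the LSA registry value DisableDomainCreds. The script below is an added example, not code from the white paper or from Microsoft: it reports whether that setting is in force on the local machine, lists the credentials already saved for the current user, and can optionally enforce the setting. It assumes a current Windows with PowerShell 5.1 or later (Windows XP itself has no PowerShell); writing the value needs administrator rights, and in a domain the setting belongs in Group Policy so it cannot be reverted locally.

```powershell
# Added example (not from the white paper): audit, and optionally enforce, the
# policy that disables saving credentials in Stored User Names and Passwords.
# Assumes PowerShell 5.1+ on a current Windows and administrator rights for -Enforce.
param([switch]$Enforce)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'DisableDomainCreds'   # 1 = "Network access: Do not allow storage of
                                 #      passwords and credentials for network authentication"

# Read the current value; a missing value means the default (saving allowed).
$current = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name

if ($current -eq 1) {
    "$name = 1: saving credentials is disabled (recommended for mobile computers)."
} elseif ($null -eq $current) {
    "$name is not set: saving credentials is allowed (the default)."
} else {
    "$name = $current" + ": saving credentials is allowed."
}

# The policy stops new credentials from being saved but does not purge existing
# ones; list them so they can be reviewed and removed with 'cmdkey /delete'.
"Credentials currently saved for $env:USERNAME:"
cmdkey /list

if ($Enforce -and $current -ne 1) {
    # Needs an elevated session; prefer Group Policy on domain-joined laptops.
    Set-ItemProperty -Path $lsaKey -Name $name -Value 1 -Type DWord
    "$name set to 1."
}
```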
Summary
Windows XP Professional offers a complete set of security and privacy solutions that combat threats to mobile
computers. Encrypted files on NTFS-formatted storage volumes, group policies, and encryption provide strong
data security foundations; tightly integrated, domain-based network authentication; secure networks; traceable
user and machine certificates; localized, encrypted credential storage; and no-nonsense password policies complete
the set of Windows XP security offerings.
While mobile computer users whose machines are not joined to a domain have fewer security options, both domain
and non-domain-connected mobile computer users benefit from secure access to encrypted data while working on
the network or offline.
Related Links
See the following resources for further information:
• Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System at
http://www.microsoft.com/TechNet/itsolutions/security/topics/efs.asp
• Best Practices for Enterprise Security at
http://www.microsoft.com/TechNet/itsolutions/security/bestprac/bpentsec.asp
This 12-part series includes:
• Security Threats at http://www.microsoft.com/technet/itsolutions/security/bestprac/secthret.asp
• Security Considerations for End Systems at
http://www.microsoft.com/technet/itsolutions/security/bestprac/sconsid.asp
• Data Protection and Recovery in Windows XP at
http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp
• Policy-Based Desktop Management in Windows XP at
http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/intellimirror.asp
• Protect Your System from Viruses (Software Restriction Policies supported in Windows XP) at
http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/antivirus.asp
• Security at http://www.microsoft.com/technet/security
• Security Newsgroups at http://www.microsoft.com/technet/newsgroups/NodePages/security.asp
• The Ten Immutable Laws of Security at http://www.microsoft.com/technet/columns/security/10imlaws.asp
• What’s New in Security for Windows XP Professional and Windows XP Home Edition at
http://www.microsoft.com/windowsxp/pro/techinfo/howitworks/security/default.asp
• Wireless LAN Technologies and Windows XP at
http://www.microsoft.com/windowsxp/pro/techinfo/planning/wirelesslan/default.asp
For the latest information about Windows XP, see the Windows XP Web site at http://www.microsoft.com/windowsxp.