Microsoft Desktop Security
Featuring: Microsoft® Office XP Professional, Microsoft Windows® XP Professional
Published: April 2002

Abstract

The purpose of this white paper is to discuss how the security features provided by Microsoft® Windows® XP Professional and Microsoft Office XP Professional address new threats, both internal and external to the enterprise. The paper highlights the evolution of computer network security threats since the introduction of Microsoft Office 97 and Microsoft Windows 98, as well as the increased sophistication needed to respond to them adequately. With the release of both Office XP Professional and Windows XP Professional, Microsoft has greatly improved the capability for enterprises to secure desktop computing and network resources.

More and more businesses are using information systems in mission-critical capacities. The consequences of a breach in security can be disastrous. From attacks causing denial of service to corruption and loss of confidential information, the security threats facing the enterprise today have the potential to bring down an organization. Servers and end-user workstations must work together to protect the integrity of, and access to, information.

Microsoft Desktop Security: White Paper

Table of Contents

Introduction ............................................................................ 1
Increasing Sophistication of Security Threats ........................................... 3
    Evolution of Security Threats ....................................................... 3
    Comparing Security in Versions of Microsoft Office and Windows ...................... 5
    Microsoft’s Response to Security Threats and Vulnerabilities ........................ 6
        Industry Initiatives ............................................................ 7
Protecting the Enterprise ............................................................... 8
    The Need for a Comprehensive Approach ............................................... 8
    The Security Entity Building Block Architecture ..................................... 9
        End Systems ..................................................................... 9
        Local Communications Systems ................................................... 10
        Administrative Authority ....................................................... 10
        Private Networks ............................................................... 11
        The Internet ................................................................... 11
    Security versus Performance and Productivity ...................................... 11
    Windows XP and Office XP Role in Securing the Enterprise .......................... 12
Windows XP / Office XP Desktop Security ............................................... 13
    Windows XP Security Features ...................................................... 13
        Encrypted File System .......................................................... 13
        Group Policies ................................................................. 13
        Data Backup .................................................................... 14
        Offline File Synchronization ................................................... 14
        Digital Certificates and PKI ................................................... 14
        Smart Cards .................................................................... 15
        Auditing Security Events ....................................................... 15
        Integrated Wireless Networking ................................................. 15
    Office XP Security Features ....................................................... 15
        Digital Signatures ............................................................. 16
        Code Signing ................................................................... 16
        Access Control Settings ........................................................ 16
        Macro Security ................................................................. 16
        Document Protection ............................................................ 16
        Privacy ........................................................................ 17
        Outlook Security ............................................................... 17
        COM Add-Ins Security ........................................................... 18
        Data Recovery using AutoRecovery ............................................... 19
    Internet Explorer Security Features ............................................... 19
    Enterprise Network Security Management Tools ...................................... 20
Best Practices for a Secured Environment .............................................. 21
    Enterprise Security Risk Analysis, Planning, and Design ........................... 21
    End User System Security .......................................................... 22
    Windows XP Security ............................................................... 23
    Office XP Security Practices ...................................................... 23
    Staying Secure .................................................................... 24
Summary ............................................................................... 25
Further Reading, Resources, and References ............................................ 25

Introduction

Protecting the enterprise from ever increasing and more malicious attacks requires a comprehensive solution that addresses security threats and vulnerabilities at all levels. Since the introduction of Microsoft® Office 97 and Microsoft Windows® 98, Microsoft has continually improved these products to respond to the major security risks and threats of the time.
The release of Microsoft Windows XP Home Edition and Microsoft Windows XP Professional (hereafter referred to collectively as Microsoft Windows XP) and Microsoft Office XP Professional (hereafter referred to as Microsoft Office XP) continues this trend, offering a new range of security features that enable Information Technology administrators to address today’s threats while providing flexibility, simplified management, and controlled access to information by authorized users. Microsoft Office XP and Microsoft Windows XP (hereafter referred to collectively as the XP products) simplify many administrative and security management tasks, resulting in a more secure environment that is less vulnerable to attacks of all kinds.

The purpose of this paper is to provide background on the evolution of security threats, including Microsoft’s response to these threats by providing a secure and robust applications platform as demonstrated by the XP products. Through an understanding of these threats and the respective capabilities of Office XP and Windows XP, enterprise administrators and IT decision makers will be better able to assess the security risks and capabilities of their existing implementations.

This paper is not a detailed “How To” guide showing specific implementation details. Rather, it is a discussion of the increasing sophistication of enterprise security threats and the features and capabilities provided by Microsoft Windows XP and Microsoft Office XP that help manage these threats while maintaining a secure and manageable environment. Successfully preparing for and protecting user workstations and enterprise networks from a variety of attacks has become increasingly complicated as malicious attacks have grown more sophisticated.
The paper discusses the following topics:

Increasing Sophistication of Security Threats – introduces the types of security threats and major attacks that have been mounted since the introduction of Windows 98 and Office 97, and how Microsoft has steadily improved the features and capabilities of these products to deal with the increased sophistication.

Protecting the Enterprise – presents an overview of Microsoft’s security architecture and the role Windows XP and Office XP play in protecting user workstations and information.

Windows XP / Office XP Desktop Security – discusses the major security features and capabilities of Microsoft Windows XP and Microsoft Office XP. Compared to Windows 98 and Office 97, Windows XP and Office XP provide the levels of security, compatibility, and control needed to share information safely in today’s Internet-connected, pervasive computing environment.

Best Practices for a Secured Environment – a brief discussion of some of the best practices and techniques to use when securing an enterprise that deploys a solution using Windows XP and Office XP.

By reading this paper, the reader will take away an understanding of:

Types of threats (both malicious and non-malicious).
Common attacks and outcomes.
How Windows and Office (beginning with Office 97 and Windows 98) have been improved over time to respond to these increasingly sophisticated security threats.
The role of Windows XP and Office XP within the Microsoft enterprise security architecture.
Microsoft’s solution model for enterprise security.
A high-level understanding of Windows XP and Office XP security features and capabilities.
Best practices and resources for implementing and improving security within the enterprise.
Increasing Sophistication of Security Threats

Like the ongoing escalation in an arms race, new platforms and applications introduced with new security features in response to prior vulnerabilities result in new threats. These new threats may ultimately be more vicious and malicious than any previous threat. Attackers and security technologists are locked in an unending battle, which continues to raise the stakes, namely the protection of enterprise resources and information.

In this section, we review the evolution of security risks and security technologies since the introduction of Office 97 and Windows 98 through the release of Windows XP and Office XP. The primary sources of security threats are discussed, as well as the types of threats facing the enterprise, with particular focus on the end-user system (e.g. workstations, desktop and laptop computers). A threat is defined as anything that could have an adverse and destructive impact on the integrity and function of the enterprise. The section “Comparing Security in Versions of Microsoft Office and Windows” provides a side-by-side comparison of the various Office and Windows products to illustrate the major security features and changes in capabilities between each version. Microsoft’s response to security threats is also discussed, including general strategy as well as explicit initiatives designed to improve awareness, education, and security technologies.

Evolution of Security Threats

The challenge in implementing a secure enterprise network is developing a plan that can deal with security threats both today and in the future. Given that the sophistication of security threats continues to increase, the response must be to continue to increase the sophistication of security measures and procedures.
When Office 97 and Windows 98 were released, the majority of desktop computer use focused on internal corporate e-mail, use of specialized client applications for working with centralized data systems, and the productivity tools Microsoft Excel, Microsoft Word, Microsoft Access, Microsoft Outlook® messaging and collaboration client, and Microsoft PowerPoint® presentation graphics program. Internet usage for browsing the Web and corporate integration (business services, exchanges, and electronic communication) was just at the beginning of adoption.

Within the enterprise, users typically were assigned a single workstation from which to interact with enterprise services and resources. Files were typically stored on a centralized file server, which could be managed using Microsoft Windows NT®. When portable access was required, users were typically assigned a laptop that provided the capability to work remotely using some remote access service (e.g. dialup). Enterprises provided most of the resources necessary (including a modem pool) for remote workers to connect to the local network over a phone line.

At that time, the capabilities of Microsoft Office 97 and Windows 98 were geared toward supporting centralized services, including file, printer, and database services that provided their own security capabilities. Under this model the perimeter of the enterprise was essentially guarded by the remote access server, which checked user credentials and authorization at entry points. Once authorized, individuals were able to gain access to network services. The major threats of the time were mostly insider attacks by authorized users. External attacks from hackers were fairly limited to enterprises with full-time Internet connectivity. In large corporations, firewalls were established at the Internet/WAN gateway that prevented most unauthorized traffic.
At the time, the popularity of Web services and peer-to-peer networking was fairly limited and it was relatively easy to lock down the system. The same was also true for the desktop, given that sensitive resources were mostly located on a central server and only authorized users were capable of gaining access. The security capabilities of Windows 98 and Office 97 addressed mostly non-malicious attacks, preventing loss of data, corruption, and unauthorized access. Some of the features included:

File backup and file recovery for edited files.
Multi-user support.
Document protection.
Source code protection for script and other automation-enabled applications, including Microsoft Access, Word, Excel, and Outlook.

Threats due to virus attacks were minimal at the time, as most virus attacks during those days were fairly innocuous. The viruses sought to achieve attention for the hacker or to cause minor disruptions, and in some cases to cause minimal data loss.

However, times have certainly changed. The way we work with computers and information is fundamentally changing. The enterprise is different today than it was when Office 97 and Windows 98 were released. Today the enterprise extends far beyond the physical boundaries of the company’s facilities, where virtual networks now connect remote users from potentially anywhere. Further, the proliferation of mobile computing equipment, including laptops, cell phones, PDAs (personal digital assistants), and other data devices, has complicated the ability of administrators to manage the security of the enterprise. Devices that are no longer within the confines of the physical enterprise must continue to have access. Both Windows XP and Office XP must provide an end-user experience that supports pervasive computing anytime, anywhere. In addition, external attacks have become much more malicious and commonplace.
One look at the Computer Emergency Response Team (CERT) advisory web site (http://www.cert.org/advisories) for 2001 versus 1998 should convince the reader of the increasing threats and vulnerabilities. Attackers have begun to focus on exploiting weaknesses within operating system and application software. Not limited to just Microsoft Windows and Office, these attacks seek to exploit vulnerabilities on all types of systems. The dominant origin of external threats is the Internet. As a result, most enterprises have increased the complexity of their firewall systems and ensured that most security features are enabled on servers as well as workstations. Office XP and Windows XP provide many new security features when compared to Office 97 and Windows 98, specifically implemented to address a number of these new threats.

Compared to just a few years ago, users today are able to share more information and to customize its use with less effort. To accomplish this, most software today, including web browsers, e-mail, messaging, and productivity tools, provides a high degree of interconnectivity, integration, and automation. Though ease of use has been greatly increased, freeing users from redundant data entry and tedious tasks, the potential for an attacker to compromise the enterprise has also grown proportionately. These same integration capabilities and automation tools may be exploited in new kinds of attacks.

The threat of malicious insider attack has also increased due to the continuing trend to computerize most, if not all, of a business’s processes. Data stored within databases and file systems has become increasingly valuable and mission critical to the enterprise as paper-based processes are deprecated in favor of more efficient computer-based processes.
At one time information was locked physically behind closed doors; now data must be protected electronically through a series of security measures while still enabling authorized users to access the information no matter where they are. The potential risks associated with an inside attack are much higher today than they were just two years ago. A successful denial of service attack can effectively bring an entire company to a halt.

On the other hand, the risks due to disaster and non-malicious attacks are greatly reduced given the much increased redundancy and sophistication of enterprise network services and management processes, when compared to just a few years ago. This is due primarily to advances in technology, both in hardware and software, that are enabling much more robust enterprise solutions than was possible before. With advances in products like Windows XP and Office XP, networks can be managed more effectively, consistently, and securely, enabling the protection of information and the prevention of unauthorized user access, data corruption, and data loss.

Comparing Security in Versions of Microsoft Office and Windows

One of the best ways to understand how much things have changed since the introduction of Office 97 and Windows 98 is to look at the security features of the various versions of Office and Windows. With today’s need for highly integrated and automated computing, the way we think about security has fundamentally changed. To adequately address the risk presented by today’s threats, Office XP and Windows XP have had to implement fundamental architectural changes to the software when compared to previous versions. The following table details the major security features of both Office and Windows by major version, beginning with Office 97 and Windows 98 through the latest releases.
Table 1 Major Security Features by version of Office and Windows

Security Feature                              | Office 97 / Windows 98                     | Office 2000 / Windows 2000           | Office XP / Windows XP
----------------------------------------------|--------------------------------------------|--------------------------------------|---------------------------------------------------------------
Microsoft Office Features                     |                                            |                                      |
Virus API                                     | --                                         | --                                   | New with XP
Security Templates and Tools                  | Installation tools in Resource Kit         | Installation tools in Resource Kit   | Improved installation tools and centralized management features
Digital Signatures                            | Standard                                   | Standard                             | Code Signing
Macro Security                                | Some protection                            | High, Medium, Low                    | Security management and zone control
Data Recovery                                 | Auto Save                                  | Auto Save                            | New for XP products: Auto-Recovery
Outlook Security                              | Minimal                                    | Level 1, Level 2 attachments         | Much improved
Privacy                                       | --                                         | Supported                            | Supported
Document Protection                           | Read-only, reviewing, password protection  | Added versions, encryption           | Additional publication features
Microsoft Windows                             |                                            |                                      |
Secure Networking (IPSec)                     | --                                         | Standard                             | Standard
User-Level Security for shared files, folders | Standard                                   | Standard                             | Standard
Screen Saver Password Protection              | Standard                                   | Standard                             | Standard
Encrypting File System                        | --                                         | Standard                             | Standard
Public Key Infrastructure                     | --                                         | Standard                             | Standard
Group Policy Objects                          | --                                         | Standard                             | Standard
Smart Card Support                            | Available from third parties               | Standard                             | Standard
Multi-User Support                            | Limited support                            | Standard                             | Standard
Remote Access                                 | Third-party support                        | Add Terminal Server components       | Standard
Auditing                                      | --                                         | Standard                             | Standard
Integrated Wireless Networking                | --                                         | --                                   | New
Internet Connection Firewall                  | --                                         | Supported with ISA Server            | New

Microsoft’s Response to Security Threats and Vulnerabilities

Developing quality software that can provide effective security against all types of attacks and threats has recently become priority number one for Microsoft. However, Microsoft has had a long history of improving the security and robustness of its products and services to meet the challenges of the day. Microsoft continually tests its software both internally and externally for potential security vulnerabilities and software bugs.
In fact, Microsoft works with both the CERT team and other external organizations when attacks do occur. Whenever possible, Microsoft provides an immediate update or patch to the affected product and service. Unfortunately, due to the increasing sophistication of security threats and attacks, it is not always possible for Microsoft to release an update that will fix all the potential vulnerabilities. In some cases, fundamental changes are required in the structure of the software in order to completely eliminate the potential vulnerability. In these situations, Microsoft issues procedural workarounds and recommended practices, which can help minimize the chance of a successful attack.

One of the most common misconceptions about information security is the idea that systems and applications can be made completely secure. This might be true if we could remove the human element, but with the potential for error both in programming and in user actions, even a carefully engineered software system will still have some risk exposure. In today’s world it is an unrealistic expectation to believe that any system is entirely secure. Sufficiently motivated hackers can and will find a way.

Industry Initiatives

The best way to protect systems is constant vigilance and a good plan of action for when attacks occur. One way Microsoft is assisting in this effort is by participating in industry initiatives to help define standardized plans, practices, and security procedures. Together with other security industry leaders, Microsoft has announced its intention to form an organization whose purpose will be to develop and propose industry standards for handling security vulnerabilities.
The organization is as yet unnamed but will have the primary goal of developing standards with the following characteristics:

Comprehensive – a total approach towards handling security vulnerabilities, including processes and practices for investigation and reporting as well as advisories.
Collaborative – create a framework to provide cooperative relationships between vendors and security researchers, with the goal of protecting computer users.
Broad Acceptance – standards created by this group will be developed as part of an open RFC process. Any and all interested parties would have the opportunity to review drafts and provide feedback.

Ultimately, the members of this organization will mutually agree to follow several basic practices to improve the overall consistency of detecting and responding to security vulnerabilities. When completed, these new standards will contribute to significantly safer Internet and enterprise environments. For more information see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/standard.asp

Microsoft is also continuing to mobilize its own people and resources in the Microsoft Strategic Technology Protection Program (STPP, http://www.microsoft.com/security). The focus of this program is to integrate products, services, and support information relating to security. The program’s first offering is the Microsoft Security Toolkit CD, which includes best practices, guides, and other information for securing network and computer systems and ensuring protection against attacks.

Protecting the Enterprise

Given the increasing sophistication of security threats and the new capabilities of Microsoft products including Windows XP and Office XP, the question then becomes: what is the most appropriate way to protect and secure the enterprise?
In this section, security practices, technologies, and management policies are presented to provide an overview of the elements needed to create a secure environment. This section also discusses the role Windows XP and Office XP serve in protecting the computing network environment, as well as major new security features and enhancements.

The Need for a Comprehensive Approach

Microsoft realized long ago that building effective solutions against would-be attackers and other security threats requires a comprehensive security infrastructure that provides the technologies and capabilities needed to secure the entire network, including the user desktop. These technologies had to be developed concurrently with administrative policies and user practices in order to effectively reduce the risk from security vulnerabilities and attacks. The problem was, and is, to define a comprehensive approach to security that covers all aspects of security management. Without this, the exposure and potential for attack is too varied and functionally discrete to be handled independently. Developing security technologies that reduce the risk from both non-malicious and malicious attacks is far simpler than attempting to define separate solutions for each. Given that the results of attacks are typically unauthorized access, loss of data, and disruption of service, the motive or type of attacker really does not matter. Security should improve the robustness of the environment, providing higher quality of service and availability for authorized users.

A comprehensive approach needs to address the following topics:

Strategy, Planning, and Architecture – important in any comprehensive approach is the need to understand why and how tools, technologies, policies, procedures, and practices are chosen, so that they are consistent and make sense. Particularly in security, it is important to have a general strategy, plan, and architecture defined in order to evaluate the robustness and capabilities of the chosen solution.

Tools and Technologies – the tools and technologies provide the first line of defense in managing both desktop security and the enterprise network. The same is true for administrative tools and enterprise services (Windows 2000 Server, Windows .NET Server, and server applications).

Policies – with a good foundation of strategy and tools, policies must be created and defined that determine how these tools, technologies, and strategies will be used. In some cases, policies can be automated and managed by the systems, facilitating user compliance. A secure environment will typically have both automated policies (see Group Policies below for an example of policy automation) and manual policies to support both user and hardware computing environments.

Procedures and Practices – the enterprise may define specific procedures and practices for working with the enterprise network systems to further ensure good security. Common procedures and practices may be defined for installation and deployment, user account management, file recovery, e-mail, and user settings.

The Security Entity Building Block Architecture

A comprehensive security solution covering all the topics described in the last section is specific to each enterprise implementation. Corporate policies, business objectives, and available resources all play an important role in determining the appropriate level of risk and need for security. Microsoft, however, defines a general architecture for assessing and managing security. Named the “Security Entity Building Block Architecture” (SEBA), the architecture defines the entities or ‘zones’ of security and their relationships to each other.
Using this model, it is possible to breakdown security threats and vulnerabilities and to assess the potential risk and required security features. The entities include: End Systems (computer hardware devices with an operating system) Local communications systems (network functionality) Administrative authority (centralized security management) Private Networks (network sharing between companies) The Internet Analysis of the dataflow in and between the entities provides the means to understand and isolate the vulnerability points. Examining how data is stored and managed by a computer as well as the data traveling across communication networks can expose the weaknesses in the enterprise. Left unprotected, these weaknesses may cause loss of data, unintended exposure of confidential information, or corruption. A complete understanding of the strengths and weaknesses of the enterprise is then determined by examining the entities together, beginning with End System working out toward the Internet Entity. Each of the security entities are briefly described in the following subsections. For more information regarding SEBA, see Security Entities Building Block Architecture (http://www.microsoft.com/technet/security/bestprac/secentbb.asp). End Systems The end system is the basic security element within the network. Its most basic form is a computer with an operating system. In the enterprise today, however, end systems are typically specialized to perform explicit functions within the network environment. The most common differentiation is defining these systems either as a user workstation or server. Servers may also be further categorized as to their particular role: roles such as mail server, file server, application server, web server, database server, etc. The key elements of an end system that may be viable to attack include: Local Account Information Local policies and event logging The Registry File system System Services and Applications. 
The extent to which these elements are vulnerable and need to be protected also depends on the role that the end system plays within the enterprise. One common misconception is that servers are more vulnerable to attack than workstations. From a security point of view, servers tend to pose less of a risk, as they are usually well managed and controlled in comparison to user workstations. Users often download information to a relatively unprotected workstation, creating a high degree of risk exposure. If the user workstation is a portable laptop or mobile computing device, theft of this information would be relatively easy. Servers, on the other hand, may contain mission-critical information or provide mission-critical functionality that must be protected, where any breach of security could be catastrophic. Servers are most often the targets of denial of service and unauthorized access by external attackers. To further protect these server systems, application services running on the platform will typically provide additional security measures to further reduce the risk of attack. Services including Microsoft Internet Information Server (IIS), Microsoft SQL Server™, and Microsoft Exchange all provide security functionality in addition to what is provided by the basic operating system (Windows 2000 Server, Windows .NET Server).

With the release of Windows XP, Microsoft has finally achieved a common base of security functionality across all versions of its operating systems, protecting both workstations and servers alike. Windows XP, Windows 2000 (and its predecessor Windows NT), and the forthcoming release of Windows .NET Server all provide security functionality for end systems. The specific features for securing a workstation running Office XP and Windows XP are covered in the section Windows XP / Office XP Desktop Security.
In addition to providing basic resource security features for services and data located on the server, Windows server operating systems provide additional security services that are useful for managing the security of the entire enterprise centrally. As discussed further below, Microsoft Active Directory® Services and the Microsoft Management Console (with associated snap-ins) are powerful services and applications enabling centralized systems management.

Local Communications Systems

From a security perspective there are two primary issues with local communications. First, data transmitted from one end system to another must reach the target without being read or modified before it reaches its destination. Second, data sent to an end system must come from an authorized user with appropriate access credentials. Data moving within the communications systems cannot be protected directly by the operating system. Windows uses multiple transmission protocols (e.g. Point-to-Point Tunneling Protocol (PPTP) and secure sockets) that encrypt information before it leaves the end system. Using these protocols helps ensure that information is not viewed or tampered with while in transit, but it is not completely secure. All protocols have limitations and require a clear understanding before use. Windows provides authentication and access control for remotely connected users. When implemented correctly and used appropriately, these capabilities can dramatically reduce the security vulnerabilities in networks and other locations.

Administrative Authority

Making an enterprise secure, with reduced risk from attack, requires all network and end systems within the enterprise to be managed consistently. This usually requires some centralized authority to monitor and configure all systems and networks. From a security perspective a centralized administrative authority is less prone to vulnerabilities than a distributed approach.
But the model still has challenges, in that administrative processes such as system maintenance (including installation, deployment, and configuration management), auditing (monitoring activity and resource utilization), and account management all have some vulnerabilities, particularly to a malicious insider. These processes can sometimes be compromised to enable the attacker to create vulnerabilities in enterprise security. This risk can be minimized, however, through the use of Windows administrative features including:

Group Policy Objects – both user and end system policies.
Active Directory Domain Management Tools and Services.
User Access Control for shared resources: files, folders, printers, etc.

With these tools, administrative authority can be finely controlled, effectively limiting the risk exposure from any one individual administrator. Similarly, these tools have features enabling fine-grained access control for enterprise users, limiting each user’s access within the enterprise.

Private Networks

One of the most important benefits of the information revolution is the ability for organizations to share information. When two or more companies share information over a private network, they typically have independent administrative authorities for each enterprise. The information resources shared are well defined and explicitly controlled through trusts established by administrators. In this manner, the two companies can maintain effective security of their enterprise while granting authorized outsiders limited access. With Windows Active Directory Services, administrators are able to create trusts between enterprises with a very fine degree of control and granularity. See the Active Directory website (http://www.microsoft.com/windows2000/technologies/directory/ad/default.asp) for more information.
The Internet

The Internet entity represents the threats and vulnerabilities associated with an enterprise that is permanently connected to the Internet. End systems and network components supporting Internet access are usually the most vulnerable to external threats and attacks, since it is usually necessary to provide some access to untrusted users. In these situations the operating system must delegate some security management to the Internet-accessible service (e.g. web server or FTP server). Internet services should be hardened and well tested for security vulnerabilities before deployment, since they have the potential to compromise enterprise security. The service must provide a robust environment in which the user is able to access the needed functionality, strictly limited to the specific purpose.

Security versus Performance and Productivity

When examining an enterprise’s security strengths and weaknesses, it is important to consider the impact of security on productivity and on overall system performance. It is certainly possible to make an enterprise more secure by severely limiting access and increasing the levels of authentication. But the value of this must always be weighed against the potential performance impact and loss of user productivity. The challenge for Microsoft is to provide a set of tools that can be tailored to deliver the appropriate security capabilities for any enterprise while still providing exceptional flexibility without overly constraining the user. The SEBA model provides an excellent means both for analyzing vulnerability and for understanding what types of security features are needed to protect the enterprise.

Windows XP and Office XP Role in Securing the Enterprise

Windows XP and Office XP each serve as the first line of defense in protecting the end-user system and the enterprise from unauthorized user access.
The products’ tools and features give users the ability to control access to information at a very fine level of granularity. Windows XP and Office XP provide the primary access portal for working with enterprise resources. With users needing easier and better ways to manage and share multiple devices, workstations, and information, the ability of the workstation operating system and application software to manage user interaction with the enterprise effectively and securely is critical. Consider that many users need to work with their information and applications from multiple workstations. Similarly, multiple users may use a single workstation. Windows XP and Office XP provide multi-user support, terminal services, and virtual desktop features enabling the user to have a consistent and secure experience on multiple workstations, whether locally or remotely connected.

When compared to their predecessors, Windows XP and Office XP have evolved to support these more complex user requirements, where the emphasis is now on sharing information and access to services across a connected network of systems. With previous versions, the emphasis was on the end system and on providing maximum performance for an individual user experience, given limited computing resources. The growth of distributed network services has been a natural evolution of computing technology, driven by our increased understanding and awareness of the value of networked information. As previous versions of Windows and Office presented the right features and capabilities for their time, now the XP products are positioned for the next evolution: pervasive computing.

Windows XP / Office XP Desktop Security

Both Windows XP and Office XP provide an extensive set of features for protecting the enterprise.
This section presents a brief overview of the many security features and capabilities of Windows XP, Office XP, Microsoft Internet Explorer, and the major enterprise security administration tools. The combined capabilities of these features provide the enterprise with a new level of protection not available in earlier versions. Administrators can fine-tune the security features of Office XP and Windows XP, enabling user privileges and access consistent with enterprise security management policies and practices. Windows XP and Office XP also provide improved capabilities for centralized management and administration of the security features through installation tools as well as Active Directory Services.

Windows XP Security Features

Windows XP provides a solid foundation for workstation security and end-user management. The operating system controls and manages data I/O as well as the protection of information while it is stored locally. Further, Windows XP provides additional features for managing the configuration and user access control within the environment. Windows XP also includes several key components and applications that support application security features. For more information regarding Windows XP security features and capabilities, please refer to the Windows XP help documentation as well as the MSDN security website (http://msdn.microsoft.com/security). The major Windows XP security features are described briefly in the following subsections.

Encrypted File System

Windows XP provides built-in functionality for encrypting user files. The Encrypting File System (EFS) allows users to store sensitive files in encrypted folder structures. Applications that access the files encrypt and decrypt them automatically, and only users with the proper credentials can read them. Encrypted files and folders work like any other files or folders because encryption is transparent to the user.
EFS provides the ability to encrypt files from the file’s properties dialog box by simply selecting a check box. EFS only encrypts data that is stored on disk. Encrypting data as it is transported over a network requires the use of Internet Protocol Security (IPsec) or PPTP encryption. One other important feature of EFS is the ability to recover encrypted files. Authorized administrators can gain access to the encrypted content even when the original user credentials are compromised. See Encrypting File System (EFS) at http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_SEconceptsUnEFS.htm for more information.

Group Policies

Windows XP provides extensive policy templates that can be used to manage both user and computer environment settings. Administrators can consistently and simply manage large numbers of desktop environments through policies by selectively turning particular features on and off. Using the Group Policy snap-in, group policy settings can be specified centrally in Active Directory and then applied to a whole group of users and computers. Group policies are provided for users, client computers, servers, and domain controllers. Some of the major group policy features supported by Windows XP are described below:

User Policies – these policies are applied to the individual user. Windows XP supports the ability to assign scripts, redirect folders, manage application configurations, and store user preferences and settings. These policy settings follow the user to whatever Windows XP computer the user logs on to.

Computer Policies – these policies provide the means to manage computer security, access control, and configuration. Account policies, public key policies, startup and shutdown scripts, local policies (auditing, user rights assignment, and security options), and IP security policies are supported.
Local Security Policy – the local security policy can be used directly to modify account and local policies, public key policies, and IP security policies. Local policies are provided for non-domain user accounts and local machine policies, but in most cases domain computer policies will override the local security policies. Computers belonging to a domain are managed with group policy objects associated with the organizational units that contain the particular computers or users. The policies applied to a particular user are calculated during logon and are known as the Resultant Policy Set. Using the Group Policy snap-in, Windows XP users with appropriate permissions may view their Resultant Policy Set.

Data Backup

Data-loss prevention and recovery capabilities are standard with Windows XP. The backup application and system tools provided enable users to back up files and folders to fixed or removable storage devices. One powerful use of this backup is to configure it to regularly back up local files to a server, which can subsequently be backed up by enterprise backup procedures. See Back Up and Recover Your Information (http://www.microsoft.com/windowsxp/pro/using/howto/gettingstarted/guide/backup.asp) for more information.

Offline File Synchronization

In addition to backup, users can select server-based shared files and folders for use offline. Windows XP can make these files available on a computer that is not connected to the network. When offline, these files are stored locally and can be encrypted to prevent unauthorized access. When the computer reconnects, any changes are automatically synchronized and the temporary local files may be deleted. See Use Offline Files When You’re off the Network (http://www.microsoft.com/windowsxp/pro/using/howto/gomobile/offlinefiles.asp) for more information.

Digital Certificates and PKI

Windows XP provides built-in support for managing public key certificates and the Public Key Infrastructure (PKI).
Certificates can be used for a variety of functions including user authentication, document signing, code signing, secure e-mail, and Internet Protocol security. PKI is a standards-based infrastructure model that allows any PKI-compliant computer or service to obtain access and authorization through a well-defined method. A certificate is a digitally signed statement that binds the value of a public key to the identity of the person, device, or service holding the corresponding private key. For more information see PKI Enhancements in Windows XP Professional and Windows .NET Server (http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp).

Smart Cards

For enterprises desiring stronger authentication than is provided by ordinary user name and password combinations, Windows XP provides built-in support for smart cards. Smart cards are credit-card-sized devices that contain digital signatures, passwords, public and private keys, and other personal information. They provide tamper-resistant storage and serve as an additional element of identification. For more information see Smart Card Overview (http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/WINDOWSXP/home/using/productdoc/en/sag_SC_intro.asp).

Auditing Security Events

Windows XP provides an extensive set of auditing functionality for monitoring and detecting unexpected conditions and events that may occur within the computing environment. Monitoring system events is useful for detecting intruders as well as attempts to compromise data on the local system. The most common types of events to be audited are object access, management of user groups and group accounts, and user logon and logoff. In particular, auditing may be used to monitor a specific event such as failed logon attempts. The security logs can be viewed using the Event Viewer.
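As an added example that is not part of the white paper, the following Python reads a constructed export of the failed-logon records described above and flags, per account and workstation, both bursts of failures and a successful logon that follows a run of failures. The row layout, the sample rows, and the function names are constructed for illustration; event IDs 528 (successful logon) and 529 (logon failure) are the IDs Windows 2000/XP write to the Security log.

```python
"""Failed-logon detection over a constructed Windows XP-style Security log
export.  Added example, not from the white paper: rows and layout are
constructed; the event IDs are the Windows 2000/XP Security log values."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_SUCCESS = 528   # "Successful Logon"
LOGON_FAILURE = 529   # "Logon Failure: Unknown user name or bad password"

# Constructed sample export: time, event ID, account, workstation.
# One row is deliberately out of order to show that the parser sorts.
SAMPLE_LOG = """\
2002-04-15 08:00:01,528,jsmith,WKS-0412
2002-04-15 08:02:25,528,Administrator,WKS-0413
2002-04-15 08:02:10,529,Administrator,WKS-0413
2002-04-15 08:02:12,529,Administrator,WKS-0413
2002-04-15 08:02:15,529,Administrator,WKS-0413
2002-04-15 08:02:17,529,Administrator,WKS-0413
2002-04-15 08:02:20,529,Administrator,WKS-0413
2002-04-15 08:15:00,529,jsmith,WKS-0412
2002-04-15 08:30:00,529,mlee,WKS-0420
2002-04-15 08:31:00,560,mlee,WKS-0420
2002-04-15 09:15:00,529,jsmith,WKS-0412
2002-04-15 10:15:00,529,jsmith,WKS-0412
2002-04-15 11:15:00,529,jsmith,WKS-0412
2002-04-15 12:15:00,529,jsmith,WKS-0412
2002-04-15 12:15:05,528,jsmith,WKS-0412
"""


def parse_log(text):
    """Parse the export into (timestamp, event_id, account, workstation) tuples,
    sorted by time, since an exported log is not guaranteed to be in order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, account, workstation = line.split(",")
        records.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                        int(event_id), account, workstation))
    records.sort(key=lambda r: r[0])
    return records


def find_bruteforce(records, threshold=5, window_minutes=5):
    """One alert per (account, workstation) that accumulates `threshold`
    failures inside a sliding window: (account, workstation, first, last, count).
    Occasional mistyped passwords spread over hours do not trip this."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerts = {}
    for when, event_id, account, workstation in records:
        if event_id != LOGON_FAILURE:
            continue
        key = (account, workstation)
        q = recent[key]
        q.append(when)
        while when - q[0] > window:      # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = (account, workstation, q[0], when, len(q))
    return list(alerts.values())


def success_after_failures(records, min_failures=3, window_minutes=5):
    """Flag a successful logon preceded by at least `min_failures` failures
    for the same account and workstation within the window; a guessed
    password is one explanation that deserves an analyst's attention."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    hits = []
    for when, event_id, account, workstation in records:
        q = recent[(account, workstation)]
        while q and when - q[0] > window:
            q.popleft()
        if event_id == LOGON_FAILURE:
            q.append(when)
        elif event_id == LOGON_SUCCESS:
            if len(q) >= min_failures:
                hits.append((account, workstation, when, len(q)))
            q.clear()                     # a successful logon ends the run
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in find_bruteforce(recs):
        print("burst of failures:", alert)
    for hit in success_after_failures(recs):
        print("success after failures:", hit)
```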
The audit policy controls which events are audited. For more information see Using Audit Policies to Secure Your Windows 2000 Network (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnexnt00/html/ewn0054.asp).

Integrated Wireless Networking

With built-in support for wireless data communications, Windows XP offers an easy way to connect with a variety of portable computing devices including PDAs, cell phones, and other computers. With this capability, features are provided to ensure that only authorized wireless devices may connect and access information. See Wireless LAN Technologies and Windows XP (http://www.microsoft.com/windowsxp/pro/techinfo/planning/wirelesslan/default.asp) for more information.

Office XP Security Features

Office XP includes additional security features beyond those supported by Windows XP. Focusing on managing applications and improving document security, Office XP features provide a secure environment for your user applications and data. For a detailed description of security features and tips see Microsoft Office XP Security (http://www.microsoft.com/office/techinfo/administration/XPsecurity.doc). This section presents a brief overview of the major security features and enhancements available in Office XP.

Compared with previous versions of Microsoft Office, Office XP has evolved to support fully integrated Internet-based shared content and information management. Each of the Office applications has been restructured from the inside out to safely incorporate and share information between users. Whether sharing data and resources via an intranet or the Internet, Office XP provides new capabilities to protect and ensure the integrity of information with more flexibility than ever before.

Digital Signatures

A digital signature uses the private key associated with a digital certificate to protect against tampering and to provide authentication.
Office XP uses digital signatures to sign files (e.g. documents, presentations, workbooks, and macros), providing a means to identify the source and verify authenticity. If the entire file is signed, the digital signature ensures the file has not been modified since it was signed. See General Information about Microsoft Office XP Encryption (Q290112) at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q290112 for more information.

Code Signing

Code signing is similar to digital signatures but refers to the use of signatures on executable code, including macros. By signing the code, whether it is an ActiveX® control, COM component, or macro, a high degree of verification is provided to ensure source authenticity and code integrity. Code signing does not guarantee the quality, trustworthiness, or competence of the signer. See Code Signing with IEAK 5 and Later (Q269395) at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q269395 for more information.

Access Control Settings

Each of the applications within Office XP provides a number of access controls that enable users and administrators to specify security settings. Word, Excel, Access, and Outlook all provide property pages and installation templates for enabling and disabling one or more application features. See Outlook Virus Protection below for a specific example.

Macro Security

With all the recent exploitation of macros, administrators might be tempted to permanently disable all macro functionality. Though Office XP provides the capability to do just that, it has also greatly improved the management and security of macro execution. Most Office XP applications provide the means to specify the macro security level within a range from ‘high’ to ‘low’. With ‘high’ macro security, only signed macros from trusted sources are allowed to run; unsigned macros are automatically disabled. Medium security allows the user to choose whether to run potentially unsafe macros.
Low security runs all macros without warnings. For more information see Office XP Macro Security White Paper (http://office.microsoft.com/downloads/2002/offxpsec.aspx).

Document Protection

Word, Excel, Access, and PowerPoint provide various features to protect documents from changes and unauthorized access. These features are provided in addition to operating system features such as EFS and share-level permissions. Users can control access to documents using file access protection: the author may specify a password required to open or modify the document. Depending on the mode, users cannot open the document, or can open it only as read-only, unless they provide the correct password. Microsoft Word also provides other features for protecting and documenting changes during review cycles, allowing reviewers and editors to make comments and changes to the document while still preserving the original version. Word also provides features to protect certain portions of a document from changes. Similarly, Excel provides features to protect ranges of cells, and Access provides various methods for controlling access to database objects (e.g. tables, queries, forms, etc.). See Protecting Office Documents at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpreskit/html/admc01.asp for more information.

Privacy

Microsoft Office XP provides two major enhancements in support of confidentiality and privacy. Users can encrypt files using a password as the key, to prevent them from being read by unauthorized users. This differs from EFS in that the encryption is preserved in the document even when it is transmitted over the network. For example, a document encrypted with a password and then sent via e-mail still requires the receiver to know the password before they can read the information. Office applications also provide a feature for stripping metadata (i.e. document properties such as title, author name, etc.) to ensure that user information is not transmitted in published documents. See Protecting Office Documents at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpreskit/html/admc01.asp for more information.

Outlook Security

As the center point of user workflow and information management, Outlook 2002 has been improved to reduce the risk of security threats while still enabling a high degree of flexibility and control. By default, Outlook 2002 is much more stringent about sending and receiving specific types of attachments and about access to contact and address data. Administrators can customize the security settings to meet the organization’s requirements. The Outlook 2002 security model supports S/MIME v3 security, which allows users to exchange secure e-mail messages with other S/MIME e-mail clients over the Internet as well as within an organization. By providing features including digital signing and encryption, Outlook 2002 helps to ensure user information is protected both when stored locally and in transit. Several security features that were optional in Outlook 2000 Service Release 1 are now standard in Outlook 2002. These include support for security labels and signed receipts, which allow you to provide more secure e-mail communications within your organization and to customize security to your requirements. Security profiles are configured automatically during installation and give the administrator more control with greater customization and flexibility compared to previous versions. Registry settings can be used to customize controls on secure messages to match an organization's security policies. For more information see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpreskit/html/outg01.asp.
Outlook 2002 provides the following security features:

Attachment Security – viruses, worms, and Trojan horses attached to e-mail messages have the potential to spread quickly through an organization once a machine is infected. Outlook 2002 checks attached files using two internal attachment lists: the ‘Level 1’ and ‘Level 2’ lists specify how attachments should be handled. ‘Level 1’ attachments, including .bat, .exe, .vbs, and .js, are blocked entirely by Outlook 2002, which notifies both the sender and the receiver that the message contains blocked content. ‘Level 2’ attachments may be viewed by the user but not executed directly; users are prompted to save the attachments rather than open them directly, as they decide. Administrators can modify these lists either on the local machine or through a master list stored in an Exchange public folder.

Address Book Security – Outlook 2002 no longer allows programs to automatically access the Address Book and Contact lists or to send messages on behalf of the user. Though these capabilities can greatly streamline workflow with other applications, they can also be used by a malicious program to propagate itself to unsuspecting recipients. Now, when another program attempts to access a user’s address book, a warning box appears on the screen, which enables the user to allow or disallow access for a specified period of time. Specifying ‘No’ prevents the external program from accessing personal information.

Restricted Sites Settings – by default, the security zone setting for Outlook 2002 is “Restricted Sites”; prior versions were set to “Internet”. The “Restricted Sites” setting disables most automatic scripting and prevents ActiveX controls from running without permission. These settings can be specified during installation or through the Security tab in program options (found on the Tools menu). See Internet Explorer Security Features for more information regarding security zones.
Protected HTML Messages – with the security zone set to “Restricted Sites” by default, ActiveX controls contained within HTML messages are disabled. The Outlook 2002 zone setting overrides the Internet Explorer zone setting, thus preventing malicious exploits based on embedded elements. JavaScript can also be disabled, providing additional security but at the cost of disabling some functionality that might be required by certain organizations.

Security Administration Tools – Outlook 2002 provides administrative tools available with the Office Resource Kit CD or the Enterprise editions of Microsoft Office XP. These tools provide a set of templates, tools, and information for configuring Outlook 2002 security. The files are contained in an executable, admpack.exe, which installs or copies the tools as specified by the administrator.

Deployment Improvements – Outlook 2002 security settings can also be administered using Group Policy Objects. Using the System Policy Editor provided in the Office Resource Kit Toolbox, administrators can load the appropriate policy templates (an ADM file) into Active Directory. For Office XP deployments previously installed without policies, a registry key on the client computers must be updated to tell Outlook where to find the security settings. Once installed, the policy file is downloaded each time users log on to the system.

Specify Trusted COM Add-Ins – one of the security administration tools, the Trusted Code Control (Hashctl.dll), allows administrators to specify a list of trusted COM add-ins that can run without being locked out by the application security. With this tool and the administrative templates (Admin.Oft), rich workflow solutions can be deployed without sacrificing system security. Each of the workflow add-ins can be added to the trusted list and used automatically by Outlook.
In addition, Outlook supports signed COM add-ins and ActiveX controls; see COM Add-Ins Security below for more information.

Support for S/MIME Encryption – encrypt and decrypt any S/MIME version 3.0 message. Outlook 2002 can send and receive encrypted files. It supports both high and low encryption algorithms including RSA (128- and 40-bit keys), 3DES (168-bit key), CAST (64- and 40-bit keys), and DES (40-bit key). Users may also digitally sign and verify messages. Outlook also supports integration of digital keys and signatures with Active Directory for simplified management across the entire enterprise.

COM Add-Ins Security

All of the products in Microsoft Office XP can be configured to trust installed COM add-ins automatically. Enabled by checking “Trust all add-ins and templates”, the applications will automatically load all COM add-ins, application-specific add-ins, and templates in trusted folders without checking whether their signatures are valid. If this option is disabled, the Office XP application checks whether the add-in has been digitally signed by a trusted source. If the component is signed, it is loaded under any security level. For unsigned components, components not signed by a trusted source, or components whose signature is invalid, the application acts according to the current macro security level (see Macro Security):

High Security – add-ins and template components are not loaded.
Medium Security – users are warned of the potential security risk of using an unsafe component.
Low Security – the component loads and runs without prompting the user.

To digitally sign a COM add-in DLL, a digital certificate must be obtained from a certificate authority and the DLL then signed with the Signcode.exe utility included with the Microsoft Internet Client Software Development Kit (SDK).
For more information regarding COM add-in security see COM Add-Ins Security at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/modcore/html/deovrCOMAddinsSecurity.asp.

Data Recovery using AutoRecovery

Perhaps one of the most valuable improvements is the new AutoRecovery feature supported by all Office XP applications. When an Office XP application encounters a fatal problem and is unable to continue, the AutoRecovery feature attempts to close the program in a controlled manner. It attempts to save the currently edited version as well as any temporary versions that may have been stored on disk. The recovered files are checked for errors and corrected whenever possible. AutoRecovery then restarts the failed program and prompts the user to select from a list of possible recovered documents. In many situations, the feature is able to recover the entire document, allowing the user to continue editing without losing any information. AutoRecovery is also available in the Office Tools program group. Users may also specify the auto-save interval, which by default is set to 10 minutes (saving only if necessary).

Internet Explorer Security Features

Beginning with Internet Explorer version 4.0, security features have been provided to help prevent users from inadvertently downloading and executing malicious code or ActiveX controls contained within web pages. New with Internet Explorer 6.0, however, is better support for privacy and improvements in code access security via Microsoft Authenticode provided by Windows XP. Like Microsoft Outlook, Internet Explorer also supports security zones and security levels, which allow the user to control how information and controls are downloaded and executed from each zone. Sites assigned to one zone are treated differently than sites assigned to others.
The security zones are described briefly as follows:

Local Intranet Zone – by default, the Local Intranet zone contains all of the network connections that were established by using a Universal Naming Convention (UNC) path, and websites that bypass the proxy server or have names that do not include periods (for example, http://local), provided they are not assigned to either the Restricted Sites or Trusted Sites zone. The default security level for the Local Intranet zone is set to Medium (Internet Explorer 4) or Medium-low (Internet Explorer 5 and 6).

Trusted Sites Zone – this zone contains websites that are trusted as safe (such as websites that are on an organization's intranet or from established companies). Files downloaded from a website in the Trusted Sites zone should be safe and a minimal threat to users' workstations and information. By default, there are no websites assigned to the Trusted Sites zone, and the security level is set to Low.

Restricted Sites Zone – this zone contains websites that are not trusted. Sites added to the Restricted Sites zone may contain harmful content that could damage or corrupt user workstations and information. By default, there are no websites assigned to the Restricted Sites zone, and the security level is set to High. The Restricted Sites zone may contain websites that are not on the local computer or intranet and are not assigned to the local and trusted zones.

Internet Zone – this zone contains all websites not included in the other zones.

These security features help protect users from many scripting-based attacks. Using Group Policy Objects and/or custom user settings (via Options on the Tools menu in Internet Explorer), administrators can specify security settings for each zone. For more information on the Restricted Sites and Internet zones, see the Microsoft Knowledge Base article Q174360, How to Use Security Zones in Internet Explorer.
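The zone assignment rules described above can be modelled as a small classifier. The following is an added example written for this page, not Microsoft's code: explicit Trusted/Restricted assignments take precedence, then UNC paths, proxy-bypass hosts and dotless host names fall into Local Intranet, and everything else is Internet. The pattern lists, the `proxy_bypass` parameter and the host names used are assumptions made so the rules can be exercised offline.

```python
"""Model of the Internet Explorer zone-assignment rules quoted in the paper.

Constructed example, not Microsoft code. Only the rules the paper states are
encoded; the administrator-supplied pattern lists are assumptions.
"""
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Default levels quoted in the paper for IE 5/6. The paper gives no default
# for the Internet zone; "Medium" (the IE default) is assumed here.
DEFAULT_LEVELS = {
    "Local Intranet": "Medium-low",
    "Trusted Sites": "Low",
    "Restricted Sites": "High",
    "Internet": "Medium",
}


def _host_of(url):
    """Return (host, is_unc) for an http(s)/file URL or a UNC path."""
    if url.startswith("\\\\"):                      # UNC path, e.g. \\srv\share
        return url[2:].split("\\")[0].lower(), True
    parts = urlsplit(url)
    if parts.scheme == "file" and parts.netloc:     # file://server/share form
        return parts.netloc.lower(), True
    return (parts.hostname or "").lower(), False


def _listed(host, patterns):
    """Case-insensitive glob match against an administrator-supplied list."""
    return any(fnmatch(host, p.lower()) for p in patterns)


def classify(url, trusted=(), restricted=(), proxy_bypass=()):
    """Return the zone name the paper's rules assign to ``url``.

    trusted / restricted: host patterns assigned to those zones (e.g. via
    Group Policy). proxy_bypass: hosts reached without the proxy. A host in
    both lists is treated as Restricted (fail-safe tie-break, an assumption).
    """
    host, is_unc = _host_of(url)
    if _listed(host, restricted):
        return "Restricted Sites"
    if _listed(host, trusted):
        return "Trusted Sites"
    # Not explicitly assigned: apply the Local Intranet heuristics.
    if is_unc or _listed(host, proxy_bypass) or (host and "." not in host):
        return "Local Intranet"
    return "Internet"


def zone_and_level(url, **lists):
    """Zone name plus the default security level for that zone."""
    zone = classify(url, **lists)
    return zone, DEFAULT_LEVELS[zone]


if __name__ == "__main__":
    # Constructed sample policy and URLs; all host names are placeholders.
    policy = dict(trusted=["*.partner.example"], restricted=["bad.example.net"],
                  proxy_bypass=["*.corp.example"])
    for u in ("http://local", r"\\fileserver\share\plan.doc",
              "https://portal.corp.example/", "https://www.partner.example",
              "http://bad.example.net/x", "https://www.example.com"):
        print(f"{u:40} -> {zone_and_level(u, **policy)}")
```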
Enterprise Network Security Management Tools

Though the emphasis of this paper is on enterprise security using Windows XP and/or Office XP, it is worthwhile to mention some of the enterprise management tools that can be used to manage networks with a large number of computers and workstations. Windows XP and Office XP are both designed to meet the needs of centralized data management. As a result, administrators are able to manage security policies and application configurations centrally without the need to configure every desktop individually. Using Active Directory services, MMC, and the templates found in the Microsoft Office XP Resource Kit (http://www.microsoft.com/office/ork/xp/default.htm), administrators can configure the security features as needed for each group of users using Group Policy Objects. Active Directory also provides support for managing user certificates through a fully integrated PKI solution. This enables full access to public and private key data on any desktop machine the user logs on to. In addition, Microsoft provides a number of installation tools and customization capabilities for even more control of the desktop configuration.

Best Practices for a Secured Environment

In this section, best practices are presented for establishing a secured environment using the features and functionality of both Windows XP and Office XP. One of the principal challenges in securing an enterprise is to gain a good understanding of the risks, including both the threats and the vulnerabilities. The intent of these best practices is to provide some general tips and strategies for improving enterprise security.

Enterprise Security Risk Analysis, Planning, and Design

This cannot be overstated: obtaining a good understanding of the organization's security needs, vulnerabilities, and general strategy is the most important activity toward implementing a secure environment.
If an organization does not take the time to determine its strengths and weaknesses appropriately, installation of security measures may ultimately prove ineffective. Applied correctly, the security technologies provided by Windows XP and Office XP can effectively reduce the risk exposure of end user systems. Consider the following practices:

Create a Security Team – an internal team that is empowered to define security standards and implement security policies. Roles and functions may vary depending on the size and complexity of the organization. The team can provide strategic direction, training methodologies, and management functions for an overall security infrastructure. Also consider creating a corporate security officer (CSO) position whose primary responsibility is the protection and management of the organization's security.

Do a detailed assessment of enterprise vulnerabilities and user computing practices – develop a model of the enterprise and prioritize the risks and vulnerabilities faced. Be sure to consider non-malicious threats as well, since it is more likely that the organization will be compromised due to unintended user actions.

Review and analyze data I/O and storage practices – determine where sensitive information is being stored. In particular, look at how local storage on user workstations and mobile devices is used to store information temporarily. Some training might be required to improve awareness of the appropriate practices for storing and using data. For example, locally stored data should be encrypted using EFS, or at least password protected.

Develop a comprehensive security plan – planning end user system security should be done in conjunction with planning for the entire enterprise. A comprehensive security plan will also have strategies and scenarios that detail the steps to take should the enterprise be compromised in some manner.
Given that security threats are very real and it is unlikely that technologies can provide total protection, knowing what to do when a breach does occur is extremely important in minimizing damage.

Perform an external review of enterprise security solutions – perhaps one of the best methods to get a handle on the security of the enterprise is to have a professional enterprise security consultant come in and review the organization's current practices and security tools. They may be able to identify additional areas of vulnerability or help improve efficiency. In either case, an external review will help to increase confidence and awareness of potential threats and vulnerabilities.

Prefer transparent security measures over manual policies and procedures – as most well-seasoned administrators will confirm, attempting to create a secure environment using complicated manual policies and procedures will ultimately lead to disaster. The best approach, whenever possible, is to make security transparent to users. The use of security tools and technologies will generally provide a more consistent and secure enterprise.

Do not overly constrain user privileges and access – when developing the security plan for the end user system, be sure to consider the user's work habits and needs. It is important to provide enough security to protect the enterprise without overly constraining the user's productivity. An overly constrained environment could lead to unintended consequences, as users will usually attempt to find workarounds that simplify their own job. This is a tough balance to strike, but it is crucial to ensuring that the security measures and practices in place continue to be effective.

End User System Security

With a good understanding of the needs, threats, and potential vulnerabilities, consider the following practices for managing the security of end user systems.
Secure Physical Equipment – be sure to consider how well computers and other networking equipment are secured. Even with the best software technologies, equipment that can be easily removed, stolen, or physically compromised is a significant security vulnerability. If computers are exposed to unauthorized users, extra security measures such as locks and removal of unsafe I/O devices may be required.

Create a Security Policy Document – develop a document that outlines a series of guidelines and standards that attempt to protect the organization from the common kinds of attacks and vulnerabilities. Such a document might include: general principles of conduct, user access policies, responsibilities and duties, an itemized list of sensitive materials and confidential information, and procedures to follow in the event of a breach of security.

Remote Access Control – beginning with Windows 2000, remote access control can be managed through the Remote Access Group Policy. This is the preferred method of control. Be sure that all users understand the policies regarding remote access and that the policies are consistent with the organization's overall security practices. In most cases, remote access to shared network resources is strictly limited to specific user groups. It is good practice to disallow access by anonymous, guest, or ‘everyone’ accounts.

Encryption Strategies – consider using EFS and S/MIME encryption for sensitive corporate information. In situations where there is unauthorized access, the attackers may not be able to read what they find.

Virus Protection – end systems and network servers should run an automated virus protection solution. It should periodically scan the machine for viruses, worms, and other infections and receive regular updates. Virus software should also support the Office XP Anti-virus API, which enables Office XP applications to scan documents for known viruses when they attempt to open a file.
Windows XP Security

Define user-level security for shared files and folders – for local resources as well as server-based resources, user-level security should be applied so that only authorized users may view, access, or modify selected information. Avoid allowing ‘everyone’ to see and access any files.

Establish Group Policies for Users and Computers – for each group of users defined in the domain, establish the appropriate computer and user policies. Use the Group Policy management tools found in the Microsoft Management Console.

Limit Access to System Registry – as part of the user workstation configuration, limit access to the system registry to administrators or authorized users. The integrity of the local machine can be quickly compromised by changing registry entries.

Monitor System Events and Performance – set up and monitor Windows XP events and performance. When breakdowns do occur, logs provide a good source of information for figuring out what happened. Consider auditing the following: account logon events, account management, directory service access, object access, privilege use, and system events (e.g. shutdown).

Use Screen Saver Password Protection – unattended but still logged-in sessions are a real vulnerability that can be exploited for unauthorized access. Be sure to turn on password protection for screen savers. Screen savers should start after a maximum of five minutes of idle time.

Smart Cards, Digital Signatures, and PKI – for extra security and simplified management of signatures and public and private keys, consider incorporating smart cards in the enterprise. These provide a higher degree of authentication assurance and are less prone to compromise than username/password identification alone.
Office XP Security Practices

Utilize Security Templates and Tools Included in the Office XP Resource Kit – the Office XP Resource Kit provides a wealth of security tools and features for deploying a secure installation of Office XP in large enterprise environments. Administrators can customize these installation templates with default security settings consistent with the enterprise security policies.

Only allow Macros / ActiveX Controls to run from trusted sources – disable macros and ActiveX controls from untrustworthy sources. At the very least, prompt the user before running these objects. These settings can be defined during installation and through the security access controls provided in all of the Office XP applications.

Sign all distributed macros – for controls and macros developed within the enterprise, it is good practice to sign them (using a trusted digital signature) so they may be transparently activated by the user. This keeps security in place without sacrificing functionality. Users may also want to sign their own macros using the selfcert.exe tool found in the Office XP Resource Kit.

Specify security settings using policies – the policy templates shipped with the Office XP Resource Kit provide the means to specify most of the system settings for Office XP. Once properly configured, policy updates and changes can be downloaded at logon and applied individually.

Use Group Policy Objects – administrators can create Group Policy Objects, which are similar to system policies (see the previous bullet) but more comprehensive. For Office XP, GPOs can be created to manage Office deployment and configuration. These capabilities work in conjunction with Windows XP software distribution and publication features. Though settings can be managed on a per-user basis, it is usually more effective to manage policies for a specific group of users, whoever and wherever they are.
Staying Secure

Even with a good security plan in place and functioning, vigilance and awareness are critical to staying secure. To this end, Microsoft is committed to providing the latest information and updates regarding security issues with all of its products. Consider these sources for additional information and updates:

Microsoft Windows Update – provides the latest updates and tools for Windows operating systems (http://windowsupdate.microsoft.com).
Microsoft Windows XP Security Website – provides the latest information regarding security and updates (http://microsoft.com/WindowsXP/default.asp).
Microsoft Office XP Website – provides the latest information regarding Microsoft Office XP, the latest service packs, and security information (http://microsoft.com/Office/).

Summary

The security features provided by Microsoft Windows XP and Microsoft Office XP have greatly improved the security and integrity of enterprise desktops and workstations. With the increasing sophistication of security threats and the ingenuity of attackers, enterprise administrators need to deploy tools and technologies that effectively control access to network resources. More and more businesses are utilizing information systems in mission critical capacities. The consequences of a breach in security can be disastrous. From attacks causing denial of service to corruption and loss of confidential information, the security threats facing the enterprise today have the potential to effectively bring down an organization. Microsoft has made a renewed commitment to providing tools and technologies enabling administrators to effectively secure enterprise networks. With the security features provided by Windows XP and Office XP, the bar is effectively raised, yielding a safer and more robust working environment that protects the user and network resources from both malicious and non-malicious types of attack.
Further Reading, Resources, and References

For additional information and resources regarding Windows XP and Office XP security, please consult the following resources:

Windows XP security white papers – http://www.microsoft.com/windowsxp/pro/techinfo/articleindex.asp
New security features/technologies of Windows XP – http://www.microsoft.com/windowsxp/pro/techinfo/planning/security/whatsnew/default.asp
Security how-to's – http://www.microsoft.com/windowsxp/pro/using/howto/default.asp#section7
Best practices for Enterprise security – http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpentsec.asp
System security checklists – www.microsoft.com/technet/security/tools.asp

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2002 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveX, Outlook, PowerPoint, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation
One Microsoft Way, Redmond, WA 98052-6399 USA