Methods of Securing Data in Windows Networks
Mark Boyer
COSC 352
10/2/2008

Securing data in Windows networks is a very important task, especially if you are involved with a company or business. The loss or theft of data from a top secret sector of a company could be catastrophic. Items such as people's personal files, bank account information, and things of that nature need to be protected with the utmost importance. There are multiple tools that we can use to help secure Windows machines and networks. These tools deal with authentication, authorization, setting file permissions, encryption, VPNs, malware protection, and wireless security.

Windows secures the authentication process with settings such as password length, password complexity, password age, and account lockout. Password length sets the minimum and maximum length of the password that a user uses to log on to their account. Windows XP allows anywhere from 0 to 128 characters. Anywhere from 8 to 16 characters is an adequate length for a good password. Then there is the complexity setting within the password policies section of the administrator tools. This setting can be either enabled or disabled. If it is enabled, the user has to meet three out of four requirements when creating a password: uppercase letters, lowercase letters, numbers, and special characters. The setting will only let the user create a new password if it meets at least three of these four requirements.

Another technique used to protect authentication is account lockout. With this setting the administrator can specify how many times a user can enter the wrong password before they are locked out of the system. This helps to stop brute force attacks on a user's account and prevents a hacker from guessing a user's password and being falsely identified as a legitimate user.
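The settings described above can be checked against an exported security policy. The following is an added example, not part of the original essay: it audits the `[System Access]` section that `secedit /export /cfg` writes and applies the three-of-four complexity rule to a candidate password. The sample policy text is constructed, and the minimum length of 8 is an assumption taken from the essay's 8 to 16 character recommendation.

```python
import configparser

# Constructed sample of the [System Access] section from a secedit export.
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
"""

def audit_policy(inf_text, min_length=8):
    """Return findings for the password and lockout settings in an exported policy."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as exported
    cp.read_string(inf_text)
    sa = cp["System Access"]
    findings = []
    if sa.getint("MinimumPasswordLength", fallback=0) < min_length:
        findings.append("minimum password length below %d" % min_length)
    if sa.getint("PasswordComplexity", fallback=0) != 1:
        findings.append("password complexity disabled")
    # A bad-logon count of 0 means accounts are never locked out.
    if sa.getint("LockoutBadCount", fallback=0) == 0:
        findings.append("account lockout disabled")
    return findings

def meets_complexity(password, min_length=8):
    """Length check plus at least three of the four character classes."""
    classes = [
        any(c.isupper() for c in password),      # uppercase letters
        any(c.islower() for c in password),      # lowercase letters
        any(c.isdigit() for c in password),      # numbers
        any(not c.isalnum() for c in password),  # special characters
    ]
    return len(password) >= min_length and sum(classes) >= 3

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_INF):
        print("FINDING:", finding)
    for candidate in ("Summer2008", "password1"):
        print(candidate, meets_complexity(candidate))
```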
Once a user is locked out of the system, the administrator can choose to have the account unlocked automatically after a specified period of time, or unlocked manually by the administrator or another permitted individual. The final thing that I found to help an admin using Windows to authenticate users is the ability to restrict login times and locations. With this setting the admin can specify the times of the day, days of the week, and location (computer) from which users are allowed to access the system. One reason for this is to secure important data from being stolen from outside the company. Another involves the backup process: administrators usually do not want any users logged on during the backup so that nothing can interfere with it.

Another thing that administrators can do is authorize what a user is allowed to access once they have been authenticated. They can go about this by using one of two mechanisms: sharing permissions and NTFS permissions. Sharing permissions allow the admin to set restrictions on which folders a user is able to view over the network. These permissions can only be applied to folders and not to files, but all permissions that are assigned to a folder are also assigned to all the files within that folder. One of the problems with this is that the permissions are not applied to users who log on locally, meaning they will still have access to all files within your system.

The other form of assigning file permissions, NTFS permissions, is basically an upgraded version of sharing permissions. It has the same ability to assign permissions to folders, but it can also assign permissions to files. It can restrict local users as well as users over the network. It can also assign permissions to individual users and to groups of users.
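The difference between local and network access described above can be made concrete with a small model. This is an added example, not part of the original essay, and it goes beyond the text by assuming standard Windows evaluation rules: rights granted to a user and their groups accumulate, a deny entry overrides an allow, and network access gets only the rights that both the share and NTFS permissions grant. The ACLs, user names and group names are constructed, and the rights are reduced to four abstract actions.

```python
# Simplified model of share vs. NTFS permission evaluation (added illustration).
ALL = frozenset({"read", "write", "delete", "change_perms"})
SHARE_LEVELS = {"Read": frozenset({"read"}),
                "Change": frozenset({"read", "write", "delete"}),
                "Full Control": ALL}
NTFS_LEVELS = {"Read": frozenset({"read"}),
               "Write": frozenset({"write"}),
               "Modify": frozenset({"read", "write", "delete"}),
               "Full Control": ALL}

def granted(acl, levels, principals):
    """Union of allowed rights for the user's principals, minus any denied rights."""
    allow, deny = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allow if kind == "allow" else deny).update(levels[level])
    return allow - deny

def effective(share_acl, ntfs_acl, principals, over_network):
    """Rights a user ends up with for local or network access to a shared folder."""
    ntfs = granted(ntfs_acl, NTFS_LEVELS, principals)
    if not over_network:
        return ntfs  # share permissions are not evaluated for local access
    return ntfs & granted(share_acl, SHARE_LEVELS, principals)

# Constructed ACLs: the share is read-only, but NTFS lets Staff modify files.
SHARE_ACL = [("Staff", "allow", "Read")]
NTFS_ACL = [("Staff", "allow", "Modify"), ("Interns", "deny", "Write")]

def report(principals):
    """Compare what the same user can do over the network and at the console."""
    return {"network": sorted(effective(SHARE_ACL, NTFS_ACL, principals, True)),
            "local": sorted(effective(SHARE_ACL, NTFS_ACL, principals, False))}

if __name__ == "__main__":
    print("alice:", report({"alice", "Staff"}))
    print("bob:  ", report({"bob", "Staff", "Interns"}))
```

A read-only share does not protect the folder from a user who logs on at the machine itself, which is why the NTFS ACL has to carry the real restriction.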
NTFS permissions use a set of six standard permissions and 14 special permissions to restrict a user's access to the system. Some of the six standard permissions include read, write, full control, and modify. Some of the 14 special permissions include read attributes, create files/write data, create folders/append data, delete, change permissions, and read permissions. With these two mechanisms an administrator can protect their system much better than they can without them.

The next topic in securing Windows networks is encryption. To start things off you need a good definition of encryption. Encryption is the process of turning a segment of data into cipher text, something unreadable, by using a program that uses a cipher to encrypt and decrypt the message. There are two ways, which the book talks about, of encrypting in Windows systems. The first is IP Security (IPSec) and the second is the Encrypting File System (EFS).

IPSec is probably the most popular method of encrypting data. It works by creating and validating a connection between two devices. This can be done in one of three ways. The first is a preshared key, which is a special key entered by an administrator on both communicating devices. The second is Kerberos authentication, which also uses a special key, but the OS creates it instead of the admin. This makes the process much more secure than the preshared key, because it eliminates the chance for human error. The last is digital certificates, which use a third party known as the Certification Authority (CA) to authenticate. Each device must have applied for a digital certificate from the Certification Authority. Once they have them, communication can take place. They send their messages, then they each verify with the CA to be sure they are who they say they are, and then the messages are decrypted and delivered.
Along with the three ways of authentication, there are three different policies that are used for IPSec in Windows. The first is Client (respond only), meaning that the device only uses secure communication if the other device suggests it. The second is Server (request security), meaning that it requests secure communication if it is available. If it is not available, it continues the communication insecurely. The third is Secure Server (require security), meaning that it requires both parties to support secure communication in order to communicate. If they do not both support it, the communication is terminated. This helps to secure all data that is sent over the computer's network connection.

What if someone gains access to your hard drive? That is where the Encrypting File System (EFS) comes in. EFS gives the user who creates a given file the ability to encrypt it so that only they or the data recovery agent can decrypt and read it. The data recovery agent is most of the time the administrator of the system the user has saved the file on. In doing this the encrypted file is protected from anyone else being able to access it.

The next security measure is the VPN. A VPN is a temporary or permanent connection across a network such as the internet that uses encryption to send and receive data. This is very useful for securing data transmissions and I will leave it at that, because this is another person's topic.

Another important tool in securing Windows networks is the firewall. Firewalls are hardware devices or software programs that inspect incoming and outgoing packets and weed out any that are undesired. Windows includes a firewall within its operating systems called Windows Firewall. Its purpose is to keep out hackers and the like who try to break into your system. There are many different brands of firewall software that you can download to help better secure your computer.
Some of them include ZoneAlarm Firewall, Armor2net Personal Firewall 3.12, Commando Firewall Pro, and Tiny Personal Firewall 6.5. Overall, firewalls can be very useful in keeping out "want to be hackers".

The next thing that I would like to talk about is malware protection. Malware is any type of software that is meant to cause harm or disruption to a computer system. Four different types of malware are viruses, worms, Trojans, and spyware. A virus is a program that spreads by replicating itself into other programs or documents. Its main goal is to corrupt or delete files that are in the system. Next are worms. They also replicate themselves, but they are self-contained and do not need any outside help to spread over a network. Their goals are to send emails, delete files, create backdoors, and use up the network's bandwidth. Trojans are programs that appear to be something useful, such as free software, but are really something else in disguise.

There are programs that attempt to catch these malicious programs before they are able to cause any harm on the computer. These programs are called antivirus software. There are many different types of this software, ranging from free to fairly expensive. Some examples include AVG Anti-Virus Free Edition, AVAST Home Edition, Avira Antivir Personal – Free Antivirus, Norton AntiVirus, and McAfee Virus Scan Plus.

The final form of malware that I listed is spyware. This is a program that collects information about activities on the computer it is installed on and reports them back to the person who put it there. These reports are later used mainly for marketing purposes such as ad pop-ups. There is also software that can get rid of spyware on a computer system. Some of these applications include Ad-Aware 2008, Spybot – Search & Destroy, Spyware Doctor 5.5, and SpywareBlaster 4.1.
With the use of any of these antivirus and antispyware programs you can make your system more secure than it was before they were installed, but the main thing that you have to remember is to update them. If you do not, your protection becomes weaker and weaker as time goes on.

The final topic I would like to talk about is wireless security. As more and more devices and places become wireless, we need to learn how to better protect wireless networks from war drivers. There are five ways that the book lists to do this. The first is using a Service Set Identifier (SSID), which is an alphanumeric label that distinguishes one LAN from another. The second is the Wired Equivalency Protocol (WEP), which provides data encryption in a network and uses a static encryption key. The third is 802.11i (WPA2), which provides better encryption and encryption key handling. The last is MAC address filtering, which is used on smaller networks and restricts network access to specific MAC addresses.

These are the main ways that I have learned from the book and the internet about securing all of these areas. I feel that they are all very useful in setting up a secure network, but no matter what you do you need to make sure that everything is kept up to date and is prepared for the newest and most popular types of attacks. Remember also that security is worth the cost if it protects data that is important to the future of your business or company.

Works Cited

Cnet. Retrieved October 1, 2008. Web site: http://www.download.com

Windows IT Library. Retrieved October 1, 2008. Web site: http://www.windowsitlibrary.com

Greg Tomsho, Ed Tittel, David Johnson. (2007). Guide to Networking Essentials, Fifth Edition.