QUESTION:
I have a small business network with 3 Windows XP computers used daily
by three different employees, and a Windows 2003 server computer that we
use for a Web server. They're networked in a peer to peer configuration.
What benefits, if any (especially security benefits) would I get from
creating a Windows domain? Do I need additional software to do this?
ANSWER:
A domain gives you more centralized control over access and security as
well as centralized administration. In a peer to peer network, each user
manages access to the files on his/her machine, and other users must
have accounts on each computer to access resources on that computer. In
a domain, the authentication server (domain controller) keeps the
database of user and computer accounts.
If your web server runs Windows Server 2003 Standard or Enterprise edition, you can promote it to a domain controller using the Configure My Server admin tool or by running dcpromo.exe at the command line. No additional software is required. If it runs Web edition, you can't make it a domain controller.
QUESTION:
I teach a college course and want to be able to put materials on my web site for students to read. However, I don't want them to be able to select and copy text and graphics from the page or print it. I have a web server running Windows Server 2003 web edition with IIS 6. Is there any way to do this?
ANSWER:
To discourage copying of graphics and text you can use JavaScript to disable the right click menu, such as the script on this site: http://www.billybear4kids.com/clipart/riteclic.htm. However, this doesn't prevent using the menus, and browsers that have JavaScript support turned off will bypass the script. This works only with users who are not technically savvy.
Perhaps the best way to make it hard to copy your material is to create a PDF instead of HTML. Modern browsers can display PDFs in the browser but you can use PDF security to prevent printing or selecting/copying. You can set password protection on the documents so that those who know the password can print or copy the material, if you want some people to be able to. Without the password, even the full version of Acrobat won't let you print, select, save, etc.
Of course, none of these methods will stop a really determined person. If the material displays on the screen, someone could always capture a screenshot of it and save or print that.
QUESTION:
I just got a Windows Mobile (Pocket PC) cell phone and I love it. I have the unlimited data plan from my wireless provider so I can stay connected wherever I am. But I'm wondering if there are any security issues I need to be concerned about. Thanks.
ANSWER:
Windows Mobile operating systems were designed for the enterprise environment so security was a priority. One of the biggest security risks with these phones (which are really miniature full-fledged computers) is physical security. Their size and portability make them easy to lose or steal.
Consequently, you should password protect your device or, even better, get one that supports fingerprint or secure ID card authentication. You can also encrypt the data on the device and on storage cards using a program such as Sentry CE (http://www.softwinter.com/sentry_ce.html). There are also personal firewalls available for Windows Mobile, such as Airscanner Mobile Firewall, and PPC anti-virus programs such as SMobile VirusGuard (both can be downloaded from Handango at http://www.handango.com).
Some common sense security measures include, as with desktop computers, turning off services you don't need. For example, many PPC phones support wi-fi and bluetooth. If you aren't using those connections, turn them off.
For more information on securing your mobile device, see my article
titled "Securing Your Pocket PC" at
http://www.windowsecurity.com/articles/Securing-Pocket-PC.html
QUESTION:
I'm still running a Windows 2000 Professional computer for my
main home computer. It does everything that I need, but I worry that it
might not be as secure as it needs to be. I also have a Windows Me
computer on my home network, that is used by my kids. Is there a way to
make these more secure or to check them (preferably with a free tool) to
see if they're configured right for security? Thanks. - M.J.
ANSWER:
Microsoft has become more cognizant of and focused on security
with each new operating system, so it makes sense to wonder whether your
older OS versions have security holes. In some cases, it's a matter of
configuration; some security mechanisms that are turned on by default in
Windows XP/2003 have to be explicitly enabled in Windows 2000. And some
security mechanisms that are included with the XP/2003 operating
systems, such as the Internet Connection Firewall (ICF) in XP that's
upgraded to the Windows Firewall by Service Pack 2, are missing
altogether in the older operating systems, so you may need to get third
party software (such as Kerio, Zone Alarm, etc.) to protect them.
There are indeed free tools you can use to check your systems for vulnerabilities. For your Windows 2000 (as well as XP and 2003) computer, you can use the Microsoft Baseline Security Analyzer (MBSA) to check for vulnerabilities. It will tell you which critical updates and service packs are missing and analyze vulnerabilities caused by misconfigurations. You can download it free at http://www.microsoft.com/technet/security/tools/mbsahome.mspx.
There's a free third party utility that you can use for both Windows 2000 and your 9x/Me computers (basically for all Windows operating systems), called Belarc Advisor. It performs similar functions and you can get it here: http://www.belarc.com/free_download.html
QUESTION:
I have a server running Windows 2000 advanced server. I want to be able to access
some files from any computer via the web. I do not understand using ftp.
I have tried to configure it but it will not work. Am I approaching what
I want to do in the wrong way? My wife and I have files we need to
access from various places but do not know what the right approach is.
My wife uses a VPN for her laptop but
I am looking for another way. - Jim
ANSWER:
There are several different ways you can access files on your server from
remote computers. Which one is the best choice for you depends on
exactly what you want to do. You could VPN into the network as your wife
does; this has security advantages, especially if you use L2TP/IPsec as
the VPN method.
If you want to be able to run applications and manage the server from a remote computer, you can use Windows 2000 terminal services in remote administration mode (only allows two connections at a time). You can access it through the TS client or the web interface. Or you can use a third party remote access program such as PCAnywhere if you can install software on the remote system, or a service such as GoToMyPC that works via a web browser from any remote system.
If all you want to do is get files, setting up an FTP server in IIS may very well suffice. Here are step-by-step instructions for installing and configuring IIS for FTP service: http://support.microsoft.com/default.aspx?scid=kb;en-us;300662&sd=tech.
QUESTION:
I have a laptop computer and I have some sensitive files on the hard
disk that I've encrypted with EFS. But I'm worried because if someone
steals the laptop and cracks my logon password, he'll be able to read
those files, correct? Is there a better solution that will protect my
files even if that happens? Thanks. -J.J.
ANSWER:
Anyone who logs onto your account will be able to access your EFS
encrypted files - if the encryption keys are stored on the laptop's hard
disk. That's the default location, but you can make EFS more secure by
exporting your EFS certificate and private key to a removable device
such as a USB "thumb drive" or CD. To export your certificate and key,
use the Certificates MMC snap-in.
In the left pane, navigate to Console Root | Certificates - Current User | Personal | Certificates. In the right pane, right click the certificate that says "encrypting file system" in the Purposes column. Select All Tasks | Export. Follow the steps in the Certificate Export Wizard. Be sure to select the option to export the private key along with the certificate and to delete the private key when the export is completed.
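A scripted counterpart to the export steps above, as an added example that is not part of the original answer. It assumes a Windows version that ships the PKI module cmdlets (Windows 8.1 / Server 2012 R2 or later) and uses the hypothetical folder E:\efs-backup as the removable device; it exports and verifies the key but leaves deletion of the on-disk key as a separate step.

```powershell
# Added example: command-line counterpart of the Certificate Export Wizard steps.
# Assumptions: PKI module cmdlets are available, and E:\efs-backup is the
# removable-media folder (hypothetical path).
$EfsOid = '1.3.6.1.4.1.311.10.3.4'     # EKU displayed as "Encrypting File System"
$OutDir = 'E:\efs-backup'

# Certificates - Current User | Personal | Certificates, filtered by purpose
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid
})
if ($efsCerts.Count -eq 0) {
    throw 'No certificate with the Encrypting File System purpose was found.'
}

$password = Read-Host -AsSecureString 'Password to protect the exported private key'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($cert in $efsCerts) {
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): private key is not on this machine; skipped."
        continue
    }
    $pfx = Join-Path $OutDir "efs-$($cert.Thumbprint).pfx"

    # Fails with an error if the key was created as non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password -ErrorAction Stop | Out-Null

    # Re-read the file and confirm it holds the same certificate before relying on it.
    $data = Get-PfxData -FilePath $pfx -Password $password -ErrorAction Stop
    if ($data.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
        throw "Verification failed for $pfx; keep the key on disk until a good copy exists."
    }
    Write-Output "Exported and verified: $pfx"
}
# The key is still in the user profile at this point. Deleting it stays a
# deliberate step, taken only once the copy on removable media is verified.
```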