Export (0) Print
Expand All

Chapter 9 - Security

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This chapter presents an overview of security features provided in Microsoft Windows 98. It describes their use, together with security features of Internet Explorer version 4.0, in a networking environment. It is intended for system administrators and others who have authority to set security levels for network clients, and for those who need secure communication over the Internet.

See Also

  • For information about file and printer sharing services and user-level or share-level security, see Chapter 18, "Logon, Browsing, and Resource Sharing." 

  • For information about editing system policies, see Chapter 8, "System Policies." 

  • For information about security for Internet Explorer, see Chapter 20, "Internet Access and Tools." 

  • For information about Distributed Component Object Model (DCOM), see Chapter 29, "Windows 98 Network Architecture" and Chapter 25, "Application Support." 

Overview of Security Features

Cc768179.spacer(en-us,TechNet.10).gif Cc768179.spacer(en-us,TechNet.10).gif

Computer security refers to the protection of all components—hardware, software, and stored data—of a computer or a group of computers from damage, theft, or unauthorized use. A computer security plan that is well thought out, implemented, and monitored makes authorized computer use easy and unauthorized use or accidental damage difficult or impossible.

Personal computing depends increasingly on computers connected through networks, and more often through the Internet and intranets. You can use Windows 98 security to prevent unauthorized access to shared resources on computers in a network. The security features built into Windows 98 are described briefly in this section, and in more detail later in the chapter.

Logon Security

Windows 98 allows users to log on fully. In a networking environment, you can set your system up so that when a name and password pair have been validated against the security authority of a network server, the Windows 98 user interface is displayed.

Logon Password

A user can log on to all networks and Windows 98 at the same time. If a user's password for Windows 98 or for another network is the same as the password for the primary logon client, Windows 98 automatically logs the user on to Windows 98 and all networks using that password.

Note A unified password prompt does not enhance security, but eases logging on to the system. As the system administrator, you can require additional passwords for a more secure system.

For more information about the logon prompt, see "Using the Windows 98 Logon Password" later in this chapter. Once users log on to their machines, they have the option to cache their passwords. These passwords are cached in a file with a .pwl extension. The file name is the same as the user's name. See "Password Caching" later in this chapter.

Network Validation

With system policies, you can prevent users from logging on to Windows 98 if their Windows NT or Novell NetWare network logon is not validated. This causes the network logon dialog to appear before, or instead of, the Windows 98 logon prompt. Also, the user list may not be network wide, but specific to a server, and may be different for different servers.

For more information about logon security, see "Network Security" later in this chapter. For more information about system policies, see "Using System Policies to Enforce Password Security" later in this chapter, and Chapter 8, "System Policies."

Shared-Resource Security

When a computer is running Windows 98 with file and printer sharing services, other users can connect to shared printers, volumes, directories, and CD-ROM drives on that computer. To protect these shared resources, Windows 98 provides user-level and share-level security.

User-Level Security

With user-level security, a user's request to access a shared resource is passed through to a security provider, such as a Windows NT or NetWare server. The security provider grants or denies the request by checking the requestor's user name and password against a network-wide or server-wide stored list. User-level security does not require file and printer sharing services. These accounts must be created on the machine providing user-level authentication, such as a Windows NT or NetWare server. Windows 98 cannot act as an authentication server for user-level security.

This type of security allows fine-grained control over per-user access and allows individual accountability. The disadvantages are that you must create a user account for each user you want to grant access to, and you must grant that user the access.

Share-Level Security

With share-level security, users assign passwords to their shared resources. Any user who can provide the correct password is permitted to access the shared resource. The password is stored and checked by the computer where the resource resides. Share-level security requires file and printer sharing services.

Note Any subfolders of the shared folder, if they are also shared, must be set with the same level of security as the parent folder.

The advantage of this type of security paradigm is that it allows granting access to a broad range of people with very little effort. However, it is not as secure as user-level security, because the password is widely distributed and there is no notion of personal accountability.

Note You cannot use share-level security on NetWare networks, because the File and Printer Sharing for NetWare Networks utility does not support passwords. You can limit access, however, by defining a resource as read-only.

Password Controls

In addition to setting up passwords for security, Windows 98 also provides password caching, Password List Editor, and system policies.

Password Caching

Like unified logon, password caching provides a convenient and secure way to access protected resources. The first time a user connects to the resources and saves the password, Windows 98 caches the password in a PWL file. Whenever the user logs on again, the logon password unlocks the PWL file and the resource passwords it contains, and the user then has free access to those resources. If password caching is disabled, users must type the password each time they connect to a password-protected resource.

Password List Editor

Password List Editor lets you view resources on a password list. It also lets a user view or edit his or her own password file (PWL). You may then delete a password (you cannot view the actual password) so that it can be replaced.

System Policies

System policies let you enforce a password policy with some or all of these restrictions:

  • Disable password caching. 

  • Require an alphanumeric Windows 98 logon password. 

  • Require a minimum Windows 98 logon password length. 

You can also define system policies that prevent users from enabling peer resource sharing services and that enforce other security techniques, such as preventing users from configuring system components.

For more information, see "Using System Policies to Enforce Password Security" later in this chapter, and Chapter 8, "System Policies."

Internet and Intranet Security

The Internet is an effective way to communicate and share information with others, but with its use comes a greater need for security. The following security features make it easier for you to protect your computer and your privacy when using the Internet.

Internet Explorer

Internet Explorer 4.0 has new security options that let you configure a security level to a specific Web site according to how much you trust the content of that Web site. Four security zones are set up in Internet Explorer 4.0. They are:

  • An Internet zone that by default contains all Internet sites. 

  • A Trusted sites zone to which you can assign Web sites you trust. 

  • A Restricted sites zone to which you can assign Web sites you do not trust.

  • A Local intranet zone for computers connected to a local area network. 

Outlook Express

Outlook Express includes tools to protect you from fraud, ensure your privacy, and prevent unauthorized access to your computer. These tools enable you to send and receive secure e-mail messages and to control potentially harmful e-mail messages through security zones.

Distributed Component Object Model

A distributed application consists of multiple processes that cooperate to accomplish a single task. The Distributed Component Object Model (DCOM) can be used to integrate distributed applications in a network, thus allowing specified users to have access to certain processes.

Firewalls

A firewall enforces a boundary between networks. The boundary prevents unauthorized access of private networks by preventing the passage of packets between networks.

Security Planning Checklist

Cc768179.spacer(en-us,TechNet.10).gif Cc768179.spacer(en-us,TechNet.10).gif

You need to determine the type of exposure or risk you potentially have, and develop a security policy that reflects this level of risk. On the basis of that analysis, choose products, network technology, and business practices for the installation, integration, and management of your system.

Before you integrate Windows 98 security into your network security model, consider the following issues:

What kind of logon security do you need? Do you allow users to log on to Windows 98 and the network with the same password? Do you want to require alphanumeric or minimum-length passwords for the Windows 98 logon password? Do you want to require that users be validated by the network security provider before being able to log on to Windows 98? For both Windows NT and NetWare networks, you can use system policies to require validation by a Windows NT or NetWare server before allowing access to Windows 98 and to specify other Windows 98 password restrictions.

What kind of resource protection do you need on Microsoft networks? you enable peer resource sharing, you must decide how to protect those resources with share-level or user-level security. User-level security provides greater security because the network security provider must authenticate the user name and password before access to the resource is granted. Share-level security is not available for NetWare networks.

For more information about NetWare networks, see Chapter 17, "Windows 98 on Third-Party Networks."

What kinds of access rights will users have to resources protected by user-level security? You can specify the types of rights users or groups of users have to resources by setting Sharing properties for the shared resource (such as a folder or drive). For example, you can restrict other users to read-only access to files or give them read-access and write-access to files.

How do you want to enable user-level security? You can enable security in a setup script or in system policies. If you enable user-level security in either a setup script or Control Panel, remote administration is enabled by default for domain administrators on a Windows NT network and for supervisors on a NetWare network.

Should password caching be allowed? You can use system policies to disable password caching and thus require users to type a password each time they access a password-protected resource.

Should users be able to change Control Panel settings? You can use system policies to restrict users' ability to change the configuration of system components, their desktops, applications, or network connections in the Control Panel folder.

Does a particular hard disk need extra protection? Windows 98 security obstructs hacking over the network; but if a person has physical access to the computer, critical data could still be taken from the hard disk where it resides by using Safe Mode or a floppy disk to start the workstation. If specific data requires greater levels of security, you should store critical files on a secure server. If computers require greater levels of security, Windows NT Workstation is recommended, because it provides a means to protect resources on a hard disk based on a user's identity.

Are there applications that should not be run? You may need to restrict access to some applications while supplying access to other applications in your system. To implement this type of security, use system policies. You can also restrict access to parts of an application by using DCOM.

Do certain processes of an application need protection? If security is required for a distributed application — that is, one whose component processes are distributed over more than one computer in the network — use DCOM. DCOM provides the structure to share applications at the component level between a server and clients. The components can be shared over the Internet or an intranet. Using DCOM to set a security level for the application automatically applies that security level to each component, wherever located.

Should Internet or intranet access be limited? You may need to limit access to certain sites on the Internet and on your intranet. To implement this type of security, use Internet Explorer security features.

Network Security

Cc768179.spacer(en-us,TechNet.10).gif Cc768179.spacer(en-us,TechNet.10).gif

Windows 98 allows users to log on fully. The first thing most users encounter after booting their Windows 98 systems is a logon dialog box, which varies depending on the type of network. Once the proper user name and password are validated against the security authority of the network server, the Windows 98 user interface is displayed.

System administrators can configure the Windows 98 system to allow entry into the operating system with no network access (this configuration is the default). As an alternative solution to this problem, system administrators can specify guest accounts that have limited network access.

The Windows 98 user logon should not be construed as a mechanism to fully secure personal computers. Because personal computers are still vulnerable to a floppy boot, all data stored on their disks is potentially available. The underlying file system in Windows 98 is the MS-DOS file allocation table (FAT) file system, which has no built-in encryption or other security mechanisms.

Network resources are secured under Windows 98 using the same security mechanisms employed by network servers on corporate networks. The user name and password in Windows 98 can be configured to be the same as those used by the network server. By doing this, the network manager can control network access, provide user-level security for access to shared resources on the local computer, control the various agents in Windows 98, and limit who has remote administration authority on this Windows 98 system. In this fashion, Windows 98 leverages the existing investment in network servers, management tools, utilities, and infrastructure. System administrators can manage user accounts centrally on the server, just as they always have. They can also use familiar tools for managing user accounts.

Implementing Network Security

Implementing security in a Windows 98 networking environment involves the following types of activity:

  • Define user accounts on a network server or domain controller for user-level security. For more information, see the documentation for the software on the network security provider.

  • Install file and printer sharing services, and then enable user-level or share-level security. 

  • Define access rights for resources protected by user-level security.

  • Make the Windows 98 logon password and network logon password the same. Disable password caching if you do not want this feature. For more information, see "Using the Windows 98 Logon Password" and "Using the Windows 98 Password Cache" later in this chapter. 

  • Define system policies to restrict users' ability to configure the system or shared resources, and to enforce password policies. 

  • Define Internet and intranet security zones. For more information, see "Setting Up Security Zones" later in this chapter. 

Sharing Resources

Windows 98 provides share-level or, alternatively, user-level security for protecting shared resources on computers running Windows 98 (the share level requires file and printer sharing services).

Share-level security protects shared network resources on the computer running Windows 98 with individually assigned passwords. For example, you can assign a password to a folder or a locally attached printer. If other users want to access it, they need to type in the appropriate password. If you do not assign a password to a shared resource, every user with access to the network can access that resource.

User-level security protects shared network resources by requiring that a security provider authenticate a user's request to access resources. The security provider, such as a Windows NT domain controller or a NetWare server, grants access to the shared resource by verifying that the user name and password are the same as those on the user account list stored on the network security provider. Because the security provider maintains a network-wide list of user accounts and passwords, each computer running Windows 98 does not have to store a list of accounts.

Note For Microsoft networks, the security provider must be a Windows NT domain or workstation. For NetWare networks, it must be either a NetWare 4.x server running bindery emulation or a NetWare 3.x server.

Figure 9.1 shows how user-level security works for Microsoft networks. The reference numbers are explained after the illustration.

Cc768179.wrk0n01(en-us,TechNet.10).gif 

Figure 9.1 User-level security 

  1. Joe's computer is running Windows 98. Joe enters a password to access a shared resource protected by user-level security. 

  2. The Windows 98 computer passes a request to the server (security provider) to authenticate Joe's identity. 

  3. The security provider sends a verification to the computer if Joe's name and password combination are valid. 

  4. Windows 98 grants access to the shared resource according to rights assigned to Joe on the Sharing property sheet for that resource. 

Joe's password is stored on his computer's PWL file to be used for authentication when he accesses that resource again. He will not be prompted for the password again during that session. When he logs off, the computer will erase his password from the file.

Setting Up Security for Shared Resources

Before a user can share a resource on a computer running Windows 98, the computer must be configured for share-level or user-level security, and file and printer sharing services must be installed by using the Network option in Control Panel. Configuring share-level or user-level security is described briefly in the following sections, and in Chapter 18, "Logon, Browsing, and Resource Sharing."

Note Share-level security is not available on NetWare networks.

To set up share-level security
  1. Install File and Printer Sharing for Microsoft Networks, as described in the "Installing Peer Resource Sharing" section of Chapter 18, "Logon, Browsing, and Resource Sharing." 

  2. On the computer that hosts the resource to be shared, in Control Panel, double-click Network, and then click the Access Control tab. 

  3. Click Share-level access control, and then click OK.

To set up user-level security on a Microsoft network
  1. Install File and Printer Sharing for Microsoft Networks, as described in the "Installing Peer Resource Sharing" section of Chapter 18, "Logon, Browsing, and Resource Sharing." 

  2. In Control Panel, double-click Network, and then click the Access Control tab.

  3. Click User-level access control.

  4. In the User-level access control box, type the name of the Windows NT domain or Windows NT workstation where the user accounts reside. 

  5. Click OK.

To set up user-level security on a NetWare network
  1. Install File and Printer Sharing for NetWare Networks, as described in the "Installing Peer Resource Sharing" section of Chapter 18, "Logon, Browsing, and Resource Sharing." 

  2. In Control Panel, double-click Network, and then click the Access Control tab.

  3. Click User-level access control.

  4. In the User-level access control box, type the name of the NetWare server. 

  5. Click OK.

For information about specifying values for security in custom setup scripts, see Appendix D, "Msbatch.inf Parameters for Setup Scripts." For information about using System Policy Editor to set user-level security and other security options, see Chapter 8, "System Policies."

Using Share-Level Security

You can restrict access to resources such as a shared folder or a printer by either defining it as read-only or assigning a password to it.

To share a folder or printer with share-level security
  1. In Windows Explorer, right-click the folder or printer to be shared, and then click Properties

  2. In the Properties menu, click the Sharing tab.

  3. Click Shared As, and type the resource's share name.

    The shared resource name will be the computer name plus the share name. For example, in the following screen shot, if the computer name is mycomputer, this shared resource is \\mycomputer\mydocuments.

    Cc768179.wrk0n03(en-us,TechNet.10).gif  

  4. Specify whether you want users to have read-only or full access to this resource. 

    Note There is no read-only share-level access for a printer or remote administration. 

  5. Type the password for the specified access, and click OK.

Tip You can share a folder but hide it from the Network Neighborhood browsing list by adding a dollar sign ($) to the end of its share name (for example, PRIVATE$).

Using User-Level Security

Windows 98 uses the logon process to provide user-level security for a variety of services beyond network resource access, including the following services that are remotely accessible:

  • File and printer sharing. 

  • Dial-up network access gateway control. 

  • Backup. 

  • Network and system management. 

Pass-through security is implemented in Windows 98 as the mechanism to enable user-level security. Pass-through literally means that Windows 98 passes authentication requests through to a Windows NT or NetWare server. Windows 98 does not implement its own unique user-level security mechanism but instead uses the services of an existing server on the network.

Enabling pass-through security is a two-step process. First, user-level security must be enabled using the Control Panel. Second, the device must be shared, and users with access privileges must be specified. Right-clicking the drive C icon in My Computer and selecting Properties from the Shortcut menu displays a property sheet that shows which shares already exist and which users have access. It also allows new devices to be shared and new users to be added to specific shares. The Windows NT server or the NetWare bindery supplies the user names listed in this property sheet.

For more information about file and printer sharing, see Chapter 18, "Logon, Browsing, and Resource Sharing."

The Remote Administration function of a Windows 98 personal computer specifies the users or groups who have authority to manage the Windows 98 system, including the following:

  • Dial-up network access gateway control. 

  • Backup. 

  • Remote access to the registry. 

  • Remote NetWatcher access. 

  • Remote system performance monitoring. 

Remote Administration is controlled through the Passwords option in Control Panel. For more information about Remote Administration, see Chapter 23, "System and Remote Administration Tools."

For each network resource governed by user-level security, there is a list of users and groups that can access that resource.

To share a resource with user-level security
  1. In Windows Explorer or My Computer, right-click the icon for the resource to be shared, and then click Properties

  2. In the Properties menu, click the Sharing tab. 

  3. Click Add

  4. In the Add Users dialog box, click a user or group, and then assign access rights as described in the following paragraphs.

    Assign, for each user, a set of rights for the resource. The kinds of rights that you assign depend on the kind of resource you are securing:

    • For shared directories, you can let a user have read-only access, full access, or custom access. Within custom access, you can grant the user any or all of the following rights: read, write, create, list, delete, change file attributes, and change access rights.

    • For shared printers, a user either has the right to access the printer or not. 

    • For remote administration, a user either has the right to be an administrator or not as defined in the Passwords option in Control Panel.

    Permissions are enforced for a resource as follows:

    • If the user has explicit rights to the resource, those rights are enforced.

    • If the user does not have explicit rights to the resource, the permissions are determined by taking all of the rights of each group to which the user belongs.

    • If none of the groups to which the user belongs has any rights to that resource, the user is not granted access to the resource. 

When you do not explicitly assign access rights to a file or folder, Windows 98 uses implied rights. Implied rights are those assigned to the nearest parent folder of a file or folder. If none of the parent folders (up to and including the root directory of the drive) have explicit rights, no access is allowed.

Note Implied rights are displayed automatically on the property sheet for the shared file or folder.

Specifying Folder Access Rights in User-Level Security

Access rights specify what a user can do in a folder protected by user-level security. The access rights you define for a folder apply to all of its subfolders. You cannot, however, assign access rights to individual files in Windows 98. (Both Windows NT and NetWare let you assign access rights to files.)

Note Any subfolders of the shared folder, if they are also shared, must be set with the same level of security as the parent folder.

For each folder, you can assign read-only, full, or custom access. Custom access lets you further specify exactly what each user or group can do in the folder, as specified in Table 9.1.

Table 9.1 Custom access options 

File operation

Required permissions

Read from a closed file

Read files

See a file name

List files

Search a folder for files

List files

Write to a closed file

Write, create, delete, change file attributes

Run an executable file

Read, list files

Create and write to a file

Create files

Copy files from a folder

Read, list files

Copy files to a folder

Write, create, list files

Make a new folder

Create files

Delete a file

Delete files

Remove a folder

Delete files

Change folder or file attributes

Change file attributes

Rename a file or folder

Change file attributes

Change access rights

Change access control

To define custom access
  1. Open the Add Users dialog box in a shared resource's properties (described in the procedure, "To share a resource with user-level security" earlier in this chapter). 

  2. In the Add Users dialog box, click a user or group, click Custom, and then click OK.

  3. In the Add Users dialog box, click a user or group from the Name list, and then click Custom.

  4. In the Change Access Rights dialog box, click the type of rights the user or group of users may have in the folder, and then click OK.

  5. To remove a user or group of users, click that user or group, and then click Remove.

  6. To edit the access rights for a user or group of users, click that user or group, and then click Edit.

Managing User Lists

Windows 98 user-level security depends on a list of accounts and groups located on a security provider. You cannot add or remove users and groups from the security provider list by using Windows 98 tools. However, you can do this by running User Manager for a Windows NT domain, SYSCON for NetWare 3.x, and NETADMIN for NetWare 4.x in a NetWare bindery environment. You can use these tools on a computer running Windows 98. These tools are provided by the respective vendors and not by Windows 98. Under Windows 98, you specify what rights users have to specific resources on the local computer as described in "Using Share-Level Security" earlier in this chapter. For more information about changing a user's access rights, see "Specifying Folder Access Rights in User-Level Security" earlier in this chapter.

Note Although Windows NT networks allow multiple domains, a computer running Windows 98 can specify only one domain for user-level security. However, you can set permissions for users or groups from any domain in the Sharing properties for the shared resource, as long as the two domains have a proper trust relationship. Also, rights may include user accounts from different trusted domains. To use a trust relationship to access multiple domains, you should consult the Microsoft Windows NT Server 4.0 Concepts and Planning Guide, part of the Windows NT Server documentation set.

Managing Security for Windows 98 in NetWare Bindery Environments

NetWare 3.x servers store all the information about users, groups, passwords, and rights in a database stored on the server called the bindery. NetWare 4.x servers can appear to have a bindery through bindery emulation, a feature that is enabled by default. There is a separate bindery for each NetWare server. Windows 98 can use the bindery of only one NetWare server as the security provider. It is common for a company to have one or more NetWare servers per department, where users log on to the server for their department. This scenario can pose a problem when the bindery differs from one NetWare server to another. For example, Sue and Bob log on to the Sales server, and Fred logs on to the R&D server. Because Sue is running Windows 98 and can specify only one server for pass-through validation, she specifies Sales (the server she uses for logon). She can now grant access to shared resources on her computer to Bob but cannot grant access to Fred.

The only way to solve this problem is to include all user accounts for all servers on one NetWare server. This server should be specified as the security provider for every computer running Windows 98 with File and Printer Sharing for NetWare Networks.

Note Windows 98 supports only bindery emulation to obtain user lists on NetWare 4.x servers. It does not support user lists obtained with NetWare Name Service (NNS) or other add-on services for that purpose.

Passwords

Cc768179.spacer(en-us,TechNet.10).gif Cc768179.spacer(en-us,TechNet.10).gif

A good password policy helps users protect their passwords from other individuals. This helps to reduce the probability of someone logging on with another user's password and gaining unauthorized access to data.

The following guidelines should help you create a basic security policy:

  • Tell users not to write down their passwords. 

  • Tell users not to use obvious passwords, such as their names, their spouses' names, their children's names, and so on. 

  • Do not distribute user accounts and passwords in the same communication. For example, if you are sending a new user's account name and password in writing, send the user name and the password at different times. 

You can use the following Windows NT and NetWare security features to enhance Windows 98 security:

Enforce a reasonable minimum password length. This policy increases the number of permutations needed to guess someone's password randomly or programmatically. Additionally, you can enforce an alphanumeric password combination to achieve the same security.

Enforce maximum and minimum password age. This policy forces the user to change the password, preventing someone else from discovering it as a result of the password being in use for a long time. A minimum password age prevents a user from immediately reverting to a previous password after a change.

Enforce password uniqueness and maintain password history. This policy prevents users from toggling between their favorite passwords. You can specify the number of unique passwords that a user must have before that user can use a previously used password.

For more information about using Windows NT and NetWare security features, see the documentation for those products, or see the Microsoft Windows NT Server Networking Guide in the Windows NT Server Resource Kit (for Windows NT Server version 4.0) (ISBN 1-57231-343-9).

Using the Windows 98 Logon Password

With Windows 98, users can log on to all networks and Windows 98 at the same time. The first time a user starts Windows 98, logon dialog boxes appear for Windows 98 and for each network client on that computer. This is useful for you as a network administrator, because you can use existing user accounts on a network security provider to validate access to the network for users running Windows 98. For more information, see Chapter 18, "Logon, Browsing, and Resource Sharing."

If a user's password for Windows 98 or for another network is the same as the password for the primary logon client, Windows 98 logs the user on to Windows 98, and then the network automatically uses that password. When a user logs on to other networks with different passwords and chooses to save them, the passwords are stored in the password list file. The Windows 98 password unlocks this file. Thereafter, Windows 98 will use the passwords stored in the password list file to log a user on to other networks, so that no additional passwords need to be typed. This single logon provides a solution to the problem of password proliferation.

The Passwords option in Control Panel provides a way to synchronize logon passwords for different networks. This allows users to use the password for whatever logon dialog box appears first (the primary network logon client or Windows 98 logon) for logging on to all other network clients.

To change a password for a network resource to be the same as the Windows 98 logon password
  1. In Control Panel, double-click Passwords, and then click Change Windows Password.

  2. In the Change Windows Password dialog box, select the other passwords you would like to change to use the same password as the Windows 98 password, and then click OK

    To appear in this list, the related software must include a function that lets its password be changed.

  3. In the second Change Windows Password dialog box, type the current (old) Windows 98 password, type a new password, and then, in the Confirm new password box, type the new password again. Click OK

Note The Windows Screen Saver passwords option appears here only if the Windows screen saver has been turned on and the password-protected option has been selected.

You can maintain separate passwords for a network resource and require users to type a password each time they access it.

To change a password for a network resource
  1. In Control Panel, double-click Passwords, and then click Change Other Passwords.

  2. In the Select Password dialog box, select the password you want to change, and then click Change.

  3. In the Change Password dialog box, type the current (old) network password, type a new password, and then, in the Confirm new password box, type the new password again. Click OK.

    You must now type the new password to access the resource. 

Note You can also use the Passwords option to change individual passwords to other network resources to be different from the Windows 98 logon password.

Using Windows 98 with NetWare Passwords

To log on to a NetWare network, you must type the name of the preferred server on which the related user account is stored. After the user name and password are validated by the network server, you can use resources shared on that server. If you are not validated, you will be prompted to enter a password whenever connecting to a NetWare server during this work session.

The first time you attempt to connect to a NetWare server other than the preferred server, Windows 98 searches for an appropriate user name and password in the PWL file. If no matching set of credentials is found, Windows 98 tries to log on using the Windows 98 password. If this fails, Windows 98 displays a NetWare logon prompt for you to enter a valid user name and password, which can then be stored in the PWL file.

To avoid use of automatic NetWare logon
  • Use system policies to enable the policy named Disable Automatic NetWare Login

To change your password on a NetWare server
  1. At the command prompt, use the net use command to connect to the NetWare server's SYS volume. For example, for a server name NWSVR2, you would type:

    net use * \\nwsvr2\sys 

  2. At the command prompt, change to the drive for the NetWare server, and then make the Public folder the current folder. For example, if the drive is mapped to drive N, type: 

    n:

    Then type: 

    cd \public

    Note If you want to change your password on more than one server, connect to all affected servers before running the setpass command. Setpass is a utility provided by Novell and is not part of Windows 98.

  3. At the command prompt, type setpass

    If the server on which you want to change your password is different from the one on the current drive, type setpass and the name of the server. 

    For example, to change your password on the server named NWSERVE1, type: 

    setpass nwserve1 

  4. When you are prompted, type your old password, and then type and confirm the new password. 

  5. If you are connected to other NetWare servers that also use your old password, these servers are listed, and you are asked if you want to change your password on these servers also.

Using the Windows 98 Password Cache

Keeping track of multiple passwords can be a problem for users. Often, they either forget the passwords or write them down and post lists of passwords near their computers. When this happens, the security policy is no longer doing the job it was meant to do — to allow access to those who should have it and to deny access to those who should not.

Windows 98 solves this problem by storing passwords for resources in a password list file (PWL). This file stores passwords for the following network resources:

  • Resources on a computer running Windows 98 that are protected by share-level security. 

  • Password-protected applications that have been specifically written to the password-caching application programming interface (API). 

  • Windows NT computers that do not participate in a domain. 

  • A Windows NT logon password that is not the Primary Network Logon. 

  • NetWare servers. 

The password list file is stored in the Windows folder on the local computer by using an encryption algorithm. An unencrypted password is never sent across the network.

Caution If you delete PWL files, you will lose all previously stored passwords. You will need to retype each password.

Password caching is enabled by default when you install Windows 98. When you access a password-protected resource for the first time, make sure the Save this password in your password list option is selected (it should be selected by default) to save the password to the password list file.

Note If, during log on, you click Cancel to bypass the logon screen, the cache will not be opened, and you will be prompted for a password each time you attempt to use a protected resource.

You can disable password caching by using System Policy Editor, which is shipped on the Windows 98 compact disc but not automatically installed onto your system during Setup. Use the Add/Remove Programs option in Control Panel to install System Policy Editor.

To install System Policy Editor
  1. In Control Panel, double-click Add/Remove Programs, click the Windows Setup tab, and then click Have Disk.

  2. In the Install From Disk dialog box, click Browse and specify the Tools\Admin\Poledit folder on the Windows 98 compact disc.

  3. Click OK, and then click OK again in response to the dialog boxes. 

  4. In the Have Disk dialog box, click System Policy Editor, and then click Install

To disable password caching by using system policies
  1. On the Start menu, click Run.

  2. Type poledit, and then click OK

  3. In System Policy Editor, double-click the Local Computer icon.

  4. In the Local Computer Properties, click Network

  5. Click Passwords

  6. Click the policy named Disable Password Caching.

For more information, see Chapter 8, "System Policies."

Note If you have any share-level security servers and you disable password caching and are running Client for Microsoft Networks, you should not use the Quick Logon feature in the Network option in Control Panel.

Using Password List Editor

If password caching is enabled, Windows 98 caches passwords in the password list file when you connect to a password-protected network resource. Password List Editor (Pwledit) lets you view the resources listed in a user's password list (PWL) file. It does not let you view the actual passwords, but lets you remove specific password entries if problems are encountered using a cached password.

Password List Editor works only if the password list file is unlocked, that is, if the user is logged on. It can be used to view only the contents of the logged-on user's password list file, so you should run it on the user's computer.

Note Only users themselves can view or edit their own PWL files.

Password List Editor can be found in the Netadmin\Pwledit folder on the Windows 98 compact disc.

To install Password List Editor
  1. In Control Panel, double-click Add/Remove Programs, click the Windows Setup tab, and then click Have Disk

  2. In the Install From Disk dialog box, click Browse.

  3. Type the path name to Netadmin\Pwledit\Pwledit.inf, and then click OK.

  4. In the Have Disk dialog box, click Password List Editor, and then click Install.

To run Password List Editor
  • On the Start menu, click Run. Type pwledit, and then click OK

Using System Policies to Enforce Password Security

You can use system policies to increase security by requiring users to follow specific password guidelines. Using system policies, you can enforce password policies.

For information about restricting settings with system policies, see Chapter 8, "System Policies."

Internet Explorer Security

Cc768179.spacer(en-us,TechNet.10).gif Cc768179.spacer(en-us,TechNet.10).gif

Internet Explorer 4.0 adds several security features to Windows 98, including support for security zones, Secure Socket Layer (SSL) versions 2.0/3.0 and Private Communication Technology (PCT) version 1.0 protocols, client and server authentication, and the Platform for Internet Content Selection (PICS) rating system. These security features make it easier for you to protect your computer and your privacy while using the Internet.

Security zones. You can divide the Web into zones and have Internet Explorer 4.0 provide different levels of security depending on which zone you have assigned to a Web site.

When you install Windows 98, you configure the following Internet Explorer settings:

  • Internet zone 

  • Trusted sites zone 

  • Restricted sites zone 

  • Local intranet zone 

A fifth zone, My Computer, is also created, but it is not configurable through the security options.

This system lets the administrator divide the Web content a browser can visit into groups, each of which can have a security level associated with it. The Web content can be anything from a Hypertext Markup Language (HTML) file to a graphic, an ActiveX control, a Java applet, or an executable file.

Authenticode technology. An Authenticode certificate identifies who published a piece of software and verifies that it has not been tampered with.

Certificate management. System administrators can control which Java applets, ActiveX controls, and other software can be run on their intranets, based on who published the software.

Capabilities-based Java security (sandboxing). The Internet Explorer 4.0 security model for Java makes it easy for you to control how Java applets interact with your computer system. You can decide what capabilities and levels of access to your computer or system you want to give Java applets. You can offer full access to applets from trusted sources while restricting applets from unknown sources to safe "sandboxes" where they cannot harm files.

Privacy protection. Internet Explorer 4.0 supports all standard Internet security protocols to ensure private communication over the Web. Internet Explorer prompts you before user names or passwords are sent to Web sites not designated as trusted. For trusted sites, you can choose not to be prompted before personal information is transmitted. Outlook Express — the Internet mail and news component of Internet Explorer 4.0 — lets you encrypt messages and ensures that no one can falsely assume your identity on the Internet.

The following sections explain how to configure these settings.

Setting Up Security Zones

Internet Explorer 4.0 has security options that let you configure a security level to a specific Web site according to how much you trust the content of that Web site. Five predefined security zones, four of which have configurable security settings, are set up in Internet Explorer 4.0:

  • Internet zone that by default contains all Internet sites. 

  • Trusted sites zone to which you can assign Web sites you trust. 

  • Restricted sites zone to which you can assign Web sites you do not trust. 

  • Local intranet zone for computers connected to a local area network. 

  • Local machine called My Computer, unsecured, providing full access to all aspects of the machine, not configurable. 

Note Because security works differently in Internet Explorer 4.0, any existing Internet Explorer 3.0 settings are not preserved.

Using the Internet Properties dialog box in the Internet option in Control Panel, you can set the security options you want for Internet, Trusted sites, Restricted sites, and Local intranet, and then add or remove sites from the zones depending on your level of trust in each site.

In corporate environments, administrators can set up zones for users and can add or remove authentication certificates of software publishers that they do or do not trust so that users do not have to make security decisions while they are using the Internet.

For each security zone, you can choose a High, Medium, Low, or Custom security setting. Use the High setting for sites in a zone of untrustworthiness and Low in a trusted zone. The Custom option gives advanced users and administrators even more control over all security options, including the following:

  • Access to files, ActiveX controls, and scripts. 

  • The level of capabilities given to Java applets. 

  • Whether sites must be identified with SSL authentication. 

To set up security zones
  1. In Control Panel, double-click Internet. 

  2. Click the Security tab. 

  3. Configure the settings according to your security needs. 

Setting Up the Internet Zone

By default, the Internet zone is set to the Medium security level. If you are concerned about security problems as users browse the Internet, change this setting to High. When this level is set to High, some Web pages may not be allowed to perform certain operations that can potentially compromise security.

For more advanced and detailed security control, use the Custom settings to configure each individual security setting for the zone.

To set up custom settings for the Internet zone
  1. In the Security tab, select Custom, and then click Settings

  2. Configure the settings according to your security needs. 

Adding Sites to the Trusted and Restricted Zones

You can classify Web sites into two categories, according to how much you trust their contents:

  • Trusted sites zone 

  • Restricted sites zone 

By default, the Trusted sites zone is set to the Low security level. When you add a site to the Trusted sites zone, the site is allowed to perform more operations, and Internet Explorer will ask you to make fewer security decisions when you access the site. Add a site to this zone only if you trust all of its content never to do anything that may harm your computer. For the Trusted sites zone, it is strongly recommended that you use the HTTPS protocol so that you can securely connect to the site.

By default, the Restricted sites zone is set to the High security level. When you add a site to the Restricted sites zone, the site is allowed to perform only minimal, very safe operations. Add sites that you do not trust to this zone.

To add sites to the Trusted sites zone or Restricted sites zone
  1. In the Security tab, select either the Trusted sites zone or Restricted sites zone in the Zone list. 

  2. Click Add Sites, select the desired sites for that zone, and then click OK

Setting Up the Local Intranet Zone

To be secure, the Local intranet zone must be set up in accordance with the proxy server and firewall configuration. All sites in the zone should be "inside the firewall," and proxy servers should be configured so that they do not allow an external Domain Name System (DNS) to be resolved in this zone.

By default, the Local intranet zone consists of local domain names and those set in proxy override in the Connection tab. Make sure that these settings are indeed secure for the installation; if they are not, adjust them as needed. You can check that the Local intranet zone is configured correctly by browsing various intranet and Internet pages and checking that the correct zone is shown in the status bar.

After you have checked that the Local intranet zone is secure, you can change the zone's security level to Low to allow a wider range of operations and make the Web pages more functional. You can also adjust individual security settings in the Security Settings dialog box as explained in "Setting Up the Internet Zone" earlier in this section.

If parts of your intranet are not secure or do not meet your security standards, you can exclude them from the Intranet zone by adding them to the Restricted sites zone.

The Local intranet zone is designed to be configured using the Microsoft Internet Explorer Administration Kit; however, you can also use the Security tab in the Internet Properties dialog box.

Summary of Authenticode Technology

When users download signed code to their computers, Authenticode verifies both its publisher and its integrity (that it has not been tampered with since the author published it). No software can be guaranteed to be 100 percent safe under all circumstances, but Authenticode uses public key technology to sign objects digitally and help you make informed decisions about blocking the execution of certain code. Authenticode works with all common types of downloadable code, including Java applets, ActiveX controls, and plug-ins.

Authenticode checks to see that a piece of software is digitally signed during the valid lifetime of the publisher's certificate.

Authenticode can also automatically check to make sure a software publisher's certificate has not been revoked. Publishers can have their certificates revoked if they abuse their code-signing agreement by, for example, creating malicious code that harms users' computers.

Summary of Certificate Management

Authentication certificates are a key tool in providing Internet security. Certificate management eases the administration of network security. The certificates, which are assigned to software publishers who meet defined levels of integrity and security in their code, give users a way to identify the origin of a piece of software on the Internet. This identification mechanism forms the basis of Authenticode. Certificate Management lets system administrators control which Java applets and ActiveX controls are allowed to run on their networks based on who published the applets or controls.

Example
Certificate Management

You can let users open and run all internally created controls, but keep all controls that originate from outside your corporate firewall from loading and running on company computers.

Site certificates verify that you are really connected to the Web sites that you believe you are connected to. Viewing information may not present a security risk, but sending information can. Security certificates are issued to particular organizations for specific periods of time. Before you send information, certificates are sent from the secure Web sites to Internet Explorer 4.0. These certificates provide certain information about security at those sites. Internet Explorer 4.0 verifies that the Internet address stored in the certificate is valid and that the current date precedes the expiration date.

Note Site Certificates are active only for Uniform Resource Locators (URLs) using HTTPS. Communication to and from Web sites using HTTPS are kept private through encryption when this mode is active.

To see the site certificates stored in Internet Explorer 4.0
  1. Start Internet Explorer. 

  2. Click the View menu, and then click Internet Options.

  3. Click the Content tab, and then click Authorities.

    By default, the Certificate Authorities dialog box contains a list of authorities that are allowed to issue certificates to sites. 

If you are connected to a site with a certificate, a lock icon appears on the bottom right corner of the browser window.

Cc768179.wrk0n02(en-us,TechNet.10).gif 

Summary of Java Security (Sandboxing)

Support for sandboxing, the Java security model, was built into Internet Explorer 3.0 and has been enriched in Internet Explorer 4.0. Running a Java applet in a sandbox prevents it from accessing a computer or network resource and also greatly restricts what it can do. Internet Explorer lets you control access of applets to users' resources, such as their hard disks and network connections. It presents users with a range of security options, such as allowing a Java applet to access a specific amount of hard disk space on a client computer.

Summary of Privacy Protection

The following list describes the kinds of privacy protection built into Internet Explorer 4.0.

Secure channel services. Support for Secure Socket Layer (SSL) versions 2.0/3.0 and Private Communication Technology (PCT) version 1.0 ensures that personal or business communications using the Internet or an intranet are private. The SSL and PCT protocols create a secure channel so that no one can eavesdrop on communications. With secure communications guaranteed, users can buy consumer goods, reserve plane tickets, or conduct personal banking on the Internet.

Transport Layer Security. Transport Layer Security (TLS) is a new secure channel protocol under development by the Internet Engineering Task Force. TLS builds on existing protocols to create an improved Internet secure channel protocol.

Personal Information Exchange. The Personal Information Exchange (PFX) is a set of public key-based security technologies that is part of the Microsoft Internet security framework. PFX supports such Internet standards as X.509 and PKCS#12 certificate formats. Microsoft has submitted PFX for consideration as a new Public Key Cryptography Standard (PKCS).

Cookie privacy. Some Web sites use cookie technology to store information on client computers. These cookies are usually used to provide Web site personalization features. With Internet Explorer 4.0, you can choose whether or not to store a cookie.

Tip You can decline cookies from a site by selecting Prompt before accepting cookies on the Advanced tab in the Internet Options dialog box of the Internet Explorer View menu.

SOCKS firewall support. Many corporations provide their employees with access to the Internet through firewalls that protect the corporation from unwanted access. SOCKS is a standard protocol for traversing firewalls in a secure and controlled manner. Internet Explorer 4.0 is compatible with firewalls that use the SOCKS protocol.

Windows NT Server challenge/response. Corporations can take advantage of the Microsoft Windows NT LAN Manager challenge/response authentication that might already be in use on their Windows NT Server network. Users enjoy increased password protection and security while still able to use their existing Internet information servers.

CryptoAPI version 2.0. CryptoAPI provides the underlying security services for secure channels and code signing. Through CryptoAPI, developers can easily integrate strong cryptography into their applications. Cryptographic Service Provider (CSP) modules interface with CryptoAPI and perform functions, including key generation and exchange, data encryption and decryption, hashing, digital signatures, and signature verification. CryptoAPI is included as a core component of Windows 98 and Windows 95. Internet Explorer 4.0 automatically provides this support for earlier versions of Windows.

Microsoft Wallet. Microsoft Wallet supports securely storing important and private information, such as credit cards, electronic driver's licenses, ATM cards, and electronic cash. No application or person can view this information without a user's permission. In addition, a user decides where to store the information (on a computer, smart card, or floppy disk). Users have to enter password or account information only once and do not have to remember many different passwords. Users have complete control over who can see or use this information. Wallet allows information to be securely transferred to any computer and used with any application through the use of PFX technology. Designed for the future, Wallet supports additional payment methods (such as Internet cash) as well as other credentials and confidential information.

PICS standards for Internet content. Parents want the assurance that children can be blocked from visiting sites that display inappropriate information. Corporations have similar concerns, wanting to block the use of sites that offer no business value to their customers. Microsoft has been working closely with the Platform for Internet Content Selection (PICS) committee to help define standards for rating Internet content.

Forget your password? With Internet Explorer 4.0, you do not have to type your user name and password every time you want to access a subscription Web service. Instead, Internet Explorer 4.0 functions as your virtual wallet, flashing your personal certificate to Web servers that want to verify your identity. It works the other way, too. You can also store certificates of Web servers in Internet Explorer 4.0. This means you can verify the identity of any Web merchant or other Web server before you purchase goods or communicate with them.

Security Features in Outlook Express

Cc768179.spacer(en-us,TechNet.10).gifCc768179.spacer(en-us,TechNet.10).gif

As the use of e-mail and electronic commerce becomes more widely adopted, the amount of confidential information being exchanged over the Internet is growing rapidly. As a result, there is a need to make e-mail messages secure and private. In addition, with the growing popularity of ActiveX controls, scripts, and Java applets, there is an increased chance that the HTML content you receive in an e-mail message could damage or compromise files on your computer.

Outlook Express includes tools to protect you from fraud, ensure your privacy, and prevent unauthorized access to your computer. These tools enable you to send and receive secure e-mail messages and to control potentially harmful e-mail messages through security zones.

Using Security Zones for Outlook Express

Outlook Express enables you to choose which Internet Explorer security zone your incoming e-mail messages are in — either the Internet zone or the Restricted sites zone. Which zone you decide to select depends on how concerned you are about active content (e.g., ActiveX controls, scripts, and Java applets) weighed against the freedom to run that content on your computer. In addition, for each security zone, you can choose a High, Medium, Low, or Custom security level setting.

For more information about security zones, see "Setting Up Security Zones" earlier in this chapter.

Caution Changing the settings for the Internet zone or Restricted sites zone will also change this setting for Internet Explorer and vice versa.

To change the security zones settings for Outlook Express
  1. In Outlook Express, click the Tools menu.

  2. Click Options, and then click the Security tab.

  3. Configure the settings according to your security needs. 

Using Digital IDs

To use secure e-mail in Outlook Express, you need a digital ID. Digital IDs (also called certificates) provide a means for proving your identity on the Internet, much as a driver's license or other ID cards identify you.

Digital IDs let you sign your e-mail messages, so that the intended recipients can make sure that the message actually came from you and has not been tampered with. Also, a digital ID allows other people to send you encrypted messages.

For more information, see Outlook Express Help.

Getting a Digital ID

You obtain your digital ID from a certifying authority, an organization responsible for issuing digital IDs and continuously verifying that digital IDs are still valid.

Using Your Digital ID

Before you can send signed e-mail messages, you must associate your digital ID with the e-mail account you want to use it with.

To associate your digital ID with an e-mail account
  1. In Outlook Express, click the Tools menu, and then click Accounts.

  2. Select the account you want to use your ID with, click Properties, and then click the Security tab.

  3. Select Use a digital ID when sending secure messages from.

  4. Click Digital ID, and then select the digital ID you want to associate with this account.

    Note Only the digital IDs with the same e-mail address as the e-mail address for the account will be shown. 

Backing Up Your Digital ID

Part of your digital ID is an irreplaceable private key stored on your computer. If the private key is lost, you will no longer be able to send signed e-mail messages or read encrypted e-mail messages with that digital ID. You are strongly encouraged to make a backup of your digital ID in case the files containing it are damaged or made otherwise unreadable.

To back up your digital ID
  1. In Internet Explorer, click the View menu, and then click Internet Options.

  2. Click the Content tab, and then click Edit Profile

  3. Click the Digital IDs tab.

  4. The Import and Export buttons let you manage your digital IDs. Use Export to back up your digital ID. 

Sending Secure E-mail Messages

Now that you have a digital ID, you can send secure e-mail messages. Secure e-mail messages in Outlook Express protects your Internet communications through both digital signatures and encryption. Using digital signatures, you can sign your e-mail message with a unique ID that assures the person receiving the message that you are the true sender of the message and that it was not tampered with in transit. Encrypting e-mail messages that you send can ensure that no one except the intended recipient can read the contents of the message while it is in transit.

Because Outlook Express uses the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard, other people can read secure e-mail messages that you compose, using programs that support this technology. Likewise, you can read messages composed by other people by using e-mail programs that support S/MIME technology.

Sending and Receiving Signed E-mail Messages

Signed e-mail messages let recipients verify your identity. To send signed e-mail messages, you must have a digital ID of your own.

To digitally sign an e-mail message
  1. In Outlook Express, click the Tools menu. 

  2. Click Options, and then click the Security tab. 

  3. Select Digitally sign all outgoing messages.

    – Or – 

    Use the Digitally sign message button on the message toolbar. 

Signed e-mail messages from others lets you verify the authenticity of a message — that the message is from the supposed sender and the message has not been tampered with during transit. Signed e-mail messages are designated with special signed e-mail icons. Any problems with signed e-mail messages that you receive (described in Outlook Express security warnings) could indicate that the message has been tampered with or was not from the supposed sender.

Sending and Receiving Encrypted E-mail Messages

Encrypting an e-mail message prevents other people from reading it when it is in transit. To encrypt an e-mail message, you need the digital ID of the person you are sending the e-mail message to. The digital ID must be part of the person's entry in the Address Book.

To send encrypted e-mail messages
  1. In Outlook Express, click the Tools menu. 

  2. Click Options, and then click the Security tab. 

  3. Select Encrypt contents and attachments for all outgoing messages.

    – Or – 

    Use the Encrypt message button on the message toolbar. 

When you receive an encrypted e-mail message, you can be reasonably confident that the message has not been read by anyone else. Outlook Express automatically decrypts e-mail messages, provided that you have the correct digital ID installed on your computer.

Sending and Receiving Digital IDs

For others to be able to send you encrypted e-mail messages, they need your digital ID. To send it to them, simply send them a digitally signed e-mail message, and Outlook Express will automatically include your digital ID.

To send others encrypted e-mail messages, you need their digital ID. Outlook Express lets you retrieve digital IDs via directory services.

To find a digital ID
  1. In Outlook Express, click the Edit menu, and then click Find People.

  2. Select a directory service that supports digital IDs (for example, the VeriSign directory service). 

  3. Enter the recipient's name or e-mail address in the appropriate search field, and then click Find Now.

  4. Select a listing from the results pane, and then click Add to Address Book.

Changing Trust Status on Digital IDs

When you add someone's digital ID to your Address Book, it has a trust status associated with it that indicates whether you trust the individual, group, or corporation to whom the digital ID was issued. If a digital ID owner warns you that he or she suspects that the digital ID's private key has been compromised, you may want to change the trust status to "Explicitly Distrust."

To change the trust status of a digital ID
  1. In the Address Book, double-click the name of the contact. 

  2. Click the Digital IDs tab, select the digital ID whose trust level you want to change, and then click Properties

  3. Click the Trust tab, and then select an option in the Edit Trust area. 

For more information, see Outlook Express Help.

Firewalls

Cc768179.spacer(en-us,TechNet.10).gifCc768179.spacer(en-us,TechNet.10).gif

An Internet firewall lets you take advantage of the services offered on the Internet, while limiting exposure to attack. A firewall may consist of a collection of hardware and software components that collectively provide a protected channel between networks with differing security. Potential paths to the private network are limited by configuring the firewall to accept only packets from Internet Protocol (IP) addresses and/or ports of the Transmission Control Protocol/Internet Protocol (TCP/IP) that have been designated by the system administrator.

For more information, see Chapter 20, "Internet Access and Tools."

Understanding Proxy Servers

The most critical component of your firewall is your proxy server. A proxy server listens to the computers on your internal network. When a client application makes a request, a proxy server responds by translating the request and passing it to the Internet. When a computer on the Internet responds, the proxy server passes that response back to the client application on the computer that made the request.

Proxy servers make a firewall safely permeable to users behind the secured entrance, while closing entryways in the private network to potential attacks. The proxy server must act as both a server and client. It serves proxy clients when accepting approved requests for external servers, and requests services from those servers on behalf of its clients. Proxy servers are commonly used by administrators of corporate networks connected to the Internet and by Internet Service Providers (ISPs).

Microsoft Proxy Server provides an easy, secure, and cost-effective way to bring Internet access to every desktop in an organization. Microsoft Proxy Server routes requests and responses between the Internet and client computers, acting as a liaison between them. In addition to routing requests, Microsoft Proxy Server provides a cache of frequently requested Internet sites, blocks access to specified sites, and provides secure access between your internal network and the Internet. It also offers firewall features.

Configuring Proxy Servers

Access to Web sites secured by Windows NT Challenge and Response requires that firewalls and proxy servers be configured to permit passage of Windows NT Challenge and Response.

If you want to use a proxy server or firewall to protect your local area network (LAN) from being accessed by others on the Internet, carry out the following steps, which set up your computer to gain access to the Internet through a firewall.

To set up a LAN proxy server or firewall
  1. Run the Internet Connection Wizard. 

    Click Start, point to Programs, point to Internet Explorer, and then click Connection Wizard.

  2. Configure your computer to connect to the Internet by using TCP/IP on your LAN. 

  3. When you are prompted for the gateway address, type an address only if your organization uses gateways for routing information over the network. 

    Note The gateway computer is not the same as the proxy server or firewall computer that protects your LAN from the Internet, so do not type your proxy server or firewall address here. 

  4. In Control Panel, double-click Internet, and then click the Connection tab.

  5. In the Proxy server area, select the Access the Internet using a proxy server check box.

  6. Click Advanced.

  7. In the first text box, type the Hypertext Transfer Protocol (HTTP) server address for the computer you want to use as the proxy server. In the second text box, type the port number. An example of a proxy server and port number is http://myproxy.mycompany.com:80

    In this example, you would type http://myproxy.mycompany.com in the first text box, and 80 in the second text box. 

    You can use a different proxy for different types of addresses. However, if you want to use the same proxy for all types of addresses, make sure you select the Use the same proxy server for all protocols check box.

  8. In the Exceptions area, click the text box, and then type the names of the computers, domains, and ports on the Internet that, when accessed, will not go through the proxy server. Separate each item you type with a semicolon (;). Local addresses are defined as those in which the server name does not have a period (.) in it.

    For example:

    • http://internalweb/ is a local address. 

    • http://www.microsoft.com/ is not a local address. 

    For Help on these items, click the ? in the title bar, and then click the item.

  9. When you have finished changing settings, click OK.

  10. Click OK to close the Internet properties in Control Panel. 

If you are running Internet Explorer, restart your computer so that the new proxy settings can take effect.

Note If you are setting up Internet Explorer with a SOCKS proxy server, you must set it up separately from other proxy information (for example, HTTP, FTP, or Gopher). In most cases, this means that all other proxy fields should be left blank and the SOCKS field should contain the address of your SOCKS proxy server. The only exception is when you are using a SOCKS proxy server and a different proxy (for example, HTTP) on the same connection.

For more information about proxy servers and firewalls, see Microsoft Proxy Servers Installation and Administration Guide.

Distributed Component Object Model

Cc768179.spacer(en-us,TechNet.10).gifCc768179.spacer(en-us,TechNet.10).gif

The Component Object Model (COM) defines how components and their clients interact. The Distributed Component Object Model (DCOM) extends the COM infrastructure that underlies ActiveX, transparently and naturally adding support for reliable, secure, and efficient communication between ActiveX controls, scripts, and Java applets residing on different machines on a LAN, a wide area network (WAN), or the Internet. With DCOM, applications can be distributed across locations that make the most sense to your customer and to the application.

Because DCOM is a seamless evolution of COM, you can leverage your existing investment in all ActiveX applications, components, tools, and knowledge to move into standards-based distributed computing. As you do so, DCOM handles the low-level details of network protocols. DCOM enables component applications to operate across the Internet, because it works natively with such Internet technologies as TCP/IP and Java. It provides the "object glue" that allows business applications to work across the Web.

Figure 9.2 shows the overall DCOM architecture. The COM run-time provides object-oriented services to clients and components and uses the remote procedure call (RPC) and the security provider to generate standard network packets that conform to the DCOM wire protocol standard. COM provides sophisticated mechanisms for the marshaling and unmarshaling of method parameters that build on the RPC infrastructure defined as part of the distributed computing environment (DCE) standard. DCE RPC defines a standard data representation for all relevant data types, the Network Data Representation (NDR).

Cc768179.wrk0n09(en-us,TechNet.10).gif

Figure 9.2 Overall DCOM architecture 

A distributed application consists of multiple processes that cooperate to accomplish a single task. A distributed application can accommodate different clients with different capabilities by running components on the client side when possible and running them on the server side when necessary. A distributed application is also much more scalable than its monolithic counterparts, and easier to administer and deploy.

Designing a distributed application poses several challenges to the developer. One of the most difficult design issues is security: Who can access which objects? Which operations is an object allowed to perform? How can administrators manage secure access to objects? How secure does the content of a message need to be as it travels over the network?

Mechanisms to deal with security-related design issues have been built into DCOM from the ground up. DCOM provides an extensible and customizable security framework upon which developers can build when designing applications.

Different platforms use different security providers, and many platforms even support multiple security providers for different usage scenarios or for interoperability with other platforms. DCOM and RPC are built in such a way that they can simultaneously accommodate multiple security providers.

Common to all these security providers is their providing a means of identifying a security principal (typically a user account), a means of authenticating a security principal (typically through a password or private key), and a central authority that manages security principals and their keys. If a client wants to access a secured resource, it passes its security identity and some form of authenticating data to the resource, and then the resource asks the security provider to authenticate the client. Security providers typically use low-level custom protocols to interact with clients and protected resources.

Configuring Applications to Use DCOM

The DCOM Configuration tool can be used to configure 32-bit COM and DCOM applications.

To run the DCOM Configuration tool
  • Click Start, click Run, and then type dcomcnfg.

Note Before you can use an application with DCOM, you must use DCOM Configuration to set application properties, such as security and location.

Distributed Applications for the Internet or an Intranet

You can use DCOM to integrate client/server applications across multiple computers. DCOM provides the infrastructure that enables client/server applications to share components over the Internet or intranet.

To set default permissions for all DCOM applications
  1. Run dcomcnfg to open the DCOM Configuration tool. 

  2. Click the Default Security tab.

  3. Click Edit Default for Default Access Permissions.

  4. If necessary, click Add to add other user accounts to the Name box.

To set permissions for a DCOM application
  1. Run dcomcnfg to open the DCOM Configuration tool. 

  2. Click the application you want to configure, and then click Properties.

  3. Click the Security tab.

  4. Select Use Custom Access Permissions for launch, access, or configuration, and then click Edit.

  5. If necessary, click Add to add other user or group accounts to the Name box.

To grant permissions that apply to all applications
  1. Run dcomcnfg to open the DCOM Configuration tool. 

  2. Click the Default Security tab.

To set the location of a DCOM application
  1. Run dcomcnfg to open the DCOM Configuration tool. 

  2. Click the application you want to configure, and then click Properties.

  3. Click the Location tab, and specify the location of the application.

Troubleshooting Security

Cc768179.spacer(en-us,TechNet.10).gifCc768179.spacer(en-us,TechNet.10).gif

To make it easy for customers to contact Microsoft with any potential security issues, an e-mail address has been created: secure@microsoft.com. Please use this address to report security issues with a Microsoft product. Microsoft product teams respond to security issues you bring to their attention.

No Windows or Network logon dialog box appears at startup. 

When you start Windows 98, you might not receive a Windows or a Network logon dialog box, or you might receive one of the following error messages:

No network provider accepted the given network path.

The operation being requested was not performed because the user has not logged on to the network. The specified service does not exist.

Another symptom of this problem is the absence of the Change Passwords tab in the Passwords Properties dialog box.

This problem occurs if any of the following conditions are true:

  • The primary network logon field is not set correctly. 

  • The following entry appears in the HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \Network \Real Mode Net registry key: 

    AutoLogon=<x>
    

    where <x> is a number. 

  • You are logging on to a Novell NetWare network, and the server you log on to is running multiple frame types. 

  • You are logging on to a Microsoft or NetWare network, and you have cached your network password. 

  • The network adapter is improperly configured. 

Find Fast does not index password-protected files. 

Because password-protected files are encrypted, they cannot be indexed. Find Fast does not index password-protected documents because they are not searchable files. Any references to file properties or content will not be addressed in the index. The behavior of Find Fast is, by design, to uphold the security and protection of your documents.

File and Printer Sharing for Microsoft Networks is unavailable. 

When you use the right mouse button to click a drive, folder, or printer, there may be no Sharing command on the menu that appears even though File and Printer Sharing for Microsoft Networks is installed. The cause may be that Nwserver.vxd is loading even though File and Printer Sharing for NetWare Networks is not installed in network properties. If this service is installed and you do not use NetWare networks, you need to remove the Microsoft Client for NetWare Networks by clicking Network in Control Panel, clicking Client for NetWare Networks, and then clicking Remove. Click OK, and then restart your computer when you are prompted.

The user list with user-level security is incomplete. 

Your Windows 98 system is configured for user-level security with a Windows NT system as the security provider, but when you try to add a user in a shared folder's properties, you may not see a full list of users. Or some users on the network who do not have an account in the user list from the security provider may be able to gain access to your shared Windows 98 computer.

This problem can occur when the security provider is a Windows NT Workstation that is a member of a Windows NT domain. The user list in the Add Users dialog box is the list of local user accounts defined on the Windows NT Workstation, but access to the Windows 98 computer is controlled by the accounts in the Windows NT domain.

Use the list of user and group accounts from the Windows NT domain. To do so, specify the name of the domain instead of the Windows NT Workstation on the Access Control tab of the Network option in Control Panel.

The selected security provider cannot be found. 

When you select user-level security and enter the name of a server to use as a security provider, you may receive the following error message:

Window could not find the specified security provider on the network. Do you wish to use the name you typed anyway?

This error message can occur for any of the following reasons:

  • You specified an incorrect server name. 

  • The server type does not match the services selected for file and printer sharing. For example, you specified a NetWare server but File and Printer Sharing for Microsoft Networks is installed. 

  • The server is not operational. 

  • The network has not been started. 

  • You are not logged on to the Microsoft LAN Manager or the Windows NT domain. 

To resolve this problem

  1. Verify that the server name you entered is correct. 

  2. Verify that the server type you specified matches the network services you are running. For example, if you are running File and Printer Sharing for NetWare Networks, make sure to specify a NetWare server. 

  3. Verify that the server is operational. 

  4. After you verify the previous items, if the network has not been started, restart the computer. 

No logon servers are available. 

When you attempt to connect to a share on a Windows 98 computer that is using a Microsoft Windows NT domain to provide user-level security, you may receive the following error message:

There are currently no logon servers available to service the logon request.

This problem may occur regardless of which users have been given access to the share you are connecting to and which access rights each user has been given. It does not occur when the Windows 98 computer you are connecting to is configured for share-level security.

This problem can occur when your user account is configured so that you can log on only to certain computers in the domain. If your user account is configured in this manner and the Windows 98 computer you are attempting to connect to is not one of the specified computers, you are unable to connect to resources on that computer.

To work around the problem, configure the Windows 98 computer you are attempting to connect to for share-level security.

To configure Windows 98 for share-level security

  1. In Control Panel, double-click Network, and then click the Access Control tab.

  2. Click Share-level access control, and then click OK.

  3. Restart the computer when prompted. 

Note After you change the type of access control a computer is using, any resources that were shared on that computer are no longer shared. You must share resources again to allow other people access to them.

Additional Resources 

For more information about

See this resource

Windows NT

Microsoft Windows NT Server Networking Guide in the Microsoft Windows NT Server Resource Kit (for Microsoft Windows NT Server version 4.0)
Microsoft Windows NT Server 4.0 Concepts and Planning Guide

Internet security

Microsoft Internet Explorer Administration Kit

Proxy servers 

Microsoft Proxy Servers Installation and Administrator's Guide

 

http://www.microsoft.com/security/ 

Cc768179.spacer(en-us,TechNet.10).gif

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft