Securing Remote Clients and Portable Computers

On This Page

Introduction
Protecting and Encrypting Your Data
Backing Up Your Files
Creating Strong Passwords
Installing Up-to-Date Antivirus Software
Getting Computer Updates
Using an Internet Firewall
Providing Security for Wireless Networks
Using VPN Connections
Related Information

Introduction

With the rising popularity of DSL and cable modems that are always connected to the Internet, home computer systems and portable computers that connect from remote locations to the Internet, or to other networks across the Internet, are increasingly exposed to external attack. The growing threat of malicious code — such as worms and viruses — and attempts by others to illegally gain access to your computers make it more important than ever for you to ensure that your desktop and portable computers are as secure as possible.

This document provides a guide to security measures that you can use to help secure your home and portable computers that make remote connections to a corporate network. It also includes pointers to related documents that provide detailed instructions to help secure computers outside of a corporate network. Although many of the recommendations in this document can also help protect client computers on a corporate network, they are intended for computers connecting from outside a protected corporate intranet, especially portable computers.

The element that makes portable computers advantageous — their combination of small size and ease of mobility — also makes them easy to steal. And a portable computer is stolen not just for the computer itself, but for the information it contains. More importantly, portable computers are frequently removed from the protective borders of a corporate network and connected to other networks, such as wireless fidelity (Wi-Fi) hotspot providers or Internet cafes. When portable computers are connected to other networks that use security technologies with known security issues — or no security at all — they can be subject to malicious attacks or infected by other computers on the unprotected network. This is also true of home and small office networks. Configuring portable computers in a "secure" manner is not enough. Users who move portable computers on and off the corporate network must be careful to ensure they do not connect to networks that fail to provide the security levels required by corporate standards.

The purpose of this document is to introduce several methods that can help protect computers running the Microsoft Windows XP Professional operating system. However, much of the information also applies to other Windows operating systems.

Protecting and Encrypting Your Data

Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Windows XP Professional, and Microsoft Windows Server™ 2003 operating systems include two technologies that provide performance, security, reliability, and advanced features not found in any version of the FAT file system: the NTFS file system and Encrypting File System (EFS). NTFS is one method of formatting a hard disk. EFS is an encryption technology that works with files that are stored on NTFS hard disks.

NTFS

Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, and Windows Server 2003 all provide the ability to format the hard disk as well as folders and their contents by using the NTFS file system. NTFS is a more advanced file system than either FAT or FAT32. NTFS guarantees volume consistency using standard transaction logging and recovery techniques. If a system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system. NTFS also provides advanced features, such as file and folder permissions and compression. The versions of NTFS in these operating systems also support EFS, which can be used to encrypt individual and multiple files.

  • Note: An attacker with physical access to a hard drive formatted with NTFS can bypass the NTFS permissions, but defeating the EFS encryption will be much more difficult. NTFS provides no protection against physical attacks, but EFS can provide some protection, if properly configured.

To use NTFS to help protect your data, it is recommended that you run Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, or Windows Server 2003 on your computer. Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Millennium Edition operating systems use the FAT or FAT32 file systems. FAT and FAT32 do not support file-level security, so anyone who gains access to your computer can access your entire system. If your Windows 2000, Windows Server 2003 or Windows XP operating system has not been formatted using NTFS, it is recommended that you convert from FAT to NTFS using the procedure outlined in "How to Convert FAT Disks to NTFS" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=22806.

  • Note: Some older programs may not run on an NTFS volume, so you should research the current requirements for your software before converting.

EFS

Encryption is the process of encoding data to prevent unauthorized access. EFS is a Microsoft technology that is included with Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, and Windows Server 2003 operating systems. EFS uses symmetric key encryption and public key infrastructure technology. With EFS, you can encrypt files and folders that are stored on NTFS volumes. In the event of computer theft, EFS helps prevent anyone from accessing your files by physically mounting the hard drive on another computer and taking ownership of files.

  • Note: Enable encryption on folders, not just files, so that all of the files in your folders will be encrypted.

For detailed information about protecting data on computers running Windows XP Professional, see "Protecting Data by Using EFS to Encrypt Hard Drives" in the Security Guidance Kit.

Backing Up Your Files

Backing up files helps you protect your information from accidental erasure or damage resulting from a power surge, hardware failure, or malicious users. Making sure you back up your files regularly is an inexpensive, proactive method for protecting your valuable data. For information about how to back up and recover data using Backup, see "HOW TO: Use Backup to Back Up Files and Folders on Your Computer in Windows XP" on the TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22755.

Creating Strong Passwords

One of the easiest ways to prevent unauthorized access to information on a computer is to create and use strong passwords. Strong passwords are important because password-guessing tools continue to improve and the computers that are used for this purpose are more powerful than ever. Using strong passwords on computers in a home or small office network, as well as on individual computers that are not part of a network, can help prevent unauthorized access to your information.

For detailed information about establishing strong passwords, see "Enforcing Strong Password Usage Throughout Your Organization" in the Security Guidance Kit.

Installing Up-to-Date Antivirus Software

Viruses are commonly transmitted through e-mail and Internet sites. Worms and viruses can cause your computer to lose data, perform poorly or erratically, or cease working altogether. They can also provide unauthorized access to your computer or allow your computer to be used in an attack against other computers. If you do not already have antivirus software installed on your computer, there are many good products on the market today. Microsoft partner companies also offer some free solutions on the Protect your PC Web site at https://go.microsoft.com/fwlink/?LinkId=22645.

You should consider installing antivirus software on each of your computers and schedule the antivirus program to scan all files on the computer at least weekly. Because new viruses surface periodically, updating the virus signatures for your antivirus software regularly helps keep your computers free from infection. If an infection is found, the antivirus software can repair or quarantine specific files.

Getting Computer Updates

Performing regular software updates to your operating system and other software helps reduce the risk of unauthorized access to your network. A regular maintenance schedule is often the most effective means of applying updates.

One efficient method for ensuring that your computer has the most recent updates is to configure your computer to automatically update its software from the Internet or a centralized update server, such as the Automatic Update utility in Windows XP. Other methods include making frequent visits to the Microsoft Windows Updates Web site at https://go.microsoft.com/fwlink/?linkid=3326 and manually installing updates.

For step-by-step instructions for enabling Automatic Updates, see "Deploying Patches with Windows Update and Automatic Updates" in the Security Guidance Kit and the Protect your PC Web site at https://go.microsoft.com/fwlink/?LinkId=22645.

Using an Internet Firewall

Computers on corporate networks are protected by firewalls that help prevent intruders from gaining access to their systems through the company's Internet connection. Once a portable computer leaves the security of the corporate network structure and connects to the Internet, both its data and its connection to the Internet or corporate network are vulnerable to attack. Home computers that connect to the Internet or a corporate network are also vulnerable.

If you use a computer to connect to the Internet or a corporate network from any remote location, you should use a firewall. Although you are likely to find information to the contrary, it is recommended that Internet Connection Firewall (ICF) be enabled on every connection that appears in the Network Connections folder that does not already have a firewall enabled. Windows XP Professional includes ICF software, which you can use to restrict the information that is communicated between the Internet and your home network. ICF is free and should be used as the first line of defense against computer viruses and potentially harmful content on the Internet. ICF does not protect against all forms of attack; e-mail and malicious Web sites may be able to circumvent your firewall.

  • Note: ICF is configured on a per-connection basis. For example, if you use a dial-up modem to connect your computer to the Internet some of the time and you use a DSL modem to connect your computer to the Internet at other times, you need to configure ICF separately for each connection.

For detailed information about protecting connections on computers running Windows XP Professional, see "Protecting Clients From Network Attacks" in the Security Guidance Kit.
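The NTFS/EFS, antivirus, Automatic Updates and firewall recommendations above amount to a checklist that can be verified rather than assumed. The following read-only posture check is an added example, not code from the original article; it assumes a modern Windows client (Windows 8 or later with PowerShell 5), an elevated session, and a user-supplied folder path in $FolderToCheck. The productState bit test for antivirus is a commonly used interpretation, not a documented Microsoft contract.

```powershell
# Added example (not from the original article): read-only posture check for the
# recommendations in this article. Assumes Windows 8+/PowerShell 5, run as Administrator.
# $FolderToCheck is an assumed, user-supplied path.
param([string]$FolderToCheck = "$env:USERPROFILE\Documents")

$findings = @()

# 1. File system: file/folder permissions and EFS require NTFS, not FAT or FAT32.
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter "DriveType=3") {
    if ($disk.FileSystem -ne 'NTFS') {
        $findings += "Volume $($disk.DeviceID) is $($disk.FileSystem); convert it to NTFS."
    }
}

# 2. EFS: the article recommends encrypting folders, not just files, so that new files
#    inherit encryption. Check the folder's own Encrypted attribute.
$attrs = (Get-Item -LiteralPath $FolderToCheck -Force).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
    $findings += "$FolderToCheck is not EFS-encrypted (cipher /e /s:`"$FolderToCheck`" enables it)."
}

# 3. Host firewall: every profile (Domain, Private, Public) must be enabled, which is the
#    modern equivalent of enabling ICF on every connection.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled." }
}

# 4. Automatic Updates: AUOptions 4 = download and install automatically. The non-policy
#    key is checked here; a missing value is treated as a finding (assumption).
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
if ($null -eq $au -or $au.AUOptions -ne 4) {
    $findings += "Automatic Updates is not set to install automatically (AUOptions=$($au.AUOptions))."
}

# 5. Antivirus: Security Center lists registered products. Bit 0x1000 of productState is
#    commonly interpreted as "real-time protection on" (undocumented; assumption).
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
if (-not $av) { $findings += "No antivirus product is registered with Security Center." }
foreach ($product in $av) {
    if (-not ($product.productState -band 0x1000)) {
        $findings += "$($product.displayName): real-time protection is off."
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All checks passed.' }
```

Each finding maps back to one section of this article, so the warnings double as a remediation list for a portable computer before it leaves the corporate network.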

Providing Security for Wireless Networks

In the past few years, there has been a significant increase in the deployment of 802.11 wireless networks. This increase can largely be attributed to the Wireless Fidelity standard, which makes the deployment of wireless networks simple for corporations and home users alike. 802.11 wireless products that are Wi-Fi-certified are designed to be interoperable; any Wi-Fi-certified wireless adapter should work with any Wi-Fi-certified access point.

Security problems arise when wireless security technologies with known security issues are deployed, or when Wi-Fi access points are deployed without enabling any type of wireless security. Care must be taken to ensure that users do not connect to networks that provide security levels that fail to meet required corporate standards. Many people think that 802.11b wireless signals can travel only as far as can be detected by the antennas in their laptop computers. They assume the network is safe because they believe it has a limited broadcasting range. The reality is that 802.11b signals can be detected at substantially greater distances by anyone who has a Wi-Fi-enabled computer with a long-range antenna.

The interoperability of various Wi-Fi devices has greatly simplified the deployment of wireless networks. If you have not enabled and configured some form of wireless security, it can be relatively easy for someone with a wireless computer to gain access to your 802.11b wireless network or to gather information that is sent between your wireless-enabled computers and the access point.

To help provide security for a home or small office network that uses 802.11b wireless components, follow the steps in "Configuring Windows XP IEEE 802.11b Wireless Networks for the Home and Small Business" on the TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22647.

Using VPN Connections

A virtual private network (VPN) is a secure, virtual connection between two or more computers that traverses another network. VPNs combine digital certificates, encryption, user authentication, and computer authentication to ensure that the communications between the systems remain secret and that data is not modified. A VPN connection can connect your computer to a remote network to make it seem as if you are directly connected to that network. For example, remote users can connect to the corporate network to check their e-mail or do other work. If your corporate network provides VPN for remote computers, following the recommendations in "Securing Remote Access" in the Security Guidance Kit will help protect your computer and network.

  • Note: If you use Internet Connection Sharing (ICS) to allow several home computers to share an Internet connection, do not launch either dial-up or VPN connections to the corporate network from the ICS host computer. Doing so will route all of the traffic generated by your home ICS network to the corporate network. For most businesses, this is a violation of corporate security policy. By contrast, it is generally acceptable to launch VPN or dial-up connections from a computer that is a client of an ICS network, because the network address translation (NAT) performed by ICS provides some additional security. Consulting with your authorized IT personnel and legal counsel on effective computer access policies can often reduce the risks associated with VPNs.
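The ICS caveat above is easy to violate by accident, because the ICS host looks like any other computer to the user who starts the VPN. The following check is an added example, not code from the original article; it assumes Windows 8 or later, where ICS is still exposed through the HNetCfg.HNetShare COM interface and VPN profiles through Get-VpnConnection, and it only reports the condition, it does not change any connection.

```powershell
# Added example (not from the original article): detect the "VPN launched from an ICS host"
# condition described in the note above. Assumes Windows 8+ and an elevated session.
function Test-IcsHostWithVpn {
    # Enumerate every network connection and keep those with sharing enabled (ICS host).
    $mgr = New-Object -ComObject HNetCfg.HNetShare
    $sharedConnections = foreach ($conn in $mgr.EnumEveryConnection) {
        $cfg = $mgr.INetSharingConfigurationForINetConnection($conn)
        if ($cfg.SharingEnabled) { $mgr.NetConnectionProps($conn).Name }
    }

    # Any VPN profile currently in the Connected state on this computer.
    $activeVpn = Get-VpnConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.ConnectionStatus -eq 'Connected' } |
        Select-Object -ExpandProperty Name

    # The risky combination is: this computer shares its Internet connection (ICS host)
    # AND has a VPN up, so all ICS clients' traffic now flows into the corporate network.
    [pscustomobject]@{
        IsIcsHost   = [bool]$sharedConnections
        SharedOn    = @($sharedConnections)
        ActiveVpn   = @($activeVpn)
        PolicyRisk  = [bool]$sharedConnections -and [bool]$activeVpn
    }
}

$result = Test-IcsHostWithVpn
if ($result.PolicyRisk) {
    Write-Warning ("This computer is an ICS host ({0}) with an active VPN ({1}); " +
        "disconnect the VPN here and start it from an ICS client instead.") -f `
        ($result.SharedOn -join ', '), ($result.ActiveVpn -join ', ')
} else {
    Write-Output "No ICS-host-plus-VPN condition detected."
}
```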

For more information about firewalls, computer updates, and antivirus software, see the following: