Securing Remote Clients and Portable Computers
On This Page
Before You Begin
Service Packs and Hotfixes
Viruses and Worms
Adware and Spyware
Protecting Your Files
Wireless Network Security
This document describes security features that can help protect mobile and remote computers running the Microsoft® Windows® XP Professional operating system.
Computer users can connect to the Internet from a variety of locations around the world, such as hotels and private residences, over traditional network cables or wireless networks. Many airports, coffee shops, and even entire metropolitan areas offer wireless service. A mobile computer user can connect to the Internet, browse less-than-friendly Web sites, and then connect to the organization's network by using a virtual private network (VPN). Malicious code (including viruses, worms, and Trojan horses) is therefore a very real threat. Not only are laptops at risk: any infected or compromised computer can become the source of an infection that spreads to other computers on a small business network.
Precautions must be taken to reduce the risks presented by remote and portable computers. Some of these precautions, or security features, are the same ones you would, or should, enable on workstations, but mobile users have more threats to consider, including the very real threat of laptop loss, damage, and theft.
This document provides information about security features that a small business can use to reduce the risks facing their mobile and remote computer users. It also includes pointers to related documents that provide detailed instructions to help secure these computers.
Objective of this Document
This document is intended to familiarize you with the described tools and features for securing your remote client and portable computers. After reading it you will also be able to verify the level of security being provided.
Before You Begin
You should review the following information before you apply any of the recommendations in this document.
Throughout this document it is often required that a privileged account be used to perform tasks. The account must be a member of the local Administrators group on the workstation. Only an account with this level of permission on the workstation can grant another account membership in the local Administrators group. Less privileged accounts will receive "Access Denied" notices. Use the privileged account only for these tasks; day-to-day work, especially while connected to untrusted networks, should be done from a limited user account.
Windows Live OneCare
Windows Live OneCare provides security features for protecting client computers from network attacks. Each of these features has its own component within Control Panel. Windows Security Center consolidated several of these functions but still relied on some third-party software.
The Windows OneCare health meter provides a clear, continuous indication of your computer's overall level of protection and performance. If Windows OneCare detects anything that you can do to improve the health of your computer, the service will automatically show you what action to take and provide a one-click solution.
Windows OneCare Antivirus, Windows OneCare Firewall, Windows OneCare Backup, and Tune-up are always on and always monitoring. Each of these services is automatically configured to update itself and help keep your computer protected from the most recent threats. Microsoft recommends that Windows Live OneCare be installed and used to consolidate this family of tools into a single console or user interface.
Using Windows Defender in addition to Windows Live OneCare offers a good set of tools to manage the health and security of your computer.
For more information, see the Windows Live OneCare Web site at www.windowsonecare.com/.
No single security feature should be depended upon to protect your mobile and remote computers from attack. A layered approach tolerates the failure of one layer while the remaining layers still provide protection. Laptops are particularly vulnerable to theft and loss. This article describes security features that add layers of protection to all Windows XP Professional computers, as well as additional layers that help protect your files if a laptop is stolen for the information it contains.
Service Packs and Hotfixes
Windows Security Center provides an easy way to manage security updates for Windows and for other Microsoft applications, such as Microsoft Office.
Complete the following steps to configure Security Center to automatically download and install updates as needed. Doing so will allow you to manage security hotfixes without the overhead of applying them manually.
Click Start, and then Control Panel.
In Control Panel, click Security Center (shown in the following screen shot).
Click Automatic Updates (shown in the following screen shot).
Select Automatic (Recommended) (shown in the following screen shot) and specify a recurring schedule to have the automatic updates downloaded and installed. Ensure you schedule a time when the computer is running.
After you specify a schedule, click OK.
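The same setting can be audited and applied from a script, which is useful when several laptops have to be checked. The following PowerShell is an added example and not part of the original article: it uses the Windows Update Agent's Microsoft.Update.AutoUpdate COM object (shipped with Windows XP SP2), and the daily 12:00 schedule is an assumption; pick an hour at which the laptop is normally running.

```powershell
# Added example (not from the original article): audit and, if needed, set Automatic
# Updates to "Automatic (Recommended)" with a daily install schedule through the
# Windows Update Agent automation interface. Run as a member of the local
# Administrators group; Save() fails with "Access denied" otherwise.

$au       = New-Object -ComObject Microsoft.Update.AutoUpdate
$settings = $au.Settings

# NotificationLevel values (IAutomaticUpdatesSettings):
#   0 = not configured, 1 = disabled, 2 = notify before download,
#   3 = notify before install, 4 = scheduled installation ("Automatic (Recommended)")
$levelNames = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
                 3 = 'Notify before install'; 4 = 'Scheduled installation' }

Write-Host ("Current level : {0} ({1})" -f $settings.NotificationLevel, $levelNames[[int]$settings.NotificationLevel])
Write-Host ("Schedule      : day {0} at {1}:00" -f $settings.ScheduledInstallationDay, $settings.ScheduledInstallationTime)
Write-Host ("Policy-managed: {0}" -f $settings.ReadOnly)   # $true when Group Policy owns the setting

if ($settings.ReadOnly) {
    Write-Warning 'Automatic Updates is controlled by Group Policy; change the policy instead of the local setting.'
}
elseif ($settings.NotificationLevel -ne 4) {
    $settings.NotificationLevel        = 4
    $settings.ScheduledInstallationDay = 0    # 0 = every day, 1 = Sunday ... 7 = Saturday
    $settings.ScheduledInstallationTime = 12  # hour of day, 0-23 (assumed value)
    $settings.Save()
    Write-Host 'Automatic Updates set to scheduled installation, every day at 12:00.'
}

# The Automatic Updates service (wuauserv) must be running and set to start automatically.
Get-WmiObject Win32_Service -Filter "Name='wuauserv'" | Format-List Name, State, StartMode

# Ask the agent to check for updates now rather than waiting for its next detection cycle.
$au.DetectNow()
```

If the laptop is usually off at the scheduled hour, the scheduled installation is simply missed until the next scheduled time, so the audit above is worth repeating after a period of travel.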
Viruses and Worms
Computer viruses are software programs deliberately designed to interfere with computer operation. They can record, corrupt, or delete data and spread themselves to other computers and throughout the Internet, often slowing things down and causing other problems in the process.
Just as human viruses range in severity from the 24-hour flu to the Ebola virus, computer viruses range from the mildly annoying to the downright destructive. They also continue to evolve and take on new and different forms. The good news is that with an ounce of prevention and a little knowledge, you can significantly reduce your exposure and diminish their impact.
You can help protect the data and applications on your computer by using antivirus software and keeping it current. There are many antivirus programs that can be installed to help protect Windows users from viruses. Ensure that the system requirements for such a program are met before installation. When considering which antivirus program to purchase, choose one that has the following features:
A real-time service that monitors and prevents virus attacks.
Automatic updates to keep virus signatures current.
On-demand and scheduled scanning and cleaning.
You can access a list of Microsoft antivirus partners at http://www.windowsmarketplace.com/category.aspx?bcatid=326&tabid=2.
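Whether the installed product actually meets the first two requirements (real-time scanning and current signatures) can be checked from the same data Windows Security Center displays. The following PowerShell is an added example, not part of the original article; it relies on the Windows XP SP2 WMI namespace root\SecurityCenter, in which each registered antivirus product publishes an AntiVirusProduct instance.

```powershell
# Added example (not from the original article): report what Windows Security Center
# knows about the installed antivirus product(s) on Windows XP SP2. The two booleans
# correspond to the "real-time service" and "automatic updates" requirements.

function Get-AntivirusStatus {
    $products = @(Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    if ($products.Count -eq 0) {
        Write-Warning 'No antivirus product is registered with Windows Security Center.'
        return $false
    }
    $allGood = $true
    foreach ($p in $products) {
        $realTime = [bool]$p.onAccessScanningEnabled   # real-time (on-access) scanning switched on
        $current  = [bool]$p.productUptoDate           # signatures current, as reported by the product
        Write-Host ("{0} ({1}) version {2}: real-time={3} up-to-date={4}" -f `
            $p.displayName, $p.companyName, $p.versionNumber, $realTime, $current)
        if (-not ($realTime -and $current)) { $allGood = $false }
    }
    return $allGood
}

if (-not (Get-AntivirusStatus)) {
    Write-Warning 'Antivirus protection is missing, disabled, or out of date; fix this before connecting to an untrusted network.'
}
```

The values come from the antivirus product itself, so a product that does not integrate with Security Center will not appear here even if it is working; in that case verify it through the product's own console.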
Adware and Spyware
Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information. That does not mean all software that provides ads or tracks your online activities is bad. For example, you might sign up for a free music service, but "pay" for the service by agreeing to receive targeted ads. If you understand the terms and agree to them, you may have decided that it is a fair tradeoff. You might also agree to let the company track your online activities to determine which ads to show you.
Other kinds of unwanted software will make changes to your computer that can be annoying and can cause your computer to slow down or crash. These programs can change your Web browser's home page or search page, or add components to your browser that you do not need or want. They also make it very difficult for you to change your settings back to the way you originally had them. These types of unwanted programs are also often called spyware.
Windows Defender (Beta 2) is a security technology that helps protect Windows users from spyware and other potentially unwanted software. Known spyware on your PC can be detected and removed, which helps reduce the negative effects caused by spyware, including slow PC performance, annoying pop-up ads, unwanted changes to Internet settings, and unauthorized use of your private information. Continuous protection improves Internet browsing safety by guarding more than 50 ways spyware can enter your PC. Participants in the worldwide SpyNet™ community play a key role in determining which suspicious programs are classified as spyware. Microsoft researchers quickly develop methods to counteract these threats, and updates are automatically downloaded to your PC so you stay up-to-date.
You can download Windows Defender from www.microsoft.com/athome/security/spyware/software/default.mspx. The current version is a Beta 2 version. The file name is WindowsDefender.msi and is about 5.5MB in size. (The file name and size may change after the full release.)
Complete the following steps to install Windows Defender (Beta 2) when you download it.
When you download Windows Defender (Beta 2), the following dialog box will display. Click Run.
The following Welcome to the Installation Wizard for Windows Defender screen will display. Click Next.
The Windows Defender License Agreement will display (shown in the following screen shot). Review the terms of the agreement.
To continue installation, you need to select I accept the terms in the license agreement and then click Next.
On the Help protect Windows screen (shown in the following screen shot), select Use recommended settings. Click the Privacy Statement button if you wish. Then click Next.
On the Setup Type screen (shown in the following screen shot), select Complete and then click Next.
When the following Ready to Install Windows Defender screen displays, click the Install button to begin the installation.
After the installation process is complete, the following Windows Defender Installation Complete screen should display.
Ensure the Check for updated definitions and run a quick scan now option is selected, and then click Finish.
Note An Internet connection is required for this step.
When the following screen displays, click the Check for Updates button to obtain recent updates.
For more details and advanced features of Windows Defender (Beta 2), see the Windows Defender (Beta 2) Web site at www.microsoft.com/athome/security/spyware/software/default.mspx.
Many things can corrupt an operating system and its applications. Windows XP Professional can restore a mobile or remote client to a known-good restore point. These restore points are sometimes saved automatically by the operating system before certain events, such as the installation of a program or an update.
To learn more, see “How to ‘undo’ a big mistake in Windows” at www.microsoft.com/smallbusiness/resources/technology/business_software/how_to_
A firewall is a security system that acts as a protective boundary between a network and the outside world. Windows XP SP2 includes Windows Firewall, software that functions in much the same way for each individual client computer.
Windows Firewall comes installed on Windows XP Professional SP2 and is highly configurable. It is enabled by default and helps protect against network attacks. Windows Live OneCare also monitors Windows Firewall, giving you a single console to check the overall security status of your PC. The rest of this document will show you how to change Windows Firewall settings through the Windows Security Center, which is found within the Control Panel.
Note Windows Firewall is not intended to replace a network firewall. Windows networking traffic that is allowed through Windows Firewall (for example, when the File and Printer Sharing exception is enabled) still lets you communicate with other network computers, print, and access network shares. A network firewall is still recommended to protect the ports that these functions open.
For information about the Microsoft network firewall solution, see the Microsoft Internet Security and Acceleration Server page at www.microsoft.com/isaserver/default.mspx.
Configuring Windows Firewall General Settings
Windows Firewall general settings allow you to configure these options:
On (recommended). Windows Firewall blocks unsolicited incoming connections, except for the programs and services listed on the Exceptions tab. This is the default setting.
Don't allow exceptions. Windows Firewall blocks all unsolicited incoming connections, including those on the Exceptions tab. Use this setting when you connect to public networks in less secure locations, such as airports and hotels.
Off (not recommended). Turning off Windows Firewall will make your computer more vulnerable to damage from viruses, worms, or intruders.
To open the Windows Security Center, click Start, then click Control Panel. The following screen will display.
In the Pick a category section, click Security Center. The Windows Security Center screen will display, as shown in the following screen shot.
By default, Windows Firewall displays a notification dialog box whenever it blocks a program on your computer from accepting unsolicited incoming connections from the network (Windows Firewall in Windows XP SP2 filters incoming traffic only; it does not block outgoing connections). The dialog box looks similar to the one shown in the following screen shot:
The dialog box indicates which program has been blocked and allows you to choose whether to allow this program. The available options are:
Keep Blocking. Use this option so the program won't accept connections from the Internet or network without your permission.
Unblock. Use this option to place the program in the Windows Firewall exceptions list.
Ask me later. Use this option if you do not know whether to block or to unblock the program. This option keeps the program blocked for greater security. This message appears again the next time that this program is blocked.
To learn more about advanced features, see "Understanding Windows Firewall" at www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx.
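Before a laptop leaves the office it is worth checking the whole firewall configuration rather than only the General tab, in particular which exceptions are enabled and whether they are scoped to the local subnet or open to any address. The following PowerShell is an added example, not part of the original article; it reads the Windows XP SP2 firewall through its COM interface (HNetCfg.FwMgr, the INetFwMgr API) and prints findings a practitioner would want to resolve. Reading needs no special rights; the remediation lines at the end need a member of the local Administrators group.

```powershell
# Added example (not from the original article): audit the Windows XP SP2 firewall via
# HNetCfg.FwMgr and flag settings that are risky on a laptop used on untrusted networks.

$mgr       = New-Object -ComObject HNetCfg.FwMgr
$fwProfile = $mgr.LocalPolicy.CurrentProfile        # profile in effect right now
$profileNames = @{ 0 = 'Domain'; 1 = 'Standard (no domain)' }   # NET_FW_PROFILE_TYPE
$scopeNames   = @{ 0 = 'ANY address'; 1 = 'local subnet'; 2 = 'custom list' }   # NET_FW_SCOPE
$serviceNames = @{ 0 = 'File and Printer Sharing'; 1 = 'UPnP Framework'; 2 = 'Remote Desktop' }  # NET_FW_SERVICE_TYPE

Write-Host ("Active profile     : {0}" -f $profileNames[[int]$mgr.CurrentProfileType])
Write-Host ("Firewall enabled   : {0}" -f $fwProfile.FirewallEnabled)
Write-Host ("Exceptions refused : {0}" -f $fwProfile.ExceptionsNotAllowed)   # "Don't allow exceptions"
Write-Host ("Notifications off  : {0}" -f $fwProfile.NotificationsDisabled)

$findings = @()
if (-not $fwProfile.FirewallEnabled) { $findings += 'Windows Firewall is OFF for the active profile.' }

Write-Host "`nEnabled program exceptions:"
foreach ($app in $fwProfile.AuthorizedApplications) {
    if (-not $app.Enabled) { continue }
    Write-Host ("  {0,-30} {1,-14} {2}" -f $app.Name, $scopeNames[[int]$app.Scope], $app.ProcessImageFileName)
    if ($app.Scope -eq 0) { $findings += "Program exception '$($app.Name)' accepts connections from any address." }
}

Write-Host "`nEnabled port exceptions:"
foreach ($port in $fwProfile.GloballyOpenPorts) {
    if (-not $port.Enabled) { continue }
    $proto = if ($port.Protocol -eq 6) { 'TCP' } else { 'UDP' }   # NET_FW_IP_PROTOCOL: 6 = TCP, 17 = UDP
    Write-Host ("  {0,-30} {1}/{2,-6} {3}" -f $port.Name, $proto, $port.Port, $scopeNames[[int]$port.Scope])
    if ($port.Scope -eq 0) { $findings += "Port exception '$($port.Name)' ($proto $($port.Port)) is open to any address." }
}

# Built-in service exceptions (File and Printer Sharing, UPnP, Remote Desktop).
foreach ($svc in $fwProfile.Services) {
    if ($svc.Enabled) {
        $findings += ("Service exception '{0}' is enabled (scope: {1})." -f `
            $serviceNames[[int]$svc.Type], $scopeNames[[int]$svc.Scope])
    }
}

Write-Host "`nFindings:"
if ($findings.Count -eq 0) { Write-Host '  none' } else { $findings | ForEach-Object { Write-Host "  - $_" } }

# Remediation for travel (equivalent to On + "Don't allow exceptions" in the dialog).
# Requires administrator rights; leave commented out to audit only.
# $fwProfile.FirewallEnabled      = $true
# $fwProfile.ExceptionsNotAllowed = $true
```

On a domain-joined laptop the Domain profile applies only while a domain controller is reachable; away from the office the Standard profile is in effect, so audit both by reading $mgr.LocalPolicy.GetProfileByType(0) and GetProfileByType(1) rather than only CurrentProfile.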
Protecting Your Files
Windows XP Professional and other Microsoft operating systems use the NTFS file system. NTFS is more fault-tolerant than its File Allocation Table (FAT) predecessors, and it also offers file-level access controls and the Encrypting File System (EFS). When building a Windows XP Professional laptop, Microsoft recommends that only NTFS be used to format the hard drive(s).
NTFS v5, the version used by Windows XP Professional, is more advanced than FAT12, FAT16, FAT32, or even the NTFS v4 file system of Windows NT 4.0. NTFS is better able to handle minor disk errors, and with the proper use of EFS it is well suited to mobile computing.
Note An attacker with physical access to a hard drive formatted with NTFS or any FAT file system can bypass NTFS permissions, for example by moving the drive to another computer or booting a different operating system, unless the files are protected with EFS. Even with EFS enabled it might still be possible for an attacker to break in to a missing Windows XP Professional laptop: the EFS private key is protected by the account's logon password, so a weak password or a poorly protected recovery key undermines the encryption.
It is possible to convert an existing Windows XP Professional FAT partition to an NTFS partition to gain the added level of stability and security. The procedure is outlined in "How to Convert FAT Disks to NTFS" on the Microsoft Web site at www.microsoft.com/technet/prodtechnol/winxppro/maintain/convertfat.mspx. However, some older programs may not run on an NTFS volume, so you should research the current requirements for your software before converting.
Note Always back up important files before converting one file system to another.
EFS is only available on NTFS file systems, not on FAT file systems. Encryption is the process of encoding files to help prevent unauthorized access. After you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other files and folders.
There are several ways to implement EFS, but establishing a recovery policy locally on a laptop or remote desktop can be a mistake: the recovery agent's private key then lives on the same computer as the data, so a knowledgeable technician (or a thief) who obtains that key can read the EFS-encrypted files and directories. A recovery agent defined at the domain level, whose private key is kept off the laptop, provides a more secure arrangement.
To learn more about advanced features, see “Protecting Data by Using EFS to Encrypt Hard Drives” on the Microsoft Web site at www.microsoft.com/technet/security/
Note A file cannot be both compressed and encrypted on NTFS; encrypting a compressed file stores it uncompressed.
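The NTFS check, the encryption of a working folder, and a verification that nothing was left in clear text can be scripted. The following PowerShell is an added example, not part of the original article; it uses the .NET System.IO.File API for individual files (the same EncryptFile operation that cipher.exe uses), cipher.exe to mark folders, and an assumed folder path under My Documents.

```powershell
# Added example (not from the original article): confirm local volumes are NTFS, encrypt a
# folder with EFS, warn about files that lose compression, and list anything still in clear text.

# 1. File system per local disk (DriveType 3): EFS and NTFS permissions need NTFS.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object {
    $status = if ($_.FileSystem -eq 'NTFS') { 'ok' } else { "not NTFS; back up, then run: convert $($_.DeviceID) /fs:ntfs" }
    Write-Host ("{0} {1,-6} {2}" -f $_.DeviceID, $_.FileSystem, $status)
}

# 2. Encrypt a folder tree. Folders are marked with cipher /e so files created later are
#    encrypted automatically; existing files are encrypted one by one.
function Protect-FolderWithEfs([string]$folder) {
    if (-not (Test-Path $folder)) { throw "Folder not found: $folder" }
    & cipher.exe /e "$folder" | Out-Null
    Get-ChildItem -Path $folder -Recurse | ForEach-Object {
        if ($_.PSIsContainer) {
            & cipher.exe /e "$($_.FullName)" | Out-Null
            return                                   # next item
        }
        $attr = [System.IO.File]::GetAttributes($_.FullName)
        if ($attr -band [System.IO.FileAttributes]::Compressed) {
            # NTFS cannot hold a file that is both compressed and encrypted.
            Write-Warning "$($_.FullName) is compressed; it will be stored encrypted and uncompressed."
        }
        if (-not ($attr -band [System.IO.FileAttributes]::Encrypted)) {
            [System.IO.File]::Encrypt($_.FullName)
        }
    }
}

# 3. Anything under the folder that is still not encrypted (cipher /u /n gives a similar list).
function Get-UnencryptedFiles([string]$folder) {
    Get-ChildItem -Path $folder -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { -not ([System.IO.File]::GetAttributes($_.FullName) -band [System.IO.FileAttributes]::Encrypted) } |
        ForEach-Object { $_.FullName }
}

$docs = Join-Path $env:USERPROFILE 'My Documents\Client Files'   # assumed path for the example
Protect-FolderWithEfs $docs
$clear = @(Get-UnencryptedFiles $docs)
if ($clear.Count -eq 0) { Write-Host "All files under $docs are EFS-encrypted." }
else { Write-Host 'Still unencrypted:'; $clear | ForEach-Object { Write-Host "  $_" } }
```

Run the script as the user who owns the files, because EFS ties the file encryption key to that user's certificate. Afterwards, export that user's EFS certificate with its private key (Certificates snap-in, Personal store) to removable media kept away from the laptop; without it, a reinstalled Windows or a reset password leaves the files unreadable.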
Backing up files helps ensure their availability if a mobile or remote user experiences a problem. The problem could be as simple as accidental erasure of files, or as serious as the deliberate theft of a small business laptop. Backing up files regularly is an inexpensive, proactive method for protecting your valuable data.
For information about how to back up and recover files in Windows XP Professional, see the Microsoft Knowledge Base article "How to Use Backup to Back Up Files and Folders on Your Computer in Windows XP" at http://support.microsoft.com/kb/308422.
One of the most common security weaknesses is a weak password. A password should be strong enough to protect the files and computers with which it is used. A strong password can help protect any computer from being compromised. Password-guessing software is commonplace and easy to use, and on a stolen laptop it can be run against the local account database without the owner ever noticing.
For detailed information about establishing strong passwords, see "Selecting Secure Passwords” on the Microsoft Web site at www.microsoft.com/smallbusiness/support/articles/select_sec_passwords.mspx.
Wireless Network Security
Remote and mobile client computers are at risk of attack at any point when their wireless network adapter is enabled. Microsoft recommends that wireless network adapters be disabled when not in use.
Special consideration must be given before attaching to a new wireless network. Some wireless networks that advertise themselves are completely insecure. The features described within this article can help protect Windows XP Professional workstations and laptops from attack while attached to these networks, but the first rule of wireless networks is to connect only to known networks.
To help provide security for remote wireless networks, such as the home office, see "Configuring Windows XP IEEE 802.11 Wireless Networks for the Home and Small Business" on the Microsoft TechNet Web site at www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx.
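Disabling the adapter can be scripted so that a user can switch the radio off with a double-click rather than hunting through Network Connections. The following PowerShell is an added example and not part of the original article; it assumes the Windows XP default connection name, which contains the word "Wireless", and uses the netsh interface context that ships with Windows XP.

```powershell
# Added example (not from the original article): list wireless connections with their state,
# and enable or disable them through netsh. Disabling requires administrator rights.

function Get-WirelessConnections {
    # Connection names containing "Wireless" (Windows XP default: "Wireless Network Connection").
    Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID LIKE '%Wireless%'" | ForEach-Object {
        $state = switch ([int]$_.NetConnectionStatus) {      # Win32_NetworkAdapter.NetConnectionStatus
            0       { 'Disconnected' }
            2       { 'Connected' }
            5       { 'Hardware disabled' }
            7       { 'Media disconnected' }
            default { "Status $_" }
        }
        Write-Host ("{0,-30} {1,-20} {2}" -f $_.NetConnectionID, $state, $_.Name)
        $_.NetConnectionID
    }
}

function Set-WirelessConnection([string]$connectionName, [bool]$enabled) {
    $mode = if ($enabled) { 'ENABLED' } else { 'DISABLED' }
    & netsh.exe interface set interface name="$connectionName" admin=$mode
}

# Typical use: show what is present, then switch every wireless connection off when not needed.
$wireless = @(Get-WirelessConnections)
foreach ($name in $wireless) { Set-WirelessConnection $name $false }
# Re-enable later with:  Set-WirelessConnection 'Wireless Network Connection' $true
```

A disabled connection is preferable to merely disconnecting from a network: while the adapter is enabled, Windows XP Wireless Zero Configuration keeps scanning and may reconnect automatically to a preferred network name that an attacker can also advertise.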
A virtual private network (VPN) is a way to connect a remote or mobile computer securely from one network to another, typically over the Internet. This technology allows a Windows user with a laptop to connect to a network at a hotel or coffee shop and then securely connect to their networked computers at work.
Small businesses might be tempted to provide non-VPN connections over the Internet for remote access. Microsoft recommends that a VPN be used instead of an unprotected Internet connection. The use of such unprotected connections exposes small businesses and home networks to undue risks.
When using VPN connections over the Internet, it is important to ensure that the VPN solution prevents a concurrent connection to another network (often called split tunneling). This removes a straight path from one network to another, which malicious software or intruders could exploit to reach the office network through the laptop.
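For the VPN client built in to Windows XP this corresponds to the "Use default gateway on remote network" option of each VPN connection, which the phonebook file rasphone.pbk stores as IpPrioritizeRemote=1 (VPN entries carry Type=2). The following PowerShell is an added example, not part of the original article; it parses a constructed sample phonebook and then, if present, the real per-user and all-users phonebooks on the laptop.

```powershell
# Added example (not from the original article): flag Windows XP VPN connections that allow
# split tunneling, i.e. VPN entries in rasphone.pbk whose IpPrioritizeRemote is not 1.

function Get-VpnEntries([string[]]$pbkLines) {
    # rasphone.pbk is INI-like: one [section] per connection, key=value lines beneath it.
    $entries = @()
    $current = $null
    foreach ($line in $pbkLines) {
        if ($line -match '^\[(.+)\]\s*$') {
            if ($current) { $entries += $current }
            $current = @{ Name = $matches[1]; Type = $null; IpPrioritizeRemote = $null }
        }
        elseif ($current -and $line -match '^(\w+)=(.*)$') {
            $key = $matches[1]; $value = $matches[2].Trim()
            if ($key -eq 'Type')               { $current.Type = [int]$value }               # 2 = VPN
            if ($key -eq 'IpPrioritizeRemote') { $current.IpPrioritizeRemote = [int]$value } # 1 = all traffic via VPN
        }
    }
    if ($current) { $entries += $current }
    $entries | Where-Object { $_.Type -eq 2 }
}

function Test-SplitTunnelingDisabled([string[]]$pbkLines) {
    $ok = $true
    foreach ($vpn in @(Get-VpnEntries $pbkLines)) {
        if ($vpn -eq $null) { continue }
        if ($vpn.IpPrioritizeRemote -eq 1) {
            Write-Host "OK      : '$($vpn.Name)' routes all traffic through the VPN."
        } else {
            Write-Host "WARNING : '$($vpn.Name)' allows split tunneling (IpPrioritizeRemote=$($vpn.IpPrioritizeRemote))."
            $ok = $false
        }
    }
    return $ok
}

# Constructed sample phonebook: a hardened VPN, a split-tunnel VPN, and a dial-up entry.
$samplePbk = @'
[Office VPN]
Type=2
IpPrioritizeRemote=1
PhoneNumber=vpn.example.com

[Branch VPN]
Type=2
IpPrioritizeRemote=0
PhoneNumber=branch.example.com

[Hotel dial-up]
Type=1
IpPrioritizeRemote=1
'@ -split "`r?`n"

Write-Host '--- sample phonebook'
Test-SplitTunnelingDisabled $samplePbk | Out-Null     # prints one OK and one WARNING line

# Real phonebooks on Windows XP: the current user's and the all-users one.
$pbkPaths = @(
    (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk')
)
foreach ($path in $pbkPaths) {
    if (Test-Path $path) { Write-Host "--- $path"; Test-SplitTunnelingDisabled (Get-Content $path) | Out-Null }
}
```

The check covers the PPTP and L2TP client built in to Windows XP only; a third-party VPN client keeps its own configuration, and its equivalent of this setting should be verified in that client's console.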
For more information about firewalls, computer updates, and antivirus software, see the following:
The Protect Your PC page on the Microsoft Web site at www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx.
The article "5-Minute Security Advisor - The Road Warrior's Guide to Laptop Protection" on the Microsoft TechNet Web site at www.microsoft.com/technet/
The article “Network Ports Used by Key Microsoft Server Products” in the Security Guidance Kit, which is available on the Microsoft Download Center Web site at www.microsoft.com/downloads/details.aspx?FamilyID=c3260bd0-2ebb-4496-ad07-7e9d55d0ef1f&displaylang=en.
The article "Port Numbers” on the Internet Assigned Numbers Authority Web site at www.iana.org/assignments/port-numbers.
"Managing Windows XP Service Pack 2 Features Using Group Policy – Windows Firewall" on the Microsoft TechNet Web site at www.microsoft.com/technet/
For more information about Windows XP SP2 security, see the following:
The updated Windows XP Security Guide, which is available on the Microsoft Download Center Web site at http://go.microsoft.com/fwlink/?linkid=35309.
"Changes to Functionality in Microsoft Windows XP Service Pack 2 - Part 2: Network Protection Technologies" on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?linkid=35486.
For information about how to determine the security state of your network, see the following:
The Microsoft Baseline Security Analyzer page on the Microsoft TechNet Web site at www.microsoft.com/technet/security/tools/mbsahome.mspx.
For definitions of security-related terms, see the following:
The Microsoft Security Glossary page on the Microsoft Web site at http://go.microsoft.com/fwlink/?linkid=35468.