By John J. Yacono, Technical Editor
You just parked your car on a deserted city street at dusk. Did you leave the doors unlocked? The trunk open? The windows down? Of course not! So why are you compromising the security of your Windows 95 system by enabling file and print sharing, neglecting to load the Microsoft Service Pack and leaving Win95's default password-caching on? If you've committed any of the above security sins, you've got a problem. But don't worry: We've got the locks, keys, security gates and alarms you need to defend your data.
Microsoft's standard reply to complaints about Windows 95 security has always been, "If you want better security on the desktop, look to NT Workstation." But you don't have to abandon Win95 and switch to NT to be able to sleep at night. Instead, you can plug up the security leaks, and fix the bugs, oversights and misjudgments. So grab a padlock and the Club, and we'll set about foiling the would-be thieves and snoops who are eyeing your system.
Click Here to see a
9.56 KB bitmap image of artwork
which goes with this article, entitled:
Local User Properties
File and printer sharing are great for giving your workgroup members access to your resources. But the bugs in these services gnaw away at any semblance of network security, so be judicious about sharing. One bug pops up when you combine file and printer sharing for NetWare networks with remote administration or Remote Registry Services. If, for instance, the network administrator adjusts your system and then logs off, your files are available to all network users.
You could also run into problems if you enable file and printer sharing for Microsoft networks while using share-level security. This opens up your system to hackers-whether they're inside your company or prowling the Internet. Using Samba's shareware client, called SMBCLIENT, UNIX users can issue commands to access your hard drive.
Fortunately, these problems are easily fixed with Microsoft's Service Pack for Win95. Download it from the Microsoft Web site at http://184.108.40.206/kb/softlib/mslfiles/SETUP.EXE.
When you download the Service Pack, you'll also swat an OLE bug. If you use Notepad to open a document created in Word, Excel or PowerPoint, you might find that material deleted from the original files is still there. For example, maybe you may wrote a letter of resignation to your boss, then thought better of it. Instead of closing the document and starting a new one, you erased your resignation letter and typed your weekly budget memo. If your boss opens that document with Notepad, better start cleaning out your desk. If you install the Service Pack, however, deleted material won't come back to haunt you.
The Service Pack also solves some problems with Win95's password-file encryption. By default, Win95 stores your passwords in an encrypted .PWL file. The 32-byte key Win95 uses for encryption is easy to break. Its first 20 bytes are the user name (usually the same as the filename) in capitals padded with a special character.
But the problem isn't with the algorithm; it's with Microsoft's implementation of it. The same key is used to encrypt the password for every resource (the names applied to shared drives or printers). That makes it easy for hackers to figure out the encryption algorithm. As a result, there's already at least one program on the Internet that decrypts .PWL files.
The best way to deal with password caching is to disable it altogether, which will keep people from copying your .PWL files to a diskette. Use Win95's Policy Editor to trash your cache. You'll find Policy Editor on Win95's CD-ROM version, or you can download it from Microsoft's Web site at http://www.microsoft.com/windows/software/admintools.htm.
Once it's loaded, start Policy Editor from the Run dialog box by typing poledit. Select Open Registry from the File menu, double-click on Local Computer, click on Network, then Passwords, and check the box marked Disable Password Caching. Delete your .PWL files to complete the procedure.
We don't recommend using password caching at all. But if you must, practice safe software with the Service Pack, which upgrades the encryption. Before you load the Service Pack, make sure you know all your passwords. Your .PWL files sometimes contain incorrect resource pointers, and the Service Pack might mangle a password while converting it to the new system.
You can use the Policy Editor in several ways to make up for Win95's lack of a password requirement. Start by using Control Panel's Passwords applet, click on the User Profiles tab, and then click on the box labeled Users Can Customize Their Preferences. Now you can use Policy Editor to grant yourself privileges and limit what default "guests" (especially the uninvited ones) can do. For example, you can limit access to certain drives or keep programs from being launched with the Run command.
If the options in Policy Editor seem confusing, check out the Windows 95 Resource Kit. On the CD, you'll find it in ADMIN\RESKIT\HELPFILE\WIN95RK.HLP. It's also available on the same Web page as Policy Editor. It contains information on both Policy Editor and security in general.
Microsoft Exchange is a security sieve, mainly because Microsoft misjudged the importance of security and placed more emphasis on ease of use. Even with password caching disabled, the default settings for Exchange permit anyone to saunter over to your PC, enter his own name, network password and mail password, and read your mail. That's because Exchange sets up a local mail file (called a .PST or Personal Folder file) without any password protection.
To correct this oversight, go to Exchange's Tools/Services menu, select the Personal Folders file and click on Properties. Then click on Change Password and enter a password. Now you've got password protection, but your .PST file is still on the system and can easily be copied to a diskette. Talk to your network administrator about moving the .PST file to a network drive, where it will be safer.
Click Here to see a
9.39 KB bitmap image of artwork
which goes with this article, entitled:
User-level access control under Windows 95 provides better protection than share-level access control. If you access your system remotely or share resources (such as disks or files) with other users, then user-level access control is preferable.
In the share-level access scenario, the Windows 95 host confirms user identity. If an intruder can get to your system, he may be able to find a chink in your armor and gain access. With user-level access control, your company's secure network server verifies the user. Since the server is usually physically inaccessible, this provides a higher level of protection. To see which scenario you're using, go to Control Panel's Network screen and click on the Access Control tab. If you decide to go with the user-level option, you'll need to get the name of the user-list server from your network administrator.
A password-protected screen saver is a handy way to fend off the curious. Intruders can get around some 16-bit screen savers with Ctrl+Alt+Delete commands, so use a 32-bit program like Win95's Blank screen saver. To establish a password, use the screen-saver dialog under Control Panel/Display.
If you find screen savers intrusive, try setting one up only as a runtime service. The screen saver will run once on boot up. Only an intruder who knows he has to reboot in DOS mode will be able to get into your system at this point. And if your system has a BIOS password, nobody's getting in.
To turn your screen saver into a runtime service, run the Registry Editor. (Select Run from the Start menu and type regedit at the command line.) Drill down to My Computer\HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\. Look for a key called Runservices. (If you don't find such a key, create one under CurrentVersion by selecting New/Key from the Edit menu and entering Runservices.) Create a string value under Runservices by selecting New/String Value from the Edit menu. Give the new string a name and select Modify from the Edit menu. In the Data value field, enter C:\Windows\System\Blank Screen.scr /S. Go to Control Panel/Display to select the Blank screen saver, assign a password, then disable the screen saver.
If your PC is a remote-access server (RAS), you shouldn't leave it logged into the network while you're away from the office. And you don't have to, provided your system loads the Remote Network Access (RNA) layer just before the log-on dialog box pops up. To make that happen, go to the Registry Editor and add a string value to My Computer\HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\ Windows\CurrentVersion\Runservices. Name it something like Remote Access and enter a Data value of C:\windows\system\RNAAPP.EXE. You can also handle power outages this way. When power returns, your remote access software is automatically back in place.
You can take other steps to secure your data. Perhaps the best is to keep your office locked when you're not around. Using the lock on your system cabinet (provided you haven't lost the keys like everyone else) will disable the mouse and keyboard. Make sure the lock cinches the computer case to keep intruders from bypassing the lock wiring under the hood.
One of the most effective measures you can take is enabling your system's BIOS password-if it has one. (Go into your system BIOS setup program to see if your system offers one. From there, you can set a password.) That way, only you will be allowed to boot the system. However, motherboards with this feature often have a jumper to erase the password. Also, you can't reboot the host remotely using communications programs like LapLink95 or pcAnywhere32.
If these options don't work for you, at least remove the floppy drive from your system. Although your hard drive will still be accessible, would-be thieves won't be able to steal your data unless they've got a null-modem or parallel-communications cable, or your PC is networked.
Considering the time and money you've invested in your data, it's
well worth the time and effort to take a few precautions to protect
your system. And while you're at it, don't forget to buy that
Club for your car!