Copyright © 1995 Robert M. Free - publishing rights reserved

This document may be freely copied and distributed, provided that: this copyright notice is included, the entire body of text is included, and the textual content of this document is unchanged.

For written permission to use portions of this document in other publications, send email to bfree@graphcomp.com.

This is a work in progress.


MS Windows Security Issues


Since few internet protocols involve encryption, little can be done about safeguarding passwords. If internet security is required, your best bet is to use non-standard protocols that use a key-based encryption system. Unfortunately, this prevents you from accessing the most commonly used internet services.

As such, minimize access to internet servers that require passwords. When you do access such services, use long, non-obvious passwords and change them frequently.


When sending email or data, it is a good idea to stamp them with an encrypted signature - and encourage others to do the same. This allows receivers to validate that the data actually came from you, and that the content has been unaltered.


Any server that allows a remote user to copy a file to your PC is creating a security risk, particularly if they can copy those files to sensitive OS locations.

Note: some PC-based ftp servers do not prevent remote users from navigating outside of their home directories. In other words, even though you may define their home directory to be d:\ftp\pub, your ftp server may allow them to navigate to ..\.. to get to the root; or worse yet, to navigate to c:\ where they can overwrite your AUTOEXEC.BAT file. The next time you reboot, you will unwittingly launch whatever script, program or virus they may have ftp'd to your PC.

!WARNING! I have seen ftp servers distributed by well-respected network vendors that not only allow remote users to access other drives, but even allow them to access network drives mapped to your PC - giving them access to your entire corporate network!

Find out immediately if your server limits user navigation - if it doesn't, don't use it!
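
A sketch of the navigation check described above, as an added example that is not part of the original document or any vendor's server code: each requested path is normalized against the home directory and refused if it lands outside it. The function names, the sample requests, the z: drive letter and the UNC server name are assumptions made for illustration.

```python
import ntpath  # Windows path rules on any host OS, so this runs offline anywhere

FTP_ROOT = r"d:\ftp\pub"  # the home directory used in the text above


def naive_resolve(root, requested):
    """What a server with no navigation limit effectively does."""
    return ntpath.normpath(ntpath.join(root, requested))


def confined_resolve(root, requested):
    """Return the normalized path if it stays under root, otherwise None."""
    root_n = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    # join() lets an absolute, other-drive or UNC request replace the root,
    # and normpath() collapses ".." segments, so test the result, not the input.
    target = ntpath.normpath(ntpath.join(root, requested))
    target_n = ntpath.normcase(target)
    # Compare whole path components: d:\ftp\pub2 must not pass as d:\ftp\pub.
    if target_n == root_n or target_n.startswith(root_n + "\\"):
        return target
    return None


# Constructed sample requests, as a client might send them in a CWD or STOR.
SAMPLES = [
    r"incoming\readme.txt",   # ordinary file under the home directory
    r"sub\..\file.txt",       # ".." that stays inside the root
    r"..\..",                 # climbs to the drive root
    r"..\pub2\file.txt",      # sibling directory sharing a name prefix
    r"c:\AUTOEXEC.BAT",       # absolute path on another drive
    r"c:autoexec.bat",        # drive-relative form
    r"z:\shared",             # mapped network drive (drive letter assumed)
    r"\\server\share\x",      # UNC path (server name is a placeholder)
]

if __name__ == "__main__":
    for req in SAMPLES:
        verdict = confined_resolve(FTP_ROOT, req) or "REFUSED"
        print(f"{req!r:28} naive={naive_resolve(FTP_ROOT, req)!r:34} confined={verdict!r}")
```

The check is purely lexical; a server enforcing it on a real file system also has to apply it to the path the OS finally resolves.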

Even if you can control user navigation, most PC-based ftp servers will not prevent a remote user from creating new files or overwriting existing ones. This allows them to put bogus files on your ftp site, potentially setting you up for liability if someone else downloads a harmful file.

If you can, upgrade to NT and install an NTFS partition (or OS/2 and HPFS) so that you can control who writes what where. If this is not feasible, do the following:

This will prevent users from replacing your valid files with bogus ones and will give benign users a way to validate the files they are receiving.

If you have a LAN, you should dedicate one PC as a network server and keep all your internet server applications running on that machine. Allow your other PCs to read and write to the server machine, but don't allow the server machine any rights to the rest of your network.


Beware of WWW (http) servers - the latest protocols are designed to POST or launch scripts. Using ftp, a user could overwrite scripts and/or your htm documents and initiate unauthorized/undesirable events on your PC.

Check to see if your servers support script/executable launching; if so, you probably don't want to use them unless you are using a secure file system.

In any case, your HTML files and scripts should be inaccessible via ftp, and probably should be set to read-only.


Any time you install a server on your PC, think about who will be connecting to it, what locations they will be able to access, what they can write/overwrite, and what they can launch. If you cannot control those factors, don't use the server.



Send comments on this document by email to bfree@graphcomp.com.