December 22, 2008 12:00 AM

Ease Security Headaches

Balance your policies against usability and flexibility
Windows IT Pro
InstantDoc ID #100724
Executive Summary: Security administrators should integrate security into their system or application design rather than letting it be an afterthought that is difficult to implement later on. This article reviews some common security aggravations—such as ad-hoc wireless networks, Internet Explorer’s password AutoComplete feature, UAC improvements, third-party application updates, and application virtualization—and offers suggestions for how to handle them.

Many users, and even some IT administrators, would rather not have to deal with security. But like it or not, security is becoming more important than ever in today’s compliance-focused companies. Let’s review some common security aggravations and learn how to handle them.

Ad Hoc Wireless Networks

By default, Windows Vista and Windows XP can connect to different types of wireless networks. Infrastructure networks are networks in which computers are connected to a wireless router; this is the most common type of network. Ad hoc networks, which are set up to provide a quick and temporary wireless network for collaboration purposes, have computers directly connected to one another rather than via a router.

Because no special hardware is necessary to set up an ad hoc network, a hacker with only a laptop and a wireless network card can easily create an ad hoc network in a public place (e.g., a coffee shop) and give the network a name that’s similar to an official infrastructure wireless network, thus luring users into connecting to the ad hoc network. This type of social engineering is effective because despite Vista’s shield logo that alerts users to ad hoc networks, many users will still take advantage of a free Wi-Fi connection.

You can use Group Policy to remove the ability to connect to ad hoc networks. If you don’t have an Active Directory (AD) domain, you can use Netsh from the command line as follows:

1. Log on to Vista.

2. From the Start menu, enter cmd in the Start Search box and press Ctrl+Shift+Enter. Enter your administrator credentials to start the command-line session.

3. Run the following command: netsh wlan add filter permission=denyall networktype=adhoc

4. To check whether the filter was added successfully, run the following command: netsh wlan show filters

5. Under Block list on the system (user), the text SSID: “”, Type: Adhoc will display.
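The following PowerShell sketch combines steps 3 through 5 into one repeatable check. It is an added example, not part of the original article. The function name Test-AdhocDenyFilter is hypothetical, and the script assumes an elevated session and English-language netsh output in the layout described in step 5.

```powershell
# Added example (not from the article): apply the ad hoc deny-all filter
# and confirm it appears in the block list, as in steps 3 through 5.
# Assumptions: elevated PowerShell session, English netsh output.

function Test-AdhocDenyFilter {
    # Returns $true when the lines of "netsh wlan show filters" contain
    # a deny-all ad hoc entry (empty SSID, Type: Adhoc) in a block list.
    param([string[]]$FilterOutput)

    $inBlockList = $false
    foreach ($line in $FilterOutput) {
        # Section headers look like "Block list on the system (user)".
        if ($line -match '^\s*(Allow|Block) list on the system') {
            $inBlockList = ($Matches[1] -eq 'Block')
            continue
        }
        # Only an entry inside a block-list section counts; the same
        # text under an allow list would mean the opposite.
        if ($inBlockList -and $line -match 'SSID:\s*""\s*,\s*Type:\s*Adhoc') {
            return $true
        }
    }
    return $false
}

if (Test-AdhocDenyFilter (netsh wlan show filters)) {
    Write-Output 'Ad hoc deny-all filter already present.'
}
else {
    # Step 3: add the filter. This fails without administrator rights.
    netsh wlan add filter permission=denyall networktype=adhoc | Out-Null

    # Steps 4 and 5: re-read the filter list and treat it as the
    # authoritative result rather than trusting the add command alone.
    if (Test-AdhocDenyFilter (netsh wlan show filters)) {
        Write-Output 'Ad hoc deny-all filter added and verified.'
    }
    else {
        throw 'Ad hoc deny-all filter is not listed; check elevation and the WLAN service.'
    }
}
```

Because the script checks before it adds, it can be rerun safely on standalone machines that are not covered by Group Policy.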

Windows Server 2008 and Vista Group Policy added support for controlling connection to ad hoc networks. You can back-port this functionality to Windows Server 2003 and Windows XP SP3 by updating the AD schema. For information about applying this update, go to TechNet’s “Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements” website (technet.microsoft.com/en-gb/library/bb727029.aspx). To use Group Policy to restrict ad hoc networks in Server 2008, follow these steps:

1. Log on to a Server 2008 DC as domain administrator.

2. Open Group Policy Management Console (GPMC) from the Administrative Tools menu.

3. Expand the forest, Domains folder, and domain.

4. Right-click Group Policy Objects and select New from the menu to create a new Group Policy Object (GPO). Name it “Wireless” and click OK.

5. Make sure that the Group Policy Objects container is selected in the left-hand pane, then right-click the “Wireless” GPO on the Contents tab and select Edit from the menu.

6. In Group Policy Management Editor, select Policies, Windows Settings, Security Settings under Computer Configuration.

7. Right-click Wireless Network (IEEE 802.11) Policies and select Create A New Windows Vista Policy from the menu.

8. In the Properties dialog box for the new policy, select the General tab and give the policy a name and description.

9. Select the Network Permissions tab, then select the Prevent connections to ad hoc networks check box. Click OK.

10. Close the Group Policy Management Editor window. In GPMC, link the “Wireless” GPO to the desired domain, site, or organizational unit (OU).

Password AutoComplete

Internet Explorer’s (IE’s) AutoComplete feature, which can “remember” usernames and passwords, seems attractive. However, IE’s AutoComplete or “remember me” functionality, which is often built in to web applications, has two major caveats. First, web browsers are notoriously insecure and are common targets for data and ID theft. Allowing IE (or any browser) to store your passwords increases the risk that your electronic ID(s) could be compromised. Second, users who rely on IE’s AutoComplete feature will run into problems if they move from one machine to another but can’t recall the multiple passwords that IE stored for them. This problem might not affect you if your organization uses roaming profiles. But for small shops, AutoComplete is not only a potential security risk but also a major annoyance, often resulting in time-consuming calls to the Help desk for logon assistance.

Fortunately, a simple solution exists for IE’s AutoComplete “feature.” You can configure Group Policy to prevent IE from prompting for AutoComplete of forms and from storing passwords. Under User Configuration, Administrative Templates, Internet Explorer, set the Do not allow AutoComplete to save passwords option to Enabled.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.