the Skateboard

The CyberSpace
by Michael Solomon


XP Offers Multiple Layers of Security

Before Windows XP was ever released, a lot was written about security holes in XP. Despite all the talk, commentary and doomsayers, XP is actually quite a secure environment, certainly more so than any of its 9x predecessors. However, some of that security depends upon how XP is used.

First, if you use Windows XP's built-in firewall, you will get pretty good protection against incoming attacks, assuming you also keep up with Microsoft security patches. Most of those are offered at the XP Update site, which can be reached by clicking Start, selecting All Programs and selecting Windows Update. However, unlike most third-party firewalls, XP's firewall only protects against incoming attacks and provides no warning about those attacks. If you happen to get a virus, or some spyware is deposited on your system because of some application you install or something you've downloaded, you get no alerts about any applications trying to send outgoing messages, and XP's firewall doesn't block outgoing communication.

Second, if you continue to use the FAT32 file system, you won't get all the security options available to XP users. However, NTFS (New Technology File System) in XP Home Edition doesn't offer much more to users than FAT32. While some of the XP Home Edition limitations can be overcome by going into safe mode and setting permissions there, it is awkward and inconvenient.

So if a user wishes to take full advantage of all that Windows XP has to offer in the way of security benefits, it's necessary to be using Windows XP Professional. Before you start saying, "Now he tells me, I already own XP Home Edition," let me just say that XP Home Edition offers all the security most home users need. Also, as I said above, some of the limitations in XP Home Edition can be overcome by going into Safe Mode.

Both XP Home Edition and Pro offer an option to set up multiple users that fall into specific categories such as "Administrator" and "Limited." Because limited users are limited in the functions they can perform, using a limited account while you are online enhances your security, especially if you password protect your Administrator account. This doesn't make it impossible for outsiders to hack into your setup, but if a virus is deposited, it is very difficult for it to execute, and it is difficult for an outsider to execute functions or take control of your system.

This is no substitute for a good antivirus program, but it's always good to have additional protection. For added protection, it is recommended that when users are online with XP they go online from a limited account and leave their Administrator account for personal chores and disk functions. That way such functions can't be executed by an intruder while you are on the Internet, and it helps reduce the possibility you'll accidentally execute a virus for which your antivirus program is not yet updated.

The key to the greater security offered by Windows XP is in NTFS. Also, if you've been used to using passwords for file and folder protection, NTFS introduces an advance that is far more robust but also adds considerably to the complexity of the operating system. Instead of passwords, NTFS uses permissions and a system of file ownership.

This is a twin-edged sword, but once you become comfortable with working with file permissions and ownership, it's a robust new layer of security. The problem is, it tends to kick in at odd times. If you format your drive and start over, it's best to use a backup program that can remove those permissions, because even if you use the same account names for your setup after formatting, you'll receive an access denied error. Many XP backup applications have the option to restore NTFS file permissions; in this case, you would deselect that option. That option is for the purpose of restoring individual files to the same setup. Once removed, permissions would automatically be granted to the user account into which the files are restored.

You can restore permissions or reclaim ownership in XP Pro by turning off "Simple File Sharing" in Explorer under Tools\Folder Options\View. Then you can right click a file or folder, select Properties and go to the Security tab. In XP Home Edition, you'd have to boot into Safe Mode and perform the same function there. However, any time you had more ownership or permission issues in XP Home Edition, you would have to return to Safe Mode and perform the function again.

Ownership and permissions are designed for a corporate multi-user environment. If you have XP Pro, you can easily adapt it for home use. However, if you have XP Home Edition, for most purposes, you'll get more than adequate protection simply dividing tasks between Limited and Administrator Accounts. Frankly, I don't think the home user needs all the security offered by NTFS and can do quite well using a FAT32 setup.

As outlined above, the ability to set Limited and Administrator accounts even offers benefits to a single user and generally, it is not as inconvenient as it sounds. You need not log off or reboot to access most functions available to the Administrator account. If you set a password for your Administrator account, most applications you've installed in the Administrator account will be available to you in your limited account. However, instead of just clicking a shortcut to open the application you would do the following. Right click the shortcut to the application, select Run As from the context menu, select the name you've assigned to your Administrator account from the dropdown list, type in the password you've assigned and press enter.

You can follow this scenario from the account you plan to make your limited account. At the end of XP Setup, you are asked to create user accounts. By default, those user accounts are set up as Administrator accounts. I start by going to the account I plan to use as my Administrator account and password protect it. Note, XP has a feature that allows you to create a password reset disk. If you set a password, I emphatically implore you to use this option as it allows you to get into your password protected account in the event you forget the password. Be sure to make a separate disk for each account for which you create a password.

Once I've password protected the account I plan to use for administrative purposes I boot into the account I plan to set as a Limited account. When I set up my applications, I right click the application's "setup.exe" or whatever the install file happens to be, select "Run As," select my Administrator account name from the dropdown list, type in the password and press enter. This has the effect of installing the application in my administrator account but in most cases also places a shortcut in my limited account.
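
A command-line version of the Run As install described above, as an added example that is not part of the original column. It assumes a batch file saved under a hypothetical name such as runas-install.bat and given two arguments: your Administrator account name and the path to the installer.

```bat
@echo off
rem Added example, not from the original column.
rem Usage (hypothetical file name): runas-install.bat AdminAccountName D:\setup.exe
setlocal
set "ADMIN_ACCOUNT=%~1"
set "INSTALLER=%~2"
if "%INSTALLER%"=="" (
    echo Usage: %~nx0 AdminAccountName path\to\installer
    exit /b 1
)
if not exist "%INSTALLER%" (
    echo Installer not found: "%INSTALLER%"
    exit /b 1
)

rem Is the account we are logged on with a member of the local Administrators
rem group? /x /c: matches a whole output line, so an account named "Admin"
rem does not match "Administrator" or the "Alias name" header line.
net localgroup Administrators | findstr /i /x /c:"%USERNAME%" >nul
if not errorlevel 1 (
    echo "%USERNAME%" is an Administrator account, so Run As adds nothing here.
    echo Log on with the Limited account for online work.
    exit /b 2
)
echo "%USERNAME%" is not in the Administrators group. Elevating only the installer.

rem The Administrator account must have a password: by default XP refuses
rem Run As for an account whose password is blank.
rem runas prompts for the password itself; nothing is stored in this file.
for %%F in ("%INSTALLER%") do set "EXT=%%~xF"
if /i "%EXT%"==".msi" goto msi
runas /user:"%COMPUTERNAME%\%ADMIN_ACCOUNT%" "\"%INSTALLER%\""
exit /b %errorlevel%

:msi
rem .msi packages are not programs, so they are handed to msiexec.
runas /user:"%COMPUTERNAME%\%ADMIN_ACCOUNT%" "msiexec /i \"%INSTALLER%\""
exit /b %errorlevel%
```

The group check only looks at local accounts listed directly in the Administrators group, which matches the single-PC home setup described here.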

***Note: Some applications will need to be installed in the account from which you plan to use them, as they simply weren't designed for this type of setup. If you plan to use them in more than one account, you will need to install them in all such accounts in which you plan to use them. Just install them to the same folder; it will take up no more space than a single install. For most applications, however, if you are a single user on a machine where you've set up multiple accounts as I've described, this is not a problem, as you can use "Run As" and install in your Administrator account as I've described.

For applications which don't automatically create a shortcut in my limited account, I create one manually. Once installed, these applications cannot be executed in my limited account unless they are opened using "Run As" and a password. This adds an ounce of inconvenience but considerable safety, especially if you have a broadband connection that is always on. Assuming an outsider can get past your firewall and/or router, in order to do anything that might cause real damage to your setup, the outsider would also have to know your Administrator account password. Even using a random generator, you would likely see the activity long before it was able to execute. Further, if while you are in your Limited account you accidentally try to run some Trojan that has been surreptitiously deposited on your system, it generally won't be able to execute, because the most harmful functions, formatting and other changes, can't be executed in a limited account.

It would generate a rather jarring message that you don't have the rights to perform this action. If you see such a message after trying to open a file or e-mail attachment, run a virus scan. You'll likely find an infected file but you should be relieved to find your system intact and not infected beyond the malicious file.

This is not a perfect solution and as I said earlier, it is by no means a replacement for a firewall, router and up-to-date antivirus software but it adds another layer of protection. While I don't feel home users need anything beyond XP Home Edition, a multi-user configuration as I describe will work well, especially for the single user PC without the need for using NTFS.

In fact, NTFS just adds inconvenience for the Home Edition user, and I believe Home Edition users are better served by installing to a FAT32 partition. It should be noted, users cannot convert from NTFS to FAT32 without formatting unless they have third-party software such as Partition Magic 7 or later. If you have Home Edition and it came pre-installed to an NTFS partition, try working with it; it may not be a hassle. If it turns into a chore, you know there's a way out and you can still create a fairly secure environment.

Nonetheless, regardless of the version you use, depending upon how you choose to function, XP is far and away the most secure operating system Windows 9x users have ever been offered.



Copyright 2002 Michael Solomon