How Secure is the Windows Operating System?
Bardon Data Systems
The vast majority of business computers use the Microsoft Windows operating system. Most companies have Windows workstations on the employee's desktops, networked to servers which may also run a version of Windows. Since Windows rules the corporate world, it is a fair question to ask whether it natively provides the security that enterprises need to protect themselves and conduct efficient business operations. Unfortunately, the answer to this question has historically been "No". Microsoft continually releases "Critical" (their term) update patches to correct security infractions within portions of Windows. Even Bill Gates himself decided that Microsoft wasn't doing a good enough job at securing Windows, and recently refocused the entire company to concentrate on security.
Some security vulnerabilities are inherent in the structure of Windows itself, and cannot be corrected with a simple patch. The fundamental architecture of Windows was not designed with security as a high priority. Because Windows consists of millions of lines of programming code, it would take Microsoft years to completely revamp their products from a security perspective. This is a technically daunting task, and one that surely gives Microsoft pause from a business resources perspective. Without completely scrapping the billions of dollars and countless hours they have invested in the existing Windows architecture, Microsoft must adopt an "as-needed" approach to correcting security problems for the foreseeable future.
Internal Security Is A Real Issue
The security vulnerabilities of Windows have recently received a good deal of press coverage. However, most of this coverage has concentrated on Windows' vulnerability to external attacks. This is primarily due to the rapid rise of the Internet over the last several years and the subsequent proliferation of high profile Internet-based security infractions. These external attacks are very important, and must be addressed. However, major security management studies have reported that "insider" security infractions account for the vast majority of reported IT security violations.
Insiders with access to IT resources have consistently been the major source of security breaches within organizations. Year after year, security organizations report that "insider" security infractions are as high as 75% of all reported IT security violations. Companies with large numbers of employees are especially vulnerable to insider malfeasance. Many managers are reluctant to consider that their own employees could be the source of access policy violations, security breaches, and illegal activities. However, these studies show that it is important to acknowledge and correct Windows' internal security holes at the workstation level.
Security Options Within Windows
Although Windows internal security measures vary with the version of Windows, generally speaking Windows offers three levels of native security: Logon validation involves the use of a secure password or biometric reading (thumbprint, retinal scan, voiceprint, etc.) prior to allowing the user to access the system. Windows Policies may be set within Windows by the administrator to determine access permissions for an individual user at logon. These permissions can include such things as which programs the user can run, whether or not icons will display on the desktop, and so forth. The Windows file system is the underlying structure of files on the system. It comes in two versions, NTFS and FAT. NTFS is available for NT/2000/XP. FAT is universally used for legacy versions of Windows (95/98/ME).
Legacy Versions of Windows: 95, 98, and ME
No version of Windows can be considered very secure, but legacy versions of Windows are especially vulnerable. It is generally acknowledged in the security community that legacy versions of Windows have no reliable native security measures. These earlier versions of Windows lack the ability to enforce secure passwords. Additionally, the FAT file system used by them is trivially easy to access without authorization, even for someone with only modest computer skills. When these versions of Windows were current in the marketplace, Microsoft didn't want them to compete with the more expensive Windows NT (and later 2000) for professional usage. So, Microsoft left out key security features. However, most companies still chose to install Windows 95, 98, or ME on the enterprise desktop. Many of these installations are still in use today.
Bardon's software products (Full Control, WinU, and Full Control Internet) can "harden" these legacy versions of Windows. They can secure the Windows logon for any version of Windows. If desired, administrators can also add a biometric authentication device such as an Identix fingerprint reader. This will further secure the Windows logon, and Bardon's products can leverage the biometric device during the session to enhance security when programs are launched and at other points. Bardon's products also prevent unauthorized access to DOS commands and the file system from within Windows. This can prevent a determined user from bypassing the security measures installed on the system. By the use of these and other features, Bardon's software provides real security for legacy versions of Windows.
Other Versions of Windows: NT, 2000, and XP
Microsoft included additional security features in Windows NT, 2000, and most recently, XP. The most significant changes in these versions over legacy systems consisted of more-secure passwords and the NTFS file system. Although these features increased the security of these versions of Windows, other important security issues remained unaddressed.
The Windows "Policies" settings allow administrators to control the user's access to workstation resources. Unfortunately, though, these use a "set it and forget it" model of computer security. That is, Windows establishes all controls through Policies at the time of user logon, but after that point it no longer monitors or oversees user activities. These settings are not comprehensive, and even those that exist are easily bypassed. Users can modify the Registry, change system settings, erase and load programs, alter key files, access problematic resources, and attempt any number of other infractions. A sophisticated user bent on unscrupulous activities can bypass Policies protections through various means, even to the point of erasing Windows itself. Even an unskilled user may inadvertently disable the computer or accidentally alter critical files. Further, if a user is engaging in unauthorized activities, Windows has no mechanism to discover this and alert the administrator, and Windows cannot create an audit-trail log of what occurred during the session.
Bardon's products correct Windows Policies holes by providing realtime, ongoing oversight of Windows workstations. Administrators can ensure that users cannot alter critical system settings, change the Registry, install or uninstall programs, access unauthorized files, alter secured data, and many other features. Sophisticated users attempting to bypass security settings will find that their usual bag of tricks (DOS commands, booting from a floppy, key combinations such as Ctrl+Alt+Delete, Registry changes, system modifications using an Internet browser, and so forth) simply won't work. If a user attempts to access unauthorized resources or bypass security settings, the administrator can receive a realtime alert. Further, Bardon products create an ongoing audit trail log of all user activities, including program, file, and Internet access. Full Control Internet also includes keystroke logging, to provide detailed information on the exact changes made within files and records. None of these features are available in any version of Windows.
Bardon's products also provide enhanced security within the broader workstation environment. Features such as time limits, blockout periods, and inactivity management are important within specific industries. For example, nurses or physicians accessing medical workstations may be called away from computer activities for emergencies without warning. Bardon's products will secure the workstations after a specified period. In other instances, employees may have access to files and records during specified work hours, but find them inaccessible at night or over the weekend. This can be important when the integrity of electronic data must be verifiable.
Windows File Systems: FAT and NTFS
Windows NT, 2000, and XP can optionally use NTFS (the "NT File System"). However, due to technical and marketing considerations, not all NT, 2000, and XP computers are installed with NTFS. When used, NTFS can be a more secure system than the FAT file system typically used on legacy versions of Windows. XP includes an encryption option that is marketed as further enhancing its security. However, software tools are freely available on the Internet that can allow individuals to break into NTFS. These tools are easy to use and can fit on a floppy disk. Bardon's products can prevent these tools from accessing the file system. They can prevent illicit programs from running and protect system entry points (such as the floppy disk) from unauthorized access. Further, audit trails and keystroke logs provide detailed records of every action taken on the system, with information on exactly who was logged on and the time of the activities.
Remote Management of Workstations
One overlooked aspect of Windows workstation security is the onerous task of managing the desktop security of hundreds or thousands of workstations. Networking tools are ineffective at this task, because they were designed to manage the security of the network, not the individual workstations. For example, if a perpetrator attempts to violate network security, the administrator may receive an alert of an infraction. Yet, this same individual could sit down at a workstation and quietly alter or copy the contents of the hard drive without anybody knowing. The basic tasks of assigning, installing, monitoring, and enforcing security standards on workstations throughout the organization are an enormous problem using traditional networks and the Windows operating system.
Bardon's security products include sophisticated tools for workstation security management throughout an enterprise. They allow the simple distribution and installation of security settings, easy access to audit-trail logs, realtime displays of user activities, administrator alerts of suspicious activities, online "chat" between administrators and users, management reports, and many other features. Bardon offers a range of security products: Full Control, WinU, and Full Control Internet. Full Control and WinU allow administrators to manage computers over a single LAN. Full Control Internet allows administrators to manage multiple networks of workstations located anywhere in the world. WinU also includes a kiosk-like Simplified Replacement User Interface to clarify the tasks which can be performed on a workstation, making computers easy to use even for novices.
Paperwork Reduction, Electronic Data, and the Trusted Operating System
Within the last several years, the U.S. federal government has enacted legislation to reduce paperwork and move towards becoming a society based around electronic data storage. To ensure this transition, the government has been defining standards for data security and electronic data integrity validation. Solutions already exist to meet these standards at the level of the enterprise network. However, for the reasons previously discussed, all versions of Windows currently lack the security and validation criteria necessary to meet these standards at the workstation level. Bardon's products transform Windows. They harden the computer to provide many of the benefits of a Trusted Operating System, making it capable of securing and preserving the integrity of electronic data on a Windows workstation.