
Protecting Sensitive Information

6.2.2 If using Windows

In addition to recommendations 1–13 listed in Section 6.2, do the following:

1. First and foremost, disabuse yourself of the notion that 2000 is more secure than NT; it is not. Its “encryption” option conveys a false sense of security because it is simply not secure at all from any competent forensics analyst for the following reasons:

a. That system does not allow the swap file to be encrypted. Given what was stated in Section 2.3 about the swap file and the fact that it usually contains a lot of what one does with the computer, encrypting a file or folder but not the swap file is like locking your front door and leaving the back door wide open.

b. System files (e.g., the Registry) also cannot be encrypted. Given what was said in Section 2.4 about the wealth of sensitive personal data placed by Windows into the Registry, leaving that unencrypted is like leaving all of one’s windows in the house wide open (in addition to leaving the back door open as per (a)).

c. There is no encryption of the slack in the disk. Given what was said in Section 2.2.1 about what can exist in the slack to delight the forensic investigator, this is like exposing the floor plan to the burglar of one’s house for his convenience.

d. While one can (or should, but often does not think of doing) specify that the “Temporary” folder is to be encrypted as well, the fact is that different software programs have the bad habit of using their own temporary storage locations in one’s disk. As such, there is no one “Temporary” folder to protect. This is like locking one piece of jewelry in the safe but leaving the rest of them lying around for a burglar to help himself to.

e. Even though a folder can be specified to be encrypted, and files created in or copied to it are encrypted, the folder itself is not encrypted at all, and anyone with the right access permissions can see the names of the encrypted files in it.

In view of all of the foregoing, the much-heralded “encryption” option of the Windows 2000 operating system is a useless gimmick. In fact, it is worse than useless because it will tend to instill a false sense of security in the minds of those who use it in the mistaken belief that it protects their sensitive data from forensics analysis. It does not.

2. Do not display the last user’s name in the logon sequence screen; this takes a manual step to make it happen. To disable the last-user display, go to the Local Security Policy and make the change. There is no reason why an unauthorized person should know half of your login magic words (user name) and only have to guess the other half (password).

3. Convert to NTFS with the command-line command convert C: /fs:ntfs (if converting a drive other than C:, use the appropriate letter).

4. Once Windows has been set up, do not log in for day-to-day usage with the administrator account or with any other account that has administrator privileges. Use, instead, one created for your use that has simple user privileges so that your system files (which require administrator privileges) cannot be accessed surreptitiously while you are using some software that has a dual malicious function. As with most any security measure, this will impact convenience: When you want to install software while logged in as someone without administrator privileges, you won’t be able to, but neither will any remote hacker.

5. Beware of Windows 2000’s master file table (MFT). It has at least one entry for every file in an NTFS volume in your computer, along with extended information about each such file (date/time stamps, data content, and so forth). Worse yet, in the interest of speed, Microsoft does not edit and compact that MFT superfile but merely appends to it. As such, it can contain a list of files that goes back to the day you installed Windows 2000, long after you think that you deleted all references to them. By the way, if you have a huge number of files on your disk after a year or two and Windows runs out of preallocated MFT space, you will get no warning, and the directory table for the volume will crash. To prevent that, you need to hack the Registry as follows:

a. Run REGEDT32.

b. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\FileSystem.

c. Select “Add” from the Edit menu.

d. In the dialog box that comes up, enter

Value Name: NtfsMftZoneReservation

Data Type: REG_DWORD

Data: (enter 3 or 4; 4 is the maximum)

e. Close REGEDT32.

The above hack will only remove the possibility of a volume directory crash and will not fix the security problem, which is unfixable. About the only fix for the security problem is to use file names that are nonincriminating and nondescript.
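Recommendations 2, 3 and 5 above each come down to one setting that can be checked, and where needed applied, from an elevated prompt. The following PowerShell script is an added example, not from the book: it reports the file system of the C: volume, the DontDisplayLastUserName value that Local Security Policy writes, and NtfsMftZoneReservation, and applies the book's values when run with -Fix. The registry path for the last-user-name policy (Policies\System) is assumed from standard NT-family documentation rather than taken from the text.

```powershell
# Added example (not from the book). Audits recommendations 2, 3 and 5 and,
# with -Fix, writes the two registry values the text prescribes.
# Run from an elevated PowerShell prompt on an NT-family Windows.
param([switch]$Fix)

# Recommendation 3: the system volume should be NTFS (Win32_LogicalDisk is standard WMI)
$fs = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'").FileSystem
$fsState = if ($fs -eq 'NTFS') { 'OK (NTFS)' } else { "WEAK ($fs) - run: convert C: /fs:ntfs" }
Write-Host ("{0,-48} {1}" -f 'File system of C:', $fsState)

# Recommendations 2 and 5, both REG_DWORD values.
# Policies\System is the key Local Security Policy writes for "do not display last user name"
# (assumed standard location); FileSystem is the key named in the text.
$settings = @(
    @{ Name   = 'Do not display last user name (rec. 2)'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Key    = 'DontDisplayLastUserName'
       Accept = @(1); Want = 1 },
    @{ Name   = 'NtfsMftZoneReservation, 3 or 4 (rec. 5)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
       Key    = 'NtfsMftZoneReservation'
       Accept = @(3, 4); Want = 4 }
)

foreach ($s in $settings) {
    # A missing value yields $null here instead of a terminating error
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Key -ErrorAction SilentlyContinue).($s.Key)
    $ok = ($null -ne $current) -and ($s.Accept -contains $current)
    $state = if ($null -eq $current) { 'NOT SET' } elseif ($ok) { "OK ($current)" } else { "WEAK ($current)" }
    Write-Host ("{0,-48} {1}" -f $s.Name, $state)

    if ($Fix -and -not $ok) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # DWord matches the REG_DWORD data type the text specifies for REGEDT32
        Set-ItemProperty -Path $s.Path -Name $s.Key -Value $s.Want -Type DWord
        Write-Host ("  -> set {0} = {1}" -f $s.Key, $s.Want)
    }
}
```

Run it once without -Fix to see the current state, then with -Fix; a reboot is needed before the MFT zone value takes effect, as the book's REGEDT32 procedure also implies.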

6. If you elect to avail yourself of the “encryption” option in Windows 2000 (and there is really no benefit to doing so, as discussed above, other than some protection from a totally unsophisticated person that might take an interest in your computer), then at least realize that someone can still easily spoof your computer into revealing those encrypted files by logging in as an administrator through a back door (described below, after the CIPHER command syntax):

To encrypt a folder from the command line, type CIPHER [/E | /D] [/S:dir] [/I] [/F] [/Q] [pattern or directory], where

/E Causes the encryption of the specified directories

/D Decrypts the folder and stops any further encryption

/S Encrypts all files and subfolders in that directory

/I Forces the encryption to continue even if an error occurs (normally encryption stops if an error occurs)

/F Forces encryption on all directories specified (already encrypted directories will not be encrypted again)

/Q Reports minimal information about the status of the encryption of a file or folder being encrypted
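The CIPHER syntax above, exercised on a constructed test folder, also demonstrates point 1(e): after encryption the file contents are protected, but the folder listing remains readable to anyone with NTFS read access. This PowerShell session is an added example, not from the book; it assumes an edition of Windows on which EFS is available and uses a test folder under the current user's profile (a constructed location).

```powershell
# Added example (not from the book): encrypt a constructed test folder with
# cipher.exe, confirm the Encrypted attribute on each file, then show that
# the file names in the folder stay visible (the book's point 1(e)).
$folder = Join-Path $env:USERPROFILE 'EfsDemo'     # constructed test location
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path (Join-Path $folder 'notes.txt') -Value 'constructed sample content'
Set-Content -Path (Join-Path $folder 'ledger.txt') -Value 'constructed sample content'

# /E = encrypt, /S:dir = apply to the directory and everything beneath it
cipher.exe /E "/S:$folder" | Out-Null

# Every file should now carry the Encrypted file attribute
Get-ChildItem -Path $folder -Recurse -File | ForEach-Object {
    $enc = ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    '{0,-20} encrypted={1}' -f $_.Name, $enc
}

# With no switch, cipher lists each entry as E (encrypted) or U (unencrypted).
# Note that the names themselves are printed for everyone: only contents are protected.
cipher.exe $folder
```

Point 1(a) through 1(d) cannot be checked this way at all: the swap file, Registry hives, slack space and stray temporary files never receive the Encrypted attribute, which is exactly why the book treats the feature as cosmetic.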

To hack into your encrypted files without your knowledge, all someone has to do is restart your computer from the Emergency Repair Disk (ERD), reinstall the Windows 2000 operating system (e.g., from the distribution CD-ROM), set himself or herself up as the administrator, and use the default file-recovery certificate that you will most likely have left in the computer.

To preclude this happening, export the default recovery certificate to a floppy as follows:

1. Log in as administrator.

2. Start/Run mmc.

3. Select “Console,” then “Add/Remove.”

4. Select “Add.”

5. Highlight the “Certificates” option and click Add.

6. Select “My User Account.”

7. Click “Finish.”

8. Close and click “OK.”

9. Open Certificates—Current User, Personal, Certificates in the left panel. On the right side, you will see a certificate listed. Right-click on it and select “All tasks.” Export. This will start the Certificate Wizard.

10. Choose “Yes, export the private key.” Click “Next.”

11. Select “Personal Information Exchange” and then remove the check by “Enable strong protection” and also by “Delete the private key if effort is successful.” Select “Next.”

12. Enter a good password. Make sure you write it down somewhere so that it is not forgotten. Select “Next.”

13. Make up a file name under which to save that key. Put a floppy disk in the computer and type A:RECOVERY.PFX

14. Select “Next” and “Finish.”

15. Now you must delete the certificate on the hard disk. Right-click on the entry for the certificate and select “Delete.”

16. To verify that the certificate has indeed been deleted, reboot the computer, log in as administrator, and try to read any file on the disk that has been encrypted as any user other than administrator; it should fail.
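Steps 1 through 16 can be carried out from a prompt on versions of Windows that ship the PKI module (Windows 8 / Server 2012 and later). The following PowerShell script is an added example, not the book's own procedure: it finds certificates in the current user's personal store whose enhanced key usage is Encrypting File System (OID 1.3.6.1.4.1.311.10.3.4) or File Recovery (OID 1.3.6.1.4.1.311.10.3.4.1), exports each with its private key to a password-protected PFX, verifies the file opens, and only then deletes the certificate and key from the disk. The removable-media path E:\ is a placeholder standing in for the book's floppy drive.

```powershell
# Added example (not from the book): export the EFS / recovery certificate(s)
# with private key to removable media, verify the PFX, then remove certificate
# and key from the local store (the book's steps 9-15 via the PKI module).
# Requires Windows 8 / Server 2012 or later. E:\ is a placeholder for removable media.
$efsOids  = '1.3.6.1.4.1.311.10.3.4', '1.3.6.1.4.1.311.10.3.4.1'   # EFS, File Recovery EKUs
$mediaDir = 'E:\'                                                   # placeholder
$pfxPass  = Read-Host -AsSecureString 'PFX password (write it down, as the book advises)'

# Step 9: locate the certificate(s) in Certificates - Current User, Personal
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId | Where-Object { $efsOids -contains $_ })
}
if (-not $certs) {
    Write-Host 'No EFS or File Recovery certificate with a private key in the user store.'
    return
}

foreach ($c in $certs) {
    $dest = Join-Path $mediaDir ('RECOVERY-{0}.pfx' -f $c.Thumbprint)
    Write-Host ("Exporting {0} ({1}) -> {2}" -f $c.Subject, $c.Thumbprint, $dest)

    # Steps 10-14: Personal Information Exchange format with the private key included
    Export-PfxCertificate -Cert $c -FilePath $dest -Password $pfxPass | Out-Null

    # Verify the PFX round-trips before anything is deleted from the hard disk
    $check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($dest, $pfxPass)
    if ($check.Thumbprint -ne $c.Thumbprint -or -not $check.HasPrivateKey) {
        throw "Exported file $dest does not contain the expected certificate and key; nothing deleted."
    }

    # Step 15: delete the certificate; -DeleteKey also removes the private key from the machine
    Remove-Item -Path $c.PSPath -DeleteKey
    Write-Host "  removed from store; keep $dest offline."
}
```

Step 16 remains a manual check: reboot, log on as administrator, and confirm that a file encrypted by another user can no longer be read. If the recovery agent was assigned through a domain or local security policy rather than a user store certificate, the policy itself must be changed as well, which this script does not attempt.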

17. Install and use a RAM disk, such as the one depicted in Figure 6.6 (http://www.cenatek.com/product_ramdisk.cfm).

Caution: Do not enable the option whereby the RAM disk is saved onto the physical hard disk just before shutting down. Doing so will negate the security benefit of having a RAM disk in the first place.

Caution: This admonition applies to all computer users, regardless of which operating system is being used and regardless of whether the computer in question is ever connected to any network: If you plan to have your computer serviced or repaired by someone else, make sure that the hard disk is removed first. The reasons should be self-evident by now.