S 2.328 Use of Windows XP on mobile computers
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User, Administrator
When using Windows XP on mobile computers, module S 3.203 Laptops must be taken into account, as for all other mobile PCs.
Data encryption
Mobile computers are often located in environments that provide a significantly lower level of security than protected office environments. For this reason, any data stored on the mobile computer requiring protection should be encrypted (see also S 4.29 Use of an encryption product for portable IT systems). In addition to a series of products offered by third-party manufacturers, the integrated Windows XP mechanisms can also be used for encryption:
- EFS (Encrypting File System),
- Encryption of the offline files.
Information on the secure use of EFS can be found in safeguard S 4.147 Secure use of EFS under Windows.
The concept of offline files was introduced in Windows 2000. Offline files are copies of documents located on a network share. They are stored in a database (the client-side cache) on the local computer so that the documents remain accessible even when the network share cannot be reached.
The option of encrypting these offline files was introduced in Windows XP. The entire offline files store, which contains the cached files of every user of the computer, is encrypted with a single computer-specific key. Encryption is transparent to the users and can only be enabled and disabled by administrators, either in the Windows Explorer folder properties under Tools | Folder Options | Offline Files | Encrypt offline files to secure data, or centrally in the group policy under Computer Configuration | Administrative Templates | Network | Offline Files | Encrypt the Offline Files cache. Enabling offline file encryption is particularly recommended when the original documents to be synchronised are themselves encrypted (e.g. with EFS) on the server, since otherwise the local offline copies would be stored in plaintext. Because the key belongs to the computer and not to a user, cache encryption protects the cached documents when the disk is read outside the running system (e.g. after theft of the laptop); it does not take the place of access control between users of the same computer.
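To check both mechanisms on a mobile XP client, the following PowerShell audit script is an added example and not part of the catalogue text. It assumes PowerShell is installed on the Windows XP SP2/SP3 system, that the policy "Encrypt the Offline Files cache" is backed by the registry value EncryptCache under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache (an assumption about the policy's backing value), and that the folder list it audits (here C:\Confidential) is the organisation's own choice.

```powershell
# Added example, not part of the BSI catalogue. Assumes PowerShell on Windows XP SP2/SP3
# and that the GPO "Encrypt the Offline Files cache" is backed by the registry value
# HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache\EncryptCache = 1 (assumption).

function Test-OfflineCacheEncryptionPolicy {
    # Returns $true when the policy that encrypts the offline files cache is in force.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.EncryptCache -eq 1)
}

function Get-UnencryptedFiles {
    # Lists files below the given folders that do NOT carry the EFS "Encrypted" attribute.
    param([string[]]$Folders)
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0 } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Protect-Folder {
    # Enables EFS on a folder and everything below it with the built-in cipher.exe;
    # files created in the folder afterwards inherit the encryption.
    param([string]$Folder)
    & cipher.exe /E /S:"$Folder" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# --- usage ---------------------------------------------------------------
$protectedFolders = @('C:\Confidential')   # folders holding data requiring protection (assumption)

if (-not (Test-OfflineCacheEncryptionPolicy)) {
    Write-Warning 'Offline files cache is NOT encrypted by policy.'
}
$plain = @(Get-UnencryptedFiles -Folders $protectedFolders)
if ($plain.Count -gt 0) {
    Write-Warning ("{0} file(s) without EFS encryption found:" -f $plain.Count)
    $plain | Format-Table -AutoSize
    # Remediation, once the EFS recovery agent from S 4.147 is in place:
    # Protect-Folder -Folder 'C:\Confidential'
}
```

The audit deliberately reports rather than encrypts: turning EFS on for a folder before a data recovery agent and key backup exist (see S 4.147) is the classic way to lose data on a laptop.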
The strategy used to protect the data stored on a mobile computer (Windows XP EFS, offline file encryption or encryption using a third-party product) must be specified based on the specific circumstances and on a case-by-case basis, if necessary.
Local firewall
In contrast to stationary desktop computers installed inside the organisation's network, mobile clients can be connected directly to the Internet, outside the organisation's security gateway. It is therefore essential to protect mobile computers with a locally installed firewall.
Windows XP introduced the Internet Connection Firewall (ICF), which was renamed Windows Firewall with Service Pack 2. The Windows Firewall is a stateful packet filter that inspects each incoming IP packet (TCP, UDP, ICMP) and processes it according to its configuration.
Among other things, Windows XP Service Pack 2 contains the following enhancements to the ICF/Windows Firewall:
- Enabled by default on all interfaces
- Protection already during boot, before network services start
- Central configuration via GPOs
- Source address (scope) restriction per opened port or service
- Command line support (netsh firewall)
- Lock-down mode ("Don't allow exceptions")
- List of exceptions for applications
- Separate policy profiles (domain and standard)
- RPC support
- Reset to the default configuration
- Support of unattended installation.
The Windows Firewall only filters inbound traffic; outbound packets are not restricted at all. It is therefore not possible, for example, to restrict which Internet servers may be reached, nor to specify and control which programs are allowed to access the Internet. Consequently, the Windows Firewall offers no protection against Trojan horses that are already present on the computer and establish outbound connections.
The use of the ICF (prior to Service Pack 2) in company or government agency environments is difficult because of the lack of central configuration options. The only central control is the group policy Computer Configuration | Administrative Templates | Network | Network Connections | Prohibit use of Internet Connection Firewall on your DNS domain network, which disables the ICF completely while the client is in the domain network; the ICF itself is configured locally on the Windows XP system, separately for each network interface.
With Service Pack 2, administrators can also manage the Windows Firewall centrally through the group policies under Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall. Two profiles are available, the domain profile and the standard profile, so that the Windows Firewall can be configured differently depending on the environment (internal network of the organisation or mobile use). In the internal network certain exceptions for inbound traffic are conceivable (e.g. for remote administration of the computer), ideally restricted to the internal address range. For mobile use, on the other hand, the Windows Firewall should not allow any exceptions (the "Don't allow exceptions" lock-down mode) and all inbound traffic should be blocked. The client selects the profile itself: if a domain controller of its domain can be reached, the domain profile is applied; otherwise the standard profile, i.e. the one intended for mobile use, is enabled.
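The profile split described above, expressed with the netsh firewall context that Service Pack 2 added, is shown in the following PowerShell script. It is an added example and not part of the catalogue text; it assumes an elevated PowerShell on a Windows XP SP2/SP3 client, 10.0.0.0/8 as the organisation's internal address range and Remote Desktop as the only service that may be reached from the internal network (both illustrative values).

```powershell
# Added example, not from the BSI catalogue. Assumes an elevated PowerShell on
# Windows XP SP2/SP3 (the "netsh firewall" context does not exist on the pre-SP2 ICF),
# 10.0.0.0/8 as the internal address range and Remote Desktop as the one permitted
# inbound service (both illustrative assumptions).

$InternalNet = '10.0.0.0/8'

function Set-DomainProfile {
    # Domain profile (a domain controller is reachable): firewall on, exceptions allowed,
    # but only remote desktop and only from the internal address range.
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN | Out-Null
    netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=$InternalNet profile=DOMAIN | Out-Null
    netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=DOMAIN | Out-Null
    netsh firewall set notifications mode=DISABLE profile=DOMAIN | Out-Null
}

function Set-StandardProfile {
    # Standard profile (mobile use, no domain controller reachable): lock-down mode,
    # i.e. "Don't allow exceptions"; every inbound connection attempt is dropped.
    netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD | Out-Null
    netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=STANDARD | Out-Null
    # Do not answer multicast/broadcast probes (e.g. name resolution) on foreign networks.
    netsh firewall set multicastbroadcastresponse mode=DISABLE profile=STANDARD | Out-Null
    netsh firewall set notifications mode=DISABLE profile=STANDARD | Out-Null
}

function Set-FirewallLogging {
    # Log dropped packets and successful connections; size is in KB (1-32767).
    param([int]$MaxSizeKB = 8192)
    $logFile = Join-Path $env:windir 'pfirewall.log'
    netsh firewall set logging filelocation=$logFile maxfilesize=$MaxSizeKB droppedpackets=ENABLE connections=ENABLE | Out-Null
}

function Get-FirewallState {
    # Returns the active profile and operational mode as text for the change record.
    return (netsh firewall show state) + (netsh firewall show opmode) + (netsh firewall show logging)
}

# --- usage ---------------------------------------------------------------
Set-DomainProfile
Set-StandardProfile
Set-FirewallLogging -MaxSizeKB 8192
Get-FirewallState
```

The same settings are available centrally under the group policy path given above, in the Domain Profile and Standard Profile sub-nodes ("Windows Firewall: Protect all network connections", "Windows Firewall: Do not allow exceptions", "Windows Firewall: Allow Remote Desktop exception" with its scope field, and "Windows Firewall: Allow logging"). A GPO takes precedence over the local netsh configuration, so the script is mainly useful for clients that are rarely in reach of a domain controller and for verifying what a GPO actually produced.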
By default, the Windows Firewall is enabled on all existing network interfaces after Service Pack 2 has been installed. Depending on the circumstances in the respective company or government agency, this can cause problems, for instance with applications or management tools that expect inbound connections (see also S 2.329 Introduction of Windows XP SP2).
Both the ICF and the Windows Firewall provide a logging option. Logging is disabled by default after the firewall has been activated and must therefore be enabled explicitly. Logging of dropped packets and of successful connections can be enabled separately so that it can be adjusted to the individual requirements. The log (by default %windir%\pfirewall.log) is written in the W3C Extended Log File Format. When the configured maximum size of the log file is reached, the file is renamed with the additional extension .old and a new log file is started; if the maximum size is reached again, the previous .old file is overwritten and its data is lost. The maximum file size must therefore be chosen large enough for the collection interval. Since the log data is only stored locally, a mechanism for collecting it centrally must be implemented; Windows XP itself does not provide one.
If Windows XP computers are to be protected against attacks from the local network or the Internet (mobile use), a personal firewall from a third party is generally preferable, because such products usually offer a wider range of functions (e.g. filtering outbound connections or restricting the programs authorised to access the Internet).
If no personal firewall is installed and enabled, the Windows Firewall (or the ICF prior to SP2) should at least be set up on mobile IT systems (see also safeguard S 5.91 Use of personal firewalls for clients).
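Because Windows XP offers no collection mechanism of its own, the following PowerShell script, an added example that is not part of the catalogue text, shows the minimum a practitioner needs: a parser for the W3C extended-format log (column names are taken from the file's own #Fields line, so it survives format changes between versions), a summary of dropped inbound packets, and a copy to a central share. It assumes PowerShell on the XP client; the sample log lines are constructed for the example and \\logserver\fwlogs is a hypothetical collection share.

```powershell
# Added example, not from the BSI catalogue. Parses the W3C extended-format log written
# by the Windows XP SP2 firewall (default %windir%\pfirewall.log, rotated once to
# pfirewall.log.old). Assumptions: PowerShell on the XP client, the sample records
# below are constructed, and \\logserver\fwlogs is a hypothetical collection share.

function Import-FirewallLog {
    # Yields one object per log record; property names come from the file's #Fields line.
    param([string[]]$Path)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $fields = $null
        foreach ($line in (Get-Content -LiteralPath $file)) {
            if ($line -match '^#Fields:\s*(.+)$') { $fields = $matches[1].Trim() -split '\s+'; continue }
            if ($line.StartsWith('#') -or $line.Trim() -eq '' -or -not $fields) { continue }
            $values = $line.Trim() -split '\s+'
            $rec = New-Object PSObject
            $rec | Add-Member NoteProperty File $file
            for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
                $rec | Add-Member NoteProperty $fields[$i] $values[$i]
            }
            $rec
        }
    }
}

function Get-DroppedInboundSummary {
    # Counts dropped inbound packets per source address and destination port.
    param($Records)
    $Records |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'src-ip';   e = { $_.Group[0].'src-ip' } },
            @{ n = 'dst-port'; e = { $_.Group[0].'dst-port' } }
}

# --- constructed sample log in the XP SP2 format (not real traffic) ----------
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-03-14 10:22:13 DROP TCP 203.0.113.5 192.0.2.10 4321 445 48 S 1234567 0 65535 - - - RECEIVE
2005-03-14 10:22:15 DROP TCP 203.0.113.5 192.0.2.10 4322 139 48 S 1234568 0 65535 - - - RECEIVE
2005-03-14 10:22:20 DROP UDP 198.51.100.9 192.0.2.10 137 137 78 - - - - - - - RECEIVE
2005-03-14 10:23:01 OPEN TCP 192.0.2.10 198.51.100.7 1045 80 - - - - - - - - -
2005-03-14 10:23:30 CLOSE TCP 192.0.2.10 198.51.100.7 1045 80 - - - - - - - - -
'@
$sampleFile = Join-Path $env:TEMP 'pfirewall.sample.log'
Set-Content -LiteralPath $sampleFile -Value $sample

# --- usage ---------------------------------------------------------------
# On a real client use the live file and its single rotation:
#   $records = @(Import-FirewallLog -Path "$env:windir\pfirewall.log", "$env:windir\pfirewall.log.old")
$records = @(Import-FirewallLog -Path $sampleFile)
Get-DroppedInboundSummary -Records $records | Format-Table -AutoSize

# Central collection: ship the parsed records as CSV, one file per host and day,
# before the .old file is overwritten by the next rotation.
$share = '\\logserver\fwlogs'   # hypothetical collection share
if (Test-Path -LiteralPath $share) {
    $dest = Join-Path $share ("{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
    $records | Export-Csv -LiteralPath $dest -NoTypeInformation
}
```

Run at logon (mobile clients are rarely reachable for a pull), the copy step has to fit into the interval between rotations: with logging of connections enabled, a few MB of log can fill within days on a busy network, so the maximum file size and the collection frequency must be chosen together.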
Review questions:
- Is data requiring protection encrypted on all mobile Windows systems?
- Is a personal firewall or the Windows Firewall (or the ICF prior to SP2) installed and enabled on all mobile Windows systems?