This site is dedicated to my father and in his memory, endeavors to offer some small service to the world computing community.
  DOWNLOADS  ·  ENHANCEMENTS H O M E FIXES  ·  ARTICLES  



REMOTE ASSISTANCE - CONSIDER THE NEED
As with Automatic Updates, Windows XP ships with this option turned on by default. The average user may not be aware that the Remote Assistance service even exists at first, much less that there is a choice to be made. This service should not present a security problem unless of course, someone figures out a way to exploit the feature--a distinct possibility.

Remote Assistance is similar to third party remote control applications such as Symantec's pcAnywhere, or AT&T's Virtual Network Computing. Both of these are powerful point to point networking systems which allow a remote user to gain access and if you allow it, complete control of your computer. This might come in very handy if you need a support representative or someone else to help you fix a problem with your computer.

However, published reports indicate that at least one computer manufacturer, eMachines, have already stated that they intend to ship XP equipped machines with this feature enabled. The intent of this feature presumably, is to help the manufacturer reduce support costs. While I have no qualms with the basic premise, it is arguable at best that the feature would in fact live up to its promise. Dell, who along with Gateway, Sony and other manufacturers have had similar features installed on computers they sell for some time, state they have not had great success in reducing support costs through the use of remote manipulation software and are in fact planning to discontinue its use.

Of course, if you do not have a problem, or if you are able to analyze, diagnose and repair most problems on your own, there is no reason for this service to be on. Therefore, this is just one more service that I would prefer to turn on when and if needed rather than have it enabled all the time, and again, I think that the end user should be able to more easily access this application so that it can be turned on or off at will.

If you'd like to review the settings for Remote Assistance, do the following:
  1. Click Start
  2. Click Control Panel (or Settings/Control Panel if you have the Classic Start menu enabled)
  3. Launch the System applet
  4. Click the Remote tab
  5. Either leave Allow Remote Assistance invitations to be sent from this computer checked or uncheck it, as you please.
Lets take a moment to look a little deeper into Remote Assistance and its significance to the common user. If you are logged in as the Administrator (the default setup for Windows XP and itself a security issue, but more on that a little later), and if you have enabled the Administrative Tools item in the Start Menu, launch the Computer Management console and expand the Local Users and Groups item. Now open the "Users" folder.

Surprise! Aside from the Administrator and whatever other User accounts you established either while installing XP or after it was set up, I would draw your attention to another "User" account that is by default enabled called "HelpAssistant". This account is there to provide "Remote Assistance". What we have here is Windows XP by default creating user accounts for your computer, ostensibly without your knowledge. This is not insignificant and is yet another aspect of XP that creates doubt in my mind as to the overall level of security and privacy offered.

By now you've noticed that there is also a "Guest" account, fortunately disabled by default, that is described as "Built-in account for guest access to the computer/domain" (emphasis added). Additionally, and also disabled, note the account described as "SUPPORT_58468a0" (or similar). This is a vendor's account for support services and is presumably what the folks at eMachine will enable in their shipping versions.

These accounts may be disabled (or enabled, as the case may be) by right-clicking the account Name and selecting Properties. Under the General tab you will find a checkbox for Account is disabled. When unchecked, the account is enabled and that User may at any time log into the machine assuming he/she has the username and password. Fair warning given.



THE POWERFUL REMOTE DESKTOP FEATURE
While you are reviewing the Remote Assistance feature in the Control Panel applet, take a look immediately below at the Remote Desktop feature. Unlike Remote Assistance, this is very much like those programs I named above, pcAnywhere and Virtual Network Computing. This is a very useful feature, and Microsoft should be commended for including it in Windows XP, but yet again, I would prefer to enable this feature on an as needed basis. This is yet another program which I would like to see listed somewhere in the Start menu along with Internet Connection Firewall and Remote Assistance.

This service has the potential to present a greater security risk than Remote Assistant. The bad guys out there use something called a Password Sniffer to attempt to find passwords on vulnerable computers. Sniffing is a popular form of attack, but at present Windows NT based operating systems like Windows XP use very effective security against this form of intrusion. Consequently, at present, sniffers aren't a problem for Windows NT, 2000 or XP. Should that happy circumstance change, all those Windows XP computers with this service on by default will be more vulnerable than I believe they need to be. This risk could easily be minimized by giving the user the option to enable this feature only when it is needed.

Remote Desktop can be toggled on and off in the same Control Panel applet in which you found the Remote Assistant. You can read up on this feature by clicking the live link right there in the Control Panel applet that says "Learn more about Remote Desktop".



THE ADMINISTRATOR DEFAULT AND THE ASSOCIATED DANGERS ~ THE RAW SOCKETS ISSUE
Unlike Linux, Windows NT operating systems use the Administrator as the default log in. In other words, unless you set up and then use a separate User account for which you may limit certain permissions, you will always be logging in with full privileges. Knowledgeable users with a thorough understanding of security issues can safely work as Administrators and enjoy the full range of freedoms this log in offers. However, as with any well set up local area network, for the average user that doesn't need to have full permissions in order to be productive on a day to day basis, it might be safer to log in as a User. This offers another layer of security as even if someone were able to hack in, or if the User were to inadvertently contract a virus or Trojan, the environment is restricted by the nature of the permissions set for that User and thus the damage would be minimized.

This is a one reason why there are so few viruses and Trojans written for Linux and so many written for Windows. Under normal circumstances, the default log in for Linux is a User, though every machine must have a "Root" log in (which is analogous to the Administrator in Windows). Linux sets rather restrictive permissions for the Users, so viruses or Trojans cannot perform tasks that might be damaging because they just won't work.

In Windows XP, it would be wise to create another account for yourself, a User, and make that account a member of the User Group, which would thereby be prevented from making accidental or even intentional system-wide changes. This User account can run certified applications, but not most legacy applications. To do this, go to Start/Control Panel (or Settings/Control Panel if you have the Classic Start menu enabled) and launch the User Accounts applet. Under Pick a task… click Create a new account. Follow the simple prompts to name the account and then pick the Limited account type.

The significance of all this is currently being brought home by the developing situation between Microsoft and Steve Gibson of GRC.com over Denial of Service Attacks and Raw Sockets in Windows XP. Basically, per the standards set forth in 1981 at U.C. Berkeley by the CSRG (Computer Systems Research Group), a Raw Socket short-circuits the TCP/IP stack to open a "backdoor" directly into the underlying network data transport. Fortunately, all previous versions of Windows actually used a non-standard implementation of Raw Sockets that was more restrictive than that standard. However, Windows XP will implement the CSRG standard version of Raw Sockets.

To quote Steve Gibson's page predicting that Windows XP will be the Exploitation Tool of Choice for Internet Hackers Everywhere: "Beyond their use for supporting simple "ping" and "traceroute" commands, the original Berkeley designers intended Raw Sockets to be used for Internet protocol research purposes only. Because they fully appreciated the inherent danger of abuse of Raw Sockets, they deliberately denied Raw Socket access to any applications not running with maximum Unix "root" privileges. User-level applications were thus prevented from accessing and potentially abusing the Raw Sockets capability." But remember that this standard was created before Windows operating Systems were around; operating systems that use the Administrator as the default log in. When you understand these facts within this context, it becomes clear that Gibson may have some very legitimate concerns. Hopefully you will be encouraged to create and use a non-Administrator account for your Windows XP installation. Even if Gibson's Raw Sockets concerns turn out not to be an issue, it is good practice to utilize a User account for most of your everyday activities in Windows XP.



DOES ANYBODY KNOW WHAT TIME IT IS? DOES ANYBODY REALLY CARE?
Remember that old Chicago tune? Listen to that song while reading this next segment.

Anything that acts as a server on your computer has the potential for being exploited by the nasties of this world. Heck, even innocent little non-server features can be exploited. Remember the "Favicon" exploit that came out just after Windows 5.x was released? Who would have thought that something as innocuous as the "'Favicon" feature could be used to breach your computer's privacy? Nevertheless, it really isn't likely that anyone will ever figure out a way to backdoor your Windows XP installation via this next item, but if you know about this you can make your own decision. I don't want to worry about it, and in my world, the time of day down to the last second just isn't important enough for me to leave this on.

This item is only available if your computer is not a member of a domain. If your XP qualifies, try the following:
  1. Right-click the clock in the System Tray and select Adjust Date/Time
  2. Click the Internet Time tab
  3. Note that leaving Automatically synchronize with an Internet server checked, which is the default setting, will allow the time synchronization service to dial out to the time server.
Again, this isn't anything to be alarmed about, it's just here for your information.



OF WINDOWS XP AND CHOICES - MY DIATRIBE
Windows XP offers the user fewer configuration choices during installation than Windows 2000 and Windows 9x did, and hides other options that I feel should be readily available to the user. I might be a little (but only a little) less critical if I found these conditions in the Home Edition, but this is inexcusable in an operating system designed for professionals. Perhaps Microsoft really intend the version I tested to be used by both professionals and home users in spite of its name. If this is so, perhaps some of the decisions about configuration are understandable, but I wish they would make up their minds. If it's a "Pro" version, make suitable choices available to that caliber of user.

I don't know what criteria Microsoft uses to select their beta testers, but I would like to think that rather than just simply testing the operating system for bugs, many of them asked Microsoft to include features such as being able to choose what bundled applications are installed when loading the operating system. Over the years, I availed myself of this capability every single time I clean installed either version of Windows 9x or Windows 2000. After all, many "professional" level users don't want screen savers and games and other frivolous features installed with the operating system. Some of us don't play checkers on our computers or look at floating blob screen savers that do not "save" the screen anyway.

Don't get me wrong, I think Windows XP is definitely a big improvement over the Windows 9x/ME line of operating systems. Unfortunately, it is definitely not, in my opinion, an improvement over Windows 2000. In fact, XP strikes me as being a candy colored (some would say candy-assed) version of Windows 2000 with some extra features thrown in--features that are for the most part readily and inexpensively available from third party suppliers presently. And in the case of Windows XP's firewall, far superior versions offering a great deal more protection are freely available from several manufacturers. I see no reason to upgrade (side-grade?) from Windows 2000 to XP, but I see plenty of reason to upgrade from Windows 9x or ME to … well, Windows 2000 (unless you're a fervent gamer) and skip right over Windows XP.

I hope this article has been of use to some of you new Windows XP owners. We should all have more choices in life.

;~* … Scotterpops

I would like to express my deepest appreciation to Alex Byron of PC911 and my good friend ROPera for their assistance and encouragement in the creation of this article. Their input has been invaluable, and without it, this article would not have been possible.

page 2 of 2

On To Page Two

 

  DOWNLOADS  ·  ENHANCEMENTS H O M E FIXES  ·  ARTICLES  
©Copyright 2002 · The Gazette · All Rights Reserved   ·   Webmaster   ·   Best Viewed With Any Standards Compliant Browser