Increase security by clearing your server's page file when you shut down

Unsecured information may reside on your server's page file at shutdown. John Sheesley explains how to keep this data away from prying eyes by making a few changes to your registry.

Imagine that something physically goes wrong with a server and you have to take it to a repair facility. Or suppose the physical security you’ve placed around your server room fails and someone steals a server or its hard drive. Even if you’ve gone to the extent of encrypting important information using Windows 2000’s Encrypting File System, potentially vital information may still exist in the page file. All someone would have to do is install the server’s hard drive as a secondary drive onto another Windows 2000 machine and read Pagefile.sys with a sector editor. The way to prevent others from getting to this important data is simple: Empty the page file when you shut down your Windows server.

Danger! Danger! Danger!
This Daily Feature suggests making changes to your server's registry. Make sure you have a complete backup of your server before performing any technique in this article. If you make a mistake when making changes to your server's registry, you may cause your server to be unbootable, requiring a reinstallation of Windows. Proceed with extreme caution.

Why worry about the page file?
The page file, Pagefile.sys, is a large area of your hard drive set aside in Windows NT and Windows 2000 to temporarily store information that can’t reside in RAM. If you’re a new Windows server administrator but are familiar with Windows 9x, you’ll know this area as the swap file. As your server loads additional programs into memory, it occasionally swaps to disk any information it’s not currently using. This frees RAM, which is faster than any hard drive, for more pertinent work. If, in the course of regular operations, the server needs to access a program that’s no longer in RAM, it swaps another low-priority program out to the hard drive and reads in the program it next wants to work on.

Both Windows NT and Windows 2000 dynamically create the default size of the page file and adjust the size of the file as needed. Most network administrators prefer to set the page file to a fixed size to increase performance. For more information about the page file, see the Daily Drill Down “Swap files: The truth is out there.”

The security problem with the page file involves the actual way it operates. As your server swaps data in and out of the page file, invariably, sensitive information will be written there. This information can be just about anything including user IDs, passwords, database records, or text files.

When you shut down your server, all of the running programs and services stop and unload. Unfortunately, as the server shuts down, it releases the pages those programs held in the page file but doesn’t overwrite them with anything. Therefore, even after programs and services have ended in RAM, copies of their data are still left in the page file. After you shut down the computer, traces of that information still exist on the server’s hard drive.

Going where angels fear to tread
To prevent someone from reading the information left in the page file after shutdown, you simply need to make a few changes to the registry. To force Windows NT and Windows 2000 to clear the page file at shutdown, log on to your server as Administrator or as a user with administrator rights. Start the registry editor by selecting Run from the Start menu, typing regedt32 in the Open text box, and clicking OK.

When the Registry Editor window opens, navigate the left pane until you get to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management key. In the right pane, look for the value named ClearPageFileAtShutdown.

To change the value, double-click it. You’ll then see the DWORD Editor. Enter a value of 1 in the Data field and click OK.

If the value doesn't exist, you'll need to add it. To do so, select Add Value from the Edit menu. When the Add Value menu appears, enter the name of the value in the Value Name field exactly as listed above. Make sure the Data Type list box contains the value REG_DWORD and then click OK. You'll then see the DWORD Editor screen. In the Data field, enter a value of 1 and click OK.

After you've changed or added the value, you're finished. Quit the Registry Editor and restart your server for the change to take effect. After that, every time you shut down your server, Windows will clear the page file, so the data it held will no longer be left behind on disk.
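The same change can be made and verified from a script, which is easier to audit across many servers than the graphical Registry Editor. The following PowerShell is an added example, not part of the original article; it uses the key path and value name given above and assumes a modern Windows version with PowerShell (Windows NT and 2000 predate PowerShell, and the article's regedt32 steps apply there). It backs up the key first, as the article advises, then creates or corrects the value. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): audit and enable ClearPageFileAtShutdown.
# Key path and value name come from the article; the backup location and messages are assumptions.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ValueName = 'ClearPageFileAtShutdown'

function Get-ClearPageFileSetting {
    # Returns the current DWORD value, or $null when the value has never been created.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-ClearPageFileAtShutdown {
    # Creates the value as REG_DWORD = 1 if it is missing, or sets it to 1 if it exists.
    $current = Get-ClearPageFileSetting
    if ($null -eq $current) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 | Out-Null
        Write-Output "Created $ValueName = 1 (takes effect after the next restart)."
    }
    elseif ($current -ne 1) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1
        Write-Output "Changed $ValueName from $current to 1 (takes effect after the next restart)."
    }
    else {
        Write-Output "$ValueName is already 1; nothing to do."
    }
}

# Back up the key before touching it. reg.exe export writes a .reg file that can be
# re-imported with 'reg import <file>' if the change needs to be rolled back.
$backup = Join-Path $env:TEMP ('MemoryManagement-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' $backup /y | Out-Null
Write-Output "Registry backup written to $backup"

Enable-ClearPageFileAtShutdown

# Re-read the value so the final state is visible in the script output.
Write-Output "Current $ValueName setting: $(Get-ClearPageFileSetting)"
```

Get-ClearPageFileSetting on its own is a useful audit check: a result of $null or 0 means the server still leaves its page file contents on disk at shutdown. One caveat worth knowing before rolling this out: with the value set, Windows overwrites the whole page file during shutdown, so shutdowns and restarts take noticeably longer on servers with large page files.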

