I know we all deal with computers on a daily basis. With so much computer use, why is security so complex? Well, I have an answer, which might not ring a perfect tone in your ear. My perception is that people are lazy! Of course not everyone! However, enough for security to take a backseat to productivity and making money. If your local bank, where you keep your retirement funds, were to say to you "our employees keep losing their keys to the vault and can't remember the vault passcode, so we are going to just keep a zip-tie on the vault from now on", how would you feel about keeping your money there? Well, why do corporations continue to use zip-ties to secure intellectual property (IP), social security numbers, credit card numbers, etc.? I feel that security needs to start at the endpoint and then continue to be more secure all the way back to the file where the data is stored. Here, we are going to discuss endpoint security.
Step 1: Force User to be Non-Administrator On Desktops
For corporate America, this is becoming a standard which all desktops, even IT employees, must adhere to. When a user is a non-administrator on a desktop, the overall security of the desktop is increased more than any other setting possible. When a user is a local administrator of a desktop, so many things can go wrong, and usually do. For example, when a user is a local administrator, the following issues can occur:
- Viruses and malicious applications are 90% more likely to infect the computer
- Users can bypass corporate network policies, yet still access data to perform their job duty
- Illegal applications can be installed, causing licensing issues for the corporation
- Attack software can be installed and used to attack the network and servers
- IT loses all control over the desktop
As soon as users become non-administrators, all of these issues are either eliminated or reduced to a level that is very easy to manage.
Step 2: Implement a Local Firewall
Nearly everyone that I come in contact with is running Windows 7 on all or at least the majority of the computers they work on. I am here to tell you that Windows 7 Firewall is awesome! It is stable, functional, and effective. Windows 7 enables the firewall by default and there are very few issues with corporate network communications with the firewall enabled.
Sure, you can dive into the firewall and enable some amazing features such as isolation, encryption, port filtering, etc., but just having the firewall enabled and limiting the ports and services that the computer can communicate on with other computers is amazing.
No, the firewall is not an end all security feature. I am not saying that. However, to have a firewall enabled and limiting the communication streams is key for any corporate network.
Step 3: Keep Anti-Virus Signature Files Up to Date
I am not a huge fan of anti-virus, due to the fact that I keep getting viruses on computers with anti-virus software installed. The reason that anti-virus software is so ineffective for the majority of malicious applications is that the attackers are always one step ahead of the signature files. Signature files are only as smart and good as what they are aware of. If there is a new virus, the signature file will not know about it.
However for corporations, having anti-virus is key. The reason is that there are "users" on your network who you can't trust! I don't mean that in a bad way, just real way. We need employees. We need employees that know a variety of skill sets. Not all employees know how to handle a computer securely.
Anti-virus helps IT and the corporation protect against users that click on all links in emails. We need anti-virus to protect desktops where users bring in USB thumb drives from home, where the home computer is infected with a virus.
If you can obtain an anti-virus solution that goes beyond just relying on a signature file, it is even better. Solutions from companies like Eeye provide advanced firewall solutions and can take your corporate desktop to a new level.
Step 4: Use Group Policy
As one of the few Group Policy Microsoft MVPs in the world, of course I have to include this one! However, it is not like I am poisoning the list with some odd suggestion. Group Policy is the only way to secure a Windows corporate network. If you are not using Group Policy, I can guarantee you there are numerous computers that are not secured!
Group Policy is free, already installed on every Windows computer in your environment, and very powerful. If you have not used Group Policy...then START NOW! You can control nearly every aspect of the Windows desktop with Group Policy settings, including security settings such as:
- Password controls
- Auditing and logging of activity
- User rights and what users can control
- Authentication protocols (Kerberos, NTLMv2, NTML, LM)
- Anonymous access, including access through IPC$
- SMB signing
- LDAP signing
- User Account Control
- Internet Explorer
Good list? Absolutely! Start using Group Policy today!
Step 5: Whitelist/Blacklist Applications
Windows 7 provides two built-in alternatives to configure application controls. The older technology is Software Restriction Policy and the newer technology is AppLocker. Both provide a mechanism to list approved (whitelist) and denied (blacklist) applications.
Before you jump into this, think about the entire article as a whole. If you have the very first step implemented, which applications can a normal user run? That is right, only those that which can be run by a non-administrator. Which applications are included in this list... not many!
So, if you implement step 1, you only need to create a denied list of applications that can be run by non-administrators! If you don't care if the user can run the application as a non-administrator, then don't add it to the list. If you do care, then add it to the list!
There is no need to create an approved list of applications, as this is what you provide in the desktop image and what you allow the non-administrator to run. Of course, you will need a solution like PowerBroker Desktops from BeyondTrust to elevate applications that do require local administrator privileges, but that is easy to install and implement.
Desktop security is not something you can take lightly. You must take precautions to ensure the user of the computer is not going to do something foolish, or even malicious. Making the user a standard user, which is a non-administrator, is number one priority. Everything after this is just icing. If you implement the steps shown here for all corporate desktops, your overall support calls will reduce, employee efficiency will increase, and attack surface will decrease immediately!