Myths of Securing Windows Desktops (Part 2)

If you would like to read the first part of this article series please go to Myths of Securing Windows Desktops (Part 1).

Introduction

In part one of this article, we reviewed the most basic elements of security for your desktop, which is anti-virus. We also tackled the myths regarding least privilege management. These two areas of desktop security are two of the most common, yet not the only areas that need to be addressed. There are also myths around endpoint firewalls, data protection, and whitelisting of applications, which also need attention to ensure that everyone is fully aware of the capabilities and limitations of each security solution. The reason for this focus on securing windows desktops is multifold. First, most organizations are looking to rollout Windows 7, and there are significant myths around this operating system. Second, over the past 10 years I have heard so many false statements about how administrators are securing their desktops that I feel it is important to set the record straight. Finally, as an MVP in Group Policy and Active Directory, I wanted to ensure that everyone get the most up-to-date information on securing Windows desktops. It’s my nature!

Endpoint Firewall

Historically, this would be a very short and simple section. Over the years this section would be a slam on the Windows firewall and point everyone to a third-party firewall for all Windows desktops. However, times have changed and so has the Windows firewall. Now, we can have a lengthy discussion about what the firewall that comes with Windows 7 is and what it is not.

The new Windows firewall that comes with Windows 7 provides a solid solution to endpoint firewall security. The firewall is enabled by default, allowing standard communications both inbound and outbound. The firewall also comes with advanced security capabilities, which is encryption, isolation, and detailed communication rules.

The inbound and outbound rules are quite obvious and have standard configurations. The firewall is enabled and contains a full list of allowed and denied rules, which can be seen in Figure 1.


Figure 1: Inbound rules are already configured for you and enabled.

Both inbound and outbound rules provide options for controlling the communication via program, port, Windows feature, or customizing your own rule, which can be seen in Figure 2.


Figure 2: Inbound and outbound rules provide granular controls.

The connection security rules provide some sophisticated options for controlling communications and security of your Windows desktop, which can be seen in Figure 3.


Figure 3: Connection security rule options.

These connection security rules provide you with the ability to control which other computers, networks, users, etc. the desktop can communicate with. It also allows control over “how” the computer communicates with other computers, by ensuring authentication as well as the form of authentication.

What the Windows firewall does not do is protect against applications that run locally, such as viruses and malware. The firewall might limit the outbound communication of the malicious code, but not the running of the code on the desktop. The firewall also fails to control which applications can run, the elevation of the application (for least privilege), and access to data and the protection of the data. In short, the firewall does a great job of protecting the desktop from communication attacks, but not from the rest of the items mentioned in the rest of the article. Therefore, firewall alone is not enough to protect your Windows desktops.

Data Leak Protection

Data protection and stopping data leaks is essential for the corporate network of today. With so many data related issues over the past year or more, data protection should be at the top of your security need list. Data protection is not just a single need, but a multitude of security related solutions. In my opinion, your data protection solution(s) should not be one product, however, whichever product you choose is your choice. I just know there are many products that solve the array of issues that you need in order to protect your data.

The full list of issues that your data protection solution should solve includes:

  • Wikileak protection
  • Mass data transfer
  • Copying to removable devices
  • File extension association to applications
  • Copy/pasting to Internet and email
  • Encryption of mobile devices
  • Categorizing of data for advanced controls over data

Solutions by BeyondTrust, Symantec, McAfee, and many others provide these levels of control. Make sure you choose a solution that is easy to implement and manage, as complexity of the solution will usually mean that it will not ever be implemented!

The myth of data protection solutions is that it will be sufficient to control all of your endpoint security needs. There are two forms of data protection that typically exist on a corporate network – Network data protection and endpoint data protection. Network data protection provides security controls over anything that is on the network or that goes to the Internet. However, endpoint data protection can take this security to a new level helping secure any data that goes through the desktop. What endpoint data security does not do is provide security for the desktop itself, which is where the other technologies in this article come into play.

Whitelisting

Seems like this term and technology is getting a lot of press lately. The concept of whitelisting (and blacklisting) has been around for a long time. Some vendors have made an entire business around providing solutions for this technology. So, why the press and attention to a technology that seems like it has been around? Well, in my opinion it is due to the “myths” of what whitelisting can solve.

Whitelisting is a great way to control which applications can and cannot run. In essence, whitelisting provides a technology to check if an application is on the approved or denied list before it is allowed to run. There are many permutations for these lists, but in essence applications are allowed or denied.

Where whitelisting falls short is the elevation of applications. The mainstream solutions for whitelisting don’t address whether the application needs to run with local admin privileges or not. So, if there is even one application that needs local administrator privileges and there is no privilege management solution in place, the user must be a local administrator (or have local admin credentials) in order to be productive. Once the user is granted local admin privileges there is little that can be done to control the desktop from the network admin perspective thus, making the whitelisting solution void.

However, combining a privilege management solution along with a whitelisting solution is a very powerful security technique. A solution like BeyondTrust PowerBroker and Windows 7 AppLocker can provide a Windows security solution that is hard to beat.

Summary

Securing your Windows desktops is essential for your corporation. Most organizations have over 90% of all desktops running Windows, so the volume alone is already an important factor. However, there is not one security technology or feature that alone is enough. Also, no matter how much marketing, writing, or salesmanship is put into a technology, if the technology does not provide a solution beyond what you know it does, don’t let the myths sway you into false security. Security of the applications, privileges, data, and communications are all essential for your desktops. Yes, there are levels of risk if one area is left out of your security solution, however, it does not mean that security is solved! It just means you are willing to take the risk to not have that area protected. If you implement anti-virus, privilege management, Windows firewall, data protection, and whitelisting you will have a very solid Windows desktops security solution!

If you would like to read the first part of this article series please go to Myths of Securing Windows Desktops (Part 1).

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top