Enhancing Endpoint Security for Windows Desktops (Part 1)

If you would like to be notified when Derek Melber releases the next part in this article series, please sign up to our WindowSecurity.com Real Time Article Update newsletter.


When I say the phrase “Windows desktop endpoint security”, what vision snaps into your mind? I am sure that for most the vision is rather similar. However, for some, like me, the vision is just a little slanted from the normal solution, as I have been trying to work with corporations for years to help develop endpoint security solutions. In this article, I will list some of the most important aspects of endpoint security, including endpoint firewalls, endpoint password policy, endpoint least privilege, and endpoint data leak protection.

Defining an Endpoint

An endpoint in the context of this article is one that is running a Windows operating system, is used by someone outside of the IT department, and is sitting on a corporate network in some manner. If we were to look at the landscape of what most endpoints are running today, we would see that well over 90% of all worldwide endpoints are running Windows XP or Windows 7. Windows 9X, Windows 2000, and Windows Vista are no longer that popular; for the typical corporation these operating systems are either considered legacy or not at all viable.

The endpoint is typically joined to a Windows Active Directory domain, or some other type of enterprise directory. For this article, I am going to focus on a typical corporation, which has Windows Active Directory as the main enterprise directory. Endpoints here will typically be physical desktops, virtual desktops (accessed within the physical network somewhere), laptops, tablets, and possibly Windows phones. The only device here that we are going to exclude from our discussion is the Windows phones, as they are handled differently than the other endpoints mentioned.

Endpoint Security: Endpoint Firewall

There was a time in the world of Windows desktops that the word firewall conjured up a very bad image. Windows 2000 and Windows XP were not very powerful with regards to endpoint firewalls. Ok, we can be honest, they were both just horrible. Then to consider spending even more money per desktop to provide an endpoint firewall seemed foolish or just out of budget.

Today, starting with Windows Vista, Microsoft has spent a ton of time and effort to make the firewall that comes with the operating system a valid solution for helping secure the endpoint. Everyone that has installed or obtained Windows Vista or Windows 7 already has the firewall running, as the firewall is installed and enabled by default.

The default Windows firewall ships with only the applications, ports, and services required to get the endpoint running on the network. For most organizations this will not cover all of their endpoint firewall security needs, but it is a great place to start. Most organizations will find that they need to alter some of the default firewall settings in Windows 7, but altering these settings is easy.

The firewall settings can be managed in a few different ways with Windows 7 endpoints. First, you can alter them manually on each endpoint that needs to be modified. This is done in the Windows Firewall applet within the Control Panel. Another option that provides for more granular control of the firewall is to use the Windows Firewall with Advanced Security, which can be seen in Figure 1.

Figure 1: Windows Firewall with Advanced Security interface.

When there is a need to configure multiple endpoints across the enterprise, including mobile endpoints, you need to look at a more powerful and efficient solution, like Group Policy. Since our definition of endpoint includes only those computers that are within Active Directory, this is a free and already installed solution. All settings that can be made from the local Windows Firewall with Advanced Security applet can also be managed using Group Policy.

Please check under my author link on WindowSecurity.com for articles on how to configure the firewall locally and using Group Policy.
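Whether the firewall settings were made locally or pushed by Group Policy, the result is the same effective state on the endpoint, and that state is what an auditor should check. The following PowerShell script is an added example (not code from the article or from Microsoft) that reads the effective state of all three firewall profiles through the INetFwPolicy2 COM interface, which is present on Windows Vista and later; the enumeration values in the comments are the documented Windows Firewall constants.

```powershell
# Added example (not from the article): audit the effective Windows Firewall
# state on a Vista/Windows 7 endpoint, regardless of whether it was set in the
# Control Panel applet, in Windows Firewall with Advanced Security, or by GPO.
# Profile bits (NET_FW_PROFILE_TYPE2_): Domain=1, Private=2, Public=4.
# Actions (NET_FW_ACTION_): Block=0, Allow=1.  Direction (NET_FW_RULE_DIRECTION_): In=1, Out=2.

function Get-EndpointFirewallAudit {
    $policy   = New-Object -ComObject HNetCfg.FwPolicy2
    $profiles = @{ Domain = 1; Private = 2; Public = 4 }
    $active   = $policy.CurrentProfileTypes      # bitmask of the profile(s) in use right now

    foreach ($name in $profiles.Keys) {
        $type    = $profiles[$name]
        $enabled = $policy.FirewallEnabled($type)
        $inbound = $policy.DefaultInboundAction($type)

        # Enabled inbound Allow rules are the deliberate holes in this profile;
        # a large or unexpected count deserves a closer look.
        $allowRules = @($policy.Rules | Where-Object {
            $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and (($_.Profiles -band $type) -ne 0)
        })

        # Findings a reviewer would flag: a disabled profile, or a profile that
        # lets unsolicited inbound traffic through by default.
        $findings = @()
        if (-not $enabled)  { $findings += 'firewall disabled' }
        if ($inbound -ne 0) { $findings += 'default inbound action is Allow' }

        # New-Object PSObject keeps this runnable on the PowerShell 2.0 shipped with Windows 7.
        New-Object PSObject -Property @{
            Profile          = $name
            Active           = (($active -band $type) -ne 0)
            Enabled          = $enabled
            DefaultInbound   = $(if ($inbound -eq 0) { 'Block' } else { 'Allow' })
            InboundAllowRules = $allowRules.Count
            Findings         = ($findings -join '; ')
        }
    }
}

Get-EndpointFirewallAudit |
    Format-Table Profile, Active, Enabled, DefaultInbound, InboundAllowRules, Findings -AutoSize
```

Run it in an elevated prompt on a sample of endpoints after a GPO change; a profile that reports Enabled as False or DefaultInbound as Allow means the policy did not land as intended.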

Endpoint Security: Endpoint Password Policy

In order to understand how the endpoint password policy works, we must first start off with an endpoint that has not joined a domain. For an endpoint that has not joined the domain yet, there is a local Group Policy which controls the endpoint password policy. You can view this local password policy in a few ways. First, you can view the password policy configuration by accessing the local Group Policy Editor, which is done by typing gpedit.msc at the Start Search box on Windows 7 or Vista. You can see this output in Figure 2.

Figure 2: Local Group Policy editor can display and configure the local password policy.

You can also view the password policy by typing “net accounts” in a command prompt window; the output can be seen in Figure 3.

Figure 3: Net Accounts displays the password policy for the local computer.

Once the endpoint joins the Windows Active Directory domain, the rules change substantially. First, the local Group Policy displayed in Figure 2 will no longer control the local password policy. Instead, the local password policy is controlled by the Default Domain Policy, which is stored and controlled centrally within Active Directory.

The Default Domain Policy is just where the default password policy is configured and stored. Any Group Policy Object (GPO) linked to the domain can house the password policy for the domain and endpoints. In addition, with Windows Server 2008 and later domains, the password policy can be housed in AD using fine-grained password policies. You can read more about fine-grained password policies here.

In order to verify what the local password policy is on your endpoint, you have the following options:

  • View the local Group Policy using gpedit.msc
  • View the Net Accounts output using a command prompt
  • Run secpol.msc from the Start Search text box
  • Run rsop.msc from the Start Search text box

This is only the default behavior; alternate behavior can be configured with ease, but the resulting effective password policy can be difficult to discover. Configurations like Block Inheritance, Enforce, and additional GPOs linked to the domain can alter how the password policy takes effect.
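Because the effective policy can differ from what any single GPO shows, it pays to read it back from the endpoint itself. This PowerShell script is an added example (not code from the article) that parses the “net accounts” output from Figure 3, reports whether the endpoint is domain-joined (and therefore governed by a domain-linked GPO rather than the local one), and compares the values against a baseline. The baseline numbers are constructed for illustration, and the script assumes the English labels that “net accounts” prints on an English-language Windows installation.

```powershell
# Added example, not code from the article: read the effective local password
# policy from "net accounts", report its source, and flag weak values.
# Baseline numbers are constructed for illustration; use your own standard.

$AtLeast = @{ 'Minimum password length' = 12; 'Length of password history maintained' = 24 }
$AtMost  = @{ 'Maximum password age (days)' = 90; 'Lockout threshold' = 10 }

function Get-NetAccountsPolicy {
    # Each line of "net accounts" reads "Label:   value"; collect them in a hashtable.
    # Labels assumed to be the English ones ("Minimum password length:", "Lockout threshold:", ...).
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(.+)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
    }
    return $policy
}

function Get-PolicySource {
    # Once joined, the local GPO (Figure 2) no longer governs the policy; a
    # domain-linked GPO does (by default the Default Domain Policy).
    if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) { 'domain-linked GPO' } else { 'local Group Policy' }
}

function Test-PasswordPolicy {
    param([hashtable]$Policy)
    $results = @()
    foreach ($label in (@($AtLeast.Keys) + @($AtMost.Keys))) {
        $raw = $Policy[$label]
        # "Never" (no lockout) and "Unlimited" (passwords never expire) are
        # weaker than any numeric limit, so a non-numeric value is a finding.
        $numeric = $raw -match '^\d+$'
        $ok = $false
        if ($numeric -and $AtLeast.ContainsKey($label)) { $ok = [int]$raw -ge $AtLeast[$label] }
        if ($numeric -and $AtMost.ContainsKey($label))  { $ok = [int]$raw -le $AtMost[$label] }
        $results += New-Object PSObject -Property @{ Setting = $label; Value = $raw; Compliant = $ok }
    }
    return $results
}

Write-Host ("Password policy source: " + (Get-PolicySource))
Test-PasswordPolicy (Get-NetAccountsPolicy) | Format-Table Setting, Value, Compliant -AutoSize
```

A non-compliant row on a domain-joined endpoint points at the GPO chain (Block Inheritance, Enforce, or another domain-linked GPO) rather than at the local settings, which is where rsop.msc from the list above comes in.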


Endpoint security is essential for every corporation. With new vulnerabilities, new attacks, and new data leaks every day, endpoint security should be getting a high percentage of our attention. There are methods that help protect endpoints and that are not very expensive. First, in this article, we looked at the endpoint firewall and the endpoint password policy. Both of these can help reduce the attack surface and protect the endpoint from attacks both over the network and physically at the keyboard. In our next installment of this article, we will look at solving least privilege and providing protection over data leaks.
