So, you’ve recently been assigned the task of securing Windows PCs at your company. Prior to today, the job has been piecemeal at best and never a priority. Where to start?
- By Russ Cooper
- May 08, 2006
What follows is a rule-of-thumb guide as opposed to a hardening guide. Your business might very well require more rigorous security; conversely, you may be running something that breaks by implementing the suggestions below. You’ll have to do some research to see if these suggestions are right for you.
Know the enemy
Before you can assert control over your desktops, you must know what’s on the network. All too often, the system that gets compromised is the system you didn’t know you had or the one with a configuration you didn’t expect. Development boxes, for example, are notorious for being ill-secured yet completely exposed.
An easy way to start getting control is to ensure your firewalls don’t allow traffic into any system they haven’t been explicitly configured to permit it for. You can establish a range of allowable IP addresses on your network, and then tie MAC addresses to the IP addresses your DHCP server hands out, so that only the machines you expect will be seen on the network.
If you must allow for visitors, ensure a segment is established for them that is heavily blocked (e.g. they can only perform HTTP/HTTPS outbound).
“Default deny” is a term that simply means that everything you do not explicitly permit is denied. That means establishing rules on your firewall (or router) for both inbound and outbound traffic.
Cisco uses the term “established” for traffic that’s trying to enter your network in response to a request that previously left your network. Allow all your machines to receive “established” traffic, but at the same time block all outbound traffic. Basically, these two rules say that nothing will come in unless it’s a response to something that went out.
Next you allow HTTP and HTTPS to leave your network. Everything beyond this should be considered a “privilege” for which you will have a business-case document on file. The vast majority of desktops will need nothing more than this, but someone might be regularly using a Website that makes itself available on 8080 or some other non-standard port.
Deal with these exceptions as they arise, and when they do, deal with them specifically. That means, if someone needs to get to one website that’s available on 8080, make a rule for that one IP address, not for all IP addresses on 8080.
Clearly this approach doesn’t scale, but the effort you have to put into proving this fact may well show management you need a tool that handles such things on a larger scale … thereby providing you with the proof for the funding it will require.
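The following is an added example, not code from the original article: a small model of the “default deny” policy just described (established replies in, only HTTP/HTTPS out, a narrow per-host exception, a locked-down visitor segment), evaluated against constructed flows. The address ranges, hosts and ports are assumptions made up for illustration.

```python
# Added illustration of the article's default-deny rules; not a real firewall.
# All addresses and ranges below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")     # assumed internal address range
GUEST = ip_network("10.99.0.0/16")    # assumed visitor segment (inside INSIDE)

# Privileged exceptions with a business case on file: one host and one port,
# not "everything on 8080".
EXCEPTIONS = {("203.0.113.10", 8080)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # reply to a connection that earlier left the network

def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow crossing the perimeter."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    inbound = dst in INSIDE and src not in INSIDE
    outbound = src in INSIDE and dst not in INSIDE
    if inbound:
        # Only replies to something that went out are let in.
        return "allow" if flow.established else "deny"
    if outbound:
        if flow.dport in (80, 443):
            return "allow"          # web is the baseline everyone gets
        if src in GUEST:
            return "deny"           # visitors get nothing beyond web
        if (flow.dst, flow.dport) in EXCEPTIONS:
            return "allow"          # documented, host-specific privilege
        return "deny"
    return "deny"  # anything not explicitly permitted falls through to deny
```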
Audit your inventory
OK, I know there’s a machine on IP address X.X.X.X, but what is it? When you make decisions on whether to allow exceptions to your basic “default deny” rules, they need to be made with some knowledge of what you’re exposing. Since we’re not talking about servers here (which have their own very specific requirements), we’re typically talking about “role-based” exceptions.
No doubt there is someone in your company who seems to have management’s approval to do anything he desires. Suck it up; there will always be such people on any network you try to secure.
Remember that your audit is not a data-mining effort; it is an attempt to figure out what has been installed, why it needs the access its owners claim it does, and whether that access can be granted in a restrictive fashion. Those “powers-that-be” will always use the easiest way of granting permission…“They should have access to everything!” Great, but we both know they don’t. If you’re working in a brokerage and the individual manages >$50,000,000…then buy a new firewall just for their segment and charge it to their group. If not, get vendor names, research the software’s requirements, and implement rules as restrictive as you can. There will be trial and error; don’t let anyone convince you otherwise.
For everything else: what OS, what service pack, what patches? Make a list. Your policies should be set according to access group, meaning people with equal access should have identical implementations. Whether you use Windows Update or some patch management software to do this is up to you. Whatever you do, boil your desktops down to a relatively small set of groups.
Determine whether you have a problem
At this point, if there’s a problem, it pre-existed your term in office. Use your anti-virus and/or anti-spyware tools to assess your environment. Your question is simply…“Where do I stand?” Check every system, especially those that were harder to find. Know where you stand. If you find something on a machine, expect to find it on others, or in file-sharing repositories. Don’t forget to scan backup tapes that are still in use! If your AV says it can be cleaned, do so, but if there’s any doubt, re-install. Don’t restore backups until the backups have been scanned!
At the very least, you should now know whether or not you deserve a raise for taking over this mess.
If you have an environment that supports the use of Microsoft Active Directory Group Policy, implement control over the ActiveX controls you’ll allow to run in Internet Explorer. To do this you’ll have to make sure that everyone is running Windows XP SP2. If you have machines that aren’t, do whatever it takes to get rid of or upgrade them. The ability to control what IE will run, together with the other security issues addressed by that OS version, makes it very much worth the effort.
As for what should be Administrator approved, start with a short list of Adobe, Shockwave, and Microsoft. Maybe you use the Google toolbar or something else; add it as you become comfortable with it. Remember, you’re being paid to make secure choices.
Finally, there’s the primary vector of almost every issue you will deal with.
Nope, it’s not Websites, it’s e-mail. More often it’s simply attachments in e-mail, which should easily be eliminated by your e-mail gateway AV solution. However, spam is notorious for carrying malware, so a decent anti-spam solution will not only reduce eye-strain but also make an impact on your overall security. If not at your e-mail gateway, then consider desktop deployment of anti-spam.
If none of these is an option, then disable HTML e-mail. 99.99% of all malware links in e-mail are bogus and don’t even closely resemble what they purport to take you to. More importantly, almost all spam that comes in HTML looks like garbage when you view only the text portion of the message…meaning the senders haven’t taken the time to carefully craft a text rendition of their HTML lie. So when you see it in plain text it looks 1000% more bogus, and practically anyone can recognize it as something to avoid.
There’s certainly more you can do, but hey, this is a career not a life, right? Prioritize your efforts according to this list and march your way through them. If you do, you will definitely be seen as the evil unforgiving matriarch, but you’ll also ensure few “all-weekend” efforts and, maybe more importantly, be able to tell your CEO that “Yes, Sir/Ma’am, I will have your laptop working again within an hour.”
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.