Contrary to what most people think, I believe that Windows is one of the most secure popular OSs in use today. Windows has security features that other OSs only dream of. For example, what other OS gives you the management tools to control every aspect of an end user's experience? What other OS has a tool like Group Policy, which lets you turn services off and on across your entire collection of PCs with a few clicks of the mouse? What other OS has 14 separate security permissions that you can configure for each file and folder? What Windows lacks is stronger default security. Let me show you how to leverage Windows' security management capability and proactively lock down the desktops under your control. When you follow my practical advice, your computers will be among the most secure Windows desktops anywhere, and electronic burglars will leave your enterprise in search of easier victims.
Locking down desktops so bad things and bad people can't gain a foothold involves many tasks, which I've consolidated here into 10 essential steps. One way to guarantee that Windows security isn't implemented correctly is to make it hard for administrators to accomplish or manage the steps involved in the implementation. There are far too many tasks involved in security implementation to manually touch every computer on your network. Automate instead. You can easily execute every recommendation I make in this article by using Group Policy or security templates (which you can use on Windows 2000 and later OSs).
Step 1: Don't Allow End Users to Log On as Administrator
As much as 70 percent of all attacks on desktops could be avoided if the machine's end user weren't logged in as a member of the Administrators group. Most forms of malicious mobile code won't install correctly if the end user is logged on with a Least-Privilege User Account (LUA). Administrators often give end users local administrator permissions so the users can install or run software on their machines, but if you do this, you're giving away the keys to the kingdom. You can prevent new programs from being installed by not allowing regular users to have administrator rights. Non-administrators typically can't install programs.
If you must allow regular users to be administrators and you have Windows XP clients, use Software Restriction Policies (SRP) to restrict program execution. SRP lets you set an overall execution policy; either all programs are allowed to execute by default except those you explicitly define, or all programs are denied execution except those you explicitly define. The latter policy, which is similar to a deny-all-by-default firewall policy, is more secure but requires more testing. SRP lets you define exceptions by file path, registry path, program hash value, digital signature, or Microsoft Internet Explorer (IE) security zone.
Ultimately, if you can't stop unauthorized programs from executing, you can't guarantee security. Using appropriately set NTFS permissions is the best way to prevent currently installed programs from running. To do so, simply remove the Read and Execute permission from the files and folders that unauthorized users should not have access to.
Step 2: Disable Booting on Everything but a Machine's Primary Hard Disk
To allow booting from anything but the primary hard disk is to allow malicious intrusion. By disabling untypical booting, you effectively deny almost every password resetter and many cracking programs, prevent boot viruses, and deflect malicious programs that are designed to boot around the protections of NTFS. If you need to boot to another drive during a troubleshooting session, change the boot sequence and reboot—and don't forget to reset the sequence. Disable USB ports unless they're needed for a specific purpose.
To prevent modification of the boot-order settings you specify, password-protect the machine's BIOS. Make sure to use a password that's different from your administrator password in case you have to give the password to an end user or service technician during a troubleshooting session.
Step 3: Rename the Administrator and Other Highly Privileged Accounts
Most attacks are automated and are programmed to look for Administrator accounts. Although you can't change the well-known administrator SID, most malware and hackers don't work at the SID level. Rename sensitive accounts to something that appears to be a normal user account. Then, create bogus replacement accounts, simulating even the default descriptions. Heavily restrict these accounts and give them long, complex passwords (15 or more characters), then audit them for inappropriate access.
Step 4: Defeat Password Crackers with 4 Practices
You can defeat most password cracking programs by implementing four practices for desktop security. Make it a habit to disable LM hash storage, disable the LM and NTLMv1 protocols, require strong passwords, and enable account lockouts.
Disable LM hashing. LM password hashes are extremely easy to hack by brute force. Unfortunately, all Windows systems store the very weak LM password hash, even though much stronger alternatives exist. It's a good idea to use a GPO or regedit to disable LM password hashing. Windows will continue to store and use the much stronger NTLM password hash. With this one tactic, you'll defeat most password crackers and remote machines trying to forcibly grab weaker credentials.
Require NTLM version 2 and above. All Win2K and later Windows systems use Kerberos for domain authentication by default. Such systems must also use at least one non-Kerberos authentication protocol (i.e., LM, NTLM, or NTLMv2) for nondomain logins and other tasks. After testing thoroughly to make sure legacy applications and systems (and even some newer applications) won't break, disable the use of the LM and NTLM protocols. There are no password cracking programs available for cracking NTLMv2 authentication if the passwords are appropriately complex.
Enable a strong password policy. A weak password can defeat a lot of good intentions. Require your users to choose, at the least, a complex, 15-character password, and set it to expire every 90 days or sooner. You can enable all three of these options by using GPOs or by editing the registry.
Enable account lockouts. Configure account lockouts to lock out all security principal accounts after three consecutive bad password attempts. Instead of requiring an administrator to unlock a locked account, allow it to automatically reset in 1 minute. Simply enabling account lockouts, no matter what the lockout duration period is, will defeat online brute-force password cracking programs.
Step 5: Strengthen Service Security
You can significantly harden a Windows computer against attack by turning off unneeded services and running services on nondefault ports when possible.
Turn off unneeded services. Microsoft has more than a hundred services that can be enabled during a new Windows installation. Fewer services running means a smaller attack surface for a hacker. The rule of thumb is: If you don't need it, disable it. Service-disabling recommendations abound on the Internet. But start with Microsoft's recommendations (available at http://go.microsoft.com/fwlink?LinkID=14845) and modify, test, and create your own baseline set. Do you need Zero Wireless Configuration enabled by default? Research and find out. This advice applies to any software you install.
Run services on nondefault ports. If a service doesn't need to be on a default port, put it somewhere else—preferably randomly high, where port scanners won't readily find it or know what to do with it. For example, although Microsoft Telnet server hasn't been exposed to a publicly announced exploit, I run it where it can't easily be found. If an exploit does occur, it will most likely be thrown in a worm and hit every possible victim in a few hours or days. I won't be found so easily.
I frequently change even extranet Web servers to nondefault ports. For example, I have a lot of clients in the healthcare industry who use HTTP Secure (HTTPS) to exchange financial and patient data over the Internet. In addition to using data encryption, I move the Web server's default port to a number that's random and high. Then, all participating parties are told to connect to the nondefault port. It's as simple as sending the link (e.g., https://www.example.com:38093) in an email message. I tell the users to save the link as a shortcut on their desktop. With this tactic, legitimate users have no problem gaining access, and Web worms are frustrated.
Step 6: Block Access to Dangerous Files
A standard Windows installation contains many executable files that are far more likely to be used maliciously by an intruder than legitimately by an authentic user. Have you looked in your System32 folder lately? Do your end users need access to debug.exe, format.com, sys.com, or regedit.exe? Probably not. When reviewing your NTFS permissions, remove non-administator users' ability to read and execute those files. (By default, all authenticated users have Read and Execute permission to all files in the Windows and System32 folders.) Make sure that you only remove permissions. Don't do something like Deny-All to the Users or Everyone group—Administrators are included in those groups, too.
Step 7: Secure the Registry
Hardening the registry is an often-overlooked security practice. By blocking access to registry keys that are likely to be used maliciously, you can significantly strengthen the security of any Windows computer.
Block write access to dangerous registry keys. Most malware wants to write a rogue startup program to your auto-run registry keys or startup folders. More than two dozen registry keys exist that can damage your computer if a bad program manages to write to them. To learn which registry keys are susceptible, run the Sysinternals freeware Autoruns utility (available from http://www.sysinternals.com/utilities/autoruns.html). Then, using NTFS permissions (yes, registry keys have permissions), make sure non-administrator users can read only those keys. And make sure to secure the HKEY_CURRENT_USER hives. HKEY_LOCAL_MACHINE isn't the only dangerous hive.
Block unneeded file associations.Firewalls work on a deny-by-default rule. Why shouldn't our desktops? Typically, any file (and file extension) that reaches the desktop can launch its associated program. This is how VBS email worms are launched and executed by Windows Script Host (WSH—wscript.exe), even though most administrators don't use VBS to manage their environment (or if they do, they could use another file extension instead). Should regular end users be able to execute every Control Panel application (.cpl), batch file (.bat or .cmd), or scrap file (.shs) they receive in email? Do these files have a legitimate use in your organization? If not, lock 'em out. You can find most file associations in HKEY_CLASSES_ROOT or HKEY_COMPUTER_USER. Make a list of the file types you don't want your end users to be able to execute. Then, use registry NTFS permissions defined in a GPO to take away their Read and Write permissions (after running the changes in a test environment). You'll be glad you did.
Step 8: Convert All Email HTML Content to Plain Text
You will never stop the onslaught of spam, spyware, and hacking if you allow anything but plain-text content to be delivered in email. Using whatever mechanism you have at your disposal (you can enable plain-text-only capability in Outlook 2000 and later), force all email to be plain text. If doing so ruins someone's beautifully constructed HTML email, too bad! This is a war against malware, and being nice is for people who don't mind troubleshooting machines all day long.
Step 9: Use Firewalls and Antivirus, Antispam, and Antispyware Solutions
The days of running only a perimeter-based firewall are over. Internet worms frustrated at the front door are sneaking in on remote VPNs, vendor PCs, and roaming laptops. Every PC should be protected by a host-based, or personal, firewall. Windows Firewall (or Internet Connection Firewall—ICF) is perfect for the job. Forget what you may read from critics— Windows Firewall works and works well. It will deny by default all incoming connections not initiated previously by an outgoing connection. This functionality defeats malicious mobile code beating on the door.
Although firewalls and antivirus programs won't stop all bad programs from getting to your desktop, they do a good job of preventing most of the threats. You should always have an antivirus program running on your network, if not directly on hosts, as well as on the email server or Internet gateway. You will need antispam and antispyware programs, as well. Some vendor products combine antivirus, antispam, and antispyware functionality into one program. However, I've found that in practice, no single program has done a very good job with protection on all three fronts at once. On the bright side, I see some of the major players getting better and better at combining the functionality—I just wish I didn't have to buy four different products while these vendors get up to speed.
Step 10: Keep Patches Up-to-Date
Very few zero-day vulnerabilities are introduced each year. A few exist, and they are increasing in number, but you can avoid most exploits by keeping current on patching. There are dozens of good vendors to choose from. Consider using Microsoft's free Windows Server Update Services (WSUS—http://www.microsoft.com/windowsserversystem/updateservices/default.mspx) to patch Windows software. Unfortunately, good patching practice includes keeping all applications, firmware, hardware patches, and device drivers updated.
As Strong As It Gets
Although all these steps can seem like lot of work, you'll spend far more time and effort if you must constantly detect and remove spyware and worms. When you implement these 10 steps, your network will be significantly less susceptible to malicious mobile code and hackers. You'll not only find infection much less often, but you'll discover that a nice benefit of instituting this type of control is that all the other problems "the user didn't cause" will be minimized too. As every administrator knows all too well, flexibility is the antithesis of security and reliability.
To be honest, even if you implement all 10 steps, you won't realize perfect security—nothing can guarantee that for you. PCs will always be vulnerable to zero-day exploits, and networks will always have end users who can't resist installing every program they find on the Internet, opening every file attachment, and clicking on every link. But starting here will put you well on the way to making desktop security in your enterprise as strong as it can be.
|Project Snapshot: How to|
PROBLEM: Windows desktops lack effective default security.|
WHAT YOU NEED: Security Templates for Windows 2000 and later OSs; antivirus, antispam, and antispyware software
DIFFICULTY: 2 out of 5