How to tighten the security of Windows workstations


The most important skill for a consultant is the ability to set priorities and identify the most effective approach to achieving the objectives of a client project. The Pareto principle (also known as the 80/20 rule or the law of the vital few) is essential to success, and every professional consultant should be aware of it (and benefit from it). The Pareto principle allows us (consultants) to offer something of value to the customer: it helps us identify what is important and what is not, and how to get the maximum value with minimum resources. When you see a document with 100 recommendations, it is sometimes difficult to identify what is really important and what is just a minor defect or inconvenience.

The Pareto principle also applies to security. There are tons of articles and blog posts about securing your virtual office environment, ranging from very high-level to very low-level, but is there a real key to securing your Windows environment (apart from well-known recommendations such as a patching strategy)?

To understand the message of this article, we need to look into the past and understand why Windows was not considered a truly secure operating system (which is no longer the case; Windows XP SP2 played a major role in this change, followed by the critically acclaimed, and large, SDL engineering effort of Windows Vista).

Years ago, there were three main entry points through which badware could infest your computer. The first were viruses that spread by e-mail (do you remember the Melissa and ILOVEYOU viruses?). The second common infection vector was the so-called drive-by virus (or, to be more precise, drive-by spyware): a virus that requires no cooperation from the end user; Internet Explorer and certain specific file formats (have you ever noticed that .HLP was later removed?) were quite popular entry points. And of course, the number-one winner of all time is badware that simply asked to be executed, and most end users decided to click the tempting "Run" button. End users generally represent the weakest link, and it does not matter what operating system they use.

Step 1 - You set the rules, not the users
Is it really the fault of the operating system itself? This subject is still very hot, even after all these years. Could any operating system really be secure if users have elevated permissions and are willing to run something voluntarily? I do not think it is possible, so you need to educate your users and limit their permissions to the minimum required set (both together).

This principle is called LUA: Least-privileged User Account. Six years ago, I participated in the Microsoft article called "Applying the Principle of Least Privilege to User Accounts on Windows XP", which was the predecessor of Windows Vista UAC (at least I like to think of it this way), and I am still a big supporter of the LUA principle. The principle of least privilege simply states that you grant only the privileges that are really essential for the user's work.

This should prevent your users from damaging your environment, simply by removing the rights they do not really require. The situation is much better these days (with newer, hardened operating systems), but I still see some administrators granting additional permissions just to fix crappy applications. Requiring permissions that are not needed is a bug. Treat it like one.
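A way to check Step 1 on a single workstation, as an added example that is not code from the original article: the script reports whether the signed-in account holds local administrator rights at all (even behind a UAC-filtered token), whether the current session is elevated, and which members of the local Administrators group are not on an expected list. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember) and the placeholder $ExpectedAdmins list, which you replace with your own.

```powershell
# Added example (not from the original article): LUA audit for one workstation.
# Assumptions: PowerShell 5.1+ and the placeholder $ExpectedAdmins list below.

$LocalAdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators, language-independent

# Placeholder: principals that are allowed to be local administrators.
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'EXAMPLE-DOMAIN\Workstation Admins'   # constructed group name, replace with yours
)

function Get-CurrentUserAdminState {
    # Reports membership in Administrators (present in the token even when UAC
    # filters it) separately from whether this particular session is elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = $id.Groups | ForEach-Object { $_.Value }
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User            = $id.Name
        IsAdminMember   = $groupSids -contains $LocalAdminsSid
        SessionElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-UnexpectedLocalAdmin {
    param([string[]]$Expected)
    # Enumerate the group by SID so the check also works on non-English Windows.
    Get-LocalGroupMember -SID $LocalAdminsSid |
        Where-Object { $Expected -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$state = Get-CurrentUserAdminState
if ($state.IsAdminMember) {
    Write-Warning "$($state.User) is a member of the local Administrators group (session elevated: $($state.SessionElevated))."
} else {
    "$($state.User) is running as a least-privileged user."
}

"Members of the local Administrators group not on the expected list:"
$unexpected = @(Get-UnexpectedLocalAdmin -Expected $ExpectedAdmins)
if ($unexpected.Count -gt 0) { $unexpected | Format-Table -AutoSize } else { "  (none)" }
```

The membership test reads the token's group SIDs rather than calling IsInRole, because under UAC a non-elevated session of an administrator answers "not in role" while still being one click away from full rights; both facts are worth knowing when you audit LUA compliance.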

Step 2 - You choose which directories are safe, not the users
Now what is the next step? Is it finally antivirus and firewall? Not really.

I mentioned viruses that spread through e-mail in the past; why do we not see more of them these days? Is it because of the antivirus deployed on all gateways and Exchange servers?

Based on my experience, the most important step in securing e-mail is to restrict attachments. Once this became common best practice, all those .exe and .vbs viruses simply disappeared (or maybe I am living in a perfect world where they are no longer present).

Instead of just fixing issues as they appear, you must block them proactively. So why not use the same approach when securing your workstations?

The most powerful weapon you have in your hands to secure Windows desktops for end users is Software Restriction Policies (SAFER). I cannot stress this enough: if you want to secure your desktop environment, start with SAFER. IF YOU WANT TO SECURE YOUR DESKTOP ENVIRONMENT, START WITH SOFTWARE RESTRICTION POLICIES.

With Software Restriction Policies, you can specify which areas are safe and which are not. They allow you to create simple but powerful rules: "I want to allow users to run programs only from Windows and Program Files; ignore any other place." And it does not matter whether the program sits in the user's profile, on a USB key or on a network share.
This approach is also called whitelisting: you block everything, then implement the exceptions. As you can imagine, the opposite, blacklist approach allows everything and implements exceptions for what is blocked.

secure by default

Step 3 - You choose what is in these directories, not the users
So users are allowed to run applications only from specified directories, and they do not have enough permissions to modify these rules; am I finally safe? There is one more step, and it is also critical. If you allow your users to run applications only from the specified locations and you have made sure they cannot change the rules, you must also ensure that they are not allowed to add anything to these locations. Otherwise, they could simply copy Solitaire into an allowed path and your policies are completely useless.

So make sure your users are not allowed to write anything into these special folders.
If you think this is common sense, make sure to check your C: drive permissions (on both XenApp and XenDesktop VMs): by default, users are allowed to create new folders and files in the root of the C: drive (even on Windows 8). So do not forget to change this through Group Policy or whatever other method you prefer.

Is your environment really secure now? Be aware of "special permissions".

I like to call this approach the "security ouroboros": it is a very easy-to-implement way to strengthen your security, and until something breaks the circle, it is very solid. Of course, you must also implement all the other security measures (patches, firewalls, certificates, antivirus), but I find these three simple rules the most important when securing Windows desktops.

Martin Zugec
