Chapter 8
HARDENING CLIENT COMPUTERS
Chapter 8: Hardening Client Computers 2
OPERATING SYSTEM SECURITY FEATURES
Microsoft Windows 98/Windows Me
Windows NT 4.0
Windows 2000 Professional
Windows XP with Service Pack 2
DESIGNING CLIENT SECURITY TEMPLATES
Create a custom security template for each client role:
Desktop
Laptop
Kiosk
Base custom templates on default workstation templates
Never modify default security templates
DESIGNING A CLIENT COMPUTER OU MODEL
Create OUs for different operating system versions
Avoid using Windows Management Instrumentation (WMI) filtering
Create OUs for different computer roles
Create OUs for organizations with special security requirements
Use security groups to apply GPOs to cross-sections of client computers
CLIENT COMPUTER OU MODEL SAMPLE 1
CLIENT COMPUTER OU MODEL SAMPLE 2
CLIENT COMPUTER OU MODEL SAMPLE 3
THIRD-PARTY SECURITY SOFTWARE
Antivirus protection
Antispyware protection
Network backups
Host-based firewalls for earlier versions of Windows
DESIGNING SOFTWARE RESTRICTION POLICIES
Hash rules
Certificate rules
Path rules
Internet zone rules
RESTRICTING THE DESKTOP ENVIRONMENT
Windows components
The Start menu
The desktop
The Control Panel
RESTRICTING THE DESKTOP ENVIRONMENT (CONT.)
Shared folders
The network
System settings
Printers
RESTRICTING THE START MENU: BEFORE
RESTRICTING THE START MENU: AFTER
PROTECTING DESKTOP COMPUTERS
Grant users only local User privileges or less
Remove unnecessary items from the desktop and the Start menu
Leverage the Hisecws.inf security template
Use Group Policy settings to rename default accounts
PROTECTING MOBILE COMPUTERS
At greater risk than desktop computers, mobile computers might be:
Stolen
Damaged
Used for personal use
Mobile computers require greater flexibility than desktop computers:
Connect to home networks and wireless hotspots
Users might need to install printer drivers
Mobile computers use EFS to protect confidential files
PROTECTING KIOSKS
Very likely to be abused
Should be extremely restricted
Should not be connected to the internal network
THE .NET FRAMEWORK
Next-generation application environment:
Required for many new applications
Dramatically more secure
Included with Windows Server 2003
Free download for earlier operating systems
CAS OVERVIEW
Role-based security restricts what users can do
CAS restricts what applications can do
Grants access to the file system, registry, printers, the network, and other resources based on permissions assigned to an application
Enables you to run potentially malicious applications safely
Works only with .NET Framework applications
CAS AT WORK
CAS ELEMENTS
Evidence
Permission
Permission set
Code groups
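The slides name the CAS elements but do not show them in action. The following C# program is an added example (not from the course or from Microsoft) that builds a permission set and runs code under it with PermitOnly, so that a read of the one granted file succeeds while a read of any other path is refused with SecurityException before any disk access. It assumes the .NET Framework (2.0 to 4.x); CAS is not available on .NET Core or later.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example, not course material. Needs the .NET Framework (2.0 to 4.x);
// CAS stack walks are not supported on .NET Core / .NET 5+.
class CasDemo
{
    // FileStream demands FileIOPermission(Read) for the path before touching the
    // disk, so a missing grant shows up as SecurityException even for a missing file.
    public static string TryRead(string path)
    {
        try
        {
            using (new StreamReader(path)) return "allowed: " + path;
        }
        catch (SecurityException) { return "denied by CAS: " + path; }
        catch (IOException e)     { return "I/O error: " + e.Message; }
    }

    static void Main()
    {
        // Resolve paths first: GetTempPath/GetTempFileName demand permissions
        // that the restricted set below does not include.
        string grantedFile = Path.GetTempFileName();                       // exists, readable
        string otherFile   = Path.Combine(Path.GetTempPath(), "not-granted.txt");
        // Permission set: Execution (without it the code cannot run at all)
        // plus read access to exactly one file.
        PermissionSet ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        ps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, grantedFile));
        // PermitOnly: for the rest of this frame, a demand succeeds only if this set
        // covers it, whatever the assembly was granted by policy and code groups.
        ps.PermitOnly();
        string first, second;
        try
        {
            first  = TryRead(grantedFile); // "allowed: ..."
            second = TryRead(otherFile);   // "denied by CAS: ..."
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly(); // restore the caller's grants
        }
        Console.WriteLine(first + Environment.NewLine + second);
        File.Delete(grantedFile);
    }
}
```

PermitOnly narrows what this stack frame may do; an administrator applies the same idea machine-wide by assigning a permission set to a code group whose membership condition matches the application's evidence.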
CAS AND OPERATING SYSTEM SECURITY
GUIDELINES FOR USING CAS
Use the principle of least privilege
Test applications thoroughly after restricting CAS
Push developers to use the .NET Framework
Encourage software vendors to migrate to the .NET Framework
SUMMARY
Earlier versions of Windows lack important security features
Use security templates and GPOs to implement client security
Create different configuration settings for client roles, operating systems, and security requirements
Use .NET Framework and CAS to reduce the risks of malicious or vulnerable software