Security in Windows Environments

					Windows IT Pro

John Green, Darren Mar-Elia, Blake Eno, John Savill, Randy Franklin Smith, Orin Thomas

Sponsored by


Security in Windows Environments: 4 Stories

Chapter 1: Turn Security Nightmares into Proactive Solutions
    Missing Something Obvious ... 1
    Rogue Systems Administrators ... 1
    The Uninformed Executive ... 1
    User Antics ... 2
    Who Could Have Guessed? ... 2
    What To Do ... 2
    Tips to Avoid Becoming Your Own Security Horror Story ... 3
    Q and A by John Savill and Randy Franklin Smith ... 4
    Security Blanket ... 9

Chapter 2: Endpoint-Protection Products
    ESET Smart Security Business Edition ... 10
    McAfee Total Protection Service–Advanced ... 11
    Sophos Endpoint Security and Control 8 ... 11
    Symantec Endpoint Protection 11.0 ... 12
    AVG Internet Security Network Edition 8.0 ... 13
    A Tough Choice ... 13

Chapter 3: Securing Windows Desktops Using Group Policy
    Core System Security ... 15
    Account Policies ... 15
    Local Policies ... 15
    Restricted Groups Policy ... 17
    System Services Policy ... 17
    Registry and File System Policies ... 18
    Application Restrictions ... 18
    Device Restrictions ... 19
    IE Security ... 20
    Resources that Can Help You Get Started ... 20

Chapter 4: Examining Security-Policy Management
    Pillar Protection ... 22
    Targeted Systems ... 22
    Regulatory Compliance ... 23
    Internal Security Threats ... 23
    A Least-Privilege World ... 24
    Emerging Technologies ... 24
    Only the Beginning ... 24


Chapter 1: Turn Security Nightmares Into Proactive Solutions
by Orin Thomas
Security horror stories tend to wake and shake IT pros, forcing them to think about the safety of assets in their organizations. No one wants 15 minutes of fame on Internet security blogs as a prime example of what not to do. To prevent security disasters, the wise systems administrator avoids missing something obvious, watches out for the rogue colleague and the clueless CIO, quickly tackles user antics, and anticipates the unexpected. The shrewd IT leader also turns security nightmares into proactive strategies and follows tips, such as the ones I provide in this article, to protect valuable information.

Missing Something Obvious
One of the most common security mistakes is overlooking obvious threats. For example, I frequently hear stories about a stolen or lost laptop that holds thousands of confidential records or credit card numbers. Why was it possible to copy private data to a laptop computer in the first place? Why wasn’t the data protected by some form of encryption? Another common tale centers on the disgruntled employee who maliciously deletes business-critical data. If the company in question had set up file and folder permissions and had regularly secured its file server backups, the damage such an employee could cause would be minimal. These obvious security holes are easy to plug.

Rogue Systems Administrators
Another security risk is that of the rogue systems administrator. IT managers should beware of laid-off and vengeful colleagues who have planted “dead-man switches” throughout the IT infrastructure. These switches could trigger a routine that deletes critical data. At other times the switches could activate scripts that do more damage, such as reconfiguring or deleting critical domain accounts, changing every password in the environment, and locking everyone in the company out of their computers. These possibilities jar IT pros because of the infinite number of ways that someone who has complete access to the network can cause damage. The rogue systems administrator knows what he or she wants to do and how to bypass any security measures.

The Uninformed Executive
Uninformed executives, although not malevolent, can be dangerous nonetheless. Have you ever heard of a senior executive who blindly ordered a change that ended up making the IT environment less secure? At one organization a CIO insisted on being added to the Enterprise Administrators group because, the CIO argued, managers are higher on the organizational chart than systems administrators. Unfortunately, the CIO brought his son to work with him on the weekend and logged the boy on to the network using privileged credentials. It took the company’s administrators two weeks to put everything back in order, including returning several explicitly labeled user accounts to their original names. In another enterprise, a CIO acting on behalf of a CFO circumvented a policy restricting users from installing software on their own laptops. The CFO’s teenage son wanted to install games on his father’s powerful laptop to use at LAN parties. Unfortunately, the games were laden with viruses and worms. After the CFO reconnected the laptop to the corporate network, it infected other computers. Even CIOs acting in good faith can put your entire network at risk.

Brought to you by Symantec and Windows IT Pro

User Antics
IT pros have to keep a close eye on users, but you might not realize the extent to which users can unknowingly compromise your organization. Some have actually given their passwords to survey-takers in exchange for a bar of chocolate. Security guards have been known to disable the alarm on the emergency exit to a data center in order to prop open the outer door for a smoke break. Stories of user antics prove the adage “Nothing is foolproof to a sufficiently talented fool.” What IT pros can learn from such stunts is that the average worker can be either oblivious to or very creative about getting around security policies and restrictions.

Who Could Have Guessed?
Some security threats are almost impossible to anticipate. Even the most diligent, proactive security professionals can’t foresee horror stories that don’t fit into the usual paradigm. For example, a worm-infested antivirus update server could infect all the other computers in an organization. Likewise, laptop computers sent to a manufacturer for repair could return riddled with spyware. Although risks such as these are difficult to predict, IT managers should be on the lookout for them and ready to react at the first sign.

What To Do
In their eagerness to tackle any immediate concerns that might arise from other companies’ horror stories, IT pros should remember to continually and analytically examine their entire security configuration. If they become too focused on avoiding the threat of the moment, they could miss more dangerous security problems. Don’t be swayed by vendors offering a quick band-aid for a problem your organization might not have. Also, think about whether to use scare tactics to awaken end users to dangers that are lurking behind the scenes.

Shop wisely. Beware of consultants and salespeople who spread disaster tales and then peddle their own wares as the only answer to your potential nightmares. Such marketers might have only limited knowledge of your specific security environment. For example, without looking too hard on the Internet you can find some frightening stories that involve SQL injection attacks. The way to protect against such attacks is to ensure that your web application validates input data. Some vendors sell software that does this. Protecting against SQL injection attacks is a priority if you are running a public-facing website that interacts with a database, but it is less urgent if the only web application in your organization is a seldom-used intranet site that contains little important data. In one case a decision-maker at a company purchased an expensive piece of data validation software although the only web-driven databases at the business were used by the HR department to schedule annual leave. To avoid such costly mistakes, look at your overall operations before making security decisions.



Scare the wits out of users. Although bombarding IT pros with horror stories can lead to misdirected resources, it’s OK to occasionally frighten non-IT staff members to help them understand the reasons behind your sometimes baffling security policies. They might learn, for example, from the experience of a financial institution that hired a company to test its security. The company scattered USB thumb drives around the institution’s parking lot. Workers passing through picked up the devices and promptly connected them to their desktop computers, curious as to the contents of the discarded items. Unbeknownst to the employees, the company had hidden Trojan horse software on each device that activated when users accessed what seemed to be a harmless collection of pictures and then transferred complete control of the user’s computer to outsiders. Such a tactic illustrates why some organizations have a policy disallowing the connection of unauthorized USB storage devices to company computers. It brings a complicated policy into focus and makes security policies seem less arbitrary to the people they affect. Another area in which scare tactics might help is in preparing non-IT staffers for social-engineering attacks. For example, someone phones an employee, pretending to be from the IT department and asking for the employee’s password. The employee reveals the information and suddenly loses control of his or her user account. You could use this kind of horror story to explain why IT staff members must present identification before being allowed to reset passwords. Likewise, clever mischief-makers might go to a user’s workspace, pick up the phone there, and call the IT department for a password reset. This tactic could fool the IT department into thinking that the display of the incoming caller’s extension offered proof of identity. Telling your users stories such as these will make them more aware of security risks and less likely to fall for them.

Tips to Avoid Becoming Your Own Security Horror Story
Think sensibly about the risks your organization faces and deal with them in a structured manner. Avoid diverting all your funds to tackle a specific threat just because you’ve recently heard rumors about it. Consider thunderclouds in terms of how seriously they could affect your organization rather than how they already impacted a victim in a security nightmare. Good IT security practice is not only safeguarding an asset but also realizing why you must do so in the first place. When you understand why, you can prioritize the protection of more important assets over less important ones, thus best utilizing the resources you have available for security projects.


Q and A by John Savill and Randy Franklin Smith
An important way to prevent safety snafus is to pay attention to tips designed to help you be proactive in protecting your data. The following seven frequently asked security questions and answers from the Windows IT Pro archives can help keep you out of the disaster maelstrom.


Q: How can I perform a high-level security assessment of my company’s computing

A: Check out the Microsoft Security Assessment Tool (MSAT) at technet.microsoft.com/en-us/security/cc185712.aspx. After extracting the content, execute the .msi file to install the assessment tool and view the user guide. MSAT doesn’t perform system scanning. It’s a series of 172 questions that ascertains technical and business processes and produces a report about security concerns based on the information entered. Although administrators can use the tool directly, Microsoft partners can also run it to help assess their clients’ security status. —John Savill


Q: How can I improve my computer usage safety?

A: The amount of malicious software on the web has increased greatly. Here are some guidelines to help protect you.

Practice safe browsing. Avoid unfamiliar or untrusted websites, especially sites that advertise deals that sound too good to be true. Don’t install unfamiliar third-party toolbars. I recommend that you use only the MSN toolbar (toolbar.msn.com) or the Google toolbar (toolbar.google.com). You can increase your browsing security by taking these four steps:
1. Set the Microsoft Internet Explorer (IE) security level to High.
2. Add websites you consider safe to Trusted Sites.
3. Use plain text to read the email messages you receive.
4. Block pop-up windows in your browser.
See www.microsoft.com/athome/security/online/browsing_safety.mspx for directions on how to configure IE to take these precautions. For more tips on safe surfing, visit www.intranetjournal.com/spyware/prevention.html.

Apply only approved security updates. Always follow the appropriate method to update your machine and use fixes from windowsupdate.microsoft.com. Be sure that your machine is running the latest patches.

Check before you click. Exercise caution when you receive Instant Messaging (IM) file transfers or links from both known and unknown sources. A malicious user can tap your Buddy/Contact lists so that it looks like someone you know is sending you a link to a file. Before you click any links, always verify with the sender that he or she did in fact send you the link.

Implement antivirus protection. Always run antivirus products with up-to-date virus definition files. You can also manually run the Microsoft Malicious Software Removal Tool. Finally, you should use antispyware software. —John Savill


Q: When should I log on using the Administrator account?

A: Security best practices dictate that you shouldn’t use the Administrator account to perform everyday tasks because of the risks associated with accidentally introducing problems as a result of using elevated privileges. To steer clear of such problems, you should create a regular user account for day-to-day purposes. Then, when you need to perform a task that requires local or domain administrative privileges, use the Runas command to complete such tasks. This command restricts the administrative abilities to the job that you’re on. For example, to open a command prompt with local administrative privileges, enter the command
runas /user:<local machine>\administrator cmd

To open a command prompt with domain administrative privileges, enter the command
runas /user:administrator@<domain name> cmd

Be aware that you can use the NetBIOS naming format with this command. For example, to open a command prompt with domain administrative privileges on my network, I typed
runas /user:savilltech\administrator cmd

Any commands that you enter at the new command prompt will run as the user entered in the Runas command with that user’s associated privileges. You can replace “cmd” with any command. For example, to start the Microsoft Management Console (MMC) Computer Management snap-in, type
runas /user:<computer/domain>\<account> "mmc %windir%\system32\compmgmt.msc"

To start the MMC Active Directory Users and Computers snap-in, type
runas /user:<computer/domain>\<account> "mmc %windir%\system32\dsa.msc"

For example, to open this snap-in on my computer, I typed
runas /user:administrator@savilltech.com "mmc %windir%\system32\dsa.msc"

Be aware that if you run the Runas command on a client computer (e.g., one running Windows XP or Windows 2000 Professional Edition), the command will fail unless you’ve installed the administration tools. Although using the Runas command is slightly more work, you can create shortcuts for each command that you routinely run and make your system much safer. If you experience problems, be sure that the Secondary Logon service is running, because the Runas command requires this service for operation. —John Savill
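The two practical tips at the end of the answer, creating shortcuts for routine runas commands and checking the Secondary Logon service, as a PowerShell script. This is an added example, not part of the original Q&A; the account name is a placeholder taken from the answer's own domain, and the shortcut names are my own.

```powershell
# Added example, not from the original Q&A: confirm that runas can work
# (the Secondary Logon service, seclogon, must be running) and create desktop
# shortcuts for the routine admin commands the answer lists, so the everyday
# account stays unprivileged. The account name below is a placeholder.

$AdminAccount = 'savilltech\administrator'   # placeholder; use <computer or domain>\<account>

# Shortcut name -> command line that runas should launch. Paths are expanded
# here rather than left as %windir%, since a shortcut's arguments are passed
# to runas literally, without a cmd prompt to expand them.
$Tools = [ordered]@{
    'Admin Command Prompt'   = 'cmd'
    'Computer Management'    = "`"mmc $env:windir\system32\compmgmt.msc`""
    'AD Users and Computers' = "`"mmc $env:windir\system32\dsa.msc`""   # needs the admin tools on a client
}

function Test-SecondaryLogon {
    # runas cannot start a process under other credentials without seclogon
    $svc = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function New-RunasShortcut {
    param([string]$Name, [string]$CommandLine, [string]$Account)
    $desktop = [Environment]::GetFolderPath('Desktop')
    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut((Join-Path $desktop "$Name.lnk"))
    $lnk.TargetPath = Join-Path $env:windir 'System32\runas.exe'
    $lnk.Arguments  = "/user:$Account $CommandLine"
    $lnk.Save()
    return $lnk.FullName
}

if (-not (Test-SecondaryLogon)) {
    throw 'Secondary Logon (seclogon) is not running; start it before using runas.'
}
foreach ($name in $Tools.Keys) {
    $path = New-RunasShortcut -Name $name -CommandLine $Tools[$name] -Account $AdminAccount
    Write-Host "Created $path -> runas /user:$AdminAccount $($Tools[$name])"
}
```

Double-clicking a shortcut prompts for the administrative password each time, exactly as typing the runas command would.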


Q: How can I protect service accounts from abuse?

A: Administrators often create specific accounts for certain services to operate under (although more products are now taking advantage of Local System to avoid this requirement). Users who know the password for a service account can log on, making it difficult to track their activities. When an administrator leaves, his or her account might be disabled, but service accounts might not have their passwords changed. One way to protect these accounts is to stop users from being able to employ them to log on. You can do so by removing the following rights:
• Log on locally. This right lets you log on at the console with the account.
• Access this computer from the network. This right gives access to resources such as a shared folder on other computers. (Be aware that if the service needs to get to remote resources, you can’t disable this right.)
• Log on through Terminal Services. This right lets you log on via Windows 2000 Server Terminal Services.
Under usual circumstances, service accounts require only the Log on as a service right, so ensure that they have this permission. However, if the service requires remote access to other resources, it might need the Access this computer from the network right. The easiest way to remove the three rights is to create a group and place all the service-type accounts in this group. Then develop a Group Policy Object (GPO) that denies the rights discussed and apply it at a level that affects all user accounts (e.g., the domain). A deny always overrides an allow. —John Savill


Q: How can I generate a hash value for a file or folder?

A: You might encounter situations in which you want to ensure that one file is the same version and has the same content as another file—for example, when you send a file to someone, you might want to ensure it hasn’t been corrupted or altered. A hash is an alphanumeric string that’s generated according to a file’s contents. If the file has been changed in any way, the hash value changes as well. Microsoft created a utility to generate hash values. The program is extracted to a folder that you specify and consists of a readme file and the fciv.exe image, which generates the hash values. To generate a hash for a file, use the syntax
fciv d:\temp\yodapepsi.mpg

After you enter the command, you’ll see an on-screen message like the following, the generated hash value, and the corresponding filename:
//
// File Checksum Integrity Verifier version 2.05.
//
253f066ffa7c50e1e03fa588f23e3230 d:\temp\yodapepsi.mpg

To generate hashes for every file in a folder, simply specify the folder name, as this example shows:
fciv d:\temp

The command outputs information similar to this on the screen:
//
// File Checksum Integrity Verifier version 2.05.
//
5d5d1f14c8704e935a87ad78fc535bea d:\temp\70298Training.pdf
8658bf85ba3ebe184c6d5cd0269a9e89 d:\temp\BO-DFRS Transcript.doc
427048a497768d91cd57e29fb0199d2b d:\temp\BODFRS Live Meeting.wmv
253f066ffa7c50e1e03fa588f23e3230 d:\temp\yodapepsi.mpg

The readme file contains more examples of how to use fciv.exe, including employing different algorithms and generating hash values for entire folder trees. —John Savill
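The same "hash, then path" listing produced with PowerShell's built-in Get-FileHash, extended to the use the answer describes (checking that a file or folder is unchanged) by comparing a saved listing with a fresh one. This is an added example, not the article's or fciv's own code; the demo tree and its contents are constructed in the temp folder.

```powershell
# Added example, not part of the original answer: the "hash  path" listing that
# fciv.exe produces, built with PowerShell's Get-FileHash (MD5, fciv's default),
# plus a comparison of a saved listing against a fresh one so that altered,
# added or missing files stand out. The demo tree is constructed in the temp
# folder; nothing from the article's d:\temp is used.

function Get-FolderHashList {
    param([Parameter(Mandatory)][string]$Path, [string]$Algorithm = 'MD5')
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm $Algorithm
        '{0} {1}' -f $h.Hash.ToLower(), $_.FullName      # lowercase hash, then path, as fciv prints it
    }
}

function ConvertTo-HashTable {
    param([string[]]$Lines)
    $table = @{}
    foreach ($line in $Lines) {
        $hash, $file = $line -split ' ', 2                  # split once only: paths may contain spaces
        $table[$file] = $hash
    }
    return $table
}

function Compare-HashList {
    param([string[]]$Baseline, [string[]]$Current)
    $old = ConvertTo-HashTable $Baseline
    $new = ConvertTo-HashTable $Current
    foreach ($file in $old.Keys) {
        if (-not $new.ContainsKey($file)) { "MISSING  $file" }
        elseif ($new[$file] -ne $old[$file]) { "CHANGED  $file" }
    }
    foreach ($file in $new.Keys) {
        if (-not $old.ContainsKey($file)) { "ADDED    $file" }
    }
}

# Constructed demo tree (placeholder content)
$root = Join-Path ([IO.Path]::GetTempPath()) ('fcivdemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null
Set-Content -Path (Join-Path $root 'report.txt')    -Value 'quarterly figures'
Set-Content -Path (Join-Path $root 'sub\notes.txt') -Value 'meeting notes'

# Take the baseline and store it outside the tree, like fciv's saved database
$baselineFile = "$root.baseline.txt"
Get-FolderHashList -Path $root | Set-Content -Path $baselineFile

# Simulate tampering and a dropped-in file, then re-hash and diff
Add-Content -Path (Join-Path $root 'report.txt') -Value 'altered after hashing'
Set-Content -Path (Join-Path $root 'sub\new.txt')  -Value 'dropped in later'
Compare-HashList -Baseline (Get-Content $baselineFile) -Current (Get-FolderHashList -Path $root)

Remove-Item -Path $root -Recurse -Force
Remove-Item -Path $baselineFile -Force
```

Pass -Algorithm SHA256 to Get-FolderHashList when MD5 is not acceptable; the comparison logic is unchanged.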



Q: What authentication methods are available for Active Directory (AD)?

A: Windows 2000 and AD introduced Kerberos as the principal authentication mechanism for all Win2K and later machines. However, earlier authentication protocols are maintained for backward compatibility. Here’s a summary of the available ones.

LAN Manager. Microsoft and IBM created this protocol for OS/2. It’s the least secure of all the authentication protocols and is used primarily by Windows Me and Windows 9x. LAN Manager uses a two-part, 32-character password hash. The first seven characters of the password make up the first part of the hash, and the last seven characters make up the second part (thus the 14-character maximum password size). Consequently, if you have a seven-character password, the second 16 characters of the password hash would be the same as the first 16 characters, thus revealing to an attacker that the password is only seven characters.

NT LAN Manager (NTLM). This is a more secure challenge-response authentication protocol than LAN Manager. It uses 56-bit encryption for protocol security and stores passwords as an NT hash. Windows NT 4.0 Service Pack 3 (SP3) and earlier clients use this protocol.

NTLMv2. This version of NTLM uses 128-bit encryption and is employed on machines running NT 4.0 SP4 and later. This is the most secure challenge-response authentication available.

Kerberos. Kerberos is essentially a ticket-based authentication protocol. See the FAQ “What is Kerberos?” at www.windowsitpro.com/article/articleid/15294/15294.html for a more detailed explanation. Kerberos is the most secure authentication method, and you should use it whenever possible. —John Savill


Q: If I use the Encrypting File System (EFS) to protect confidential files, how can I avoid losing that information when my organization upgrades its computers, or if a user loses a computer and I need to restore files from backup?

A: The best way to prevent data loss is by backing up the data recovery agent certificate and/or the user’s EFS certificate and private key. Without one of these certificates and its private key, there is usually no way to recover an encrypted file. If your computers are part of an Active Directory (AD) domain, you can take advantage of a Group Policy feature that lets you set up a single data recovery agent certificate that you can use to decrypt any encrypted files in the domain. If a central data recovery agent isn’t an option, then you must export each user’s EFS certificate along with its private key and store it in a safe place.


To export a certificate, log on as the user in question and open the Microsoft Management Console (MMC) Certificates snap-in (not the MMC Certificate Templates snap-in or the MMC Certification Authority snap-in). Open the user’s Personal\Certificates folder and find the EFS certificate. Right-click and select All Tasks, Export. Click Next on the first page of the wizard, select Yes, export the private key, and click Next until prompted for a filename. Save the file to some type of removable media and finish the wizard. Now store the certificate in a physically safe place. In the future, if a user is unable to access a file—whether it has been restored to a new computer or Windows has been reinstalled—just use the Certificates snap-in to import the certificate, and you have solved your problem. A final note: Your concern about losing data is well placed. There is no back door into EFS; if you lose the key(s) to it, you lose your data. —Randy Franklin Smith
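The snap-in procedure above as a script, for administrators who need to repeat it for many users. This is an added example, not from the original answer; it assumes Windows 8 / Server 2012 or later for Export-PfxCertificate, and the output path is a placeholder.

```powershell
# Added example, not from the original answer: the scripted equivalent of the
# Certificates snap-in export for the current user's EFS certificate and private
# key. Assumes Windows 8 / Server 2012 or later (Export-PfxCertificate is in the
# PKI module); the output path is a placeholder, and the .pfx should then be
# moved to removable media and stored securely, as the answer describes.

$EfsEkuOid   = '1.3.6.1.4.1.311.10.3.4'   # enhanced key usage "Encrypting File System"
$Destination = Join-Path ([Environment]::GetFolderPath('Desktop')) 'efs-backup.pfx'   # placeholder

function Get-EfsCertificate {
    # Same store the snap-in shows under Personal\Certificates for the logged-on user
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEkuOid })
    }
}

function Export-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Path, [securestring]$Password)
    # Export-PfxCertificate always includes the private key: the "Yes, export the private key" step
    Export-PfxCertificate -Cert $Cert -FilePath $Path -Password $Password | Out-Null
    return $Path
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found for this user.' }

$pfxPassword = Read-Host -Prompt 'Password to protect the exported .pfx' -AsSecureString
foreach ($cert in $certs) {
    # One file per certificate if the user has several (e.g. after a re-enrollment)
    $file = if ($certs.Count -gt 1) {
        $Destination -replace '\.pfx$', ('-' + $cert.Thumbprint.Substring(0, 8) + '.pfx')
    } else { $Destination }
    $out = Export-EfsCertificate -Cert $cert -Path $file -Password $pfxPassword
    Write-Host "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $out"
}
```

Import-PfxCertificate with the same password restores the certificate and key into Cert:\CurrentUser\My on the new or rebuilt computer, which is the snap-in's Import step.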

Security Blanket
By following practices such as the ones outlined in these tips and by taking a proactive approach to monitoring your entire security configuration, you can avoid becoming an example of a security horror story. If you invest time and resources in anticipation of a disaster, it’s likely that the calamity won’t occur. You’ll save money in the long run and won’t have to worry as much about the foolhardy folks around you.


Chapter 2: Endpoint-Protection Products
by John Green
Endpoint-protection products incorporate various technologies that monitor the common ways in which intruders can compromise a computer system’s functioning and information privacy. Such products include antivirus software, anti-rootkit scanning tools, client firewalls, and email scanners. (See the web-exclusive sidebar, “Types of Endpoint Protection Products,” for a basic explanation of these product types.) I review a sampling of five endpoint-protection products that incorporate these features to help you decide what will best protect your systems.

ESET Smart Security Business Edition
ESET Smart Security Business Edition includes antispam and firewall features in addition to those found in the company’s flagship ESET NOD32 Antivirus. Smart Security Business Edition features remote administration, local update mirroring (which lets local systems get updates from local systems, reducing Internet traffic and the load on the vendor’s servers), and the ability to install the product on both servers and workstations protected by Smart Security.

Smart Security Business Edition comprises four installable components. Smart Security is the antivirus, antispam, and firewall client piece that protects servers and workstations. ESET Remote Access Server communicates with client systems, collecting status information and coordinating scan, update, and configuration requests. You can deploy one or a replicated hierarchy of remote access servers in various locations to suit your organizational structure. There’s a GUI console, ESET Remote Administrator Console, which Figure 1 shows, and finally, threat signature updates, which Smart Security systems can get directly from ESET company servers or from update mirrors that you can configure on Smart Security or Remote Access Server systems.

Smart Security stores configuration parameters in XML files that you create by using the ESET Configuration Editor. Although Smart Security’s components are highly configurable with dozens of parameters, the basic initial configuration pattern is simple. I used the console to install Smart Security to Windows Vista and Windows XP systems. The console lets you browse the network, drag target systems to a list, select the appropriate installation configuration, and install. Updating a client configuration requires using the Configuration Editor to create or modify an XML configuration file. You apply the update to clients using an update task. You can easily implement Smart Security’s user-defined groups. Each client can belong to several groups, and you can select a subset of systems to display via the console.

Administrators can choose one of three ways to manage Smart Security’s firewall: automatic, based on ESET’s predefined rule set; interactive, in which you create a rule the first time you access a program or IP port; or policy-based, in which you configure the rule set to block undefined communications. Likewise, you can configure three levels of action when Smart Security detects an infected file: ask the user to choose an action, automatically take the action earmarked for that threat, or aggressively clean all infected files. Automatic actions don’t delete infected compressed archives that also contain uninfected files; the aggressive option does so.
Brought to you by Symantec and Windows IT Pro

Smart Security is easy to install and configure. Some users will appreciate the layered configuration approach, which lets you create configuration files that affect only part of the full feature set. The lack of named-policy-based configuration makes more work for the administrator, but ESET says it will address that need in an upcoming release. Smart Security Business Edition is the ticket if you're looking for an easy setup and support for multiple locations.

McAfee Total Protection Service–Advanced
McAfee Total Protection Service–Advanced includes the features of the standard version of Total Protection Service (server and client antivirus, antispam, and client firewall components, McAfee SiteAdvisor, and Outlook client email scanning) and adds licensing to use McAfee Secure Messaging Service for Small Business, which provides additional antivirus protection and spam filtering. You manage the service using McAfee's SecurityCenter website, shown in Figure 2, which sends weekly reports and gives you configuration tools and on-demand access to the status of your protected systems. Protected clients communicate with McAfee's Network Operations Center to report status information and download updates. A feature called Rumor Technology lets computers that lack a direct Internet connection get their updates from another Total Protection Service client. Designed particularly for small organizations or those without an IT infrastructure, the product offers an online tutorial that walks users through the client installation. The SecurityCenter status screen shows the number of clients running up-to-date software and provides summaries of filtered email and license usage. Each client computer belongs to a nonhierarchical group, and each computer in a group takes on the configuration defined by the policy assigned to that group. The default policy performs on-access scanning of files (but not within archives), prompts users to choose an action when it detects potential spyware, and lets users configure firewall rules. Total Protection Service automatically applies policy changes to every client in the assigned groups at the next update interval. I successfully used the browser/URL method to install Total Protection Service on Windows Vista and Windows XP systems. During installation you can also choose which of the antivirus, firewall, and browser protection components to add and which policy group the system joins. McAfee TPS–Advanced is easy to operate and manage. I recommend it for users who want centrally managed endpoint protection without the fuss of setting up a management infrastructure.

Sophos Endpoint Security and Control 8
Sophos Endpoint Security and Control 8 comprises the Sophos Anti-Virus engine, Sophos Client Firewall, and Sophos Network Access Control (NAC). The Sophos Enterprise Console, which Figure 3 shows, and the Sophos NAC Console provide centralized endpoint management. Endpoint Security and Control is the only product in this review that incorporates NAC features and control of access to USB-based devices. It's also the only product that lacks built-in email monitoring and spam detection, although you can buy the product bundled with Sophos Email Security and Control. The product also requires a Windows Server OS and Microsoft SQL Server to support its console-management features. I installed the Enterprise Console on a Windows Server 2003 system with Microsoft SQL Server Desktop Engine (MSDE) in place. A wizard helped me configure the EM Library, which lets you subscribe to, download, and maintain Sophos update files. To distribute the client-update load, organizations with several locations can install the EM Library component on other servers or create a remote network share to hold update files for remote clients. Next, I installed NAC Manager on the management server. The NAC features incorporated with the product include endpoint assessment and quarantine.


From the Enterprise Console, you can push client software to Windows 2000 and later computers after you ensure that the client meets certain prerequisites. You can also run the installation package directly on the client without using the Enterprise Console UI or the Endpoint Security server. Sophos uses policies and named groups to facilitate endpoint management. Policies define how Endpoint Security and Control behaves on managed clients. You need to customize the product's default policies. The default antivirus policy performs on-access scanning but takes no action when it detects a threat. The default firewall policy blocks all traffic; thus, the first task after installing the client firewall on a system is to create a firewall policy. To apply a policy, you drag and drop it onto the appropriate groups. The product has three predefined NAC policies: default and managed for Sophos agent-based clients and unmanaged for guest systems. You can and should edit the managed and default policies, but the unmanaged policy is fixed. Endpoint Security and Control is easy to install and manage. Its antivirus component supports a broad set of platforms, and the policy-based design automatically keeps client systems up-to-date as policies change. The console-initiated installation feature works well when you can configure target client systems to meet the access prerequisites. The integrated NAC assessment, remediation, and enforcement protection is a real plus, helping you know when client systems comply with policies and limit the network access of noncompliant systems. This product can serve you well, particularly if the NAC features or antivirus support for non-Microsoft systems are important to your organization.

Symantec Endpoint Protection 11.0
Symantec Endpoint Protection 11.0 incorporates antivirus and antispyware protection (including rootkit detection), antispam, firewall, intrusion detection and prevention, USB data-device control, and application control measures. The product includes a management server application, Endpoint Protection Manager, which tracks and coordinates the activities of managed clients and uses either an included database or SQL Server. Symantec Endpoint Protection Console is a Java client application served by Microsoft IIS on the Endpoint Protection Manager system. I installed Endpoint Protection Manager on a Windows Server 2003 system configured with IIS and used the migration and deployment wizard, which runs on the management server, to deploy the client: the wizard created a deployment package and ran it on the client. Because the migration and deployment wizard is available only from the management server's Start menu, the push-deployment feature isn't accessible when you work from a remote console. I completed my testing by running the console on an XP Professional x64 Edition system. The console is attractive and easy to navigate, although I found its performance sluggish compared with a typical Windows GUI. Each client is a member of a group, and within each group you can define one or more network locations, such as LAN and Home, and assign configuration policies to each location within a group. You can also divide a group into several administrative domains for distributed management. Location membership can be dynamic within Symantec Endpoint Protection. As you define a location within a group, you can define a characteristic (e.g., an IP address range or a VPN client in use) that causes Endpoint Protection to dynamically assign the client to that location and automatically reconfigure the client with the policy for that location.
The product uses six classes of policies: antivirus/antispyware, firewall, intrusion prevention, application and device control, LiveUpdate, and Centralized Exceptions. As I clicked through the policy menu, I was impressed by the variety of configuration options Symantec Endpoint Protection supports. A padlock icon next to most configurable choices lets you determine whether the client system user can alter a particular option. You edit firewall rules from the screen shown in Figure 4. Editing rules is a bit clumsy because you need to select an option from the right-click menu for each field within the rule.

Symantec Endpoint Protection includes these predefined report types: audit, application and device control, compliance, computer status, network threat protection, risk, scan, and system. You can save on-demand reports in .mht format, or you can schedule reports to be emailed to you. I found Symantec Endpoint Protection's feature set complete and simple to learn. I was somewhat frustrated with the console's slow response at times, although the console itself was easy to navigate. I recommend Symantec Endpoint Protection to large organizations with many locations or a mobile workforce that can benefit from the product's granular configurability.

AVG Internet Security Network Edition 8.0
AVG Internet Security Network Edition combines the antivirus, antispyware, client firewall, email scanning, and web browsing protection found in AVG Internet Security 8.0 with server-based deployment and client-management features. The product provides heuristic and signature-based antivirus scanning, email scanning that supports Outlook and standard SMTP and POP3 clients, and rootkit scanning. The AVG administrative server has two roles: DataCenter performs all administrative and monitoring activities, and UpdateProxy downloads and distributes updates to managed clients. I installed the admin server on a Windows Server 2003 system with the default Firebird database, which AVG says can support installations of up to 150 endpoints. You can also opt to use a SQL Server or Oracle 10g database for larger installations. You use the AVG Network Installer Wizard to set up the AVG endpoint-protection components on network-attached systems. The AVG Admin Console, which Figure 5 shows, is the product's primary administrative interface. I also installed the console and the UpdateProxy role on an XP system. The admin server includes web-based status reporting accessed on a custom port. A graphic reports feature lets you schedule or generate information from the DataCenter role's database with any of seven predefined report templates. The Network Installer Wizard is your primary tool for AVG installation-related tasks. You use Creation of AVG Installation Script mode to create installation packages to run from a USB drive or network share. Remote Network Installation mode installs AVG on network-attached workstations. The console supports full remote operations, including running the Remote Installation Wizard, and has a customizable interface. In the stations node you can create named groups to organize and manage AVG client systems, which take on the configuration you define in each group's shared settings or policies.
AVG lets you allow or prohibit user modification of many of its configurable options. Firewall policies are separate from the shared settings that govern the other components of AVG. You can create several distinct firewall policies and assign one per group. AVG 8.0 has a nice feature set and is relatively simple to implement. The lack of named shared settings for nonfirewall components makes those components a little harder to configure when you have many groups, but the ability to control which settings you enforce on the client and which the user can change is useful. On the downside, AVG provides email notifications for just 10 events and only rudimentary reporting. Also, the remote installation features didn't work well for Vista systems in my test, but direct installation worked, and the console was able to push the configuration out. I recommend Internet Security Network Edition for midsized organizations that are familiar with and like AVG products.

A Tough Choice
I rated all but one of the products I reviewed four diamonds. (AVG Internet Security Network Edition has configuration management and deployment weaknesses that earned it just three diamonds.) ESET Smart Security is a good choice for its ease of implementation and layered XML-based configuration. McAfee Total Protection Service would suit small organizations with limited IT resources. Sophos Endpoint Security shines for its endpoint-assessment NAC feature. And large organizations will appreciate Symantec Endpoint Protection's configurability and extensive reporting. All things being equal (which they rarely are), Endpoint Protection earned Editor's Choice as the best balanced product.

Chapter 3: Securing Windows Desktops Using Group Policy
by Darren Mar-Elia
Managing Windows desktop security can be complex, with a myriad of tools and approaches available. However, Windows OSs include a built-in tool that has all the capabilities most organizations need to create secure, locked-down desktops across any size environment: Group Policy. Many IT administrators think of Group Policy as a tool for desktop management tasks such as deploying software, redirecting folders, or locking users out of regedit.exe. However, Group Policy is also the primary Windows tool for managing security configurations. In fact, Group Policy includes quite a few security capabilities that you might not be aware of. In this article, I explore some of Group Policy's security features, explain how they work, and give you some tips for getting the most from them.

Core System Security
I break Group Policy's security configuration capabilities into the following general categories: core system security, application and device restrictions, and Microsoft Internet Explorer (IE) security. The policy settings in the core system security category can typically be found in Group Policy Editor under Computer Configuration\Windows Settings\Security Settings, as Figure 1 shows for a Windows Vista system. Here are some of the features found in the core system security area of Group Policy.

Account Policies
You might be familiar with this section of Group Policy because it's where password and account lockout policies are set. For example, you can set a minimum password length or require passwords to contain complex characters in this area of Group Policy. If you define these policies in a Group Policy Object (GPO) linked to the domain (e.g., within the Default Domain Policy), the password policy is processed by all the domain controllers (DCs) in your domain and the GPO controls password policy for your domain user accounts. When the password policy is defined in a GPO linked to the domain, it is also processed by all workstations and member servers in the domain and sets account policy for any local accounts defined on those systems. As you might know, you can define only one domain password policy through Group Policy. However, Windows Server 2008 supports a new set of password settings objects (fine-grained password policies), defined in Active Directory (AD) rather than in a GPO, that give you more granular control of password policy within a single domain.
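As an added example (not part of the original article), here is how you work with the Server 2008 password settings objects from PowerShell using the ActiveDirectory module that ships with the Windows Server 2008 R2 RSAT tools. The group name Tier0-Admins and the user jdoe are assumptions for the example.

```powershell
# Added example, not from the article. Requires the ActiveDirectory module
# (Server 2008 R2 / RSAT); the group Tier0-Admins and the user jdoe are assumed.
Import-Module ActiveDirectory

# The one domain-wide policy that the domain-linked GPO sets. Read it back from
# the domain object rather than from the GPO, because that is what DCs enforce.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                MaxPasswordAge, LockoutThreshold, LockoutDuration

# A Password Settings Object (PSO) overrides the domain policy for the users and
# global groups it is applied to. When several PSOs apply, the lowest Precedence wins.
$psoName = 'PSO-PrivilegedAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# Apply the PSO to a global group rather than to individual users, so that adding
# an administrator to the group is enough to put the stricter policy on the account.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'

# Resultant policy check: this is what the DC actually enforces for the account,
# whichever PSOs apply. An empty result means only the domain policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

PSOs can be applied only to user objects and global security groups, so build the privileged-account group as a global group; the resultant-policy query at the end is the check worth scripting across all admin accounts after a change.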

Local Policies
The three security policy areas under Local Policies let you control a variety of security settings on your Windows systems. For example, these policies let you use Audit Policy to configure which events are collected in the Windows Security event logs on your servers, use User Rights Assignment to configure who can access a particular set of servers or workstations via Remote Desktop, or use Security Options to configure whether the Administrator account is enabled on a given set of systems and renamed to something other than Administrator.

Audit Policy is fairly straightforward in that it lets you control which types of events are collected in the Windows Security event log. You can specify success and/or failure events here for auditing categories ranging from AD access to system object (e.g., file and registry key) access. Depending on where a GPO defining auditing events is linked, you can enable auditing on DCs or on member servers and workstations. For example, if I link a GPO containing an audit policy that enables directory service access auditing to the Domain Controllers organizational unit, it will be processed by all the DCs in my domain, and access to AD objects whose SACLs call for auditing will be logged on the DC that serviced the access request. User Rights Assignment is another powerful security tool within Group Policy. This tool lets you control who can do what on a given system. Examples of user rights include the Logon Locally right, which lets you control who can log on interactively at the console of a server or workstation, and the Load and Unload Device Drivers right, which grants a group or user the ability to install device drivers such as printer and display drivers. By creating a GPO that's linked at the domain level and populating the Deny Logon Locally right with the Authenticated Users group, you would effectively prevent all the users in your AD domain from logging on to their workstations. Obviously, the point of this example isn't to show how to break things, but to show how powerful User Rights Assignment can be and how careful you need to be when using it. As with other policy settings, you want to make sure that the GPO in which you're setting user rights applies only to the computers you intend it to and that the rights you're granting or revoking are granted to or removed from the correct user groups.
Another thing to keep in mind about User Rights Assignment is that the list of rights you see in Group Policy Editor changes depending on which version of Windows you're editing Group Policy from (i.e., the version of Windows that you're running Group Policy Editor on). Newer versions of Windows, such as Server 2008 and Vista, contain more user rights than older versions such as Windows XP. So, if you define a user right in a GPO that you edit from Vista, and that GPO is applied to an XP system that doesn't know anything about that user right, the XP system will process the policy but ignore that setting. You can quickly compare the differences in security settings between versions of Windows by downloading the Group Policy Settings Reference spreadsheets that Microsoft maintains for each version of Windows at download.microsoft.com. Search on the term "Group Policy Settings Reference" to see the spreadsheets for each release. The spreadsheets contain a list of all the default Administrative Templates for that version, as well as security settings. You can use User Rights Assignment, as well as some of the other security areas in Windows, to configure roles that define who can do what within your environment. The built-in groups, such as Server Operators and Backup Operators, are just groups that have been granted a set of user rights and permissions for other resources on a system. You can certainly create a Desktop Administrators group and grant that group the rights to perform whatever tasks are needed on your Windows systems, without having to include members of that group in the Administrators group on every system. The final area in the Local Policies section of Group Policy Editor is Security Options, located under Local Policies\Security Options. I call these settings the "vulnerability controls" because they define security settings that control configuration behaviors related to a system's security posture.
For example, within this section, you can configure Server Message Block (SMB) signing requirements on clients or servers. SMB signing puts a keyed signature on every SMB packet so that an attacker positioned on the network between two systems can't tamper with, inject into, or relay that session; it authenticates the traffic but doesn't encrypt it. Within this section, you can also control the behavior of Vista's User Account Control (UAC) feature, as shown in Figure 1. Perhaps the most interesting thing about the Security Options section is that the list of security options presented there, while dependent on the version of Windows you're running Group Policy Editor from, can be manually changed. The list is configured from an underlying file, sceregvl.inf, in the %windir%\inf folder on the machine you're editing the GPO from. Within this file, each of the policies that you see in Security Options is defined, and you can add entries for additional registry-based settings that you want to control via Group Policy; after editing the file you must re-register scecli.dll (regsvr32 scecli.dll) for Group Policy Editor to pick up the change. More information about customizing this file can be found at support.microsoft.com/kb/214752.
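Both the User Rights Assignment trap described above and the SMB signing options end up in the same place on a client, the local security policy, so one check can cover both. The following PowerShell script is an added example, not code from the article: it exports the policy in effect on the machine with secedit, parses the INF, flags user rights that lock users out or are admin-equivalent, and reports the four SMB signing settings. The list of "risky" rights and the warning thresholds are my own choices; PowerShell 2.0 is assumed.

```powershell
# Added example, not from the article. Exports and parses the local security
# policy that Group Policy has applied; run elevated. PowerShell 2.0 assumed.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS SECURITYPOLICY | Out-Null

# Parse the INF into @{ section = @{ key = value } }
$policy  = @{}
$section = $null
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy[$section][$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg

# secedit writes principals as *SID; translate them back to names where possible
function Resolve-Principal([string]$p) {
    if ($p -match '^\*(S-1-.+)$') {
        try { return (New-Object System.Security.Principal.SecurityIdentifier $Matches[1]).Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $Matches[1] }
    }
    return $p
}
$rights = @{}
foreach ($k in @($policy['Privilege Rights'].Keys)) {
    $rights[$k] = @($policy['Privilege Rights'][$k].Split(',') | ForEach-Object { Resolve-Principal $_.Trim() })
}

# 1. The deny-logon trap from the article ...
foreach ($p in $rights['SeDenyInteractiveLogonRight']) {
    if ($p -match 'Authenticated Users|Everyone|Domain Users|^BUILTIN\\Users$') {
        Write-Warning "Deny log on locally is applied to $p: nobody in that group can log on here"
    }
}
# ... and rights that amount to local admin when held by anyone other than Administrators
foreach ($r in 'SeDebugPrivilege','SeTcbPrivilege','SeLoadDriverPrivilege','SeTakeOwnershipPrivilege','SeRestorePrivilege','SeBackupPrivilege') {
    foreach ($p in $rights[$r]) {
        if ($p -ne 'BUILTIN\Administrators') { Write-Warning "$r is held by $p (admin-equivalent)" }
    }
}

# 2. SMB signing. Security Options appear in [Registry Values] as path=type,value;
#    type 4 is REG_DWORD, value 1 = enabled, 0 = disabled, absent = OS default.
$reg = $policy['Registry Values']
$smb = @{
    'Server requires signing' = 'MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature'
    'Server offers signing'   = 'MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature'
    'Client requires signing' = 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature'
    'Client offers signing'   = 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature'
}
foreach ($name in $smb.Keys) {
    $raw = $reg[$smb[$name]]                                  # e.g. "4,1"
    $val = if ($raw) { [int]($raw.Split(',')[1]) } else { 'not set (OS default)' }
    Write-Host ("{0,-25} {1}" -f $name, $val)
}
if ($reg[$smb['Server requires signing']] -ne '4,1') {
    Write-Warning 'SMB server does not require signing: a host on the network path can tamper with or relay SMB sessions'
}
```

Run it on a representative member of each OU before and after a GPO change; the export reflects the merged result of every GPO that applied, which is what you actually want to verify. Backup Operators will show up under SeBackupPrivilege and SeRestorePrivilege by default, which is worth knowing: members of that group can read and overwrite any file on the system.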

Restricted Groups Policy
The purpose of the Restricted Groups policy is to provide a mechanism for controlling local group membership on member servers and workstations. For example, you can use the Restricted Groups policy to ensure that only Help desk administrators are members of the Remote Desktop Users group on all your workstations. Restricted Groups has two modes of operation: Members and Member Of. The Members mode is the more restrictive mode. It says that for a given local group on a set of workstations, only the listed users and groups are members, and all other groups or users are removed (with the exception of the local Administrator account, which is never removed by the Restricted Groups policy). By contrast, the Member Of mode lets you add users and groups to other groups non-exclusively. In other words, you can create a policy that says "always make the Desktop Administrators group a member of local Administrators on any computers that process the policy." In that case, Desktop Administrators is added to the local Administrators group, but no other group members are affected. The new Group Policy Preferences feature, which is included in Server 2008 but can be installed on XP and later, also includes the ability to control groups within the Computer (and User) Configuration\Preferences\Control Panel Settings\Local Users and Groups policy area. You can use this feature to perform tasks such as renaming groups and selectively adding or removing specific users and groups from group memberships. Group Policy Preferences provides a much more flexible version of the Restricted Groups policy, and I recommend using it as an alternative if you're a Restricted Groups fan but don't like its limitations. I just want to say a final word about using Restricted Groups and Group Policy Preferences. You might be tempted to try to use these policies to control AD group membership. However, these policies aren't designed for AD's multimaster environment, and you can get into some ugly scenarios in which Group Policy applies group membership changes at different times from different DCs. This is a problem because group memberships are replicated from the DC that originates the change. Because Group Policy is processed by every DC in a domain, each DC would make the identical change to AD group membership specified by the Restricted Groups policy, and you would essentially be "ping-ponging" identical replication changes of group memberships across all DCs, depending on when each DC processes the policy.
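Before you turn on a Members-mode policy, it helps to know which accounts it is about to remove. The following script is an added example, not code from the article: it reads the real membership of the local Administrators group on a set of workstations through the WinNT ADSI provider (which works back to Windows 2000) and reports anything that isn't on the list the policy would enforce. The computer names and the allowed list are assumptions.

```powershell
# Added example, not from the article. Computer names and the allowed list are
# assumptions; run with an account that can read the remote machines' SAM.
$allowed   = @('Administrator', 'CORP\Domain Admins', 'CORP\Desktop Administrators')
$computers = 'WKS-0042', 'WKS-0043'

# For reference, the same Members-mode policy is stored in the GPO's GptTmpl.inf
# roughly like this (format from my notes; 512 is the Domain Admins RID, 1105 is made up):
#   [Group Membership]
#   *S-1-5-32-544__Memberof =
#   *S-1-5-32-544__Members = Administrator,*S-1-5-21-<domain>-512,*S-1-5-21-<domain>-1105

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$Group = 'Administrators')
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in $grp.psbase.Invoke('Members')) {
        # ADsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://DOMAIN/COMPUTER/Name (or WinNT://COMPUTER/Name) for local accounts
        $path      = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts     = ($path -replace '^WinNT://', '').Split('/')
        $name      = $parts[-1]
        $container = $parts[-2]
        if ($container -eq $Computer) { $name } else { "$container\$name" }
    }
}

foreach ($pc in $computers) {
    try   { $members = @(Get-LocalGroupMembers -Computer $pc) }
    catch { Write-Warning "$pc : $($_.Exception.Message)"; continue }
    $extra = @($members | Where-Object { $allowed -notcontains $_ })
    if ($extra.Count) { Write-Warning "$pc : Restricted Groups (Members mode) would remove: $($extra -join ', ')" }
    else              { Write-Host    "$pc : local Administrators already matches the policy" }
}
```

The same function doubles as the ongoing compliance check once the policy is live: anything the script reports as extra either arrived since the last 16-hour security refresh or came from a machine that isn't processing the GPO at all, and both are worth an alert.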

System Services Policy
The System Services policy lets you control which Windows services are started on a given computer. It also lets you control the permissions on a service. For example, you can use this policy area to grant only your server administrators the ability to stop and start the Print Spooler service on all Windows servers acting as print servers. You can use the System Services policy to grant a select group the ability to perform their job without requiring them to be administrators on the systems they need to access. Group Policy Preferences, located under Computer Configuration\Preferences\Control Panel Settings\Services, also provides a policy for controlling system services. This feature gives you additional control over service configuration, including the ability to change the service account and the service account password on a set of systems. The latter capability is powerful because previously, when you had a service running on a bunch of machines in the context of a user account, you had to visit each machine to change the stored password whenever you changed the account's password. As a consequence, many organizations avoided changing service account passwords, which is a big security risk because many service accounts are more privileged than user accounts. With Group Policy Preferences, you also have a mechanism for pushing that change to all of your computers so that you can change your service account password regularly. Be aware, though, that Group Policy Preferences stores the password in the preference item's XML file in SYSVOL, encrypted with a key that Microsoft has published, so anyone who can read SYSVOL (which every domain user can) can recover it; Microsoft later removed the ability to set passwords through Preferences (MS14-025). Prefer a mechanism that doesn't leave the password at rest in SYSVOL.
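The rotation the paragraph describes can be done without storing anything in SYSVOL. The following script is an added example, not code from the article: it resets a domain service account's password in AD and then updates and restarts every service on a list of servers that logs on as that account, using the Win32_Service.Change method. The account name, server names, and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example, not from the article: rotate a service account password and
# push it to every service that runs under the account, server by server.
# Account and server names and the ActiveDirectory module are assumptions.
$account = 'CORP\svc-backup'
$servers = 'APP01', 'APP02', 'APP03'

$secure = Read-Host -AsSecureString "New password for $account"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)   # Change() needs clear text
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Reset the password in AD first, so the services restarted below
#    authenticate against the new value.
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity ($account.Split('\')[1]) -NewPassword $secure -Reset

# 2. Find every service on every server whose logon account is this account.
#    WQL string literals need backslashes doubled.
$wql = "StartName='{0}'" -f $account.Replace('\', '\\')
foreach ($srv in $servers) {
    $services = @(Get-WmiObject Win32_Service -ComputerName $srv -Filter $wql)
    if (-not $services) { Write-Host "$srv : no services run as $account"; continue }
    foreach ($svc in $services) {
        # Win32_Service.Change() takes 11 positional arguments; $null leaves a field
        # unchanged. Positions 7 and 8 are StartName and StartPassword.
        $rc = $svc.Change($null, $null, $null, $null, $null, $null, $account, $plain, $null, $null, $null).ReturnValue
        if ($rc -ne 0) { Write-Warning "$srv/$($svc.Name): Change() failed with return code $rc"; continue }

        # The SCM only reads the stored credential when the service starts, so
        # restart running services now rather than discovering a stale password
        # at the next reboot.
        if ($svc.State -eq 'Running') {
            $svc.StopService() | Out-Null
            for ($i = 0; $i -lt 30; $i++) {
                Start-Sleep -Seconds 1
                $state = (Get-WmiObject Win32_Service -ComputerName $srv -Filter "Name='$($svc.Name)'").State
                if ($state -eq 'Stopped') { break }
            }
            $svc.StartService() | Out-Null
        }
        Write-Host "$srv/$($svc.Name): logon credential updated"
    }
}
$plain = $null
```

The order matters: change AD first, then the services, and restart within the same run; a service whose stored password is stale keeps running until its next start, which is exactly the failure that surfaces weeks later at the next reboot. Reset-based password changes also need the Reset Password permission on the account, which you can delegate to the rotation job without giving it any other right over the object.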

Registry and File System Policies
These policies give you the ability to centrally mandate file system and registry key permissions, respectively. For example, say you want to lock down a certain file or folder that exists on all your desktop systems, such as a workstation's HOSTS file, so that malware that gets onto the system can't easily modify that file. In that scenario, the File System policy lets you centrally define the permissions and permissions inheritance that should exist on that file on all computers that process the policy. But generally speaking, the file system and registry security policies aren't used very often as a way of centrally managing file system and registry security, and they can be problematic if misused. These policies aren't designed to work well when repermissioning large trees of files and folders or registry keys. They simply don't perform well during Group Policy processing and have been known to slow systems to a crawl while a policy is being processed. The problem is exacerbated because security policy automatically refreshes every 16 hours by default, even if no policy changes occur. If you need to do some large-scale file system or registry permission tightening, I recommend using an out-of-band method that doesn't rely on Group Policy, such as scripts, Windows security templates, or third-party security tools. That being said, it is possible to use these policies if you're permissioning only a small number of files, folders, or registry keys, and it can be an ideal way to ensure that these key resources are secured and stay secure, given the recurring processing behavior of Group Policy.
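The HOSTS example above, as an added PowerShell example (not code from the article): it applies the same explicit, non-inherited ACL that a File System policy would set and then verifies that no principal other than SYSTEM and Administrators can modify the file. Nothing beyond the standard HOSTS location is assumed; run it elevated.

```powershell
# Added example, not from the article. Locks down HOSTS the way a File System
# policy would and verifies the result; run elevated.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$acl   = Get-Acl -Path $hosts

# Replace inheritance with an explicit ACL. The second argument ($false) drops
# the inherited ACEs rather than copying them, so nothing inherited from etc\
# survives; then clear any explicit ACEs and add exactly the three we want.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($ace) | Out-Null
}
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
$acl.AddAccessRule((New-Object $ruleType 'NT AUTHORITY\SYSTEM',    'FullControl',    'Allow'))
$acl.AddAccessRule((New-Object $ruleType 'BUILTIN\Administrators', 'FullControl',    'Allow'))
$acl.AddAccessRule((New-Object $ruleType 'BUILTIN\Users',          'ReadAndExecute', 'Allow'))
Set-Acl -Path $hosts -AclObject $acl

# Verify: flag any Allow ACE that carries write-class rights for a principal other
# than SYSTEM or Administrators. This is the check to run fleet-wide after the
# policy has had a refresh cycle to confirm it actually took effect.
function Test-FileWritableByNonAdmins {
    param([string]$Path)
    $writeClass = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
    $trusted    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $findings   = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and ($ace.FileSystemRights -band $writeClass) -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            $findings += "$($ace.IdentityReference) can modify $Path ($($ace.FileSystemRights))"
        }
    }
    return $findings
}
$issues = Test-FileWritableByNonAdmins -Path $hosts
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host "$hosts is writable only by SYSTEM and Administrators" }
```

Keep the verification function and drop the Set-Acl half when you run this across the fleet: the point of doing a few high-value files through Group Policy is that the policy re-applies the ACL every refresh, so your job is to confirm, not to re-set.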

Application Restrictions
In an ideal scenario, you would define every process that users can run and exclude all unapproved processes. That way, if users inadvertently install something on their systems, you can ensure that it won't execute. This is the general premise behind Software Restriction Policies (SRP), which are located under Computer and User Configuration\Windows Settings\Security Settings\Software Restriction Policies. Essentially, you can control, through a variety of rule mechanisms, which code is allowed to run. SRP can be configured to run in three different modes. The default mode lets all code execute and lets the administrator restrict those applications or scripts that he or she explicitly wants to deny. This approach is called blacklisting, and although it's easy to administer, it's not very secure because you don't know what you don't know, and it's impossible to specify every piece of code that users might run. The second mode is called whitelisting and is the most secure way to use SRP, but it requires more management on the part of the administrator. In this mode, you set the default execution level to Disallowed, meaning that no code will execute on the system other than core Windows code and any other applications or scripts that you specify. You set the default mode under the Security Levels folder within Software Restriction Policies, as shown in Figure 2. When you enable this mode, you must create rules that specify which code is allowed to execute. To do so, you need to know which processes your users will run and keep up with their demands for new applications. Although this can make managing whitelists onerous, it does provide a very secure environment if your users run only a handful of applications. For example, when you whitelist the applications that are allowed to run, users who inadvertently download malicious code can't run that code because it isn't on the list of approved applications.
You define allowed and disallowed applications using the SRP rules that I describe later. The final mode, called Basic user, was first exposed in Vista but is also supported in XP. In scenarios in which your users run as administrators, when you set the default level to Basic user, all processes that an administrative user runs are stripped of their administrative tokens, which essentially forces the process to run as a nonadministrative user. This approach can be useful if you want to ensure that your administrators aren't running certain processes using their administrative accounts. The basic approach for using SRP is to first set the default Security Level to Unrestricted, Disallowed, or Basic user. You can then create rules by clicking the Additional Rules folder within Software Restriction Policies, as shown in Figure 2. These additional rules provide exceptions that enable or disable certain processes' ability to execute. SRP comes with four rule types: hash, path, certificate, and network-zone rules.
• Hash rules: Hash rules uniquely identify an executable piece of code. When you use a hash rule, you pick a particular version of an executable or script and say that only that particular version is Unrestricted or Disallowed. If the user renames the executable, the hash is still valid and the user is blocked if the rule is set to Disallowed. However, any time the application changes versions, you'll need to create a new hash rule to reflect that change. If applications have different versions for different Windows releases, each version needs its own hash rule. This type of rule is cumbersome to maintain for lots of applications, but bulletproof for ensuring that a particular application can or can't run. Group Policy Editor computes the hash at the time you add the executable to the policy.
• Path rules: Path rules are more flexible than hash rules. They let you specify a path in the file system that contains executable code and allow or disallow all code found in that path (and its child folders as well). You can use wildcards and environment variables to define path rules, making the rules even more flexible. The downside to path rules is that they're only as good as the permissions on your local file system. If your users can simply copy code they want to run into a different folder to get around a path rule, your path rules won't help much. For example, temporary file locations are typically writable by users, so you should create Disallowed path rules for the various temporary file locations in Windows. Note that the default rules SRP creates allow everything under %SystemRoot%, and that tree contains user-writable folders such as %SystemRoot%\Temp, so those folders need explicit Disallowed rules too; a more specific path rule takes precedence over a less specific one. For this reason, a combination of path rules, hash rules, and tight file system permissions might prove to be the best solution.
• Certificate and network zone rules: These rules are the least frequently used. Certificate rules let you specify code that can run based on who signed the code, using public key certificates. The downside to these rules is that they require you to ensure that all code that's run is signed, which isn't always feasible. Network zone rules let you control how files are installed based on where they came from, but they're almost useless because they apply only to Windows Installer (.msi) files. If a user downloads a setup.exe file, this rule is ignored.
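Whether the rules you created actually cover the writable folders is something you can check on the client, because Group Policy writes the SRP configuration to the registry. The following script is an added example, not code from the article: it lists every path and hash rule with its level and then works out which level applies to code dropped into common user-writable folders, approximating SRP's most-specific-match precedence. The registry layout and level codes are from my own notes (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted) and the folder list is my choice; verify both against your build.

```powershell
# Added example, not from the article. Registry layout and level codes are from
# my notes; the writable-folder list is my choice. Run on a machine that has
# received the SRP GPO.
$base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$level = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $base)) { Write-Host 'No software restriction policy is applied'; return }
$ci = Get-ItemProperty -Path $base
$defaultLevel = $level[[int]$ci.DefaultLevel]
Write-Host "Default level: $defaultLevel"
Write-Host "Local administrators exempt: $($ci.PolicyScope -eq 1)"

# Every rule lives under <level>\Paths\{GUID} or <level>\Hashes\{GUID}
function Get-SrpRules {
    foreach ($lv in $level.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $key = Join-Path $base "$lv\$kind"
            if (-not (Test-Path $key)) { continue }
            foreach ($sub in Get-ChildItem -Path $key) {
                $v = Get-ItemProperty -Path $sub.PSPath
                if ($kind -eq 'Paths') {
                    New-Object PSObject -Property @{ Level = $level[$lv]; Type = 'Path'; Rule = $v.ItemData }
                } else {
                    # ItemData is the raw hash; FriendlyName is the file the editor hashed
                    $hex = ($v.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                    New-Object PSObject -Property @{ Level = $level[$lv]; Type = 'Hash'; Rule = "$hex ($($v.FriendlyName))" }
                }
            }
        }
    }
}
$rules = @(Get-SrpRules)
$rules | Sort-Object Level, Type, Rule | Format-Table Level, Type, Rule -AutoSize

# A path rule expands environment variables, accepts * and ? wildcards, and a rule
# naming a folder also covers everything beneath it. The default registry-path
# rules (%HKEY_LOCAL_MACHINE\...%) are not expanded here and so never match.
function Test-SrpPathCovers([string]$Rule, [string]$Folder) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Rule).TrimEnd('\')
    $pattern  = '^' + [regex]::Escape($expanded).Replace('\*', '.*').Replace('\?', '.') + '(\\.*)?$'
    return ($Folder.TrimEnd('\') -match $pattern)
}

# When several path rules match, SRP applies the most specific one; the longest
# expanded rule is a close approximation. Hash and certificate rules outrank all
# path rules, but they name single files, so they don't change a folder verdict.
function Get-SrpEffectiveLevel([string]$Folder) {
    $best = $null
    foreach ($r in @($rules | Where-Object { $_.Type -eq 'Path' })) {
        if (-not (Test-SrpPathCovers $r.Rule $Folder)) { continue }
        $len = [Environment]::ExpandEnvironmentVariables($r.Rule).Length
        if ($best -eq $null -or $len -gt $best.Len) { $best = @{ Level = $r.Level; Len = $len; Rule = $r.Rule } }
    }
    if ($best -ne $null) { "$($best.Level) via rule '$($best.Rule)'" } else { "$defaultLevel (default level)" }
}

# Folders a standard user can normally write to; confirm with icacls on your build.
$writable = $env:TEMP, $env:USERPROFILE, "$env:SystemRoot\Temp", "$env:SystemRoot\Tasks"
foreach ($f in $writable) {
    $eff = Get-SrpEffectiveLevel $f
    if ($eff -like 'Disallowed*') { Write-Host "$f : $eff" }
    else { Write-Warning "$f is user-writable and code there runs as $eff" }
}
```

Because the default %SystemRoot% rule is written as a registry-path rule, the script reports %SystemRoot%\Temp as falling back to the default level rather than to that rule; in a whitelisting deployment that still tells you what you need to know, namely whether you added the explicit Disallowed rule for it.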

Device Restrictions
Controlling what users do with your valuable business data is equally as important as controlling which code they execute. Protecting your data involves not only good data security where the data is stored, but also being able to control whether your users can physically take the data off their machines. In this era of $20 multigigabyte USB thumb drives, an awful lot of corporate data can just “walk away” without your knowing it. Enter Group Policy–based device restrictions. These device restrictions were made available in Server 2008 and Vista systems under Computer (or User) Configuration\Administrative Templates\System\Removable Storage Access. You can deny read or write access (or both) for any class of removable storage, including USB thumb drives, writeable CDs and DVDs, and removable hard drives, as Figure 3 shows. Previously, if you were in a pre-Vista desktop environment, you were out of luck unless you bought third-party device restriction products. However, with the introduction of Group Policy Preferences, device restrictions are now extended to Windows Server 2003 and XP. You can enable or disable the use of specific device classes by their unique ID under Computer (or User) Configuration\Preferences\Control Panel Settings\Devices. Although this feature doesn’t provide the same level of granularity as the Vista device restrictions policy discussed earlier, which can control the ability to read but not write to a given device type, you can at least create a set of policies that restrict, for example, all removable storage devices, as shown in Figure 4.

Brought to you by Symantec and Windows IT Pro

IE Security
Of all the areas I’ve discussed, perhaps the most challenging to configure via Group Policy is IE. The reason is that there are at least three different ways you can configure IE using Group Policy. The first way to configure IE is by using the IE Maintenance policy (under User Configuration\Windows Settings\IE Maintenance Policy). The second way is by using the Administrative Template policy (under Computer—or User—Configuration\Administrative Templates\Windows Components\Internet Explorer). The third way you can configure IE is by using Group Policy Preferences’ features (under User Configuration\Preferences\Control Panel Settings\Internet Settings). Each of these three areas has its strengths and weaknesses when configuring IE. For example, if you want to configure settings such as IE’s proxy or home page, you can use the IE Maintenance policy or Group Policy Preferences to do so. Of the two, I recommend using Group Policy Preferences if you can, because the IE Maintenance policy has a long history of not being very reliable in terms of delivering policy settings to clients. Of course, in most cases, Group Policy Preferences are just that—preferences. They don’t prevent users from making changes to, for example, proxy settings, as the IE Maintenance policy does. For that reason, if you use Group Policy Preferences to control something like proxy settings, you’ll need to use the Administrative Template policy to disable the page within IE that lets the user access those settings. The goal behind IE security policy is to ensure that users who are browsing websites aren’t allowed to access or download malicious content. By using features such as IE proxy enforcement, you guarantee that users get to the Internet through your point of control—the proxy server. By locking down elements of IE within Administrative Template policy, you ensure that the user can’t change IE’s configuration to get around your restrictions.
If the security configuration task you need to perform is setting IE zone security (which lets you centrally control which websites should be considered safe) or assigning website addresses to popup blocker lists or security zones, you can use all three methods to control these settings. Each method has a different behavior and supports a different set of options. For example, you can use the policies under Computer (or User) Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page to configure security for each IE zone (e.g., Trusted, Intranet, Internet), as well as a site-to-zone assignment list that lets you specify which websites should be added to each security zone for your users. If you use this method, users will be unable to add to or change these settings in IE—they will be totally locked out. However, if you use the IE Maintenance policy, you can configure zone security and site-to-zone assignment, but users will still be able to add websites to a given zone. Finally, if you use Group Policy Preferences, you’ll be able to configure zone security but won’t be able to assign websites to zones. However, Group Policy Preferences gives you full access to all the settings on the Advanced tab under IE’s Properties (shown in Figure 3), which the other two methods don’t.

Resources that Can Help You Get Started
Although there are often multiple methods for configuring the same set of items, there are few desktop security tasks that you can’t accomplish using Group Policy. For help getting started securing your desktops, I recommend checking out the security guides that Microsoft has made available for Vista and XP. You can download them from download.microsoft.com by searching on the term “Security Guide.” These guides include best practices for desktop security configuration, as well as security templates and spreadsheets of settings that define secure configurations. In addition, Microsoft provides the GPO Accelerator (www.microsoft.com/downloads/details.aspx?FamilyID=a46f1dbe-760c-4807-a82f-4f02ae3c97b0), which offers prebuilt GPOs that you can import into your environment and use to implement the best practices specified in the security guides. Although these prebuilt GPOs might not be exactly what you need in your environment, they can give you a starting point to work from as you implement and test secure configurations within your network.


Chapter 4: Examining Security-Policy Management
by Blake Eno
Companies create security policies for many reasons—perhaps you need to comply with corporate security standards, or you want to adhere to certain recommended best practices, or you need to abide by regulatory compliance. Your computing environment is unique, and therefore your security policies need to be tailored to your specific infrastructure. The biggest security-policy management challenge you probably face is accomplishing it all without increasing head count and costs. You’re probably on the lookout for an easy-to-use solution that provides visibility into your organization’s current state, as well as automated remediation. You’ll find a wealth of solutions on the market that seek to protect specific aspects of your organization—whether it’s Active Directory (AD), file servers, workstations, or a combination of these or other areas. Where do you start looking for that perfect solution that targets your specific needs? Let’s examine the various factors that might comprise a security-policy management solution, from AD integration to regulatory compliance to endpoint security.

Pillar Protection
AD is the central pillar of many organizations, and changes made to it can affect users company-wide. Administrators can use AD to push security policies across the entire enterprise, so it’s vital that you know who is making changes, what the changes are, when the changes are being made, where the changes are being made, and why the changes are being made. NetPro considers this “5 Ws” list the centerpiece of its ChangeAuditor for Active Directory product. ChangeAuditor identifies these “5 Ws” for all changes to group and user configuration in the AD environment. NetPro offers similarly functioning modules for file servers and Microsoft Exchange Server. Configuresoft’s Enterprise Configuration Manager (ECM)—although not tied solely to AD—also plays a big role in the Windows security-policy management space, offering support for Exchange, Systems Management Server (SMS), and so on. Recognizing the uniqueness of individual environments, Configuresoft has fashioned a solution that collects thousands of asset, security, and configuration settings from throughout your enterprise and stores them in its Configuration Management Database (CMDB). You can then use this assembled information to determine which policies are appropriate for your infrastructure. You should also consider NetIQ in this arena. Its Change Guardian for Active Directory is similar to NetPro’s solutions, in that it ensures that all changes to AD are authorized, monitored, and audited.

Targeted Systems
Most vendors in the security-policy management market provide policy templates from popular industry experts or leading IT security organizations to help you secure your organization. Most of these templates are customizable, or if you feel up to the job, you can create your own template from scratch. New Boundary Technologies, like many other vendors, offers policy templates but sets itself apart from the competition in other ways. Its policy-management solution, Policy Commander, automatically implements, monitors, and enforces computer-security policies across your network, whether internal or remote. The unique aspect of Policy Commander is its specialized targeting of security policies. Targeting—based on each computer’s configuration and role, security level, organization group, and location—lets organizations push a particular policy out to only the appropriate computers or servers that need it. Altiris offers similar functionality but separates itself from the pack with its cross-platform support and agent/agentless structure. Altiris’s SecurityExpressions automatically audits, deploys, and enforces security policies across all Windows, UNIX, and Linux desktops, notebooks, and servers. Such cross-platform support is becoming more and more important, as many IT shops are becoming increasingly heterogeneous.

Regulatory Compliance
Generally speaking, security is a never-ending battle that administrators fight across all aspects of the organization. Lately, security has played a key role in the midst of increasing regulatory-compliance pressures in the wake of the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley (SOX) Act. Auditors now require that customers provide evidence of compliance policies, so it’s important that you know where you’re compliant and where you aren’t. Security-policy management solutions help you identify your compliance levels, but more important, such solutions help you—and your auditors—address any security gaps and learn how to bridge them. With its Directory Experts Conference Survey, NetPro polled users about their organizational priorities. Whereas 67 percent of respondents answered that improving Windows security was the top organizational priority, 73 percent of respondents marked compliance as the top priority.

Internal Security Threats
Aside from regulatory compliance are the escalating security threats that manifest themselves within your organization. According to a survey conducted by the Ponemon Institute, nearly 70 percent of the threats to network security and integrity come from malicious employee activity or non-malicious employee errors. One reason for the increasing number of internal threats is the rise of increasingly diverse storage technologies. There are many ways by which data can enter and leave a system, from USB flash drives to seemingly innocuous MP3 players. In particular, USB flash drives represent a new threat that nearly every computing environment faces. At first, we all loved USB drives for their size and simplicity, but now, as the tiny devices have become very affordable and ubiquitous, they have become surprisingly threatening. Who knows what your users are doing with those USB drives when they’re not connected to your network? RedCannon Security extends security policy beyond the network perimeter to manage the USB drive’s entire lifecycle, from provisioning to remote destruction. RedCannon keeps track of all online or offline device activity and history to help provide evidence in support of regulatory compliance. As you know, data can swiftly enter and leave a system without anyone knowing. In fact, according to a recent FBI Computer Crime Survey, 44 percent of organizations reported that they had themselves been responsible for network intrusions. Theft of sensitive data is only one part of the problem. Many removable media devices upload viruses, spyware, or software that can affect the entire infrastructure. Security-policy management solutions can help you implement policies in your organization to safeguard the devices that you allow in your network. However, security policies don’t typically allow for managing and monitoring endpoint devices.
Therefore, it’s important to take a look at the solutions in this market that focus strictly on endpoint security. For example, GFI Software’s GFI EndPointSecurity helps you manage, access, and log activity to many kinds of devices, including PDAs, memory cards, CDs, and mobile phones. The product also helps you protect against infiltration through such devices as Bluetooth cards and network cards. Layton Technology’s similar solution, DeviceShield, lets you control access to ports, device types, and even specific device models. It lets you assign read and write permissions to removable media devices at every level of your organization, whether across the company or for individual users. Of course, when you’re making buying decisions in this market, you should always consider Symantec, a company that offers a number of solutions in this space. And to check out one more endpoint security solution, see “SmartLine DeviceLock,” June 2006, InstantDoc ID 49916. For some organizations, managing and controlling endpoint devices might not be enough—and that’s where a company such as NetSupport comes into play. NetSupport adds an additional layer of security on top of endpoint security solutions to protect against unwanted or malicious changes to your system.

A Least-Privilege World
Much of security-policy management is connected to privileges, so it’s important to know who has privileges to a certain file server or who has privileges to a specific application. Winternals Software’s Protection Manager uses the principle of least privilege to provide users with just the permissions they need to perform their jobs efficiently. To comply with best practices and regulatory-compliance directives, this solution allocates only the necessary privileges to users and provides four security levels: Allow, Run with administrative privileges, Run as limited user, and Deny. Desktop Standard also offers a least-privilege solution: PolicyMaker Application Security lets you use Group Policy conventions and PolicyMaker’s own per-setting filters to attach permission levels to applications.

Emerging Technologies
If you’re unfamiliar with Network Access Control (NAC) or Network Access Protection (NAP) technologies, you’d better listen up. NAC is an emerging technology that many vendors such as Cisco, Trend Micro, StillSecure, and Mirage Networks are starting to adopt. NAC solutions determine a computer’s state of health and perform a series of checks (e.g., antivirus signatures, patches) before granting computers access to your network. Microsoft is also adopting NAC-like technologies; however, Microsoft refers to this technology as NAP and is building it into Windows Vista and Longhorn Server.

Only the Beginning
Expect a deepening of security at all levels of the infrastructure. This market is growing, and organizations are starting to make policy management their first priority. Remaining compliant with regulatory requirements and industry best practices will continue to be vital, and you’ll need to make sure you have the appropriate solutions in place. We’ll continue to see security-policy management solutions that once focused on reactionary approaches move more toward proactive approaches. Time is money, after all, and beleaguered IT managers can’t afford to be constantly interrupted to react to the latest security problem. Although increasing security often means new difficulties in learning to adapt, the current security-policy management solutions on the market are well on their way to adapting to future trends.
