Either way, you've got some tough decisions to make and, potentially, a lot of work ahead of you if you don't think through your hardening strategy before you get started.
The simple -- seemingly logical -- thing to do would be to download your favorite hundred-page document on how to harden Windows from your favorite security "non-profit" on the Internet and implement its thousands of recommendations. Or, you could just take your auditor's report and proceed down the list. Not so fast! Too much time, effort, context, criticality of systems and more come into play here. So, instead, do you start up a formal "security awareness program" and place most security responsibilities in the hands of your users? Absolutely not!
In my humble opinion, based on the vulnerabilities I see over and over again on Windows-based networks, locking down Windows per the well-known hardening checklists isn't necessarily what it's made out to be. In fact, if you fall in line and believe that what an auditor tells you is golden or if you implement everything that organizations developing the Windows hardening checklists recommend, then you're setting yourself up for failure.
In order to effectively protect your Windows systems, you must know what you're up against. That requires an in-depth risk assessment that looks at threats, vulnerabilities, your overall environment and the general context in which your systems will be used. You'll also need to develop some corresponding security standards that support the minimization of these risks and weaknesses. Only you or an outside security expert that really knows your environment and your business will be able to come to these conclusions.
Once you identify your enemies, you can determine which security controls you need and then consider the security hardening recommendations you want to roll out. Don't make the mistake of hardening first and then assessing risks and creating security standards later.
Having said that, once you're on your way to Windows security nirvana (yeah right), certain things will guarantee a solid baseline toward locking things down effectively and keeping external hackers and rogue internal users at bay. Yes, I do have a minimal security hardening checklist, but, trust me, my controls are much less painful than implementing everyone else's "secure practices" that most likely won't make a difference in your environment.
Other than the obvious antivirus software and OS/application/firmware patches, here are three Windows client settings to implement:
- Personal firewall software to help block unsolicited inbound traffic and, if you choose, unauthorized outbound traffic. Ideally, you need software that can be managed centrally via Group Policy (i.e., Windows Firewall) or through a third-party management interface (i.e., Symantec's Host IDS).
- Properly set share and NTFS permissions to keep network snooping to a minimum and unauthorized users out of sensitive files stored locally.
- Hard drive encryption -- especially for laptops -- to keep unauthorized people out of the local system. Encrypting specific folders via EFS is nice, but why not encrypt the entire disk? It would serve as a safety net for when users store sensitive information outside of their encrypted drives by keeping all information secure.
When it comes to hardening checklists, one size definitely doesn't fit all. There's hardly any business or technical reason to lock down every system in the same way. Keep in mind the criticality, context and usage of the systems you're hardening. Not all systems are made or used in the same manner. A good comparison would be the security settings and software needed to keep Wi-Fi-enabled laptop computers secure compared to desktop systems inside your network and behind your firewall. If hardening a subset of your systems that are exposed to greater threats and vulnerabilities are all you need to do, that's OK. Just document the business reasons and/or be able to defend your choices when another audit takes place.
Work with the mindset that nothing's ever truly secure. Keep up your testing and tweak your hardening as you move forward. Get in the habit of doing that and you'll be better equipped to avert and adapt to new security issues as they come up. Also, remember that more security changes don't necessarily make a system more resilient. That only tends to create short-term job security for those who haven't yet figured out this business function we call information security.
Most importantly, stand up for yourself and your decisions. Become educated in what's really happening on your network. Find out how security risks are affecting your business and what makes practical sense to implement based on your organization's needs -- not on what someone else tells you is a "best practice."
About the author: Kevin Beaver, CISSP, is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Beaver has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, (Wiley) and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at email@example.com.
This tip originally appeared on SearchWindowsSecurity.com.
This was first published in May 2006