Security Best Practices: The Desktop.

Printable View

Show 40 post(s) from this thread on one page

January 7th, 2004, 11:45 PM
gore

Re: Re: Re: Security Best Practices: The Desktop.

Quote:

Originally posted here by chsh
You are allowed to make any recommendation you like.

I'm sorry I wasn't clearer, I will edit the OP and make this clearer for ya, but the development is all web oriented, and the clients log in via a custom-designed web script that provides them access to their apps and only their apps. For the purposes of this excercise, however, vulnerabilities on the server are irrelevant to the measures you take on the desktop.

Oh ****, I'm sorry Chris. I'v been awake a while and need some sleep and prolly should have reread this. Ok, the SSH thing I'll toss out as that method seems fine. I either missed the logging in part or didn't see it, but now it sounds much better ;)
January 8th, 2004, 12:35 AM
neel

I could be really wrong now, but I was told a long while ago that for a https connection (setup A) to initiazise you also need a http connection first to get the certificates... they told me you need an open port 80 (or at least a different port then 443 for the "normall" http stuff). It's pretty some while ago though, but that's what I recall.
I quite hope they explained wrong.

I didn't really think about improvements yet (drunk), but to add something to my post... You could add to the firewall to restrict outgoing connections from netbios ports (in this case 137-139) to dns (port 53). Or in general, how is the firewall setup besides the port 443? Just allow all other stuff?
January 8th, 2004, 01:09 AM
chsh

Again, I STRESS desktop security only. This is targeted at host-based best practices. We will get to the network level stuff soon enough.
January 8th, 2004, 01:13 AM
neel

blah... give everyone a knoppix cd and a thumbdrive
January 8th, 2004, 01:35 AM
Juridian

Just to toss out a cookie here since no one mentioned it, how about a host based ids such as tripwire?

Maybe set up a central logging server so if a desktop is compromised they will have to work further to wipe out the logs.

And maybe, just maybe, setting up a script or commercial application to monitor the logs and notify an admin or list of people if something wacky is going on.

#3 would have helped greatly with the gaming house chsh mentioned since the compromised machine belonged to a user who was out of town and couldn't access his machine at the times/dates involved.
January 8th, 2004, 05:15 AM
Tim_axe

I'm not quite as expirenced in security as someone who acturally works it, but after a recent career test in school showed that "I'm not made for" Taxi Driving and Lifeguarding (I am a lifeguard?) but I had some stuff a System Admin/Security etc used in work...

As mentioned, Outlook / Outlook Express would need to go since the Preview Function leaves the system vulnerable to all sorts of IE bugs in HTML E-mails. I have heard that Endura is a good e-mail client, but have never used it myself. Since xmaddness mentioned it...

Since Mail Services are provided by the ISP, there is no guranteeing security on their end. I know we are to focus on desktop security, so assuming that there is encryption from the Network -> ISP when getting the e-mail off of the server (I think there is), I would set up the mail client to remove the e-mail from the e-mail server and store a local copy. I know Outlook does this, but since I recommended Endura I can only hope that it offers this basic feature also.

I would keep the current Microsoft Office (unless a higher version is avaliable) but would take time to secure it first by disabling macros from ALL sources. I have yet to run across a valid use of macros in my highschool career, except for maybe creating a document with the correct date/time. I doubt that retyping that information would be too critical to the workers, and it would protect them from macros in untrust worthy (all) sources. A company MS Word template would be created with basic company report format outlined, etc., so the workers wouldn't worry about re-enabling the macros (assuming you can't lock them off).

I would only allow the Administrator and System account write access to C:\WinNT\, so none of the users can try adding new screen savers that have potentially malicious code. I would also require logins to go through a CTRL+ALT+DEL screen to prevent fake login screens, and educate users to only type passwords into these login screens. I realize this won't protect too well against hidden key-loggers, but is a (an albit small) step in that direction.

These computers would also have the floppy drives physically disconnected and unplugged from the motherboard, the CD-ROM/DVD drives would not support burning CDs/DVDs, since the users have access to their personal folders via the Internet which we are assuming is secure. The BIOS would also be locked down, and boot order would be set to HDD, FDD, None. This makes it so that if the system fails for whatever reason, I do not need to retype the BIOS password and risk it being seen by others and spread around the workroom, and eventually into e-mail, forums, et al. I would simply get my (physical) key, unlock the PC case, plug in the FDD, put in my CD or whatnot, and a FDD with LILO/GRUB or other software (found one: http://btmgr.sourceforge.net/ ) that allows booting to continue from the CD/DVD. A password would never need to be entered. Although it could be a pain in the butt to do this a lot of times... Of course before I leave the open computer case would prompt me to disconnect the FDD before locking it back up.

Since all incomming connections (except 443) are dropped/blocked, and since we don't need to be able to connect to all of the 65535 or so ports outgoing, the allowed outgoing port connections would be basically limited to HTTP/HTTPS (80;8080;443), MAIL (???), and FTP (23?). A proxy would probably be used and a history of websites visited can be kept. Unfortunately I do no know how to go about doing this on any computer systems (proxy). Of course the users would be notified of this logging via the legal dialogue box following login to the system. I just looked this up, and http://www.ntop.org/Monitoring.html has some links to monitoring a network with Linux. From that, http://www.ntop.org/ntop.html looks like it could be useful to ensure the network is used as intended and to look up problems. Of course that touches the servers though...

And I don't quite understand how printing is managed. :confused: You say that the Linux server is dc?/Print/File Server. How exactly is it the print server if all of these printers have NICs (which make them serve up themselves on the Windows Protocol)? Or am I not understanding how a print server works? In either case, since the Printer Server I had used a kind of Telnet login for configuration (password sent in clear text), I would put those behind the Linux computer so that if the emploies riot and attack the router to make it act as a hub, the printers wouldn't be effected. Done with three NICs on the Linux Box. (DSL, Printer Network, Windows Network; Printer and Windows Network joined together, DSL connection through proxy...although I don't understand how to do this)

Unfortunately I don't think I could remove Internet Explorer from the 2K boxes, so I'd simply have to patch it ASAP (though there are unpatched problems) and probably disable ActiveX controls with security policy. Also the My Computer section would be locked down, or the cache on the browser would be set to 0 to hopefully prevent loading unsafe pages from cache into the My Computer / Trusted section from doing their dirty work. A pop-up stopper (google toolbar? or anything else...) and programs to prevent home page hijacking (???) would also be installed on these machines so that emploies are not tricked into clicking or loading weird pages.

Also to protect emploies from going to NSFW (Not Safe For Work) sites or other related things, I would get a net filter for the server. I don't know anything thing about this company, but http://www.n2h2.com/index.php might be a net filtering program I'd look at for supporting Red Hat Linux (and possibly other distros). Combined with the NTOP program this would let me see what users are doing on the Internet and I could probably step in if problems occured...

I don't quite know what to do for System B though. At least some stuff from System A could be put into System B, but I don't really know anything about how those systems interact with each other to have any ideas...At this point in time I probably couldn't implement a lot of the stuff I talked about for System A either...

This is a neat discussion. I like reading through what other people would do. Helps get a better grasp of security on the whole. :)
January 8th, 2004, 07:13 AM
chsh

Quote:

Originally posted here by Tim_axe
This is a neat discussion. I like reading through what other people would do. Helps get a better grasp of security on the whole. :)

That was entirely the point. I'm glad it is appreciated. :)
Eventually, I would like to take all the good points people make throughout a thread, and I'll do up a post based on those, both in summary and in case study format.
January 8th, 2004, 10:32 AM
MURACU

i didnt notice if anyone mentioned it but one simple operation would be to rename the local administrator acount on the windows boxs. i would take it one step futher giving the size of the installation and create a new account which would have administrator permissions and disactive the local admin as any real attack will try to find the admins sid rather than its name.
January 8th, 2004, 10:33 AM
anjali

To put things dirrently.. Let me focus on Macro aspect of desktop security.... I shall prefer segregating PC's as Critical Desktops and Non-critical Desktops....

The Best Practices for Desktop should include following points.

1. Installation of only standard OS as decided by the company.

2. All Desktops should be patched with the latest available service pack

3. All Desktops to have Password protected Screen Saver with would activate automatically after 15 Minutes (customizable)

4. All desktops shall be sited behind the main firewalls and protected from external networks. Desktops outside the organizations firewall must have personal firewalls and hardened configurations

5.All desktops shall have authorised anti-virus software installed and configured with latest signature updates also take due care to update Virus engine at regular intervals. Ensure that the users cannot disable the antivirus on their desktops. Try using tools like MCAfee EPO for automatic patch deployment.

6. Train all critical desktop users to backup their data regularly. Try using softwares like stellar for the above purpose

7. No sharing of folders on the desktop.. Instead allocate a file server for common file that need to shared for Projects.

8. Very critical desktops should have boot password

9. In event of Mobile laptops ensure that encryption software is used to secure critical files..., also ensure that all mobile computers have a good personal firewall installed and an upto date Antivirus program installed on it....

10. Conduct security audits of desktops every month.......

11. Ensure standard desktop deployment with only standard desktop softwares (Try using Novell Identity Management services) for universal desktops....

12. Regular User awareness and training programs......

13. Follow Clear screen policy.. i.e No programs to be left active while the user is away....

14. Restrict accecss to outsiders to your work area....... Use visitor badges for clear identification of external users from internal.....

15. Well defined acceptable usage policy for every user

16. Implement a procedure to ensure that the critical data is permanently delted before giving the PC for repairs / replacements / disposal...

I guess this is what I can think of at this point of time.... But this would encompass the activities that organisation has to undertake to secure its desktops. It looks at Technical, process and training related measures which will help organization to raise its level of assurance as regards Desktops are concerned.

Regards

Kalp
January 8th, 2004, 07:48 PM
hogfly

ok,
As I mentioned before, it's nearly impossible to secure the desktop without enforcing server side policies but here goes.

Strictly desktop or desktop related.

--Physical
password protect the bios, and don't allow booting from removable devices.

The pc's should lock the desktop after 15 minutes of inactivity.

Policy: all users must lock their desktops when they leave their pc station. Logon hours. Users should only be allowed to login during normal operating hours. Users should not be able to logon locally to the machines.

If the computer case has the ability, lock the case via padlock or other device. (i.e. dells)

--
configure the systems to use ntsyslog or other syslogging type utility to log events to the server. Might as well utilize it...
configure an audit policy for logon events that succeed or fail.
--

IPsec filters on each windows host. Relatively easy to configure. Blocking traffic on key ports to the desktops except from internal hosts, adds an element to the whole buzzword 'defense in depth'. It's not much but it's something.

--
Get rid of IPC shares. They aren't neccessary. The desktops don't need to talk to eachother, Just the server. If an admin share is needed, create it with a non standard name, create a specific account that can use it, and give only that user permission to the share.

--
Centralize Antivirus. considering that linux is used as the server here, I'd switch to kapersky AV. Symantec is a good tool, consider this though, Live update only gets definitions once per week, regardless of how many times you tell it to update(this is barring "emergency" situations with a new and lethal virus.)You'd have to use SARC updates, which is possible and symantec provides a script for it, but you have no centralized control over your clients.
So, switch to Kapersky and centralize the control over AV services.

--
I know this one isn't really "desktop security" but it sure has a lot to do with it.
spam/junk mail etc...specially those containing viruses.. Set up an MTA for the network using something like exim, spamassasin or other BMF and also kill common virus laden attachments(.pif,.exe etc..). After a while spam should disappear for the most part.
--
get rid of outlook express. It's a piece of **** and should be replaced with a better client. Euroda is atleast a bit better even though it is crap as well. Hell, screw the MTA, set up a full blown mail server and use IMAP. oh wait...desktop only... /me hangs his head.

--
patch patch patch, use SUS like ammo said or something of the sort to automate patch rollouts. Keep everyone at the same level of software.
--
I'm tired of this, so that's all for now.

Show 40 post(s) from this thread on one page