
Thread: Security Best Practices: The Desktop.

  1. #21
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Okay, so what I'm getting from people is the following:
    Setup A:
    - Swap out Outlook Express for an alternate mail client. Perhaps Eudora or (my suggestion) Thunderbird.
    - Install a proxy, and block outbound connections from the machines themselves.
    - Disable all unneeded desktop shares.
    - Disable booting to removable media in the BIOS
    - Password protect the BIOS configuration.
    - Lock cases that have the ability to, and favour cases with such security features over ones that do not when looking at upgrading.
    - Configure desktops to log to a central logging server.
    - Utilize SUS to handle automated critical updates.
    - Set domain and local machine policies to restrict logon hours, local logons, etc.
    - All desktops should be set to lock the desktop after 10-15 minutes of inactivity.
    - Centralize and Homogenize the AV for the network. Consider alternatives to Symantec AntiVirus, as it does not update as frequently.

    Setup B
    Identical to A, with the additional step of DMZing the network, and blocking traffic between the clients and servers except for on the necessary ports.

    Missing anything?
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  2. #22
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    HIDS like tripwire.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  3. #23
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I still think the redhat server should be changed. Not just because I don't like 6.X, but also because there won't be any support for it. Might as well change to another distro. They already have Slackware running, and I think that would be a great replacement for it.

    Again, thanks for the great thread, and thanks to everyone for the input/discussion. We need a lot more threads like this one, so Chris, make sure the next one is coming soon lol.

    EDIT: Scratch that last part, heh, I see the new one

  4. #24
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by Juridian
    HIDS like tripwire.
    I'm not entirely convinced that's necessarily a desktop solution. HIDS is more designed for systems that are not constantly in use on a user level. I agree in principle with what you're saying, but I don't know if it's practical to stick a HIDS on every desktop...

    Originally posted here by gore
    I still think the redhat server should be changed. Not just because I don't like 6.X, but also because there won't be any support for it.
    Servers are irrelevant gore.
    Chris Shepherd

  5. #25
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I agree mostly with the other posters' comments, with a few exceptions.

    Setup A:
    - Ensure all users are using non-admin logins wherever possible (i.e. hopefully everywhere)
    - Only allow domain administrators (and any log on to any other servers with admin or special privs) to log on from authorised locations (by policy, not technically enforcing this rule)
    - If you need local admin rights on an individual PC, use the local admin user not the domain admin, ensuring that all workstations have different local admin passwords and different from the server (perhaps you can create some sort of script to set the local admin passwords). This ensures that if a keylogger is present, you don't give it the domain admin pw.

    Setup B:

    This is a tricky one. Basically, you've got a load of developers, no doubt all of whom have different setups on their workstations. Additionally, it's almost certainly the case that they need admin / root access for their day to day work.

    The Windows developers will moan unimaginably loudly if you remove their local administrator rights, even if they have the admin password - due to the fact that the "su" command (what equivalent(s) exist in Windows) are not widely known about, or used, or even can be used. Things like M$ Visual Studio assume that all web developers are going to have local admin rights, and won't even let you do anything (web dev wise) if you don't.

    Slarty
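
    Added example, not part of Slarty's post or the thread: one way to write the script suggested in post #25 so that every workstation gets a different local admin password. It assumes PowerShell remoting is enabled and the LocalAccounts cmdlets (PowerShell 5.1) exist on each target; the function names and workstations.txt are hypothetical.

    ```powershell
    # Added example: unique random local Administrator password per workstation.
    function New-RandomPassword {
        param([int]$Length = 20)
        $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@'
        # Bytes at or above $limit are rejected so each character is equally likely.
        $limit = 256 - (256 % $alphabet.Length)
        $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $byte  = New-Object byte[] 1
        try {
            do {
                $sb = New-Object System.Text.StringBuilder
                while ($sb.Length -lt $Length) {
                    $rng.GetBytes($byte)
                    if ($byte[0] -lt $limit) {
                        [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
                    }
                }
                $candidate = $sb.ToString()
                # Retry until upper case, lower case and a digit are all present.
            } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d')
        } finally { $rng.Dispose() }
        $candidate
    }

    function Set-UniqueLocalAdminPassword {
        [CmdletBinding(SupportsShouldProcess)]
        param([Parameter(Mandatory)][string[]]$ComputerName)
        $used = New-Object 'System.Collections.Generic.HashSet[string]'
        foreach ($computer in $ComputerName) {
            # HashSet.Add returns $false on a duplicate, so no password is reused.
            do { $plain = New-RandomPassword } until ($used.Add($plain))
            $secure = ConvertTo-SecureString $plain -AsPlainText -Force
            if ($PSCmdlet.ShouldProcess($computer, 'Reset built-in Administrator password')) {
                Invoke-Command -ComputerName $computer -ArgumentList $secure -ScriptBlock {
                    param($Password)
                    # The built-in Administrator keeps a SID ending in -500 even if renamed.
                    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
                        Set-LocalUser -Password $Password
                }
            }
            [pscustomobject]@{ ComputerName = $computer; Password = $plain }
        }
    }

    # Dry run first: Set-UniqueLocalAdminPassword -ComputerName (Get-Content .\workstations.txt) -WhatIf
    ```

    The function returns the host/password pairs so they can be recorded; put them in a password vault rather than a plain file, and never reuse the domain admin password as input.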

  6. #26
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Sorry, forgot the desktop only thing. I posted that when I was waking up and...Sorry, heh.

  7. #27
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    MsMittens comes in and sticks a magnet over every hard drive

    HA!
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  8. #28
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Shall I add "Lead-lined cases" to the list?
    Chris Shepherd

  9. #29
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    When I did physical security in an old Boeing building they were renovating there were entire rooms lined with copper plating to stop any kind of surveillance. Maybe that would be helpful?

  10. #30
    Senior Member
    Join Date
    May 2003
    Posts
    159
    I guess a personal firewall solution for critical desktops is missing....

    Again we have listed down all technical points...

    Remember, your network is as secure as your weakest link. Many a time humans form this weakest link...

    So any best practice which ignores User training / awareness shall fall short of a complete defense program.

    Also a mention has to be there for backup solutions as well.... Remember the three fundamentals of Information Security...

    Confidentiality
    Which will include

    - Swap out Outlook Express for an alternate mail client. Perhaps Eudora or (my suggestion) Thunderbird.
    - Install a proxy, and block outbound connections from the machines themselves.
    - Disable all unneeded desktop shares.
    - Disable booting to removable media in the BIOS
    - Password protect the BIOS configuration.
    - Lock cases that have the ability to, and favour cases with such security features over ones that do not when looking at upgrading.
    Integrity

    - Configure desktops to log to a central logging server.
    - Utilize SUS to handle automated critical updates.
    - Set domain and local machine policies to restrict logon hours, local logons, etc.
    - All desktops should be set to lock the desktop after 10-15 minutes of inactivity.
    - Centralize and Homogenize the AV for the network. Consider alternatives to Symantec AntiVirus, as it does not update as frequently.
    But we are missing on the availability front...

    I guess it should include the following

    A proper backup solution for backing up the systems to the last good use... Proper backup of critical files on a separate network Server...

    Proper network design to ensure high uptime....

    Dependence on trusted carriers in event of mobile communications....
    ****** Any man who knows all the answers most likely misunderstood the questions *****
