Step 7: Secure the Registry
Hardening the registry is an often-overlooked security practice. By blocking access to registry keys that are likely to be used maliciously, you can significantly strengthen the security of any Windows computer.
Block write access to dangerous registry keys. Most malware wants to write a rogue startup program to your auto-run registry keys or startup folders. More than two dozen registry keys exist that can damage your computer if a bad program manages to write to them. To learn which registry keys are susceptible, run the Sysinternals freeware Autoruns utility (available from http://www.sysinternals.com/utilities/autoruns.html). Then, using NTFS permissions (yes, registry keys have permissions), make sure non-administrator users can read only those keys. And make sure to secure the HKEY_CURRENT_USER hives. HKEY_LOCAL_MACHINE isn't the only dangerous hive.
Block unneeded file associations.Firewalls work on a deny-by-default rule. Why shouldn't our desktops? Typically, any file (and file extension) that reaches the desktop can launch its associated program. This is how VBS email worms are launched and executed by Windows Script Host (WSH—wscript.exe), even though most administrators don't use VBS to manage their environment (or if they do, they could use another file extension instead). Should regular end users be able to execute every Control Panel application (.cpl), batch file (.bat or .cmd), or scrap file (.shs) they receive in email? Do these files have a legitimate use in your organization? If not, lock 'em out. You can find most file associations in HKEY_CLASSES_ROOT or HKEY_COMPUTER_USER. Make a list of the file types you don't want your end users to be able to execute. Then, use registry NTFS permissions defined in a GPO to take away their Read and Write permissions (after running the changes in a test environment). You'll be glad you did.
Step 8: Convert All Email HTML Content to Plain Text
You will never stop the onslaught of spam, spyware, and hacking if you allow anything but plain-text content to be delivered in email. Using whatever mechanism you have at your disposal (you can enable plain-text-only capability in Outlook 2000 and later), force all email to be plain text. If doing so ruins someone's beautifully constructed HTML email, too bad! This is a war against malware, and being nice is for people who don't mind troubleshooting machines all day long.
Step 9: Use Firewalls and Antivirus, Antispam, and Antispyware Solutions
The days of running only a perimeter-based firewall are over. Internet worms frustrated at the front door are sneaking in on remote VPNs, vendor PCs, and roaming laptops. Every PC should be protected by a host-based, or personal, firewall. Windows Firewall (or Internet Connection Firewall—ICF) is perfect for the job. Forget what you may read from critics— Windows Firewall works and works well. It will deny by default all incoming connections not initiated previously by an outgoing connection. This functionality defeats malicious mobile code beating on the door.
Although firewalls and antivirus programs won't stop all bad programs from getting to your desktop, they do a good job of preventing most of the threats. You should always have an antivirus program running on your network, if not directly on hosts, as well as on the email server or Internet gateway. You will need antispam and antispyware programs, as well. Some vendor products combine antivirus, antispam, and antispyware functionality into one program. However, I've found that in practice, no single program has done a very good job with protection on all three fronts at once. On the bright side, I see some of the major players getting better and better at combining the functionality—I just wish I didn't have to buy four different products while these vendors get up to speed.
Step 10: Keep Patches Up-to-Date
Very few zero-day vulnerabilities are introduced each year. A few exist, and they are increasing in number, but you can avoid most exploits by keeping current on patching. There are dozens of good vendors to choose from. Consider using Microsoft's free Windows Server Update Services (WSUS—http://www.microsoft.com/windowsserversystem/updateservices/default.mspx) to patch Windows software. Unfortunately, good patching practice includes keeping all applications, firmware, hardware patches, and device drivers updated.
As Strong As It Gets
Although all these steps can seem like lot of work, you'll spend far more time and effort if you must constantly detect and remove spyware and worms. When you implement these 10 steps, your network will be significantly less susceptible to malicious mobile code and hackers. You'll not only find infection much less often, but you'll discover that a nice benefit of instituting this type of control is that all the other problems "the user didn't cause" will be minimized too. As every administrator knows all too well, flexibility is the antithesis of security and reliability.
To be honest, even if you implement all 10 steps, you won't realize perfect security—nothing can guarantee that for you. PCs will always be vulnerable to zero-day exploits, and networks will always have end users who can't resist installing every program they find on the Internet, opening every file attachment, and clicking on every link. But starting here will put you well on the way to making desktop security in your enterprise as strong as it can be.
End of Article
)
Register
schmida October 21, 2005 (Article Rating: