Security Everywhere: One Unmanaged Desktop Is All It Takes

By ISBuzz Team | June 18, 2014 | Updated: May 2, 2025 | 5 Mins Read

An unpatched and unmonitored Windows desktop is an open gateway for viruses and trojans to sneak onto your network. Besides malware, these desktops can also act as a portal for malevolent users to steal or delete critical company data. If a criminal hacker can access your machine, they will try different options to steal company data or gain access to your network looking for bigger prizes.

Let’s look at the basic steps you need to take to secure your desktops.

OS and third party vulnerabilities

Mark the first Tuesday of every month on your calendar: this is Microsoft’s ‘Patch Tuesday,’ the day Microsoft releases new security fixes for consumers and enterprises. Microsoft recently announced the MyBulletins site to help personalize and track security updates for your MS products, including IE, Office, Server and Developer tools. The MyBulletins site is a great tool for small and medium-sized businesses looking to track the status of deployed software and save on costs.

For enterprises and mixed environments, Microsoft’s System Center Configuration Manager provides remote control and software and patch deployment/management for Windows, Unix/Linux and OS X. Other popular software management solutions include Symantec’s Altiris. But patching the base OS is only the first step…

If you don’t have your desktops locked down and allow users to install applications, then there will be unpatched third party software programs, some with malware attached, sitting on your enterprise. If you can’t restrict local admin rights, then take the necessary defensive steps to neutralize your environment:

1)    Deploy and update antivirus and anti-malware software on the desktops. Find an established product that also offers rootkit and keylogger detection. A few free Windows options include Defender on Win8, MSE on Vista & 7. For an independent summary of AV solutions, check out http://www.av-comparatives.org/

2)    Perform daily malware scans for known software threats and rootkits using a third party solution or free solutions such as Microsoft’s Malicious Software Removal Tool or Windows Defender Offline.

3)    Proactively keep on top of updates for third party software, including Java, Adobe Reader and Flash. These common applications, in use everywhere, are responsible for more than half of the vulnerabilities exploited by malware.

Set a desktop idle time-out lock

Institute a policy to lock desktops automatically after a certain number of minutes of inactivity. There are differing opinions, and situations, that call for a timeout from five minutes to fifteen. Depending on the proximity of the desktop to publicly exposed areas, and the confidentiality of the data on the desktop, best practices for timeout will vary.

Encrypt the hard drives

For Windows users, there are a few free options including BitLocker from Microsoft and CompuSec from CE-InfoSys. For OS X, the option is FileVault. For best practices, keep your encryption passwords separately stored and offsite in a secure location. In enterprise environments, look at the BitLocker MBAM tool. It allows for detailed management, key recovery, compliance monitoring and reporting.

– Note that as of May 28, 2014, the freeware drive encryption software TrueCrypt has been deemed insecure and should not be used.

Lock down USB ports

Unsecured USB ports are an invitation to hackers to upload key loggers or provide access to steal data. Locked USB drives should be the default rule, not the exception. With Windows registry changes or group policy objects, storage devices can be blocked from USB mounting while keyboards, mice and printers can still be plugged in and connected. For more flexible enterprise options, products such as USB Lock RP provide extended USB port management and USB encryption options.
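
A read-only way to check three of the controls above (idle lock, drive encryption, USB storage) on a Windows desktop, as an added example that is not part of the original article. The 15-minute ceiling and the registry values it reads are this example's assumptions, as is the idle lock being enforced through the machine inactivity limit policy; run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only audit of three desktop controls from this article.
# Assumption: 15 minutes is the upper end of the article's 5-15 minute range.
$MaxIdleSeconds = 15 * 60

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

# 1. Idle lock: "Interactive logon: Machine inactivity limit" policy value.
$idle = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$findings += [pscustomobject]@{
    Control = 'Idle lock'
    Value   = if ($null -eq $idle) { 'not set' } else { "$idle s" }
    Pass    = ($null -ne $idle -and $idle -gt 0 -and $idle -le $MaxIdleSeconds)
}

# 2. Disk encryption: every volume BitLocker reports should have protection on.
try {
    $unprotected = @(Get-BitLockerVolume -ErrorAction Stop |
        Where-Object { $_.ProtectionStatus -ne 'On' })
    $findings += [pscustomobject]@{
        Control = 'BitLocker'
        Value   = if ($unprotected) { ($unprotected.MountPoint -join ',') + ' unprotected' } else { 'all volumes protected' }
        Pass    = ($unprotected.Count -eq 0)
    }
} catch {
    # Cmdlet missing or not elevated: report as a failure rather than skipping.
    $findings += [pscustomobject]@{ Control = 'BitLocker'; Value = "cannot query: $($_.Exception.Message)"; Pass = $false }
}

# 3. USB mass storage: blocked if the USBSTOR driver is disabled (Start = 4)
#    or the removable-storage "deny all access" policy is set. Keyboards, mice
#    and printers use other drivers and are unaffected by either setting.
$usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
$denyAll  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
$findings += [pscustomobject]@{
    Control = 'USB storage'
    Value   = "USBSTOR Start=$usbStart; Deny_All=$denyAll"
    Pass    = ($usbStart -eq 4 -or $denyAll -eq 1)
}

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) { exit 1 }   # non-zero exit for schedulers
```

The script changes nothing on the machine, so it can be scheduled across desktops and the non-zero exit code used to flag hosts that have drifted from policy.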

Password Protect BIOS / Boot Loader

Modern PCs have the ability to password protect the system BIOS. Consider this the critical first step to take to help secure your desktops from compromise. As with all passwords, try not to use one standard password across all desktops, and don’t use the same BIOS password as your Windows admin password.

Add network port security

Imagine visitors coming into your workplace and plugging their personal laptop into your network. Often it’s an innocuous salesperson or contractor who only wants to get internet access at work, but unchecked, their personal PC can act as an open portal for malware and network infiltration. The easiest way to manage which machines are allowed to connect on your network ports is to configure port security at the switch. Work with your network administrators to implement a strategy for port security and you’ll have one less worry about rogue devices connecting into your LAN.

Secure Physical Access

Require use of cable locks on laptops, and in less secure public areas, desktops. Make sure the cable lock is secured to a solid, reinforced stationary object. Looping it around the leg of a desk that can be easily moved won’t provide any protection.

Finally, implement a company-wide computer security training module and consider hosting computer security training seminars across the enterprise. Inspire employees to take a proactive approach to best-practice computer use.

Happy and Safe Computing!

By Brian Thomas

Passionate professional with 17 years’ experience providing Tier-4 data solutions in all disciplines of IT including Network/Server administration and Information Security. Proven experience in HIPAA, ISO 27001 and PCI compliance.

https://twitter.com/InfoSec_Brian

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.