
Securing the Desktop Brings Peace of Mind

Would you be surprised to learn that the greatest security risk to most firms is probably their own users?  IT security has traditionally concentrated on preventing unauthorized users from gaining access.  But what are we doing to prevent our own users from compromising security once they have access?  Although intentional security breaches probably happen with alarming frequency inside the firm, the risk of unintentional security breaches is far higher.  The good news is that there are some simple things you can do to mitigate this risk.  One of those things is to implement key controls over what happens on the firm’s PCs.

What Are the Risks?
In many firms, once a user has authenticated to the network, he or she has relatively unchecked access to information.  That also means that any malware (i.e., a virus, Trojan or spyware) that somehow found its way onto that PC also has that same access.  The potential for access or damage is limited only by the resourcefulness of those who devise such malware, many of whom are very creative and intelligent!  Address books can be mined and used.  Files can be copied or deleted.  Outsiders may even gain complete control of a PC.

What Can Be Done?
There are a multitude of things you can do to improve desktop security, but if you do nothing else, heed these three.

Restrict Outbound Internet Access
Why?  Those who write malware know that most organizations allow users to have access to anything on the Internet.  With unrestricted Internet access, malware can be unintentionally downloaded and run on the target PC, and can then communicate out through the corporate firewall.

How?  Reconfigure your firewall.  Deny all outbound traffic, then add exceptions to control the access people need.  Use your firewall’s proxy services, not just packet filters.  That helps to prevent open outbound ports (like port 80 for Web traffic) from being used in unexpected ways.  This does require some discovery and experimentation, but once you start paying attention, you might be surprised to find what your users are actually doing on the Internet!
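
A dry run of the deny-all-plus-exceptions policy against logged outbound traffic, useful during the discovery phase. This is an added example, not part of the original article; the addresses, the CSV layout and the exception list are constructed assumptions, and Get-DeniedFlow is a hypothetical helper.

```powershell
# Outbound flows as they might be exported from a firewall log during discovery.
# Constructed sample data (documentation address ranges), not real traffic.
$flows = @'
src,dst,port,proto
10.0.0.3,203.0.113.10,443,tcp
10.0.0.5,203.0.113.25,25,tcp
10.0.0.2,192.0.2.53,53,udp
10.0.1.21,198.51.100.7,6667,tcp
10.0.1.34,203.0.113.99,25,tcp
10.0.1.34,203.0.113.98,25,tcp
10.0.1.40,198.51.100.80,80,tcp
'@ | ConvertFrom-Csv

# Candidate exceptions (hypothetical): only the proxy, the mail server and the
# DNS forwarder may reach the Internet; workstations must go through the proxy.
$exceptions = @'
src,port,proto,why
10.0.0.3,80,tcp,web proxy
10.0.0.3,443,tcp,web proxy
10.0.0.5,25,tcp,mail server
10.0.0.2,53,udp,DNS forwarder
'@ | ConvertFrom-Csv

function Get-DeniedFlow {
    param($FlowList, $ExceptionList)
    # Index the exceptions as "src/port/proto" keys for exact matching.
    $keys = @{}
    foreach ($e in $ExceptionList) {
        $keys["$($e.src)/$($e.port)/$($e.proto)"] = $true
    }
    # Anything without a matching exception falls through to the default deny.
    $FlowList | Where-Object {
        -not $keys.ContainsKey("$($_.src)/$($_.port)/$($_.proto)")
    }
}

# Summarize what default-deny would block: one row per source and service.
Get-DeniedFlow -FlowList $flows -ExceptionList $exceptions |
    Group-Object src, port, proto |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each row in the result is either a legitimate need that deserves a documented exception or traffic that should not leave the network, such as a workstation sending mail directly or browsing around the proxy.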

Restrict Use of the Administrators Group
Why?   Administrators have full control of the PC, which also means any malware a user may click on also has full control.  That reason alone is enough to restrict user access, but if you need more:

Administrators can install anything, which raises several concerns.  Someone other than the end user should be making decisions about what hardware and software is installed on the firm’s PCs.

Administrators can access other users’ local data.  If the PC is used by more than one person, or even if someone logs onto it once, there is personal data stored there.

How?  Just make sure user accounts are not in the local Administrators group!  Windows was designed to work this way, but many people bypass this feature.
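
One way to check a PC for this, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember); the function name Get-UnapprovedLocalAdmin and the list of approved RIDs are hypothetical and should reflect your own policy.

```powershell
function Get-UnapprovedLocalAdmin {
    param(
        # Assumption: only these principals belong in the group.
        # RID 500 = built-in Administrator account, RID 512 = Domain Admins.
        [long[]]$ApprovedRid = @(500, 512)
    )
    # S-1-5-32-544 is the well-known SID of the local Administrators group;
    # using it avoids depending on the group's localizable display name.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        # The RID is the last component of the member's SID.
        $rid = [long](($m.SID.Value -split '-')[-1])
        if ($ApprovedRid -notcontains $rid) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Type     = $m.ObjectClass       # User or Group
                Source   = $m.PrincipalSource   # Local, ActiveDirectory, ...
            }
        }
    }
}

# Every row returned is an account or group that has full control of this PC
# without being on the approved list.
Get-UnapprovedLocalAdmin | Format-Table -AutoSize
```

An empty result means only the approved principals are administrators on that machine; members of type Group are worth expanding, since a broad group nested here makes all of its users administrators.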

Manage the Patching Process
Why?  Microsoft releases security patches on a regular basis to correct vulnerabilities, and you must apply them in order for them to work.

How?  Use Software Update Services (or the soon-to-be-released Windows Server Update Services).  This free software package will allow you to control exactly which patches your PCs get and when they get them.  This is a bandwidth saver as well; there is no need for all of your PCs to download the same patch over the Internet when you can do it once.

Caveats
There are a few downsides to securing the desktop, however.  For example:

Poorly-written software (typically older applications) may expect to run with Administrator privileges, and may not operate correctly if run as a normal user.  This can usually be remedied by granting specific file and registry permissions to the Users group.  Finding the exact permissions required may take a bit of digging, though, especially for legacy applications.

Microsoft’s definition of what a regular user should be able to do may differ from yours.  Most of these differences are easily rectified, but you may find one or two that are more difficult.  An example is installing local printers:  A regular user cannot install a local printer, which can be a problem for laptop users.

You can expect some backlash from users who feel restricted and untrusted.  You need to explain that the goal is not to restrict them, but to prevent the unintentional damage that could be caused by a virus hijacking an account with unrestricted access.  Diplomacy and tact are key here.

Case Study
McInnes Cooper is a regional firm in Atlantic Canada with about 150 lawyers and 350 total users across six offices.  In 2003, the firm was using Novell NetWare and had a variety of tier-1 desktops and laptops, as well as many clone desktops running Windows 95, 98, ME, NT 4.0, 2000 and XP.  During that year, the firm migrated from NetWare to Active Directory, standardized on Windows XP on the desktop and replaced all clone hardware with tier-1 desktops.  A standard desktop was implemented, using all three of the recommendations above (and dozens more).  Some of the results:

Reliability has improved dramatically.  A standardized and controlled desktop means there are far fewer things to go wrong, and the user has less opportunity to “experiment.”  As an indicator, the helpdesk ticketed 272 calls in December 2002, and 131 in December 2003.

There has not been a single virus outbreak since implementation of a managed desktop (knock wood!).

Administration is far easier.  A user can be assigned a fully-patched and custom-configured version of Microsoft Office in seconds and have it fully functional in minutes.  Rolling out the latest Office service pack to every PC in the firm takes about an hour of IT time.  Critical Windows Updates are installed on every PC throughout the firm, with about five minutes of IT effort weekly.  Users are sometimes required to reboot, but need do nothing else.

Securing the firm’s desktops has brought us greater ease of administration and greater peace of mind.

Resources
Firewall egress traffic filtering:
http://hhi.corecom.com/egresstrafficfiltering.htm

Microsoft’s thoughts on managing Windows XP desktops:
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prda_dcm_xkxu.asp

Microsoft’s patch management software:
http://www.microsoft.com/windowsserversystem/wus/default.mspx

About our author . . .

Shane T. Callaghan is a Chartered Accountant and IT management consultant specializing in infrastructure services and information security.  He manages technology and telecommunications for McInnes Cooper in Atlantic Canada.  Shane can be reached at shane@lanmark.ca.
