Going It Alone: How Mobile PCs Protect Themselves Outside of the Network
By Tony Bradley, Microsoft Security MVP
In an increasingly mobile world, where even ‘desktop’ users are issued laptop computers so they can take their work home with them, the traditional concept of a network perimeter holds little value. While on the corporate network, users are protected by the enterprise firewall, antivirus, spam filtering, network access control, authentication, and other security controls. But once they leave, they are islands unto themselves and must be able to hold their own in a hostile world of malware and malicious attacks. This article examines the security features built into Windows Vista and how you can use them to help mobile computers remain secure outside of the corporate network.
The laptop has increasingly replaced the desktop as the hardware platform of choice. Many organizations have embraced alternative and flexible work arrangements, allowing employees to work hours outside of the established “standard” work week and to work remotely from home or the coffee shop on the corner if they choose. Some organizations are more draconian in their stubborn allegiance to the work week, but still provide laptops so that employees can feel free to work additional night and weekend hours as needed.
Regardless of the reasoning for migrating from the desktop to the laptop, the mobile computing platform introduces security risks and unique challenges that don’t exist for computers that stay put safely within the confines of the corporate offices. Computers that are connected inside the company network are protected by perimeter firewalls, gateway antivirus, intrusion detection systems, and other enterprise class security solutions that exist at the network level to shield the desktops (or laptops) from ever seeing most threats.
Once an employee takes their laptop and leaves, they are on their own. The laptop becomes an island unto itself and must be able to defend itself against malware, unauthorized access, and other malicious activities. The added buffer provided by the enterprise network security is gone and the laptop itself must provide the defense-in-depth necessary to protect itself.
If you have to defend an island, it is better to choose the one in shark-infested waters, surrounded by a barrier reef, with forbidding rock walls towering into the sky rather than the one that anyone in a rowboat can paddle up to and walk onto the beach. In that regard, a Windows Vista laptop provides a significantly more secure foundation than laptops running previous versions of Microsoft Windows, or even other operating systems.
Windows Vista was developed using Microsoft’s Trustworthy Computing initiatives. It is the most secure version of the Windows operating system Microsoft has created for endpoint systems. Let’s take a look at some of the components that go into Windows Vista’s security, and why Windows Vista should be the operating system of choice when securing your mobile computer is a priority.
The Microsoft Security Development Lifecycle (SDL) is a software development process that is part of Microsoft’s Trustworthy Computing initiative. As Windows Vista was being developed, it had to pass through a variety of quality checks designed to identify and resolve security issues proactively. Microsoft also conducted internal code analysis and threat modeling, and engaged third-party developers from outside of Microsoft to validate the code as well. The result is that Windows Vista has fewer vulnerabilities overall than previous operating systems, and the vulnerabilities that are found generally have a lower impact.
When an attacker is developing malware or trying to create an exploit that will allow them to gain unauthorized access to a system or perform malicious activities, they need to know where certain functions and data structures exist in memory. In previous operating systems these memory addresses were static and predictable, so they could be discovered once and reused. With Address Space Layout Randomization (ASLR), the memory locations of key functions and processes are randomized, making a successful attack significantly more difficult.
One of the most common forms of exploit is the buffer overflow. These attacks can be executed against poorly written code and result in an attack or malicious software executing in an area of memory that should contain only data. Data Execution Prevention (DEP) identifies those areas that are marked for data and protects the system by refusing any attempt to run code from a designated data area.
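Both protections only cover binaries that opt in: on Windows Vista, ASLR relocates only images linked with /DYNAMICBASE, and the default OptIn DEP policy applies to 32-bit processes only when they are linked with /NXCOMPAT (or explicitly enabled), while 64-bit processes always get DEP. The PowerShell function below is an added example, not code from the article, that reads the PE optional header of a file and reports these flags; the function name and property names are my own.

```powershell
# Added example (not from the article): reads the PE optional header to see
# whether an executable or DLL opted in to ASLR (/DYNAMICBASE) and DEP
# (/NXCOMPAT). Works on PowerShell 2.0 or later.
function Get-PeMitigationFlags {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: 'MZ' magic, e_lfanew (file offset of the PE header) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "Not an MZ executable: $Path"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # 'PE\0\0' signature read as a little-endian UInt32 is 0x00004550
    if ($bytes.Length -lt ($peOffset + 96) -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "PE signature missing or header truncated: $Path"
    }
    # Optional header follows the 4-byte signature and the 20-byte COFF header;
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    $optHeader = $peOffset + 4 + 20
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    $dllChars  = [BitConverter]::ToUInt16($bytes, $optHeader + 70)

    New-Object PSObject -Property @{
        Path            = $Path
        Is64Bit         = ($magic -eq 0x20B)               # 0x10B = PE32, 0x20B = PE32+
        AslrDynamicBase = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        DepNxCompat     = [bool]($dllChars -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        NoSeh           = [bool]($dllChars -band 0x0400)   # IMAGE_DLLCHARACTERISTICS_NO_SEH
    }
}

# Example run over the first 20 system DLLs; a third-party application or
# plug-in DLL that reports False here runs without ASLR and/or DEP.
Get-ChildItem "$env:windir\System32\*.dll" | Select-Object -First 20 |
    ForEach-Object { Get-PeMitigationFlags -Path $_.FullName } |
    Format-Table Path, Is64Bit, AslrDynamicBase, DepNxCompat, NoSeh -AutoSize
```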
The Windows Vista firewall is greatly improved over the firewalls found in previous versions of Microsoft Windows. First, the Windows Vista firewall monitors and restricts both inbound and outbound traffic. Monitoring outbound traffic can help to block or identify suspicious behavior on your system if the computer does become compromised. In addition, the Windows Vista firewall provides more granular control and customization for enabling the ports and programs that need to communicate through the firewall.
Microsoft has built spyware protection right into the operating system with Microsoft Windows Defender. Windows Defender monitors your system and protects against known spyware threats and other unwanted software. Microsoft regularly updates the database of signatures to ensure that Windows Defender can identify and block the latest threats.
It seems that there is a news headline almost weekly about a lost or stolen laptop compromising thousands or millions of employee or customer records. Laptops can contain hundreds of gigabytes of sensitive and confidential information and they are relatively easy to lose or steal. Microsoft created BitLocker disk encryption for some versions of Windows Vista to ensure that the data on the system is secure even if the laptop falls into the wrong hands. With BitLocker enabled, only authorized users will be able to unlock the system and decrypt the data.
The world of computing is increasingly web-based, which also means that threats and attacks are increasingly web-based as well. With Windows Vista, Microsoft introduced WIL (Windows Integrity Levels), which assign mandatory access restrictions to users, data, and processes. By default Internet Explorer runs at a Low Integrity level in a state called Protected Mode. Protected Mode protects the system by ensuring that any malware or exploits encountered via the Web are unable to affect the operating system or core functionality.
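The firewall, Windows Defender, BitLocker, and Protected Mode features described above can all be checked from the laptop itself. The script below is an added example, not code from the article, that audits a Windows Vista machine for each of them plus the system DEP policy; run it in an elevated PowerShell 2.0 session. The function name is my own, and the BitLocker WMI namespace exists only on editions that ship BitLocker, which the script treats as a reported condition rather than an error.

```powershell
# Added example (not from the article): audit one laptop for the controls the
# article describes. Requires an elevated PowerShell 2.0 or later session.
function Get-MobileSecurityPosture {
    $result = @{}

    # DEP system policy from Win32_OperatingSystem: 0 AlwaysOff, 1 AlwaysOn,
    # 2 OptIn (the default; covers only opted-in 32-bit apps), 3 OptOut.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $result.DepPolicy    = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    $result.DepAvailable = [bool]$os.DataExecutionPrevention_Available

    # Windows Firewall state per profile via the Vista INetFwPolicy2 COM interface.
    # DefaultOutboundAction: 0 = block, 1 = allow. Note that outbound traffic is
    # allowed by default; outbound filtering only blocks what rules tell it to.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($fwProfile in @{ Domain = 1; Private = 2; Public = 4 }.GetEnumerator()) {
        $result["Firewall$($fwProfile.Key)"] = [bool]$fw.FirewallEnabled($fwProfile.Value)
        $result["OutboundBlockedByDefault$($fwProfile.Key)"] =
            ($fw.DefaultOutboundAction($fwProfile.Value) -eq 0)
    }

    # Windows Defender runs as the WinDefend service.
    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $result.DefenderRunning = ($defender -ne $null -and $defender.Status -eq 'Running')

    # BitLocker: Win32_EncryptableVolume.ProtectionStatus 0 = off, 1 = on, 2 = unknown.
    try {
        $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                                 -Class Win32_EncryptableVolume -ErrorAction Stop
        $result.BitLockerVolumes = ($volumes |
            ForEach-Object { "$($_.DriveLetter)=$($_.ProtectionStatus)" }) -join ';'
    } catch {
        $result.BitLockerVolumes = 'provider not present (edition does not ship BitLocker)'
    }

    # IE Protected Mode for the Internet zone (zone 3, value 2500: 0 = on, 3 = off).
    # Protected Mode also depends on UAC being enabled (EnableLUA = 1).
    $zone = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue
    $uac  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $result.IeProtectedMode = (($zone.'2500' -eq 0) -and ($uac.EnableLUA -eq 1))

    New-Object PSObject -Property $result
}

Get-MobileSecurityPosture | Format-List
```

Any False, OptIn with unprotected 32-bit applications, or a BitLocker volume reporting 0 is a gap the laptop carries with it once it leaves the corporate network.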
By adding third-party software and applications, it is possible to provide additional layers of security for laptops running other operating systems or previous versions of Microsoft Windows. However, even with those additional reinforcements, those operating systems aren’t equipped with built-in features like ASLR and DEP.
Running Windows Vista on your laptops means that the operating system is more secure by default and that defense-in-depth is built in to the foundation of the computer. If you have to defend an island, pick the one with the most natural defenses already in place and work from there.
Tony Bradley is a CISSP, Microsoft MVP, and a Director with Evangelyze, a Microsoft Partner focused on consulting, research & development, and training primarily in the areas of unified communications and VoIP (Voice over IP) products and services. A respected expert and author in the field of information security, Tony contributes regularly to a variety of web and print publications, and has written or co-written 8 books. In addition, he is the face of the About.com site for Internet/Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. He has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.