Security MVP Article of the Month – June 2009
by Debra Littlejohn Shinder, Microsoft MVP (Enterprise Security)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Creating a secure computing environment is a multi-layered
process. Previous articles have discussed securing the network and securing the
server; in this article, we turn our attention to the element closest to the
end user: the client computer. An
Internet-connected client is exposed to a wide variety of threats, but
Microsoft security technologies can protect against the threats posed by
attacks, intrusions, malware and more. The keys to keeping clients safe are
proper configuration settings, secure application development, and deployment
of the appropriate security mechanisms based on how and where the client
computer is used.
Client Security Basics
For best security, client computers in the business
environment should be joined to a Windows domain. This allows the clients to
benefit from the security technologies built into the Active Directory and
subjects them to domain Group Policy Objects.
Regardless of environment and circumstances, all client
computers should meet basic security requirements:
- Have current security updates installed and be
configured to automatically update, either through the Windows Update web site
or through Windows Server Update Services (WSUS).
- Have a host firewall (such as Windows Firewall)
enabled and configured
- Have anti-spyware software enabled
- Have an anti-virus solution deployed
Forefront Client
Security (FCS) can provide policy-based protection against spyware and viruses
with centralized management that integrates with the Windows domain infrastructure
and the Windows Vista Security Center, and interoperates with Network Access
Protection (NAP) to ensure that the security agent is updated and active
protection is enabled before the client is allowed to connect to the network
remotely. The agent software is
installed on the client, and then administrators can manage the clients from a
centralized management server. FCS SP1
provides the ability to run the agent and the management console on Windows
Server 2008 Hyper-V.
The FCS agent is currently supported on the following client
operating systems:
- Windows 2000 Professional with SP4 and Update
Rollup 1
- Windows XP SP2 or later (Home, Professional and
Tablet PC editions)
- Windows Vista SP1 or later (Business, Enterprise
or Ultimate editions)
Both 32-bit and 64-bit versions of the operating systems are
supported. FCS v2.0 (currently in beta) will also be supported on Windows 7
Professional, Enterprise and Ultimate editions. FCS v1 will run on the Windows 7 Beta/RC, but
is not officially supported at the time of this writing. For more information
about FCS, see http://www.microsoft.com/forefront/clientsecurity/en/us/default.aspx.
Multi-factor Authentication
Access to the client computer and the company network is
granted only after the user’s identity has been authenticated. Most
organizations still depend on passwords for authentication, but passwords can
be cracked via technological means or obtained through social engineering
tactics. For best security, users should be required to provide multi-factor
authentication. Two types of multi-factor authentication supported by Windows
client operating systems are:
- Smart card authentication
- Biometric authentication
Smart Card Authentication
Windows XP, Windows Vista and Windows 7 support smart card
logon, including for terminal services users. Smart cards are certificate-based, and Windows
Vista enabled support for a wider range of certificates and removed some of the
requirements for smart cards that were present in XP (CRL as a required field,
Enhanced Key Usage and Subject Alternative Name as required fields, Key
Exchange field); however, the changes are not enabled by default because the
restrictions comprise best security practices.
For more information about the changes to smart card authentication in
Vista, see http://technet.microsoft.com/library/cc721959(WS.10).aspx
Windows 7 further increases smart card support and makes
smart cards easier to deploy, enabling use of cards made by vendors who have
published their drivers through Windows Update without the need for middleware.
This is in keeping with the National Institute of Standards and Technology’s
PIV (Personal Identity Verification) standard. Windows 7 attempts to download
the driver when you insert a PIV smart card into the reader, and if it can’t be
found, will use a PIV-compliant minidriver that’s included with the operating
system.
Windows 7 users can authenticate to the Windows domain with
a smart card, using the PKINIT protocol, with no need to install or configure
additional software. With Enterprise and
Ultimate editions of Windows 7, a smart card can be used to unlock a
BitLocker-encrypted removable drive. For
more information on new smart card features in Windows 7, see
http://technet.microsoft.com/library/dd367851(WS.10).aspx
Biometric Authentication
While not entirely foolproof, authentication based on unique
physical characteristics – such as fingerprints, retina or iris patterns,
facial features and bone structure, or DNA – provides the most accurate form
of identity verification. Biometrics
can be used in conjunction with a smart card or username/password credentials
or a PIN.
Many Vista laptops come equipped with a fingerprint scanner
and loaded with biometric software that enables the user to log on by swiping a
fingerprint in lieu of entering a username and password. However, this requires third-party software
such as the UPEK Protector Suite QL, which runs on both 32-bit and 64-bit Windows
Vista and is also backward compatible with Windows XP and even Windows 2000.
Microsoft has gotten serious about biometric support in Windows 7, providing
the Windows Biometric Framework with a common API to make fingerprint based
applications easier to integrate. There
is now a Control Panel applet through which you can manage fingerprint sensors
and register users’ fingerprints and associate the saved prints with the users’
accounts. You can choose to allow users to log onto Windows and/or the domain
using fingerprints. Use of biometric data can also be enabled, disabled or
limited through Group Policy settings.
To find out more about the Windows Biometric Framework’s
components and how developers can use the WBF to enable fingerprint support in
applications, see
http://www.microsoft.com/whdc/device/biometric/default.mspx
Secure Application Development
Regardless of how secure the operating system is or how well
protected the network may be, the client is not safe unless the applications
that run on it are designed with security in mind, as well. Otherwise they will
either introduce security vulnerabilities or fail to work because of OS
security restrictions. Application code should be written to a
set of security standards and reviewed to ensure that it complies with best
security practices.
With User Account Control (UAC), Windows Vista applied the principle of
least privilege to the client: users should have only the privileges
necessary to perform their tasks, and no more. Thus applications
should be designed to run with least privilege, to prevent malware from
gaining access to administrative privileges where it can do more damage.
Develop applications to run under a standard user account unless higher privileges are
required for administrative tasks, accessing system files and registry keys,
etc. The application’s user interface
should be designed for UAC compatibility.
For information about designing applications for Windows
Vista’s security environment, see http://msdn.microsoft.com/library/aa905330.aspx
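As an added illustration (not code from the article or from the linked MSDN guidance), this is the application-manifest fragment through which an application tells UAC what privileges it needs; `asInvoker` is the least-privilege choice, so the program runs with the standard user token and never triggers a prompt, whereas `requireAdministrator` would force elevation on every launch:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Added example manifest: declare least privilege explicitly so UAC does not
       guess (legacy heuristics) and the app is not elevated unnecessarily. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the caller's standard token (least privilege).
             Alternatives: highestAvailable, requireAdministrator (prompts). -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

Administrative tasks that genuinely need elevation belong in a separate process or COM component marked `requireAdministrator`, so the main application keeps running as a standard user.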
Windows Vista introduced the Windows Sidebar, where users
can install desktop gadgets. These are small applications that can give you
information such as weather forecasts, calendar information, system information
(processor and memory usage, hard disk space free/used, etc.), unit conversion
information, and much more. Windows 7 does away with the sidebar but retains
the gadget concept, allowing them to be placed anywhere on the desktop.
Gadgets can use HTML, JavaScript or ActiveX controls, which
can be exploited by attackers just like other programs using these
technologies. Gadgets can be vulnerable to cross-site scripting and other
malicious exploits that can pose serious security risks. Gadget developers
should validate all untrusted input, such as the data that comes from an
ActiveX control. In fact, data that comes from external sources should never be
considered trustworthy. For best
security, gadgets can be developed using Silverlight or Windows Presentation
Foundation (WPF) instead of HTML, to prevent injection attacks. For more
information about ensuring that your gadgets are developed in a secure manner,
see http://msdn.microsoft.com/library/bb498012.aspx
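As an added example (not code from the article or from Microsoft's gadget guidance), the JavaScript below shows the unsafe pattern an HTML gadget might use to render an item from an external feed beside a hardened rendering that escapes the text and allows only http(s) links; the feed item and its payloads are constructed here for illustration.

```javascript
// Added example: rendering untrusted feed data inside an HTML/JavaScript gadget.
// Constructed sample item standing in for data fetched from an external source
// (an RSS feed, a web service or an ActiveX control); the payloads are illustrative.
const untrustedItem = {
  title: 'Rain tomorrow <img src=x onerror="alert(1)">',
  link: 'javascript:alert(document.cookie)',
};

// UNSAFE: concatenating untrusted strings straight into markup lets the feed
// inject script into the gadget's HTML (the cross-site scripting risk in the text).
function renderUnsafe(item) {
  return '<a href="' + item.link + '">' + item.title + '</a>';
}

// Escape the characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow only absolute http(s) URLs; javascript:, data:, vbscript: and relative
// or unparseable values are replaced with an inert placeholder.
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    if (url.protocol === 'http:' || url.protocol === 'https:') return url.href;
  } catch (e) {
    // not a parseable absolute URL
  }
  return '#';
}

// HARDENED: every untrusted field is validated or escaped before it reaches markup.
function renderSafe(item) {
  return '<a href="' + escapeHtml(safeUrl(item.link)) + '">' +
    escapeHtml(item.title) + '</a>';
}

// Summarise whether the injected tag and the javascript: link survive each path.
function demo() {
  const unsafe = renderUnsafe(untrustedItem);
  const safe = renderSafe(untrustedItem);
  return {
    unsafeHasTag: unsafe.includes('<img'),
    safeHasTag: safe.includes('<img'),
    safeHasJsLink: safe.includes('javascript:'),
    safe: safe,
  };
}

console.log(demo());
```

The same escaping applies wherever a gadget writes feed data with innerHTML; writing to textContent instead avoids the markup problem entirely for plain text.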
Web Browser Security
The web browser is one of the most commonly used
applications on most client computers and thus a favorite target of attackers,
so browser security is of utmost importance.
IE7 Security
Internet Explorer 7 (IE7), as Microsoft’s first browser to
be entirely developed according to the Security Development Lifecycle (SDL)
process, introduced many new security features, including:
- Protected Mode (available in Windows Vista but
not in IE7 on Windows XP), which runs IE with very low rights and writes only
to the temporary Internet files directory and a limited part of the registry
unless explicit user permission is given
- ActiveX opt-in, which means most ActiveX
controls are turned off by default to keep attackers from exploiting controls
that don’t need to be exposed to the Internet
- The phishing filter
- Inclusion of an address bar in all windows,
including pop-up ones, to protect against malicious sites not displaying their
URLs
- A newly designed URL handler that parses data
more consistently to reduce exploits
For more information about IE7 security features, see
http://technet.microsoft.com/library/cc512583.aspx
You can further harden IE7 by changing the default Security
settings (Internet Options | Security tab) to disable active scripting,
disallow status bar updates via scripts, disable XAML, disable running of
ActiveX controls, disable launching of programs and files in an IFRAME, etc.
However, for best browser security, upgrade to Internet Explorer 8 (IE8).
IE8 Security
IE8 further extends the security focus by increasing the
effectiveness of the phishing filter to block known malware sites and
potentially dangerous downloads with SmartScreen, a reputation-based
technology. Users can report unsafe web sites to be added to the database after
verification.
Additional security mechanisms in IE8 include:
- XSS Filter, which seamlessly blocks “type 1”
cross-site scripting attacks that take advantage of XSS vulnerabilities that
exist in many web sites without requiring action on the part of the user. For
more information on the XSS filter, see
- “ClickJacking” defenses, which protect against a
technique that tricks users into unknowingly initiating financial transactions
by overlaying parts of a frame with misleading content. For more information
about clickjacking and how IE8 can prevent it, see
- Safer default settings and enhancements to
ActiveX security, whereby ActiveX installations can be restricted to a user
profile so if a malicious one is installed, other users and the rest of the
system won’t be affected (per-user ActiveX). Group Policy can control whether
per-user ActiveX is mandated or optional. In addition, per-site ActiveX
prevents ActiveX controls from being repurposed maliciously; users can restrict
the use of a particular control to a specific web site. For more information
about ActiveX security in IE8, see
Some of the same hardening suggestions in the section on IE7
are also applicable to IE8 in a high security environment.
Operating System Security
Security mechanisms built into the client operating system should
be leveraged to provide the level of protection appropriate for your
organization. Windows Vista was designed to provide a high level of security
with new features such as UAC, BitLocker, improvements to EFS, DEP, application
isolation, Windows Service Hardening, support for Network Access Protection (NAP),
additional security for the TCP/IP stack, and more.
Windows 7 builds on all of these, adds subtle enhancements
and introduces new security features such as DirectAccess, AppLocker and
BitLocker to Go, as well as improvements to the Windows Firewall to allow
multiple active firewall policies.
User Account Control
UAC protects the client computer by prompting for permission
when a system-level change is about to be made or any action is going to be
taken that requires administrative privileges. The computer is put into Secure
Desktop mode for the entry of credentials to prevent spoofing of the user
interface and ensure that the prompt for elevation is valid. The Secure Desktop
and UAC itself can be disabled in the Local Security settings, and unfortunately
many Vista users did this because of the “in your face” nature of the feature
and the inability to control UAC’s behavior.
Windows 7 allows more flexibility in configuring when UAC
notifications will be made, so that it can be set to prompt when programs try
to make changes but not when the user does so. This is the default setting for
the default administrative account. There are four different notification
levels available through the UAC Settings dialog that’s available from the
Action Center in Control Panel. Secure
Desktop can be disabled here, as well.
UAC behavior can also be controlled through the
Administrative Tools | Local Security Policy console (Security Settings | Local
Policies | Security Options) and in a Windows domain, administrators can force
all clients’ UAC settings to conform to the highest level if desired.
BitLocker and BitLocker to Go
Many client computers today are portables, and thus more
vulnerable to physical access by an unauthorized person. BitLocker as
originally implemented in the Enterprise and Ultimate editions of Windows Vista allows you to encrypt the
system volume to prevent unauthorized access to the operating system and the
data on that volume, using a Trusted Platform Module (a special hardware
cryptographic chip on supported computers) or a USB key to store the encryption
key. It can also be used on desktop
systems but is particularly useful for laptops and notebooks due to the
increased risk of the computer falling into the wrong hands due to loss or
theft.
Windows Vista Service Pack 1 added the ability to encrypt
other volumes on the hard disk in addition to the system volume. Windows 7 further expanded the usability of
BitLocker with its new BitLocker to Go feature, which allows you to encrypt
removable USB drives as well as internal ones.
Windows 7 also makes encryption of internal drives easier
because it automatically creates the hidden boot partition used by BitLocker to
protect the system volume so you don’t have to repartition the drive. BitLocker
is turned on or off through a Control Panel applet. Best of all, administrators can require
BitLocker protection when users write to a USB device, or can require strong
passwords, domain credentials and/or smart cards to access BitLocker-encrypted
removable devices. All of this is done through Group Policy. A USB drive that’s
encrypted on one Windows 7 computer can be unlocked on a different Windows 7
system, as long as you know the password or recovery key.
The Group Policy settings to control BitLocker are found in
Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption and allow you to set drive encryption methods and cipher
strength, choose how users can recover BitLocker protected drives in Windows
Server 2008 and Vista, determine whether to allow a data recovery agent to
recover data on removable drives, and much more. For more information about the changes to
BitLocker in Windows 7, see http://technet.microsoft.com/library/dd630628(WS.10).aspx
AppLocker
In keeping with our earlier statement regarding the
importance of application security, Microsoft’s latest Security Intelligence
Report shows that third party applications are being increasingly targeted by
malware and now account for more exploits than operating system issues. Thus it is essential for organizations to be
able to control what applications can run on client computers.
Windows XP and Windows Vista offer Software Restriction
Policies, which can be used by administrators to enforce policies regarding
which applications can run. Windows 7 introduces a new feature called
AppLocker, which enables companies to much more easily and flexibly control
what programs can run on the desktop using allow, deny and exception rules that
are simple to set up and can be applied to executables, installers, scripts and
DLLs. AppLocker is configured through
the Local Security Policy or a domain Group Policy (Application Control
Policies node). For more information about AppLocker, see http://technet.microsoft.com/library/dd548340(WS.10).aspx
Remote Access Clients
Client computers connecting to the network from outside the
LAN present special security challenges. Microsoft client operating systems
include support for technologies that help reduce the risks posed by remote
clients.
Network Access Protection
NAP was introduced with Windows Server 2008 and support for
NAP is included in Windows Vista and was added to Windows XP by Service Pack 3.
In Windows 7, the NAP user interface is integrated into the Action Center.
With NAP, you can enforce requirements that clients have the
proper security updates installed, have anti-virus software enabled and up to
date, and are configured with the best security settings. You can also enforce
IPsec policies, 802.1X compliance, and VPN policies.
For more information about NAP, see
http://technet.microsoft.com/network/cc984252.aspx
DirectAccess
One of the most exciting new features in Windows 7 and
Windows Server 2008 is DirectAccess, which allows users to establish a secure
remote connection to the company network without using a VPN. Security is
maintained, while making access easier for users because the connection is
established even before the user logs on. This makes it possible for
administrators to control the remote computers at any time, even though they
aren’t connected to the VPN. If the Internet connection is lost, the
DirectAccess connection is automatically established when the Internet
connection returns.
DirectAccess uses IPv6 with IPsec and authenticates both
the client computer and the user. For better security, you can require smart
card authentication. Triple DES (3DES) and AES can be used to encrypt the
transmissions for confidentiality of communications, and clients can connect
from behind a firewall. If application servers on the company network run
Windows Server 2008 with IPv6 and IPsec, the clients can benefit from
end-to-end protection. Otherwise, an IPsec gateway server can provide
edge-to-edge protection. Unlike a VPN, DirectAccess can separate intranet and
Internet traffic, so that Internet traffic doesn’t go through the DirectAccess
server. This reduces traffic on the LAN, and you can use the Windows Firewall
with Advanced Security to control how clients connect (for example, to allow them
to connect to the Internet but restrict them to a particular subnet on the
intranet). DirectAccess can be used in conjunction with NAP to require
DirectAccess clients to comply with NAP health requirements.
For more information about DirectAccess, see
http://technet.microsoft.com/network/dd420463.aspx
Summary
The client computer is where it all happens – where users
get their work done by connecting to servers on the local network and over the
Internet. Because they are most often operated by people who are not IT
professionals, and because of the variety of tasks they perform and connections
they make, client computers are particularly vulnerable and are often the means
by which malware, attacks, intrusions and other security threats enter the
corporate network.
Securing the client infrastructure is an essential part of a
multi-layered security strategy, and numerous technologies are built into
Microsoft client operating systems to help you make the clients on your network
as secure as possible.