Securing the Client Infrastructure
Security MVP Article of the Month – June
by Debra Littlejohn Shinder, Microsoft MVP (Enterprise Security)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Creating a secure computing environment is a multi-layered process. Previous articles have discussed securing the network and securing the server; in this article, we turn our attention to the element closest to the end user: the client computer. An Internet-connected client is exposed to a wide variety of threats, but Microsoft security technologies can protect against the threats posed by attacks, intrusions, malware and more. The keys to keeping clients safe are proper configuration settings, secure application development, and deployment of the appropriate security mechanisms based on how and where the client computer is used.
Client Security Basics
For best security, client computers in the business environment should be joined to a Windows domain. This allows the clients to benefit from the security technologies built into the Active Directory and subjects them to domain Group Policy Objects.
Regardless of environment and circumstances, all client computers should meet basic security requirements:
- Have current security updates installed and be configured to automatically update, either through the Windows Update web site or through Windows Server Update Services (WSUS).
- Have a host firewall (such as Windows Firewall) enabled and configured
- Have anti-spyware software enabled
- Have an anti-virus solution deployed
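The following script is an added example, not part of the article: it checks the four baseline items above on a Windows Vista or Windows 7 client and reports which ones fail. It assumes an elevated PowerShell 2.0 prompt, the Windows Update Agent COM objects, and the root\SecurityCenter2 WMI namespace (Vista and later; XP exposes root\SecurityCenter instead); the productState decoding is an observed convention, not a documented one.

```powershell
# Added example, not from the article: checks the four baseline requirements
# listed above on a Windows Vista / Windows 7 client and reports pass/fail.
# Assumptions: run from an elevated PowerShell 2.0 prompt; the Windows Update
# Agent COM objects and the root\SecurityCenter2 WMI namespace are present
# (Vista and later; Windows XP exposes root\SecurityCenter instead).

function Get-ClientBaselineReport {
    $results = @()

    # 1. Updates: the agent must be set to "scheduled installation"
    #    (NotificationLevel 4) and no software updates may be pending. A client
    #    pointed at WSUS answers through the same agent.
    $au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    $results += New-Object PSObject -Property @{
        Check = 'Automatic updates enabled'; Ok = ($au.NotificationLevel -eq 4) }
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
    $results += New-Object PSObject -Property @{
        Check = 'No pending software updates'; Ok = ($pending -eq 0) }

    # 2. Host firewall: INetFwPolicy2 reports Windows Firewall state per profile
    #    (1 = domain, 2 = private, 4 = public); all three should be on.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($p in @{ Domain = 1; Private = 2; Public = 4 }.GetEnumerator()) {
        $results += New-Object PSObject -Property @{
            Check = "Firewall on ($($p.Key) profile)"; Ok = [bool]$fw.FirewallEnabled($p.Value) }
    }

    # 3./4. Anti-spyware and anti-virus: Security Center lists registered
    #    products (FCS registers here too). productState is a bit field; the
    #    decoding below (middle byte 1x = real-time protection on, low byte
    #    00 = signatures current) is the commonly observed layout, not a
    #    documented contract, so treat it as an assumption.
    foreach ($class in 'AntiSpywareProduct', 'AntiVirusProduct') {
        $ok = $false
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue
        foreach ($prod in @($products)) {
            if ($prod -eq $null) { continue }
            $hex = '{0:x6}' -f [int]$prod.productState
            if ($hex.Substring(2, 1) -eq '1' -and $hex.Substring(4, 2) -eq '00') { $ok = $true }
        }
        $results += New-Object PSObject -Property @{ Check = "$class active and current"; Ok = $ok }
    }
    $results
}

# Any row with Ok = False is a client that does not meet the baseline.
Get-ClientBaselineReport | Format-Table Check, Ok -AutoSize
```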
Forefront Client Security (FCS) can provide policy-based protection against spyware and viruses with centralized management that integrates with the Windows domain infrastructure and the Windows Vista Security Center, and interoperates with Network Access Protection (NAP) to ensure that the security agent is updated and active protection is enabled before the client is allowed to connect to the network remotely. The agent software is installed on the client, and then administrators can manage the clients from a centralized management server. FCS SP1 provides the ability to run the agent and the management console on Windows 2008 Hyper-V.
The FCS agent is currently supported on the following client operating systems:
- Windows 2000 Professional with SP4 and Update Rollup 1
- Windows XP SP2 or later (Home, Professional and Tablet PC editions)
- Windows Vista SP1 or later (Business, Enterprise or Ultimate editions)
Both 32-bit and 64-bit versions of the operating systems are supported. FCS v 2.0 (currently in beta) will also be supported on Windows 7 Professional, Enterprise and Ultimate editions. FCS v 1 will run on the Windows 7 Beta/RC, but is not officially supported at the time of this writing. For more information about FCS, see http://www.microsoft.com/forefront/clientsecurity/en/us/default.aspx.
Access to the client computer and the company network is granted only after the user’s identity has been authenticated. Most organizations still depend on passwords for authentication, but passwords can be cracked via technological means or obtained through social engineering tactics. For best security, users should be required to provide multi-factor authentication. Two types of multi-factor authentication supported by Windows client operating systems are:
- Smart card authentication
- Biometric authentication
Smart Card Authentication
Windows XP, Windows Vista and Windows 7 support smart card logon, including for terminal services users. Smart cards are certificate-based, and Windows Vista enabled support for a wider range of certificates and removed some of the requirements for smart cards that were present in XP (CRL as a required field, Enhanced Key Usage and Subject Alternative Name as required fields, Key Exchange field); however, the changes are not enabled by default because the restrictions comprise best security practices. For more information about the changes to smart card authentication in Vista, see http://technet.microsoft.com/library/cc721959(WS.10).aspx.
Windows 7 further increases smart card support and makes smart cards easier to deploy, enabling use of cards made by vendors who have published their drivers through Windows Update without the need for middleware. This is in keeping with the National Institute of Standards and Technology’s PIV (Personal Identity Verification) standard. Windows 7 attempts to download the driver when you insert a PIV smart card into the reader, and if it can’t be found, will use a PIV-compliant minidriver that’s included with the operating system.
Windows 7 users can authenticate to the Windows domain with a smart card, using the PKINIT protocol, with no need to install or configure additional software. With Enterprise and Ultimate editions of Windows 7, a smart card can be used to unlock a BitLocker-encrypted removable drive. For more information on new smart card features in Windows 7, see
Biometric Authentication
While not entirely foolproof, authentication based on unique physical characteristics (such as fingerprints, retina or iris patterns, facial features, bone structure or DNA) provides the most accurate form of identity verification. Biometrics can be used in conjunction with a smart card, username/password credentials or a PIN.
Many Vista laptops come equipped with a fingerprint scanner and loaded with biometric software that enables the user to log on by swiping a fingerprint in lieu of entering a username and password. However, this requires third party software such as the UPEK Protector Suite QL that runs on both 32-bit and 64-bit Windows Vista and is also backwardly compatible with Windows XP and even Windows 2000. Microsoft has gotten serious about biometric support in Windows 7, providing the Windows Biometric Framework with a common API to make fingerprint based applications easier to integrate. There is now a Control Panel applet through which you can manage fingerprint sensors and register users’ fingerprints and associate the saved prints with the users’ accounts. You can choose to allow users to log onto Windows and/or the domain using fingerprints. Use of biometric data can also be enabled, disabled or limited through Group Policy settings.
To find out more about the Windows Biometric Framework’s components and how developers can use the WBF to enable fingerprint support in
Secure Application Development
Regardless of how secure the operating system is or how well protected the network may be, the client is not safe unless the applications that run on it are designed with security in mind as well. Otherwise they will either introduce security vulnerabilities or fail to work because of OS security restrictions. Application code should be written to a set of security standards and reviewed to ensure that it complies with best security practices.
With User Account Control (UAC), Windows Vista introduced the principle of least privilege: users should have only the least amount of privileges necessary to perform their tasks, and no more. Thus applications should be designed to run with least privileges, to prevent malware from gaining access to administrative privileges where it can do more damage. Develop applications with a standard user account unless higher privileges are required for administrative tasks, accessing system files and registry keys, etc. The application’s user interface should be designed for UAC compatibility.
For information about designing applications for Windows Vista’s security environment, see http://msdn.microsoft.com/library/aa905330.aspx.
Windows Vista introduced the Windows Sidebar, where users can install desktop gadgets. These are small applications that can give you information such as weather forecasts, calendar information, system information (processor and memory usage, hard disk space free/used, etc.), unit conversion information, and much more. Windows 7 does away with the sidebar but retains the gadget concept, allowing them to be placed anywhere on the desktop.
Web Browser Security
The web browser is one of the most commonly used applications on most client computers and thus a favorite target of attackers, so browser security is of utmost importance.
Internet Explorer 7 (IE7), as Microsoft’s first browser to be entirely developed according to the Security Development Lifecycle (SDL) process, introduced many new security features, including:
- Protected Mode (available in Windows Vista but not in IE7 on Windows XP), which runs IE with very low rights and writes only to the temporary Internet files directory and a limited part of the registry unless explicit user permission is given
- ActiveX opt-in, which means most ActiveX controls are turned off by default to keep attackers from exploiting controls that don’t need to be exposed to the Internet
- The phishing filter
- Inclusion of an address bar in all windows, including pop-up ones, to protect against malicious sites not displaying their URLs
- A newly designed URL handler that parses data more consistently to reduce exploits
For more information about IE7 security features, see
You can further harden IE7 by changing the default Security settings (Internet Options | Security tab) to disable active scripting, disallow status bar updates via scripts, disable XAML, disable running of ActiveX controls, disable launching of programs and files in an IFRAME, etc. However, for best browser security, upgrade to Internet Explorer 8 (IE8).
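As an added example (not from the article), the script below applies the IE7 Internet zone hardening just described through the registry values behind the Internet Options | Security dialog, showing the current value beside the hardened one before anything is changed. It assumes the value IDs documented in Microsoft KB 182569 and per-user settings under HKCU; in a domain the same settings are pushed through the Internet Explorer Group Policy templates instead.

```powershell
# Added example, not from the article: the IE7 Internet-zone hardening described
# above, applied through the registry values behind Internet Options | Security.
# Assumptions: value IDs are those documented in Microsoft KB 182569 (Zones\3 is
# the Internet zone; 0 = Enable, 1 = Prompt, 3 = Disable); settings are written
# per user under HKCU, as the dialog does. In a domain, push the same settings
# through User Configuration\Administrative Templates\Windows Components\
# Internet Explorer\Internet Control Panel\Security Page\Internet Zone instead.

$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting name, KB 182569 value ID, hardened value (3 = Disable).
$hardening = @(
    @{ Name = 'Active scripting';                          Id = '1400'; Value = 3 },
    @{ Name = 'Allow status bar updates via script';       Id = '2103'; Value = 3 },
    @{ Name = '.NET Framework: XAML browser applications'; Id = '2400'; Value = 3 },
    @{ Name = '.NET Framework: Loose XAML';                Id = '2402'; Value = 3 },
    @{ Name = 'Run ActiveX controls and plug-ins';         Id = '1200'; Value = 3 },
    @{ Name = 'Launching programs and files in an IFRAME'; Id = '1804'; Value = 3 }
)

function Get-IeZoneValue([string]$Id) {
    # $null means the value is not set explicitly and the zone template applies.
    $item = Get-ItemProperty -Path $zone -Name $Id -ErrorAction SilentlyContinue
    if ($item) { $item.$Id } else { $null }
}

function Invoke-IeHardening([switch]$Apply) {
    foreach ($s in $hardening) {
        $before = Get-IeZoneValue $s.Id
        '{0,-45} {1} -> {2}' -f $s.Name, $before, $s.Value
        if ($Apply) {
            Set-ItemProperty -Path $zone -Name $s.Id -Value $s.Value -Type DWord
        }
    }
}

# Review the current values first, then run Invoke-IeHardening -Apply.
Invoke-IeHardening
```

Disabling active scripting and ActiveX in the Internet zone breaks many sites; the Trusted sites zone (Zones\2) is where those settings are re-enabled for known-good intranet hosts.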
IE8 further extends the security focus by increasing the effectiveness of the phishing filter to block known malware sites and potentially dangerous downloads with SmartScreen, a reputation-based technology. Users can report unsafe web sites to be added to the database after verification.
Additional security mechanisms in IE8 include:
- XSS Filter, which seamlessly blocks “type 1” cross-site scripting attacks that take advantage of XSS vulnerabilities that exist in many web sites without requiring action on the part of the user. For more information on the XSS filter, see
- “ClickJacking” defenses, which protect against a technique that tricks users into unknowingly initiating financial transactions by overlaying parts of a frame with misleading content. For more information about clickjacking and how IE 8 can prevent it, see
- Safer default settings and enhancements to ActiveX security, whereby ActiveX installations can be restricted to a user profile so if a malicious one is installed, other users and the rest of the system won’t be affected (per-user ActiveX). Group Policy can control whether per-user ActiveX is mandated or optional. In addition, per-site ActiveX prevents ActiveX controls from being repurposed maliciously; users can restrict the use of a particular control to a specific web site. For more information about ActiveX security in IE8, see
Some of the same hardening suggestions in the section on IE7 are also applicable to IE8 in a high security environment.
Operating System Security
Security mechanisms built into the client operating system should be leveraged to provide the level of protection appropriate for your organization. Windows Vista was designed to provide a high level of security with new features such as UAC, BitLocker, improvements to EFS, DEP, application isolation, Windows Service Hardening, support for Network Access Protection (NAP), additional security for the TCP/IP stack, and more.
Windows 7 builds on all of these, adds subtle enhancements and introduces new security features such as DirectAccess, AppLocker and BitLocker to Go, as well as improvements to the Windows Firewall to allow multiple active firewall policies.
User Account Control
UAC protects the client computer by prompting for permission when a system-level change is about to be made or any action is going to be taken that requires administrative privileges. The computer is put into Secure Desktop mode for the entry of credentials to prevent spoofing of the user interface and ensure that the prompt for elevation is valid. The Secure Desktop and UAC itself can be disabled in the Local Security settings, and unfortunately many Vista users did this because of the “in your face” nature of the feature and the inability to control UAC’s behavior.
Windows 7 allows more flexibility in configuring when UAC notifications will be made, so that it can be set to prompt when programs try to make changes but not when the user does so. This is the default setting for the default administrative account. There are four different notification levels available through the UAC Settings dialog that’s available from the Action Center in Control Panel. Secure Desktop can be disabled here, as well.
UAC behavior can also be controlled through the Administrative Tools | Local Security Policy console (Security Settings | Local Policies | Security Options) and in a Windows domain, administrators can force all clients’ UAC settings to conform to the highest level if desired.
BitLocker and BitLocker to Go
Many client computers today are portables, and thus more vulnerable to physical access by an unauthorized person. BitLocker as originally implemented in the Enterprise and Ultimate editions of Windows Vista allows you to encrypt the system volume to prevent unauthorized access to the operating system and the data on that volume, using a Trusted Platform Module (a special hardware cryptographic chip on supported computers) or a USB key to store the encryption key. It can also be used on desktop systems but is particularly useful for laptops and notebooks, which are at greater risk of falling into the wrong hands through loss or theft.
Windows Vista Service Pack 1 added the ability to encrypt other volumes on the hard disk in addition to the system volume. Windows 7 further expanded the usability of BitLocker with its new BitLocker to Go feature, which allows you to encrypt removable USB drives as well as internal ones.
Windows 7 also makes encryption of internal drives easier because it automatically creates the hidden boot partition used by BitLocker to protect the system volume so you don’t have to repartition the drive. BitLocker is turned on or off through a Control Panel applet. Best of all, administrators can require BitLocker protection when users write to a USB device, or can require strong passwords, domain credentials and/or smart cards to access BitLocker-encrypted removable devices. All of this is done through Group Policy. A USB drive that’s encrypted on one Windows 7 computer can be unlocked on a different Windows 7 system, as long as you know the password or recovery key.
The Group Policy settings to control BitLocker are found in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption and allow you to set drive encryption methods and cipher strength, choose how users can recover BitLocker protected drives in Windows Server 2008 and Vista, determine whether to allow a data recovery agent to recover data on removable drives, and much more. For more information about the changes to BitLocker in Windows 7, see http://technet.microsoft.com/library/dd630628(WS.10).aspx.
AppLocker
In keeping with our earlier statement regarding the importance of application security, Microsoft’s latest Security Intelligence Report shows that third party applications are being increasingly targeted by malware and now account for more exploits than operating system issues. Thus it is essential for organizations to be able to control what applications can run on client computers.
Windows XP and Windows Vista offer Software Restriction Policies, which can be used by administrators to enforce policies regarding which applications can run. Windows 7 introduces a new feature called AppLocker, which enables companies to much more easily and flexibly control what programs can run on the desktop using allow, deny and exception rules that are simple to set up and can be applied to executables, installers, scripts and DLLs. AppLocker is configured through the Local Security Policy or a domain Group Policy (Application Control Policies node). For more information about AppLocker, see http://technet.microsoft.com/library/dd548340(WS.10).aspx.
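The following is an added example, not from the article: it uses the Windows 7 AppLocker module to build executable allow rules from a reference client, test candidate files against them before enforcement, and then apply the policy. It assumes an elevated prompt on Windows 7 Enterprise or Ultimate; the Program Files enumeration, the policy file path and C:\Users\Public\tool.exe are constructed for the example.

```powershell
# Added example, not from the article: builds, tests and applies an AppLocker
# executable allow-list on Windows 7 with the AppLocker module's cmdlets.
# Assumptions: run elevated on Windows 7 Enterprise/Ultimate; the software
# installed under Program Files on this reference machine defines what is
# allowed; C:\Users\Public\tool.exe is a made-up path used for the test.

Import-Module AppLocker

# 1. Enumerate executables on the reference client and generate publisher
#    rules (hash rules as the fallback for unsigned files). -Optimize merges
#    rules for files that share a publisher.
$policyXml = 'C:\Temp\applocker-allow.xml'
Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $policyXml

# 2. Evaluate files against the policy before enforcing it. A file reported
#    as Denied here is blocked once the policy is in effect; note that only
#    Program Files was enumerated, so the Windows directory also needs rules
#    (the console's "Create Default Rules" adds them) before enforcement.
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Path 'C:\Program Files\Internet Explorer\iexplore.exe', 'C:\Users\Public\tool.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. The Application Identity service must be running or AppLocker rules are
#    never evaluated; then merge the rules into the local policy (use -Ldap
#    with a GPO path to target a domain policy instead).
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# 4. Confirm what is actually in effect (local and domain policies combined).
Get-AppLockerPolicy -Effective -Xml
```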
Remote Access Clients
Client computers connecting to the network from outside the LAN present special security challenges. Microsoft client operating systems include support for technologies that help reduce the risks posed by remote clients.
Network Access Protection
NAP was introduced with Windows Server 2008; client support is built into Windows Vista and was added to Windows XP by Service Pack 3. In Windows 7, the NAP user interface is integrated into the Action Center.
With NAP, you can enforce requirements that clients have the proper security updates installed, have anti-virus software enabled and up to date, and are configured with the best security settings. You can also enforce IPsec policies, 802.1X compliance, and VPN policies.
For more information about NAP, see
DirectAccess
One of the most exciting new features in Windows 7 and Windows Server 2008 is DirectAccess, which allows users to establish a secure remote connection to the company network without using a VPN. Security is maintained, while making access easier for users because the connection is established even before the user logs on. This makes it possible for administrators to control the remote computers at any time, even though they aren’t connected to the VPN. If the Internet connection is lost, the DirectAccess connection is automatically established when the Internet connection returns.
DirectAccess uses IPv6 with IPsec and authenticates both the client computer and the user. For better security, you can require smart card authentication. Triple DES (3DES) and AES can be used to encrypt the transmissions for confidentiality of communications, and clients can connect from behind a firewall. If application servers on the company network run Windows Server 2008 with IPv6 and IPsec, the clients can benefit from end-to-end protection. Otherwise, an IPsec gateway server can provide edge-to-edge protection. Unlike a VPN, DirectAccess can separate intranet and Internet traffic, so that Internet traffic doesn’t go through the DirectAccess server. This reduces traffic on the LAN, and you can use the Windows Firewall with Advanced Security to control how clients connect (for example, to allow them to connect to the Internet but restrict them to a particular subnet on the intranet). DirectAccess can be used in conjunction with NAP to require DirectAccess clients to comply with NAP health requirements.
For more information about DirectAccess, see
The client computer is where it all happens – where users get their work done by connecting to servers on the local network and over the Internet. Because they are most often operated by people who are not IT professionals, and because of the variety of tasks they perform and connections they make, client computers are particularly vulnerable and are often the means by which malware, attacks, intrusions and other security threats enter the corporate network.
Securing the client infrastructure is an essential part of a multi-layered security strategy, and numerous technologies are built into Microsoft client operating systems to help you make the clients on your network as secure as possible.