Simplifying Client Security Without Sacrificing Protection

Published: November 15, 2006


By Ian Hameroff, CISSP
Senior Product Manager, Security and Access Product Marketing, Microsoft Corporation


It’s a common challenge faced by IT professionals today: how to mitigate the risk of a growing number of network-borne threats without creating a management nightmare. Windows administrators have no shortage of tools to help combat malware, unwanted software, Denial of Service attacks, and other related threats. However, managing these various security products, especially when deployed together, can create a different kind of risk: complexity. Striking the right balance of protection and manageability is not only important; it can ultimately become the linchpin of a successful, layered security model.

The best practice of defense-in-depth is nothing new, yet its application continues to evolve with the introduction of faster-moving and more targeted attacks. Defense-in-depth at the client is relatively new for many organizations. Thanks to the widespread use of desktop antivirus software and the growing use of host firewalls, like the Windows Firewall in Windows XP Service Pack 2, multilayered security is helping narrow the attack surface area of client computers. Antivirus protection and firewalls form a great foundation of a secure client solution, but the ever-evolving threat landscape often necessitates additional controls to further reduce a host’s vulnerable surfaces. This becomes even more critical with today’s highly mobile work force and the increasing number of unmanaged devices connecting to the corporate network, e.g., guests, partners, and contractors.

Securing clients to address these challenges means not only layering anti-malware protections, but also properly using operating system mechanisms and network-level security controls. This includes enforcing a policy of “least privilege” for a user’s day-to-day computing activities, isolating runtime applications (e.g., Web browser objects), and enabling end-point authentication between trusted hosts to limit network access to only authorized clients. Adding to these key factors is an improved awareness of the client’s current security posture, so users know when they may be connected “without a net.”

Once again, these additional layers can come with the increased risk for greater management complexity. So, how can administrators achieve simplified client security without sacrificing protection?

With the upcoming release of Microsoft Forefront Client Security, Windows administrators will have another choice for malware protection for business desktops, laptops, and servers. This single, agent-based, anti-malware solution will help address a broad array of threats, ranging from viruses and worms to spyware and other emerging attacks. What sets Forefront Client Security apart from other stand-alone offerings is its ability to easily integrate with existing Windows infrastructure and provide critical visibility into threats and vulnerabilities through a unified console. It complements the platform security advancements coming in Windows Vista and the end-to-end network layer protection provided by Server and Domain Isolation.

At the heart of this integration is Active Directory, already a core infrastructural component in the vast majority of Windows environments. Active Directory enables administrative simplification by centralizing the policy management of all of these security layers. Let’s take a closer look at the three parts of this integrated, secure client solution and see how Active Directory provides the means to bring them together.

First, there is Forefront Client Security (currently in beta), which provides a single agent for real-time protection against spyware, rootkits, and other emerging threats as well as traditional attacks such as viruses and worms. As with other Microsoft Forefront security products, it employs the same highly successful Microsoft protection technology already used by millions of people worldwide in products such as Windows Defender, the Microsoft Malicious Software Removal Tool, and Windows Live OneCare. These protective services are backed around the clock by Microsoft’s global security research organization. Fast and efficient response to new malicious software threats is powered by expert analysis of multiple data sources, such as Hotmail, Microsoft Exchange Hosted Services, Dr. Watson, and ongoing industry collaboration.

Forefront Client Security helps reduce administrative overhead through the creation of a single policy to manage all aspects of client security events and alerts. This single policy can be deployed through Active Directory, using the same rich client-targeting functionality already used for Group Policy management. Signature updates are also easily and rapidly delivered to clients through the use of an existing software distribution solution, like Windows Server Update Services.

Next is Windows Vista, with its numerous platform security enhancements. Among the long list of new and updated security features are Windows Firewall with Advanced Security, User Account Control, Internet Explorer 7 (IE7), and the enhanced Security Center.

The new Windows Firewall builds on the functionality delivered in Windows XP Service Pack 2, adding both inbound and outbound filtering, tighter integration with IPsec, and expanded Group Policy support. Together with Forefront Client Security, the Windows Firewall with Advanced Security helps limit unwanted network communications, and these policies are centrally manageable from Active Directory using Group Policy.
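The inbound and outbound filtering described above can be expressed with the `netsh advfirewall` context that Windows Vista introduced. The following is an added example, not code from the article or from Microsoft; the rule names, program path and management subnet are constructed placeholders, and in a managed environment the equivalent settings are pushed through the Windows Firewall with Advanced Security node of Group Policy rather than typed per host.

```powershell
# Added example (not from the article): baseline Windows Firewall with Advanced Security
# settings for a managed Windows Vista client, driven through netsh advfirewall.
# All names, paths and addresses below are constructed for illustration.

# Turn the firewall on for every profile and set the default disposition:
# unsolicited inbound traffic is dropped, outbound traffic is allowed unless a rule blocks it.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Outbound filtering (new in Vista): keep a specific program off the network entirely,
# for example a legacy tool that has no business reaching the Internet.
netsh advfirewall firewall add rule name="Block-LegacyTool-Outbound-Example" dir=out action=block program="C:\Tools\legacy.exe" enable=yes

# Inbound filtering: expose remote administration only to the management subnet, and only
# while the host is connected to the domain network (domain profile).
netsh advfirewall firewall add rule name="Allow-RDP-From-Mgmt-Example" dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.50.0/24 profile=domain

# Record dropped connections so blocked traffic is visible to the administrator
# (log path defaults to %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable

# Verify the effective configuration and the rules just added.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Allow-RDP-From-Mgmt-Example"
netsh advfirewall firewall show rule name="Block-LegacyTool-Outbound-Example"
```

The default-deny inbound posture plus a single explicit outbound block rule is the shape most administrators start from; program-specific outbound rules are what distinguishes the Vista firewall from the XP SP2 version, which filtered inbound traffic only.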

User Account Control (UAC) adds another layer of defense by enabling users to run with lowered privileges, helping prevent malware attacks from gaining elevated access rights. This feature can help contain malicious outbreaks or simply stop them in their tracks. Working in concert with UAC and other Windows Vista platform security advancements is Internet Explorer 7. IE7 helps isolate potentially malicious applications by preventing them from taking over the user’s browser and executing code. Adding to this is a new Protected Mode that further limits the ability of Web-borne attacks to escape the browser and infect the client.

To help keep users informed of their current security state, Windows Vista includes an updated Security Center to monitor the status of anti-malware protection installed on the client, the Windows Firewall, and automatic updates. It alerts the user when any of these fundamental security controls is either switched off (perhaps by a piece of malicious code) or becomes out of date, so that he or she can take corrective action to return the client to a more secure state. As with all the aforementioned features (and many more not covered in this article), Active Directory Group Policy may be used to administer settings and automate deployment.

The last component of this solution is Server and Domain Isolation, which adds the ability to enforce end-point authentication, enabling Windows administrators to dynamically segment their networks based on policy instead of physical topology. Through Group Policy settings, managed clients are logically isolated from unmanaged or rogue devices. These policies are enforced at the host using the built-in IPsec functionality in Windows Vista and Active Directory-based credentials (either a Kerberos ticket or an automatically enrolled X.509 certificate). Trusted (managed) hosts must successfully authenticate at the network layer before any communications can begin. Since IPsec is used to manage this process, it remains transparent to both the user and the applications running on the host. If an unauthorized client attempts to establish network connectivity with a trusted host, this authentication will fail, leaving the protected host virtually invisible to the initiator.

Server and Domain Isolation also helps minimize the risk of network-borne attacks by reducing the attack surface area, verifying the integrity of network packets for virtually tamperproof transmissions, and protecting sensitive data with optional “on the wire” encryption. These benefits are especially important for networks that also play host to devices belonging to guest workers or visiting partners. Server and Domain Isolation, thanks to the IPsec integration with the Windows Firewall, complements existing host-based security solutions to add another level of defenses at the network layer without changing either the application or the user experience. This network security solution also works with Windows Server 2003, Windows XP, and Windows 2000, and it can also interoperate with non-Windows devices that are compliant with IPsec standards.
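The two preceding paragraphs describe the mechanism (Kerberos-authenticated IPsec, enforced at the host, with failed authentication leaving the protected host silent) and the optional integrity and encryption benefits. What that looks like as host-side connection security rules on a Windows Vista client is shown in the added example below; it is not code from the article or from Microsoft's deployment guides. It uses `netsh advfirewall consec`, which is the Vista-era way to author the same rules that Group Policy would normally distribute; the domain controller and payroll server addresses are constructed placeholders.

```powershell
# Added example (not from the article): Server and Domain Isolation connection security
# rules on a Windows Vista host, expressed with netsh advfirewall consec. In production these
# rules are delivered through Group Policy; the addresses below are constructed placeholders.

# Domain isolation: require authenticated (IPsec) inbound traffic but only request it outbound.
# A managed host therefore still reaches printers and other non-IPsec systems, while an
# unmanaged or rogue host that cannot present a domain computer credential never gets a reply.
# auth1=computerkerb uses the machine's Active Directory Kerberos credential for main mode.
netsh advfirewall consec add rule name="DomainIsolation-Example" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

# Exemption: infrastructure the client must reach before it holds a Kerberos ticket
# (domain controllers, DNS, DHCP). 10.0.1.10 stands in for a domain controller.
netsh advfirewall consec add rule name="Exempt-DC-Example" endpoint1=any endpoint2=10.0.1.10 action=noauthentication

# Server isolation: for a sensitive server (constructed address 10.0.2.20) require authentication
# in both directions and add "on the wire" protection: ESP with SHA-1 integrity and AES-128 encryption.
netsh advfirewall consec add rule name="ServerIsolation-Payroll-Example" endpoint1=any endpoint2=10.0.2.20 action=requireinrequireout auth1=computerkerb qmsecmethods=esp:sha1-aes128

# Verify the rules and observe the main-mode and quick-mode security associations that form
# once a peer authenticates; an unauthorized initiator shows up as no SA at all.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Starting with `requireinrequestout` and an explicit exemption list is the usual rollout order described in the article: it can be piloted on Windows XP and Server 2003 hosts first, and the same policy then applies unchanged to Vista clients as they join the domain.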

All three dimensions of this solution for client security make use of Active Directory for policy management and distribution. Also, each of the three security controls complements the defenses of the others in the true spirit of a defense-in-depth security strategy. Another benefit is the ability to incrementally implement each solution without having to deploy separate management infrastructures. For example, administrators can start evaluating and implementing Server and Domain Isolation today (on Windows XP and Windows Server 2003), then deploy Forefront Client Security on their existing Windows XP hosts, and roll out Windows Vista as part of the organization’s client hardware refresh cycle (with Forefront Client Security as part of the standard desktop image). In addition, as these hosts join the Active Directory domain, they will automatically receive the policy settings for all three components, resulting in reduced deployment complexity.

Central to any successful security plan, such as securing the client, is a thorough understanding of the risks you seek to mitigate and then developing policies that meet these requirements. The components of this solution -- Forefront Client Security, Windows Vista, and Server and Domain Isolation -- empower Windows administrators to enforce these policies in an integrated and centrally managed fashion. The result is simplification with improved visibility and control to better protect your business with greater efficiency. This helps balance the often-opposing forces of protection and simplicity by building on top of existing investments and complementing other Microsoft security technologies to deliver comprehensive client security without sacrificing manageability in the process.