Security Considerations for End Systems

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
By Tom Dodds, Ken Pfeil

Program Manager: Markus Vilcinskas

Contributor: Peter Van Niman

Microsoft Solutions Framework

Best Practices for Enterprise Security

Note: This white paper is one of a series. Best Practices for Enterprise Security ( ) contains a complete list of all the articles in this series. See also the Security Entities Building Block Architecture ( ).

On This Page

Creating a Security Team
Responsibilities of the Corporate Security Officer
Creating a Security Policy Document
User Responsibility, Training, and Awareness Measures
Physical Security
E-mail Usage
Virus Protection
Remote Access Control
Encryption Strategies
Securing the Server
Controlling the Workstation


The starting point for any security model is to assure that security standards and policies are in place to protect the system from external attacks and unauthorized internal usage. Securing computer resources, applications, and related data is an integral part of securing an enterprise. Securing a system involves implementing a set of procedures, practices, and technologies to protect the information technology (IT) infrastructure as well as software and associated data throughout the organization. In this white paper, we will take a close look at the common steps needed to secure a Microsoft Windows system. We will use a real world example based on a Microsoft Consulting Services project in the banking industry to show how to develop a security plan.

Creating a Security Team

The first step in securing an enterprise is to form a security team headed by a corporate security officer. The security team is normally internal to the organization and is empowered to effectively define security standards and implement security policies. Its size depends on the size and complexity of the organization, as well as the level of security needed. Team members should be assigned roles and responsibilities with clear goals and objectives.

The corporate security officer (CSO) is the officer in charge of the security team. The CSO is responsible for articulating the overall shared vision that will be used to develop the corporate security policy and define the work of all other security team members.

The security team's primary responsibilities are as follows:

  • Develop a corporate IT security policy for securing systems

    Identify the level of security that the organization needs. You can approach this task by segmenting the organization according to some function or aspect of the business. Use a basic model, such as one of the following, that is most relevant to your organization:

    • Geographic locations

    • Business functional units

    • Business organizational structure

    • Administrative responsibilities

    • Object security requirements

    • Hybrid of several models

    Then determine the security requirements for each individual business unit and/or object within the scope of the overall corporate IT security policy. In the bank's case, we created a corporate level security plan and then customized that plan for each business unit.

  • Develop a formalized roadmap for planning, organizing, and implementing this identified level of security.

  • Define specific security standards based on the level of security needed as well as the risks assessed for data protection.

  • Oversee the implementation of the security standards.

  • Develop and implement a training methodology to make users and administrators aware of the security guidelines and policies of their organization.

  • Manage the overall security infrastructure after the security plan is implemented.

  • Manage and address all new security-related issues within the organization as they arise.

Responsibilities of the Corporate Security Officer

The CSO has the following major responsibilities:

  • Recommend security strategies.

  • Ensure that information security policies and procedures are established and implemented to protect the information assets of an organization.

  • Participate in the creation and review of these policies and procedures.

  • Keep information security systems current.

The company needs to have procedures for preventing, detecting, containing, and recovering from information security breaches that have internal as well as external sources and that result from natural as well as man-made disasters. The CSO has a duty to ensure that these procedures are in place.

In order to develop and implement a successful information security plan, the CSO depends upon an organizational commitment to the plan. Success requires a stable resource base in terms of personnel, funds, and other support so that security programs and projects can be planned and executed effectively. It also requires company wide cooperation in the implementation phase.

In the CSO's role as the senior officer with overall responsibility for information security, the CSO must:

  • Strike a balance between security and the company's mission by assessing risk and determining organizational needs.

  • Coordinate and call upon others in the company for assistance.

  • Establish links to security personnel in other parts of the organization, to CSOs in other companies, and to external security sources.

  • Ensure that the security model is communicated to the highest levels within the company and that the security plan has a sponsorship commitment at the appropriate senior executive level.

It is recommended that the CSO establish an advisory board of employees who represent different functions/disciplines across the organization. In the planning phase, this board can help to develop policies and procedures, and after implementation, maintain information security continuity across the organization on an ongoing basis.

Specifically, the CSO's role in the bank is to:

  • Be responsible for the development, implementation and revisions of a company information security policy.

  • Be part of the decision-making team when the company is designing, planning, procuring or upgrading technologies.

  • Promote information security awareness throughout the company.

  • Be the company's authority on information security.

  • Be the single point of contact for all issues involving information security including, but not limited to, questions, alerts, viruses, and breaches.

  • Inform company executive management of breaches, information security activity, and risks.

  • Recommend appropriate separation of duties and responsibilities for IT functions.

Creating a Security Policy Document

The security policy will outline a series of guidelines and standards that attempt to protect the organization against the common kinds of attacks and issues. For example, the goals set by the bank's CSO for the preventative aspects of their Web security policy were to:

  • Outline general principles of conduct with respect to behaviors that affect the organization's information security.

  • Define who has access to the site, the nature of the access, and who authorizes it.

  • Define who is responsible for security, upgrades, backups, and maintenance

  • Specify the kinds of material allowed on served pages.

  • Establish what we need to protect on the site and from whom we are protecting ourselves

  • Define the testing and evaluation that must be performed on software and pages before they are installed in production.

  • Explain how complaints and requests about the server and page content are to be handled.

The bank's CSO also asked that the policy address breaches of security, requiring that the following be defined:

  • Who is allowed to speak to members of the press, law enforcement and other entities outside the organization in the event of questions or an incident.

  • Who is contacted in case of an emergency.

  • How the organization reacts to security incidents including responding to a disaster. This included addressing issues such as the disaster response team, choosing an alternative work site, testing the ability to respond, handling evidence, backup, and restoration.

General Security Guidelines

The next step in the bank's security process was to outline a set of general security guidelines. For example, the bank set appropriate precautions to be taken while engaging in any activity on external network services (any process that runs outside the normal corporate network, including the Internet) to ensure that corporate information is protected from unauthorized access, modification, destruction or disclosure. Below is an example of their policy:

Server Security

The internal corporate network cannot be connected to the perimeter network (also known as DMZ or demilitarized zone) without firewall protection. A complete firewall architecture must be in place to protect the corporate network from the Internet. All access to the configuration and setup of that firewall will be strictly controlled. The security committee must approve any changes to the current configuration. No internal network is allowed to circumvent this security by directly connecting to a multihomed server in the perimeter network. In particular:

  • Any device placed in the perimeter network (server, router, sniffer, printer etc.) that is accessible by non-bank personnel must be approved by the Security team before it is placed on the network.

  • All perimeter network servers must be kept in a secured locked location.

  • Keep server backups away from the server in a secure location. Also, keep emergency repair disks stored at another location away from the server.

  • Access to the server floppy drive will be controlled. The ability to boot from the floppy drive of all perimeter network servers will be disabled. If possible, remove the floppy drive completely.

  • No non-bank employee can be given direct access to the perimeter network from either an internal location or an external location without authorization from the security team. All access must take place through the firewall unless explicitly approved by security team management.

Classes of Information Allowed on External Servers

Only information classified as public may be posted on a perimeter network server.

Restrictions on Posting or Downloading Copyrighted Materials

All users are required to comply with copyright and software licensing agreements. It is explicitly against the Corporate Information Security Policy to violate such agreements. Uploading or downloading copyright protected material is expressly prohibited. Displaying or posting copyrighted material on any intranet or Internet server (servers placed in the perimeter network) is expressly prohibited.

Reporting Security Problems

Any suspicious activity or suspected security compromises to the perimeter network must be reported to the information security department.

Virus Precautions

All information downloaded from external services or posted to the perimeter network must be immediately scanned for viruses using the corporate approved virus-scanning software.

Terminating External Session not Actively in Use

If you are not actively using a session, it will be disconnected. A timeout procedure for all idle connections to the perimeter network is in place.

Password Management

Users must maintain the confidentiality of user accounts and passwords. Furthermore, passwords used to access external services must not be identical to any password used on an internal corporate system. User account IDs and passwords transmitted over external services, such as the Internet, may be transmitted in clear text and are easily susceptible to discovery. Strong passwords must be used on the external perimeter network.

Some guidelines for password use are:

  • Passwords must contain at least eight characters, and preferably nine (recent security information reports that many cracking programs are using the eight character standard as a starting point). Also, each password must follow the standards set for strong passwords.

  • All passwords used by the built-in Windows 2000 accounts (including service accounts) must be changed to conform to the password standard.

  • It is mandatory that all accounts have passwords. No blank passwords are permitted.

  • Never loan your password out. If for some reason you must share your password, remember to change it immediately.

  • Passwords must be changed every 30 days. The system will keep a history of the last six passwords used and not allow repeats. This forces users to use at least seven unique passwords.

  • Never write your password or send it via e-mail.

  • Accounts will be locked out after three bad password attempts (administrators should set lockout duration to more than 30 minutes or until an administrator unlocks the account).

Unacceptable Usage:

The bank's external services usage policy is as follows:

The bank characterizes as unethical and unacceptable any activity that purposely:

  • Seeks to use the bank's services for private or personal business.

  • Seeks to gain unauthorized access to any resources within or outside of the bank.

  • Disrupts the intended use of the bank and/or the perimeter network services.

  • Wastes resources (people, capacity, computer) through such actions.

  • Destroys the integrity of or misuses any information assets.

  • Compromises the privacy of any user or other departments.

  • Compromises proprietary or otherwise sensitive corporate information.

  • Places material on any perimeter network platform that would be considered inappropriate, offensive, or disrespectful to others.

    The bank reserves the right to monitor any and/or all external perimeter network service-related activity. Any users found in violation of the above External Services Usage Policy may be subject to penalties. These could range from denial of access, at a minimum, to termination of employment and/or criminal prosecution.

It is hoped that the bank's sample policy shows some of the general considerations to bear in mind when creating a security policy.

User Responsibility, Training, and Awareness Measures

The most sophisticated security model possible can be completely undermined if users do not fully understand their roles in maintaining the integrity of the environment. Every organization, therefore, must implement a plan to inform and train the users. The training and security awareness program should reach all areas of the company, from senior managers to end-users. This program should explain the IT security policy and ensure that the rules and regulations regarding security are understood. Understanding and positive motivation are essential for the fulfillment of IT security goals.

The bank's training and awareness program will communicate the following information:

  • An outline of the security goals and policy of the bank.

  • The reasons that security at the bank is important.

  • The effects of security-related incidents upon end-users and the company.

  • Descriptions of staff responsibilities, procedures, and jobs in connection with security.

  • The plans for implementing internal security standards and checking their observance.

  • The consequences of a person's failure to adhere to the security regulations.

  • The necessity to report security breaches.

End user training will make or break a network security implementation. End users who are not properly informed about and trained on the corporate security structure could easily and innocently compromise the network, leaving it vulnerable to a social attack. A social attack consists of gaining the user's trust and having the end user willingly give out vital security information. It is the single most effective way to circumvent software- and hardware-based security, according to recent articles about IT security. For this reason, end users must be empowered with the knowledge to combat these types of attacks.

The following are important precautions a company can take to ensure that its security measures are communicated, trained on and abided by:

  • Publish the policy and make sure that all levels of management and users understand and are committed to it.

  • Include the policy as a part of the introduction packet for all new employees. Institute background checks for users hired to do security-related work. (Keep in mind that the biggest threat to any company comes from within its own organization.)

  • Ask all users to sign a statement attesting that they understand and are willing to abide by the policy.

  • Create a mechanism for all users to provide feedback and suggest changes to the policy.

  • Hold training sessions that educate users on the use of their hardware and software, help them understand the importance of observing good security practices, and learn how to recognize and report a security incident.

  • Rotate certain key assignments to ensure that everyone is cross-trained and to prevent attacks that take a long time to execute from taking place.

  • Stage incidents that pose security risks to validate the policy's effectiveness and to assess how well the organization is trained and can react to an issue.

  • Require that all contractors and business partners agree in writing to abide by the organization's security principles.

  • Establish a set of defensive actions that will be taken in the case of an internal or external violation (for example, shutting off all access, taking servers offline, tracking the intruder for prosecution, complete server rebuild process in case of a complete security failure etc).

  • Include a section in the policy that outlines non-technology security violations (such as dumpster diving, copier violations, posing as an employee, and discussing confidential company information at trade shows or offsite meetings) and the consequences of these actions.

The training and awareness courses should be repeated at regular intervals in order to refresh employees' existing knowledge. Further, security training that is appropriate for their positions should be provided for all new, promoted, and transferred employees. The most important aspect of a training and awareness program, however, is that it is planned and implemented in good time. Training and internal security standards are not effective if they are implemented long after these measures have been introduced.

Physical Security

General Considerations

When the bank looked at physical security, they realized that the computer system must be protected from external as well as internal malicious activities. Generally, this involves housing the computer in a building that is locked and out-of-bounds to unauthorized users. The things we considered when defining the bank's physical security model included securing network connections and controlling physical access to the servers.

Networks and Security

Creating high-level security requires not only user validation and protections on files and other objects, but securing the network itself. In some cases , the computer must be completely isolated. The two risks from network connections are other network users (internal risk) and unauthorized network taps (external risk). If everyone on the network needs to access your secure computer, you will probably prefer to include it on the network to make it easier for them to access the data it contains.

The risk of unauthorized taps is minimized or eliminated if the network is entirely contained in a secure building, If the cabling must pass through unsecured areas, use optical fiber links rather than twisted pair cabling. This will foil attempts to tap the wire and collect transmitted data. Try to control network links as much as possible and use built-in hub, router, or third party tools to track and manage connections to and from the servers.

In the bank's case they chose to disallow any direct internal connections to the perimeter network (also known as DMZ or demilitarized zone). All traffic was set up to be controlled by the outside firewall (currently a Cisco PIX Firewall)and no direct connections between machines and outside servers were allowed.

Controlling Access to the Computer

No computer is completely secure if people other than the authorized user(s) can physically access it. Here are some examples of security measures taken by the bank to restrict physical access:

  • Ensure that only authorized people are allowed to log in at a server's console (audit logins in order to alert administrators if someone other than an authorized user logs in).

  • Provide only administrative access to the floppy drive and CD ROMs on all servers.

  • Install a lock on the CPU case, keep it locked, and store the key safely away from the computer at a secure location.

  • Format all hard disks with NTFS file systems (NTFS).

  • Control access to the power and reset switches, exposing only the computer's keyboard, monitor and mouse. Keep the CPU and removable media drives behind a locked door.

Securing the Server Location

A key component of any physical security model is the security of the location of the company servers. Establishing a secure server location is essential to the success of other security measures. The bank built a new server farm for the servers that are now running the set of online branch offices. Some of the bank's key considerations in constructing the server room included:

Location and space factors

  • Anticipate the need for growth as the online branch network grows, by providing enough extra space to expand the installation to at least double its initial capacity. Also provide enough room to easily maintain, install, relocate, and uninstall equipment.

  • Locate the room in the center of the building in a location with no exterior walls and no windows. However, make sure that the location does not inhibit delivery and removal of equipment.

  • Locate the room close to the building cabling ducts that carry the networking cables to other parts of the building. Ensure that this core "backbone" facility is also secured and that the security control room is set up to monitor all access points.

  • Plan for a security monitoring room adjacent to or in close proximity to the computer room. The staff in this room will monitor all access points and all environmental checkpoints relating to the system on a 24 hour, 7 days a week basis.

  • Ensure that the room is large enough to allow the air-conditioning plant to operate effectively.

Special installations and room modifications

  • Install an air-conditioning system, capable of maintaining a temperature of between 18 and 20 degrees Celsius and sized to cope with a fully loaded room.

  • Install a false floor to accommodate the cabling for the systems and deep enough to allow easy access and reconfiguration.

  • Install a sophisticated alarm system with sensors on all doors, access points, in the ceiling, and in the false floor. These sensors need to include smoke detectors and water detectors as well as movement sensors. Also, include an access control system.

  • Install an emergency power supply that will keep equipment running for eight hours in the event of a power failure.

  • Build solid walls all around and extend the walls above the false ceiling to prevent entry from above.

  • Build a secure, fireproof doorway, wide enough to allow easy delivery and removal of the largest piece of equipment.

Instituting new procedures

  • Limit computer room access to only those people who require it, and have them pass a security clearance check. Include in-house, support and maintenance staff as well as contractors in the check.

  • Implement a regular audit process that tests all monitor points, access points, and environmental checkpoints in addition to testing the manual procedures.

  • Implement a regular Disaster Response exercise to test the validity of the backup media and documentation as well as the ability to restore the system within the minimum time necessary to ensure business continuity.

  • Implement a fully functional change control system. Additional information on this topic is available on the Microsoft Operations Framework (MOF) site

E-mail Usage

Another important task of a security policy is to outline the proper usage of e-mail within the environment that is being secured. Users who do not fully understand the risks involved in sending and receiving mail can provide a simple way for hackers to subvert any security plan. For the bank, we created the following e-mail policy, applicable to all system users.

  • Prohibited: Impersonating someone else or misrepresenting themselves through the use of another's e-mail account, computer, or other bank asset.

  • Prohibited: Bypassing the user-security mechanisms of the mail system (by creating or requesting a fake account, for instance).

  • Prohibited: Modifying the internal mail transport header to forge a routing path that a message takes through the Internet.

  • Required: All e-mail or attachments that are classified or secret be encrypted before they are sent over a public infrastructure (i.e., the Internet) The standard will be to use Secure Multipurpose Internet Mail Extensions (S/MIME)) to secure e-mail when confidential information is being sent across an unsecured link.

  • Required: An automated process must be put in place to make sure that all e-mail Virus software is kept current.

  • Required for users on all systems (especially laptops): Using a password to secure users' personal folder (pst) e-mail store file when the file resides on the local system.

  • Recommended: Using disk encryption on laptops to secure confidential information downloaded to the local system.

  • Recommended against: Opening unknown e-mail attachments. The attachments may contain viruses or hidden malicious code that could steal passwords or damage corporate data.

Virus Protection

It is very important to take precautions to protect your computers, servers, and their data from viruses. There are many types of viruses that can cause serious damage to a computer system. For example there are:

  • File viruses that attach to program files and run when the infected program is launched. After the virus is finished loading, it loads and executes the program that it has infected.

  • Master Boot Record (MBR) viruses that exploit the master boot code that runs automatically when the computer starts up. MBR viruses are activated when the basic input/output system (BIOS) activates the master boot code, before the operating system is loaded. Many viruses replace the MBR sector with their own code and move the original MBR to another location on disk. When the machine boots, the virus loads and runs.

  • Macro viruses that attach their macros to program templates and other files. When the application opens the file, the template is loaded and the virus instructions are executed.

  • Hidden viruses that hide as a piece of system code or other system file. The system thinks it is launching a mail program, but instead the virus runs and gains system level privileges.

  • Worms. They are similar to viruses, but differ in that they seek out other systems to infect, then copy the virus code to them.

This list continues to grow everyday. Therefore, it is imperative that a completely automated virus protection scheme be put into place. The bank elected to use a commercial anti-virus program designed for Windows 2000 (Norton Internet Security 2000) to deal with this issue. They also created procedures for ensuring that all systems are not only updated on a regular basis but also checked regularly for compliance with the current virus patch level. Also, to make sure viruses were not distributed via removable media, the bank established a procedure for scanning all removable media.

Also, Microsoft provides a customized anti-virus tool, AVBoot, that can be used for many types of viruses. AVBoot is located in the \Valueadd\3rdparty\Ca_antiv folder of the Windows 2000 Setup CD. This tool scans the memory as well as the MBR and all boot sectors of every locally installed disk.

Remote Access Control

Windows 2000 lets you set dial-in privileges for accounts through the Remote Access Control Policy by default. This is the preferred method for controlling remote access securely. You can explicitly grant or deny dial-in privileges by selecting "Allow Access" or "Deny Access." It is important to control remote access by policy and to communicate that policy to all users. Some of the key components of the bank's virtual private network (VPN) strategy are:

  • All VPN connections must use user-level authentication and be disconnected when authentication fails.

  • All Remote Access Service (RAS) servers must grant administrators administrative access to these systems at all times.

  • No unauthorized RAS servers are allowed inside or outside the corporate network (Rouge RAS servers, private RAS servers, desktop modem access, etc. will not be tolerated).

  • All Remote Access policies apply to all external networks.

  • All shares must use specific user-level permissions (no anonymous, guest or "everyone" access is permitted).

  • All communications must be encrypted.

  • Intrusion detection tools are required for auditing and security assessments on all external network connections.

From a desktop user's perspective, remote access has many options an organization can use to maintain a secure network environment. The options are:

  • Require users to change their Windows 2000 account passwords periodically.

  • Store all passwords using reversible encryption.

  • Require use of a Smart Card for interactive logon from secure VPN-based workstations.

  • Set Data Encryption Standard (DES) encryption types for individual accounts.

Auditing System Resources

Auditing policies are essential to ensure the security and integrity of an organization's systems. Every computer system in the bank's environment was configured with security logging. This was accomplished using audit policies defined within Group Policy. Through group policy, the bank set auditing policies for each site, domain, and organizational unit within the perimeter zone's Windows 2000 Active Directory. Policies were also set for an individual workstation or server (see the white paper, Data Security and Data Availability, for details). General auditing options include:

  • Audit account logon events

  • Audit account management

  • Audit directory services access

  • Audit logon events

  • Audit object access

  • Audit policy change

  • Audit privilege use

  • Audit process tracking

  • Audit system events

The Bank decided upon the following levels of auditing:


Level of Auditing

Account logon events

Success, failure

Account management

Success, failure

Directory service

No auditing

Logon events

Success, failure

Object access


Policy change

Success, failure

Privilege use

Success, failure

Process tracking

No auditing

System events

Success, failure

Encryption Strategies

It is important to realize that you can configure many security barriers to prevent unauthorized users from getting into the network. However, it is still probable that someone will get through. Using network encryption ensures that if they do get through, they still can't read the information they find. Some of the key encryption strategies that should be considered are S/MIME, Digital Certificates, Authenticode and the Encrypting File System (EFS).


The bank's security policy document contains a section that deals with sending e-mail to vendors. In order to be considered secure, all e-mail must be encrypted using Secure Multi-Purpose Internet Mail Extensions (S/MIME), the emerging standard for encrypting e-mail. It is a secure method of sending e-mail that uses the Rivest-Shamir-Adleman (RSA) encryption system. S/MIME is included in both Microsoft and Netscape's Web browsers. It has been submitted as a standard to the Internet Engineering Task Force (refer to RFC 1521).


Part of the security template that is applied to the domain includes policies for Internet Protocol Security (IPSec). (IPSec is covered in detail in other parts of this guide.) Basically, IPSec provides encryption for network sessions using the Internet Protocol (IP). IPSec promises to offer transparent and automatic encryption of network connections.

For example, the bank set an IPSec packet-filtering policy on every Web server in production, which provides an extra level of security in case the outside firewall is breached. Multiple levels of security technology are often considered a good practice. The administrator can use the IPSec graphical tool or the IPSecPol command-line tool to deploy IPSec policy.

Secure Sockets Layer (SSL) Digital Certificates

The bank decided to make use of the Windows 2000 Public Key Infrastructure (PKI). This allows them to create an encrypted pipe for all confidential business transactions. Also, they will be issuing certificates using the Windows 2000 PKI to remote business partners over the Web. The primary components of the Windows PKI are: 1) Certificate Services, a core operating system service that allows businesses to act as their own certificate authority (CA), and issue and manage digital certificates, and 2) Active Directory™ directory service, a core operating system service that provides a single place to find network resources. Active Directory serves as the publication service in the PKI.

Digital certificates are used to guarantee that the person the confidential information is sent to is the only person who can read it. This is because only the recipient has the secret key that can be used to decipher the message. In the bank's case, the bankwill act as the issuing authority, digitally sign the digital certificate and send it to the user. The user will then use these certificates to encrypt all confidential information being transmitted on the network. Also, all partner workstations that have direct access to confidential or secret corporate information stored in the perimeter network will be required to use client side certificates that will be issued by the bank's certificate server.


The Encrypting File System (EFS) is a very important technology in our security model. EFS is the core file-encryption technology for storing files and directories encrypted on disk. It is based on public key technology, and runs as a service. It is very difficult to attack and it addresses security concerns when third party tools or remote users attempt to gain access to a file. Also, if the security of a laptop is breached and the drive is confiscated, it is basically useless to the attacker if EFS is used. Bank policy states that all users who use laptops and carry confidential or secret materials (top secret materials may not be removed from their secure location and placed on a laptop) must use Windows 2000 and EFS.

Securing the Server

As Windows NT and Windows 2000 systems become pervasive and ubiquitous, they are also receiving more and more attention from hackers. A secure system today may be made vulnerable by a new discovery tomorrow. There are many decisions to make when securing your Windows 2000 servers. In this section, we will cover general tasks involved in securing a Windows 2000 server. Refer to the white paper Data Security and Data Availabilityfor End Systems for step-by-step procedures and a detailed description of our approach at the bank.

Controlling the Workstation

Controlling Downloadable Content

One part of the security model that is often overlooked is the client workstation. User machines sitting directly on the Web with the ability to receive or download any type of file or executable can represent a serious security hole. This is particularly the case when these users are directly connected to the Web via some type of "always on" device (for instance, digital subscriber line (DSL) and cable modem). Therefore, the importance of including measures in your security plan that help users to understand and control the security of their own workstations cannot be stressed enough.

Let's take a look at ways to understand this by looking at how Authenticode works for IE users and other important steps to securing the workstation.


Authenticode enables developers to digitally sign their software code, allowing remote users to verify the publisher of the software before they download it from the Internet. Verifying the digital signature also ensures that the software hasn't been tampered with during downloading. For the bank, we set the browser safety level for active content to "High" for users and "Medium" for administrators. If, during an attempt to download a file, users receive a message that looks like

Security Warning

Warning: The authenticity of this software cannot be verified, therefore this software cannot be trusted.

Problem/s listed below: <description of problem>

Are you sure that you want to install and run <program> distributed by <Publisher>?

The users are instructed to contact their local administrator. This administrator will contact the administrator of the Web site that contains the self-extracting executable file in order to report the problem and seek a resolution. Only after the administrator has tested and verified that the content does not pose a security risk will the user then be allowed to download the file.

Auditing and Monitoring

A risk is not a defined risk until it is uncovered and actions can be put into place to mitigate the concerns. This same type of reasoning applies to securing workstations on the periphery of the network architecture. Many users are unaware of the types of doors they have unknowingly left open on their local workstation. These types of risks are often discovered only after a serious security incursion has occurred.

For example, a hacker might try to contact the Internet Server on a local PC that many users are unaware they have and start using it without the users' knowledge or permission. They may also try to gain access to the local shares on the workstation and start grabbing confidential or even personal files. For example, most Windows systems, with the Network Neighborhood installed, hold the NetBIOS ports wide open to solicit connections from all passing traffic. Many hackers rely on these types of oversights to gain access to an unsuspecting user's machine.

To prevent these types of problems from occurring, the bank made all internal machines subject to scans by the bank's internal security tools. All local accounts and shares are secured by policy. If a machine has no reason to share files, that function is removed from the system.

At a more tactical level, begin by categorizing all information on each local workstation. Information categorized as unclassified can be shared freely. However, anything categorized as confidential or secret must be placed on an EFS volume on a Windows 2000 workstation, and all sharing of this information must be controlled by the administration staff. Information categorized as "Top Secret" must never be placed in "unsecured" locations. It can be placed only on tightly controlled servers or in an EFS volume on a Windows 2000 workstation that is completely off the network.

The security policy for all remote workstations requires that they run some type of Internet security software and be subjected to internal security audits. One tool that has been particularly effective at providing a first look at the security of a workstation is Shields Up™ by Gibson Research. This is an excellent tool that can show users the true extent to which their machines are unsecured. It can be found at

Lastly, two tools to consider using to proactively monitor and configure security on remote workstations are: BlackICE and Norton Internet Security™ 2000. BlackICE (from is a tool that:

  • Detects unauthorized intrusions on any Windows 95, 98, NT or Windows 2000 (in beta) system connected to the Internet via DSL, Integrated Services Digital Network (ISDN), cable, or standard modem.

  • Is a silent, passive operation, like its namesake. Hackers cannot detect BlackICE running and therefore cannot disable it.

  • Gathers information about attackers using sophisticated backtracing features. Dynamic filters and advanced monitoring algorithms ensure that legitimate Internet or network traffic is unaffected.

  • Can automatically block all inbound traffic from an intruder without any effect on legitimate traffic.

The Norton Internet Security 2000 tools for Windows 95 and Windows 98 ( ) are more of a set of packaged tools. Some of the features include (from their Web site):

  • Virus scanning

  • Security alerts

  • A personal firewall and the ability to create filters and rules

  • Ability to control and monitor downloaded Java/ActiveXControls

  • Offline protection that prevents any Internet activity until a user logs back in

  • Controls to safeguard personal and confidential information online

The bank security team's plan is to require that all remote Web workstations use a tool such as BlackICE or the Norton Internet Security 2000 tools (if they don't already have a virus checker and are running Windows 98) to secure their remote workstation. Securing these remote workstations completes our end-to-end security model.