Deploying Secure Clients in a Business Environment

By Debra Littlejohn Shinder, MCSE and Microsoft Windows Security MVP


In many business environments, the IT security focus is on the network’s servers. After all, that’s where most of the mission-critical data is typically stored. However, it’s equally important to secure the client computers that connect to those servers. This article provides an overview of the basic components involved in deploying secure Windows client computers in small to midsize business environments, with the main focus on using security mechanisms integrated in the Windows XP operating system and those available free from Microsoft.

The importance of a multilayered security strategy

To be effective, any security strategy must be multilayered. There is no single solution to protect client computers from the multiplicity of threats that exist on the Internet and internally. Further, client systems don’t exist in a vacuum. By definition, they interoperate in a client-server environment with other network devices, and the security of those devices and the network is an important element in securing the clients.

A multilayered approach, then, involves two prongs:

  • Client-side security features and tools

  • Network-based security features and tools

Special challenges arise in conjunction with securing client computers that connect to the network via remote access and those that connect over a wireless link. And because of these challenges, remote access and wireless security should form another layer in your overall security strategy.

In this article, we’ll focus on client-side features and tools, but administrators should keep in mind that this is only half the picture. The security of client computers also relies on network-based and server-side features and tools such as:

  • Perimeter (network-based) firewalls and IDS/IDP

  • Active Directory security and domain-based Group Policy

  • Public Key Infrastructure/certificate services

  • Network Access Protection (NAP)

  • IP Security (IPsec)

  • Server-based patch/update management solutions such as Windows Server Update Services (WSUS) and Systems Management Server (SMS)

  • Forefront Client Security (currently in beta testing)

  • Exchange Intelligent Message Filter

Attack vectors

There are many means by which attackers and intruders can get into client computers. Some of these include:

  • E-mail (both HTML mail messages themselves and e-mail attachments).

  • Malicious Web sites (embedded ActiveX controls, Java applets, scripts, and other “drive-by downloads”).

  • Instant-messaging programs and IRC.

  • Peer to peer (P2P) file-sharing programs and services.

  • “Piggybacking” on legitimate downloads (often used by spyware).

  • Taking advantage of vulnerabilities in the way networking protocols work or vulnerabilities in the operating system or application code.

  • Taking advantage of misconfigured software.

  • The human element (exploited by social engineers to discover passwords and other information that can be used to infiltrate the network).

The benefits of integrated security

There is a plethora of security tools available that can help businesses protect against the most common security threats, including third-party commercial products and freeware. However, security tools that are integrated into the operating system offer some distinct advantages:

  • Cost-effectiveness. Tools that are built into the Windows client OS, that come with the Windows servers with which the clients interact, or that are designed by the OS vendor and offered as a free download to users of the OS don’t add extra costs to tight budgets.

  • Compatibility. Tools that come with the OS or that are made by the OS vendor are more likely to install and perform their tasks without causing conflicts and crashes.

  • Usability. Integrated tools, in many cases, provide a more familiar interface than third-party products, resulting in a less-steep learning curve.

The top security threats

Some of the top security threats to client machines include:

  • Attacks, including operating system, application and protocol exploits that can crash the system, flood the network and result in denial of service, or allow intruders to view, change, or destroy files on the computer or on the network.

  • Viruses, worms, Trojans and other malicious software that can be introduced via e-mail attachments, Web pages, infected removable disks, etc., and can crash the system, create a “back door” allowing attackers to take control of the computer, erase data, and so forth.

  • Spyware, often installed from a malicious Web site or as a “ride along” with applications installed by the user, that can collect information from the user’s system and send it to the spyware author’s site or e-mail address.

  • Access to files stored on the hard disk, either across the network or locally on a shared computer, allowing unauthorized persons to view, change, or delete the data.

  • Interception of communications sent across the network by packet “sniffers” (protocol analyzers, network monitors), allowing unauthorized persons to read the data inside the packets.

Microsoft provides mechanisms to address all of these security concerns, which can be used in place of or in conjunction with third-party security products.

Client-side security features and tools

Client-side security features and tools include those that are built into the Windows XP (and later, Vista) operating system or that can be downloaded to run on it. These include patch/update management services, host-based firewall protection, virus/malware and spyware protection, the NTFS file system, and the Encrypting File System (EFS).

Patch/update management
To protect against attacks that exploit vulnerabilities in the operating system, applications, and protocol stacks, those vulnerabilities must be patched as quickly as possible once a security update has been tested and released. Client systems should be running the latest service pack, which includes numerous security enhancements. Windows XP includes the Automatic Updates feature, which can be configured to automatically download and install critical updates, download updates but wait for the user to choose when to install them, or notify the user that updates are available and let the user decide whether/when to download and install them.

When Automatic Updates is enabled, Windows periodically checks Windows Update (or Microsoft Update once you have opted in to it, or an internal WSUS server if policy points the client there) to determine what new updates are available. Microsoft Update provides operating system security updates like Windows Update, but also includes updates for Microsoft Office and other Microsoft software. The Microsoft Update site is at https://update.microsoft.com/microsoftupdate.

You can select the frequency (every day or a specified day of the week) and time of day to automatically download and install updates. With the updated version of Automatic Updates in XP SP2, you can choose to install updates that have been downloaded before shutting down the computer. The Automatic Updates feature is configured through the Control Panel applet.

To determine what security updates are missing on your client computers, you can use the Microsoft Baseline Security Analyzer (MBSA) to scan multiple systems simultaneously. MBSA 2.0 scans for security updates based on the Microsoft Update catalog, as well as for misconfigurations and administrative vulnerabilities in Windows 2000, Windows XP, Windows Server 2003, IIS 5.0, 5.1, and 6.0, Internet Explorer 5.01, 5.5, and 6.0, Microsoft SQL Server 7.0 and 2000, and Microsoft Office 2000, XP, and 2003.

The MBSA is designed to be used with Microsoft Update and, in larger organizations, with Windows Server Update Services (WSUS) and Systems Management Server (SMS). It can be downloaded at https://www.microsoft.com/technet/security/tools/mbsa2/default.mspx#E3C.
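As an added example (this is not code from the original article), the following Windows PowerShell script sets the Automatic Updates policy values that a domain GPO would write, optionally points the client at an internal WSUS server, and runs an offline MBSA update scan across a list of clients. The registry paths and value meanings are the documented Windows Update policy settings; the WSUS URL, file paths and the MBSA install location are assumptions.

```powershell
# Added example, not code from the original article. Run as an administrator on the client.
# Policy values under HKLM\SOFTWARE\Policies win over the Control Panel settings described
# above; a domain GPO writes exactly these values, so this is also a way to inspect what a GPO did.

$WuPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$AuPolicy = "$WuPolicy\AU"

function Set-AutoUpdatePolicy {
    param(
        [int]$AUOptions   = 4,     # 2 notify before download, 3 auto-download and notify,
                                   # 4 auto-download and schedule the install, 5 let local admin choose
        [int]$InstallDay  = 0,     # 0 every day, 1 Sunday ... 7 Saturday
        [int]$InstallHour = 3,     # 0-23 local time; pick a time the machines are on
        [string]$WsusUrl  = ""     # e.g. "http://wsus.corp.example:8530" (assumed host); "" = Microsoft Update
    )
    if (-not (Test-Path $AuPolicy)) { New-Item -Path $AuPolicy -Force | Out-Null }

    Set-ItemProperty -Path $AuPolicy -Name NoAutoUpdate         -Value 0            -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name AUOptions            -Value $AUOptions   -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    # Finish the install at the next restart instead of rebooting under a logged-on user.
    Set-ItemProperty -Path $AuPolicy -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

    if ($WsusUrl -ne "") {
        # Download from and report to the internal WSUS server instead of Microsoft Update.
        Set-ItemProperty -Path $WuPolicy -Name WUServer       -Value $WsusUrl -Type String
        Set-ItemProperty -Path $WuPolicy -Name WUStatusServer -Value $WsusUrl -Type String
        Set-ItemProperty -Path $AuPolicy -Name UseWUServer    -Value 1        -Type DWord
    } else {
        Set-ItemProperty -Path $AuPolicy -Name UseWUServer -Value 0 -Type DWord
    }
    # The Automatic Updates service reads the policy on its next detection cycle;
    # restarting it makes the change take effect now.
    Restart-Service wuauserv
}

function Get-AutoUpdatePolicy {
    # Returns the policy values as an object, or $null when no policy is set
    # (in which case the Control Panel settings apply).
    if (Test-Path $AuPolicy) { Get-ItemProperty -Path $AuPolicy } else { $null }
}

function Invoke-MbsaUpdateScan {
    param(
        [string]$HostListFile = "C:\Scans\clients.txt",    # one computer name per line (assumed path)
        [string]$Catalog      = "C:\Scans\wsusscn2.cab"    # offline update catalog (assumed path)
    )
    # mbsacli.exe is the MBSA 2.0 command-line scanner (assumed default install path).
    # /n names the checks to SKIP, so this runs only the security-update check;
    # /catalog with /nd scans against the local catalog without downloading anything;
    # /nvc skips the MBSA version check; /wi lists updates even if WSUS has not approved them.
    $Mbsa = "${env:ProgramFiles}\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
    & $Mbsa /listfile $HostListFile /n "OS+SQL+IIS+Password" /catalog $Catalog /nd /nvc /wi
}
```

A typical run is `Set-AutoUpdatePolicy -WsusUrl "http://wsus.corp.example:8530"` followed later by `Invoke-MbsaUpdateScan`; MBSA writes one report per scanned computer under the scanning user's SecurityScans folder, and any client still reporting missing updates after the scheduled install window is the one to look at first.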

Firewall protection
Many types of attacks can be prevented by using firewalls to block the attack vectors. Ports commonly probed by attackers can be blocked to reduce the attack surface. A multilayered security strategy utilizes both a perimeter (network-based) firewall such as Microsoft ISA Server at the edge of the LAN and a host-based or “personal” firewall on the client machine. All versions of Windows XP ship with a host-based firewall: the original Internet Connection Firewall (ICF), which is off by default, and, from SP2 on, the redesigned Windows Firewall, which is turned on by default for all network connections.

The Windows Firewall blocks unsolicited inbound connections by default. When a program starts listening for inbound connections, a Windows Security Alert asks whether to unblock it or keep blocking it. You can also manually create exceptions for programs and services you trust or open specific TCP or UDP ports; where possible, scope each exception to the local subnet or to specific addresses rather than to any address. The firewall is configured through the Windows Firewall applet in the Control Panel (also reachable from the Security Center) or, from the command line, with the netsh firewall context. You can read more about manually configuring the Windows Firewall at https://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx.

Of course, in an Active Directory environment, client firewall configuration is best handled via Active Directory GPOs, which can define separate settings for the domain profile (used when the client can reach its domain controller) and the standard profile (used on any other network), with the option of allowing users to create exceptions or otherwise configure it.

The Windows Firewall in XP is one-way only (it filters only inbound connections; anything already running on the client can connect out freely). The firewall in Windows Vista can filter both inbound and outbound traffic for even greater client security, but note that its outbound filtering allows all traffic by default; it adds protection only once you define outbound rules.
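The following Windows PowerShell script is an added example, not code from the original article. It applies a client firewall baseline of the kind described above with the netsh firewall context of Windows XP SP2/SP3: firewall on for both profiles, the built-in service exceptions closed, Remote Desktop reachable only from an administrative subnet on the domain profile, one scoped program exception, and logging of dropped packets. The admin subnet, the program path and the log path are assumptions.

```powershell
# Added example, not code from the original article. Uses the "netsh firewall" context of
# Windows XP SP2/SP3 (Vista and later replaced it with "netsh advfirewall"). Run as an
# administrator. The admin subnet, program path and log path are assumptions.

function Set-ClientFirewallBaseline {
    param(
        [string]$AdminSubnet = "10.0.1.0/24",                          # where help-desk RDP sessions originate (assumed)
        [string]$AgentPath   = "C:\Program Files\Contoso\agent.exe",   # an inventory agent that must accept connections (assumed)
        [string]$LogFile     = "C:\WINDOWS\pfirewall.log"
    )
    # Firewall on for every connection and for both profiles: DOMAIN (client can reach its DC)
    # and STANDARD (any other network, e.g. a hotel or home LAN). Exceptions stay allowed
    # because the scoped ones below depend on it.
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

    # Close the built-in service exceptions that XP clients rarely need to expose.
    netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
    netsh firewall set service type=UPNP         mode=DISABLE profile=ALL
    netsh firewall set service type=REMOTEADMIN  mode=DISABLE profile=ALL

    # Remote Desktop: allowed, but only from the admin subnet and only on the domain profile;
    # on the standard profile (hotel, home) it stays closed.
    netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=$AdminSubnet profile=DOMAIN
    netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=STANDARD

    # A program exception rather than a port exception: the listener is reachable only while
    # the program runs, and only from the local subnet. Positional arguments
    # (program, name, mode, scope) sidestep quoting problems with a path containing spaces.
    netsh firewall add allowedprogram $AgentPath "Contoso Agent" ENABLE SUBNET

    # Log dropped packets (not every successful connection) so you can see what is probing the client.
    netsh firewall set logging filelocation=$LogFile maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE
}

function Get-ClientFirewallState {
    # Text report of the effective configuration for both profiles. Check that the
    # operational mode is Enable on each and that the allowed-programs and port lists
    # contain only what you added.
    netsh firewall show config
}
```

The same settings exist as Group Policy under Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, in separate Domain Profile and Standard Profile folders; a GPO applied that way overrides what netsh set locally, so use the script for stand-alone machines or for checking what the GPO produced.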

Virus/malware/spyware/spam protection
Malicious software -- including viruses, worms, Trojans, rootkits, malicious ActiveX controls, scripts and Java applets, and spyware/adware -- presents one of the greatest threats to security, because malicious code can do harm in so many different ways.

Microsoft provides a number of tools for dealing with malicious software, including:

  • Malicious Software Removal Tool (MSRT). This is a free tool that you can use to scan your client computers for the most prevalent viruses, worms, rootkits, and other malware. It doesn’t remove the need for a good network-based and/or client-based antivirus program, but it can detect and remove many malware infections. It is updated monthly and delivered through Windows Update/Microsoft Update or downloaded at https://www.microsoft.com/security/malwareremove/default.mspx.

  • Windows Defender. This is a free tool that detects and removes known spyware programs, either on demand or according to a schedule you specify. Spyware presents a serious security threat in the business environment because it can collect personal information from your client computers and send it to someone else over the network, usually without the users’ knowledge or permission. A voluntary network of users (SpyNet) reports potential threats so they can be identified and quickly added to the definition database. In beta testing at the time of this writing, Windows Defender can be downloaded at https://www.microsoft.com/athome/security/spyware/software/default.mspx.

  • Windows Live Safety Scanner. This is a free Web-based service that scans the computer for viruses and also offers a disk cleanup and a performance tune-up. It runs from https://www.microsoft.com/athome/security/update/windows_live_safety_center.mspx.

  • IE security settings. To protect against malicious software that can infect client computers via Web pages, Internet Explorer provides numerous safety features and settings that can be configured to provide a high level of security. Using the security zone concept, you can specify according to where the site is located (Internet or intranet) whether and how ActiveX controls run, script behavior, how and whether applications can be launched, and so forth. You can populate a Trusted Sites zone where the security level is lower, and a Restricted Sites zone with the tightest security (most behaviors are disabled). Because the zone is chosen from the site’s address, any site that ends up in the Local intranet or Trusted Sites zone gets the weaker settings, so keep those zones short and review them. In Advanced settings, you can configure many security mechanisms, such as forcing IE to empty the browser cache on exit, prohibiting saving encrypted pages to disk, having IE check digital certificates for revocation, and so forth. IE 7 provides additional security, such as a phishing filter, an ActiveX “opt-in” feature, and, when run on Windows Vista, a “protected mode” that takes advantage of the new operating system’s User Account Control (UAC) security. As with the Windows Firewall, in an Active Directory environment, IE settings are best managed through AD GPOs.

  • Outlook Express/Outlook junk mail filtering. Spam (junk mail) may consist merely of unwanted advertising messages, but it’s often used to distribute malware, as well, and thus can present a security threat to client computers. Microsoft mail clients, Outlook Express and Outlook, include junk mail filtering features that allow you to block specific senders or domains (blacklists) and create message rules. In Outlook, you can create lists of safe senders and safe recipients (whitelist), enable heuristics-based filtering, block messages with foreign character sets, and much more.
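The IE zone settings described in the list above can be scripted directly, since each zone is a registry key whose numeric value names are IE’s documented URL actions. The following Windows PowerShell script is an added example, not code from the original article: it locks down the Internet and Restricted sites zones, assigns one site to Trusted sites, and sets the three Advanced-tab options mentioned above. The site name is an assumption.

```powershell
# Added example, not code from the original article. Writes the per-user IE zone settings
# the article describes; the numeric URL-action names (1001, 1200, ...) and the zone numbers
# are the documented IE security-zone registry values. Domain names are assumptions.

$InetKey  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$ZonesKey = "$InetKey\Zones"              # subkeys 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted
$ZoneMap  = "$InetKey\ZoneMap\Domains"    # which sites are assigned to which zone

# Every URL action takes the same three values.
$Enable = 0; $Prompt = 1; $Disable = 3

function Set-IEZoneLockdown {
    $internet   = "$ZonesKey\3"
    $restricted = "$ZonesKey\4"

    # Internet zone: nothing gets installed from an arbitrary site, controls already on the
    # machine run only after a prompt, and pages cannot launch programs. Scripting stays on
    # because most sites break without it; the Restricted zone turns that off too.
    Set-ItemProperty -Path $internet -Name 1001 -Value $Disable -Type DWord   # Download signed ActiveX controls
    Set-ItemProperty -Path $internet -Name 1004 -Value $Disable -Type DWord   # Download unsigned ActiveX controls
    Set-ItemProperty -Path $internet -Name 1200 -Value $Prompt  -Type DWord   # Run ActiveX controls and plug-ins
    Set-ItemProperty -Path $internet -Name 1201 -Value $Disable -Type DWord   # Initialize/script controls not marked safe
    Set-ItemProperty -Path $internet -Name 1806 -Value $Disable -Type DWord   # Launching applications and unsafe files

    # Restricted sites: no ActiveX, no active scripting, no Java, no launching anything.
    foreach ($action in 1001, 1004, 1200, 1201, 1400, 1402, 1405, 1806) {
        Set-ItemProperty -Path $restricted -Name $action -Value $Disable -Type DWord
    }
}

function Add-IETrustedSite {
    # Maps one scheme of one domain into a zone. "intranet.corp.example" is an assumed name.
    # Only the scheme given is trusted, so the plain-http version of the site stays in the
    # Internet zone. For a host under a domain use a nested key: ...\Domains\corp.example\intranet.
    param([string]$Domain, [string]$Scheme = "https", [int]$Zone = 2)
    $key = "$ZoneMap\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $Zone -Type DWord
}

function Set-IEAdvancedHardening {
    # The Advanced-tab settings mentioned in the article, by their registry names.
    Set-ItemProperty -Path $InetKey -Name CertificateRevocation    -Value 1 -Type DWord   # Check for server certificate revocation
    Set-ItemProperty -Path $InetKey -Name DisableCachingOfSSLPages -Value 1 -Type DWord   # Do not save encrypted pages to disk
    Set-ItemProperty -Path "$InetKey\Cache" -Name Persistent       -Value 0 -Type DWord   # Empty Temporary Internet Files on exit
}

function Get-IEZoneSetting {
    # Read one action back, e.g. Get-IEZoneSetting 3 1200 returns 1 after Set-IEZoneLockdown.
    param([int]$Zone, [string]$Action)
    (Get-ItemProperty -Path "$ZonesKey\$Zone" -Name $Action).$Action
}
```

These values live in HKCU, so they apply to the user who runs the script and can be changed back from the Internet Options dialog. To enforce them for every user of the machine, enable the “Security Zones: Use only machine settings” policy, after which IE reads the same values from the HKLM hive instead; a domain GPO can set both.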

NTFS file security and EFS
Some attackers want to crash your computer, but others want to snoop on, steal, or destroy your precious data. Operating systems and applications can always be reinstalled, but user-created data is often unique and can be irreplaceable. To protect against unauthorized persons accessing or manipulating users’ files stored on their computers, Microsoft provides built-in solutions:

  • File level access controls on NTFS partitions. The owner of a file (and administrators) can set permissions specifying which users and groups can access it and at what level (read, modify, full control), and those permissions are enforced for both local and network access. Note that NTFS permissions hold only while Windows is enforcing them: anyone who can boot the machine from other media or move the disk to another computer reads the files freely, which is why EFS matters for portable computers.

  • Encrypting File System. Users can encrypt sensitive documents on NTFS partitions with EFS, which uses a combination of secret key (symmetric) and public key (asymmetric) encryption: each file is encrypted with a random symmetric key, and that key is in turn encrypted to the public key of the user who encrypted the file, to any users who have been granted access, and to the designated recovery agent. The recovery agent’s certificate and private key should be generated before users start encrypting and saved to removable media kept off the client. A PKI is preferred but not required; without one, EFS issues self-signed user certificates. Two caveats: EFS protects files only at rest on NTFS (a file copied to a FAT volume or opened over an ordinary network share travels decrypted), and on a stand-alone XP computer the user’s EFS keys are protected by the account password, so an administrator resetting a local account’s password (as opposed to the user changing it) makes that user’s files unreadable unless a recovery agent key exists. Best practices for EFS usage can be found at https://support.microsoft.com/kb/223316/.
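As an added example (not code from the original article), the following Windows PowerShell script ties the two mechanisms above together: it gives a folder a tight NTFS ACL with inheritance cut, generates the EFS recovery agent’s certificate and key with cipher.exe before anything is encrypted, and then encrypts the folder as its owner. The folder, account name and drive letters are assumptions.

```powershell
# Added example, not code from the original article. Protect-ConfidentialFolder and
# New-EfsRecoveryAgent run as an administrator; Enable-EfsOnFolder must run as the user who
# will own the files, because EFS keys belong to the account that encrypts. cipher.exe ships
# with XP. Folder, account and drive letters are assumptions.

function Protect-ConfidentialFolder {
    param(
        [string]$Folder = "D:\Confidential",
        [string]$Owner  = "CORP\alice"      # the user who will work with the files (assumed)
    )
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

    $acl = Get-Acl -Path $Folder
    # Stop inheriting the drive root's ACL (which typically grants Users read access) and drop
    # the inherited entries, so the three rules added below are the whole ACL.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    foreach ($principal in $Owner, "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, "FullControl", $inherit, "None", "Allow")
        $acl.AddAccessRule($rule)
    }
    # The inheritable rules propagate to everything under the folder.
    Set-Acl -Path $Folder -AclObject $acl
}

function New-EfsRecoveryAgent {
    # Generate the data recovery agent's certificate and private key BEFORE users encrypt
    # anything; files encrypted earlier are not covered. cipher /R writes <name>.cer (import it
    # as the recovery agent under Public Key Policies in Local Security Policy or a domain GPO)
    # and a password-protected <name>.pfx (the private key: keep it on removable media, off the client).
    param([string]$KeyBase = "E:\efs-recovery")     # removable drive letter (assumed)
    cipher "/R:$KeyBase"
}

function Enable-EfsOnFolder {
    # Run as the file owner. /E marks the directory (and, with /S:, its subdirectories) so new
    # files are encrypted automatically; /A also encrypts the files already there.
    param([string]$Folder = "D:\Confidential")
    cipher /E /A "/S:$Folder"
}

function Get-EfsState {
    # Lists the folder's contents with a status letter: E = encrypted, U = not encrypted.
    param([string]$Folder = "D:\Confidential")
    cipher "$Folder\*"
}
```

Order matters: create and import the recovery agent first, then encrypt. Check with Get-EfsState after the user’s first session that everything shows E; a file that shows U after being edited usually means it was saved by an application that writes a new file into an unencrypted temporary location and then moves it.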

Securing remote access clients

Security of remote access clients is particularly important because these systems may connect to unsafe networks, become infected with viruses or malware, and pass these on to other computers on the LAN. Laptop computers are often used to connect to the Internet from home, hotels, wireless hot spots, and other networks that may or may not have strong perimeter protection. A remote access client could even be connected to the Internet over an unsecured connection while at the same time connected to the company network via VPN (split tunneling), becoming an unwitting vector for an attack on the LAN.

More so than with on-site computers, remote access clients should have all the latest service packs and security updates, run good antivirus software, and have personal firewall software installed and enabled. Network Access Protection (NAP) is built into Windows Vista and a NAP client will be available for Windows XP. NAP allows you to enforce “health” requirements on client computers so that you can allow them to connect to the LAN only if they are properly updated and configured with up-to-date antivirus signatures and proper firewall settings. For more information about NAP, see https://www.microsoft.com/technet/itsolutions/network/nap/napfaq.mspx.

Securing mobile/wireless clients

Security is likewise particularly important for wireless clients. Because wireless transmissions travel across the airwaves, they are easier to intercept than transmissions on a wired network. “War drivers” with Wi-Fi-enabled laptops and high-gain antennas can sit parked on the street and, if the network is open or weakly protected, gain access to your company’s network.

Many wireless security measures are implemented at the wireless access point (WAP), or consist of infrastructure design decisions such as placing the wired and wireless networks on separate subnets. However, client computers must be configured properly to take advantage of some of these security measures.

Due to the inherent weaknesses of Wired Equivalent Privacy (WEP), wireless clients should be configured to use Wi-Fi Protected Access (WPA) instead, and WPA2 (AES-CCMP) where both the access point and the client support it. In addition to stronger encryption, WPA in its enterprise mode authenticates users through 802.1X and the Extensible Authentication Protocol (EAP): EAP-TLS authenticates with user or computer certificates, and PEAP with MS-CHAP v2 uses domain passwords inside a TLS tunnel. A WPA client is included in XP SP2; for SP1 clients, the WPA client can be downloaded at https://support.microsoft.com/kb/826942/ as part of the wireless update rollup package.

For a guide to best practices in deploying wireless clients, see https://www.microsoft.com/technet/prodtechnol/winxppro/deploy/wideprec.mspx.

The future of client security

This article touches upon some of the mechanisms built into the Windows XP operating system that can be used to secure client computers. The battle to stay ahead of hackers and attackers is an arduous and ongoing one, but the future of client security looks bright for organizations that deploy Windows clients.

Windows Vista, the next generation client operating system, includes many additional client security features. In addition to the two-way firewall and built-in NAP, new Vista security features include:

  • User Account Control to protect against malware using elevated privileges even when users are logged on with administrative accounts.

  • Windows Defender built into the operating system.

  • IE protected mode that leverages UAC to reduce the browser attack surface.

  • Improved smart card support for easier deployment of multifactor authentication.

  • BitLocker full-volume encryption to better protect the data on lost or stolen laptops.

These features will be complemented by new security mechanisms in the next version of Windows Server and Microsoft’s new security applications such as the Forefront family of security products, which includes Forefront Client Security to protect clients from viruses, spyware, and other malware in the enterprise environment.