CHAPTER 8: HARDENING CLIENT COMPUTERS
OPERATING SYSTEM SECURITY FEATURES
- Microsoft Windows 98/Windows Me
- Windows NT 4.0
- Windows 2000 Professional
- Windows XP with Service Pack 2
DESIGNING CLIENT SECURITY TEMPLATES
- Create a custom security template for each client role: desktop, laptop, kiosk
- Base custom templates on the default workstation templates
- Never modify the default security templates
DESIGNING A CLIENT COMPUTER OU MODEL
- Create OUs for different operating system versions
- Avoid using Windows Management Instrumentation (WMI) filtering
- Create OUs for different computer roles
- Create OUs for organizations with special security requirements
- Use security groups to apply GPOs to cross-sections of client computers
CLIENT COMPUTER OU MODEL SAMPLE 1 (diagram slide)
CLIENT COMPUTER OU MODEL SAMPLE 2 (diagram slide)
CLIENT COMPUTER OU MODEL SAMPLE 3 (diagram slide)
THIRD-PARTY SECURITY SOFTWARE
- Antivirus protection
- Antispyware protection
- Network backups
- Host-based firewalls for earlier versions of Windows
DESIGNING SOFTWARE RESTRICTION POLICIES
- Hash rules
- Certificate rules
- Path rules
- Internet zone rules
RESTRICTING THE DESKTOP ENVIRONMENT
- Windows components
- The Start menu
- The desktop
- The Control Panel
RESTRICTING THE DESKTOP ENVIRONMENT (CONT.)
- Shared folders
- The network
- System settings
- Printers
RESTRICTING THE START MENU: BEFORE (screenshot slide)
RESTRICTING THE START MENU: AFTER (screenshot slide)
PROTECTING DESKTOP COMPUTERS
- Grant users only local User privileges or less
- Remove unnecessary items from the desktop and the Start menu
- Leverage the Hisecws.inf security template
- Use Group Policy settings to rename default accounts
PROTECTING MOBILE COMPUTERS
At greater risk than desktop computers, mobile computers might be:
- Stolen
- Damaged
- Used for personal use
Mobile computers require greater flexibility than desktop computers:
- They connect to home networks and wireless hotspots
- Users might need to install printer drivers
Mobile computers use EFS to protect confidential files
PROTECTING KIOSKS
- Very likely to be abused
- Should be extremely restricted
- Should not be connected to the internal network
THE .NET FRAMEWORK
Next-generation application environment:
- Required for many new applications
- Dramatically more secure
- Included with Windows Server 2003
- Free download for earlier operating systems
CAS OVERVIEW
- Role-based security restricts what users can do
- Code access security (CAS) restricts what applications can do
- Grants access to the file system, registry, printers, the network, and other resources based on the permissions assigned to an application
- Enables you to run potentially malicious applications safely
- Works only with .NET Framework applications
CAS AT WORK (diagram slide)
CAS ELEMENTS
- Evidence
- Permission
- Permission set
- Code groups
CAS AND OPERATING SYSTEM SECURITY (diagram slide)
GUIDELINES FOR USING CAS
- Use the principle of least privilege
- Test applications thoroughly after restricting CAS
- Push developers to use the .NET Framework
- Encourage software vendors to migrate to the .NET Framework
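The CAS elements and the least-privilege guideline above, as an added C# example (not code from the chapter): an application places itself under a permission set of just "execute" plus read access to one sample directory, and a file write outside that grant is refused with a SecurityException before NTFS permissions are consulted, regardless of the rights of the OS account running the process. It assumes a .NET Framework runtime that enforces CAS and the hypothetical paths C:\PublicData and C:\Windows\Temp\probe.txt.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example (not from the chapter): a .NET Framework application that
// voluntarily narrows its own CAS grant to a least-privilege permission set.
class CasLeastPrivilegeDemo
{
    // Permission set the code runs under: execute plus read-only access to one
    // directory. Writes, registry, network etc. are outside it and fail a CAS demand.
    static PermissionSet BuildRestrictedSet(string readOnlyDir)
    {
        PermissionSet restricted = new PermissionSet(PermissionState.None);
        restricted.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        restricted.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, readOnlyDir));
        return restricted;
    }

    // PermitOnly puts a stack-walk modifier on this frame: any demand the restricted
    // set does not satisfy throws SecurityException, even if the OS account running
    // the process holds NTFS write rights to outsidePath.
    static string RunUnderRestrictedGrant(string dataDir, string outsidePath)
    {
        BuildRestrictedSet(dataDir).PermitOnly();
        try
        {
            string[] entries = Directory.GetFiles(dataDir);   // allowed: read inside dataDir
            File.WriteAllText(outsidePath, "never written");  // denied: outside the grant
            return "Unexpected: write succeeded after listing " + entries.Length + " files";
        }
        catch (SecurityException ex) { return "CAS blocked the operation: " + ex.Message; }
        catch (IOException ex) { return "I/O problem with the sample directory: " + ex.Message; }
        finally { CodeAccessPermission.RevertPermitOnly(); } // restore the caller's full grant
    }

    static void Main()
    {
        // Assumed sample paths; the data directory must exist for the read to succeed.
        Console.WriteLine(RunUnderRestrictedGrant(@"C:\PublicData", @"C:\Windows\Temp\probe.txt"));
    }
}
```

Per the "test thoroughly" guideline, this is also the pattern for checking an application under a narrowed grant: if it needs a permission the set lacks, it fails here with a SecurityException rather than silently in production.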
SUMMARY
- Earlier versions of Windows lack important security features
- Use security templates and GPOs to implement client security
- Create different configuration settings for client roles, operating systems, and security requirements
- Use the .NET Framework and CAS to reduce the risks of malicious or vulnerable software