Summary of Best Practices for Windows desktop installations.
There is a plethora of different best practices and guidelines around the Windows desktop environment. We have tried to focus on information around security and secure deployment of Windows desktop systems. This document summarizes the different best practices we found, and includes a listing of the most relevant items. A number of best practice documents are geared towards networked “enterprise” environments, which are outside the scope of the PCF project.
At the outset, there are a number of best practices that are “common knowledge”, practices that are in common use and already part of CompuMentor’s standard technology practices. Though often part of best practices documents, they are set out here as core techniques that all Windows installations should take into account.
Windows update, Microsoft update, and automatic update.
Microsoft created Windows update services to provide a simple-to-use method to distribute and install software updates, patches, hotfixes, service packs, and optional software. This is the primary method for maintaining Microsoft software. Originally focused on Windows, Microsoft has recently expanded this technology to cover many more of its products, including the MS Office product family, and has renamed this service Microsoft Update. Windows update requires Internet access to operate.
Windows / Microsoft update can be run manually, but there is an automatic updating capability included with Windows, which should be enabled, set to check for updates daily, and should be set to install updates automatically. This is not the default behavior of this service. Automatic update runs with the system account privileges, will run even when a non-administrator is logged in, and does not require user input.
Under most circumstances, automatic update is the preferred method for installing updates. However, on new un-patched installations, or on computers without Internet connections, it may be preferable to install updates from previously downloaded installers or CD-ROM. All software updates available from the Windows update service are available as stand alone installers that can be saved to disk and run manually.
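The following check is an added example, not part of the original document: it compares a machine's Automatic Updates policy with the three settings recommended above (enabled, daily, installed automatically). It assumes the settings are applied through local or group policy, which stores them under the registry key shown, and it maps "daily" to the ScheduledInstallDay value; the function names are hypothetical.

```powershell
# Added example. Assumes Automatic Updates is configured through policy,
# which keeps its values under this registry key.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutoUpdatePolicy {
    # Read the policy values that exist into a hashtable (empty if none are set).
    $policy = @{}
    if (Test-Path $auKey) {
        $props = Get-ItemProperty -Path $auKey
        foreach ($name in 'NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay', 'ScheduledInstallTime') {
            if ($null -ne $props.$name) { $policy[$name] = $props.$name }
        }
    }
    $policy
}

function Test-AutoUpdatePolicy {
    param([hashtable]$Policy)   # value name -> DWORD, as returned above

    $findings = @()
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $findings += 'Automatic Updates is disabled (NoAutoUpdate = 1).'
    }
    # AUOptions: 2 = notify only, 3 = download and notify,
    #            4 = download and install on schedule, 5 = local admin chooses
    if ($Policy['AUOptions'] -ne 4) {
        $findings += "Updates are not installed automatically (AUOptions = '$($Policy['AUOptions'])', expected 4)."
    }
    # ScheduledInstallDay: 0 = every day, 1-7 = one weekday only (Sunday to Saturday)
    if ($Policy['ScheduledInstallDay'] -ne 0) {
        $findings += "Install schedule is not daily (ScheduledInstallDay = '$($Policy['ScheduledInstallDay'])', expected 0)."
    }
    $findings
}

$live = Get-AutoUpdatePolicy
if ($live.Count -eq 0) {
    Write-Output "No Automatic Updates policy values under $auKey; check the Control Panel setting by hand."
} else {
    $result = @(Test-AutoUpdatePolicy -Policy $live)
    if ($result.Count -eq 0) {
        Write-Output 'Automatic Updates policy matches the recommendation.'
    } else {
        $result
    }
}

# Constructed sample: download-and-notify, which leaves patches waiting on the user.
Test-AutoUpdatePolicy -Policy @{ NoAutoUpdate = 0; AUOptions = 3; ScheduledInstallDay = 0 }
```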
Firewall.
All computers with Internet connections should have some form of firewall regulating their Internet connection. For organizations with an Internet connected local area network, a network firewall, usually incorporated into the router, is the preferred firewall technology. These are robust, easy-to-use, and effective.
Software firewalls are common as well, as both Windows XP Service Pack 2 and Norton Internet Security software include firewalls, and are often enabled. However, for most organizations that have a solid network firewall, a desktop-level software firewall is redundant, and can often cause more problems, mostly through excessively stringent filtering, than the protection it provides is worth. As a result, we generally recommend against installing or enabling a software firewall on most Windows computers.
Administrative accounts.
Windows software has an integrated user account system that is the primary method for enforcing security on the desktop. All Windows computers have, by default, an administrator account and often a set of accounts, as defined by an administrator group, that have permissions to modify all the features of Windows and access all files and folders. Often the main user account of a computer has administrator rights. We strongly recommend limiting administrator rights to the administrator account only, as well as changing this account’s name and ensuring that it has a strong password. The only time an administrator account should be used is during the installation of software that requires administrative rights, and during maintenance. General users should not have permissions to install software.
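One way to audit the two account recommendations above on a current Windows system, as an added example that is not part of the original document. It assumes the LocalAccounts cmdlets that ship with Windows PowerShell 5.1 and an English-language default account name of "Administrator".

```powershell
# Added example. Needs the Microsoft.PowerShell.LocalAccounts cmdlets
# (Windows PowerShell 5.1).

# The built-in administrator keeps relative ID 500 even after it is renamed,
# so locate it by SID rather than by name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# S-1-5-32-544 is the well-known SID of the local Administrators group,
# which also survives renaming and localization.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-544')

$findings = @()

# Recommendation 1: only the administrator account holds administrator rights.
foreach ($m in $members) {
    if ($m.SID.Value -ne $builtin.SID.Value) {
        $findings += "Extra member of Administrators: $($m.Name) ($($m.ObjectClass))"
    }
}

# Recommendation 2: the administrator account has been renamed.
# Assumption: 'Administrator' is the default name on this installation language.
if ($builtin.Name -eq 'Administrator') {
    $findings += 'Built-in administrator account still has its default name.'
}

if ($findings.Count -eq 0) {
    Write-Output "Only '$($builtin.Name)' holds administrator rights, and it has been renamed."
} else {
    $findings
}
```

Password strength cannot be read back from the account database, so that part of the recommendation still has to be verified when the password is set.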
Security templates.
As part of the group policy infrastructure, the technology that allows for central management of Windows desktops, and which is included as part of stand-alone machines as well, Microsoft supplies a number of predefined security templates, which compile a number of policy settings to secure machines. These templates are generally very useful, and may wind up being the core of the HSC implementation protocols.
Anti-virus and anti-malware software.
Microsoft Windows, for a number of different reasons, is the target of a large number of malicious programs. As a result, all Windows computers, no matter how securely configured, need to have anti-virus and anti-malware software installed to guard against these threats. CompuMentor recommends the Symantec Anti-Virus Corporate Edition product to address this need. SAVCE provides a single product that addresses almost all malware threats, as well as providing for centralized management of the software installed on all the computers on a network.
Sources of best practices information
There are many sources of information around best practices for desktop security, each with its own focus on different aspects of security, and with different target audiences. The following is a summary of the sources that have informed the PCF / HSC security research to date.
Computer Emergency Response Team (CERT)
http://www.cert.org
Based at Carnegie Mellon University, CERT was developed in 1988 as a response to the first Internet-wide security threat, the Morris worm. CERT is a public / private partnership that provides a number of different services, including vulnerability and incident reports, best practices, and training and education resources. CERT’s focus is mostly on larger scale “enterprise” class systems, though they have resources relevant to organizations of all sizes. Of most relevance to the PCF project are CERT’s materials intended for home users, which provide excellent security awareness materials for non-technical end users. CERT also provides a basic set of precautions to take before attaching a computer to the Internet.
The Center for Internet Security (CIS)
http://www.cisecurity.com/index.html
CIS is a non-profit membership organization that identifies security threats and develops appropriate responses to these threats. One of the outcomes of this work is a detailed set of benchmarks for major operating systems that can be used to determine the security posture of a given computer installation. These benchmarks come in a number of different “flavors” with security appropriate to different situations. CIS is developing an auditing tool that, when released, may form the basis of a PCF security audit protocol.
Evil Network Overlord
http://www.techsoup.org/fb/index.cfm?fuseaction=forums.showSingleTopic&f...
Evil Network Overlord is a TechSoup Star who has written a couple of long posts around how to prevent malware infections on Windows XP computers. These posts are a key resource for the PCF work, as they provide a field tested, NTAP developed best practice that has been commented upon by the TechSoup community.
Tech Republic
http://techrepublic.com.com/
TechRepublic, part of the CNET network of web sites, includes a great many resources around securing various technologies. Of most value to the PCF project are a number of “X steps to secure Y technology” guides, simple, straightforward step-by-step guides to securing many common technologies. They also have a large number of bite-size technology articles that focus on a single technology, or a single aspect of a large technology, in a simple and straightforward fashion.
Microsoft
http://www.microsoft.com
Microsoft provides a large number of technology guides on its various websites. Microsoft’s main target audiences for many of these materials are large enterprises and professional consultants, which are not always appropriate for our target audience of less tech-savvy small to medium organizations. That said, there is a wealth of information, much of which can be re-interpreted for use in the PCF project.
National Security Agency
http://www.nsa.gov/snac/
The NSA provides, as a free public service, a series of detailed security configuration guides for a large number of common technologies.
Summary
There are a great many different approaches to Windows security best practices. As is common, these best practices tend to overshoot the mark, locking machines down more than may be necessary, and requiring more technical knowledge than is common in our target NPO community.
URLs
Windows 2000 step-by-step install instructions
Vanilla installation method, not up to the level of security we would like, but has screen shots of the whole process.
http://www.windowsreinstall.com/install/win2k/installw2k/page1.htm
Center for Internet Security Windows security benchmarks
These are a set of benchmarks for modern Windows operating systems that are very secure, stronger than the middle road that HSC is trying to follow.
http://www.cisecurity.com/bench_win2000.html
Security Awareness toolbox
A collection of materials around improving security awareness in organizations, including materials for management, IT staff, and end users.
http://www.iwar.org.uk/comsec/resources/sa-tools/index.htm
How to Configure Windows XP SP2 Network Protection Technologies in a Small Business Environment
Microsoft recommended procedures for setting up Windows XP securely.
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windows...
CERT
http://www.cert.org/tech_tips/before_you_plug_in.html
http://www.cert.org/homeusers/
