IPsec Filters

IPsec filters can be used in many different ways on clients. After the discussion about IPsec filters on servers above, we have probably beaten that horse to death. As a general recommendation, use IPsec filters to prevent your clients from talking to each other.
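One way to express that recommendation with the built-in `netsh ipsec static` context is shown below. This is an added example, not taken from the original text; the subnet, the management workstation address, and all policy, filter list and rule names are placeholders chosen for illustration.

```powershell
# Added example: every address and name below is a placeholder.
$ClientNet  = '192.0.2.0'        # client subnet (documentation address range)
$ClientMask = '255.255.255.0'
$HelpDesk   = '192.0.2.10'       # hypothetical management workstation inside that subnet

# 1. Create the policy that will hold the rules.
netsh ipsec static add policy name=ClientIsolation

# 2. Filter list: all traffic between this machine (Me) and any peer in the
#    client subnet. mirrored=yes makes the filter match both directions.
netsh ipsec static add filterlist name=PeerClients
netsh ipsec static add filter filterlist=PeerClients srcaddr=Me "dstaddr=$ClientNet" "dstmask=$ClientMask" protocol=ANY mirrored=yes

# 3. Filter list for the one peer that must still reach clients.
#    A /32 mask makes this filter more specific than the subnet filter.
netsh ipsec static add filterlist name=HelpDeskHost
netsh ipsec static add filter filterlist=HelpDeskHost srcaddr=Me "dstaddr=$HelpDesk" dstmask=255.255.255.255 protocol=ANY mirrored=yes

# 4. Filter actions: one that drops traffic, one that lets it through.
netsh ipsec static add filteraction name=BlockAll action=block
netsh ipsec static add filteraction name=PermitAll action=permit

# 5. Rules tie a filter list to an action. The most specific matching filter
#    wins, so the /32 permit overrides the subnet-wide block.
netsh ipsec static add rule name=BlockPeers policy=ClientIsolation filterlist=PeerClients filteraction=BlockAll
netsh ipsec static add rule name=AllowHelpDesk policy=ClientIsolation filterlist=HelpDeskHost filteraction=PermitAll

# 6. Assign the policy so it takes effect, then review what was built.
netsh ipsec static set policy name=ClientIsolation assign=y
netsh ipsec static show policy name=ClientIsolation level=verbose
```

Servers that clients depend on need no exception here as long as they sit outside the client subnet; any that share it need their own permit filter before the policy is assigned.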

Software Restriction Policies

SRP is more difficult to use on clients than on servers, because clients are more general-purpose machines. Setting up SRP to allow a client to actually function is a significant upfront time investment. However, if you spend the time doing this, you will be rewarded with a much more secure machine. We recommend that you use SRP as much as possible to protect clients from malicious code.

Anti-Malware

Antivirus software is the traditional malicious code prevention technology. The problem with antivirus software is that it is only signature-based. It cannot stop viruses that it does not know about, whereas SRP can, because SRP allows only trusted code to run. As a defense-in-depth measure, antivirus is tremendously important, but it is important to understand its limitations.

Do not forget about other types of anti-malware programs either. Anti-spyware is rapidly becoming a requirement as well. Of course, if you run as LUA, it is unlikely you will get much spyware on the system, but it is very useful if you have to run as an administrator.

There is also the problem that not all machines can use antivirus tools. For instance, we do penetration testing, and the antivirus products delete the tools we use in that job. Therefore, we cannot run them. As a general rule, however, we recommend using antivirus products on most, if not all, clients.