Home / Windows 7

Host Security

As technology advances, we add more device types to the network. Most organizations have some type of handheld device that connects to the network such as a BlackBerry or an iPhone. With tablets becoming more popular, organizations will not only incorporate them into the network but also will have to determine security policies for these devices, especially when the device belongs to the employee. When dealing with host security issues, two general areas need to be covered. The first one deals with using protocols and software to protect data. This covers software that can help protect the internal network components, such as personal firewalls and antivirus software. The second one addresses the physical components such as hardware, network components, and physical security designs that can be used to secure the devices.

Operating System Security and Settings

In security terms, hardening a system refers to reducing its security exposure and strengthening its defenses against unauthorized access attempts and other forms of malicious attention. A "soft" system is one that is installed with default configurations or unnecessary services or one that is not maintained to include emerging security updates. There is no such thing as a "completely safe" system, so the process of hardening reflects attention to security thresholds.

Systems installed in default configurations often include many unnecessary services that are configured automatically. These provide many potential avenues for unauthorized access to a system or network. Many services have known vulnerabilities that require specific action to make them more secure or ones that might just impair system function by causing additional processing overhead. Default configurations also allow for unauthorized access and exploitation.

Note:
A denial-of-service (DoS) attack against an unneeded web service is one example of how a nonessential service could potentially cause problems for an otherwise functional system.

Common default-configuration exploits include both services such as anonymousaccess FTP servers and network protocols such as the Simple Network Management Protocol (SNMP). Others may exploit vendor-supplied default logon/password combinations, such as the Oracle Db default admin: scott/tiger.

Hardening of the operating system includes planning against both accidental and directed attacks, such as the use of fault-tolerant hardware and software solutions. In addition, it is important to implement an effective system for file-level security, including encrypted file support and secured file system selection that allows the proper level of access control. For example, the Microsoft New Technology File System (NTFS) allows file-level access control, whereas most File Allocation Table (FAT)-based file systems allow only share-level access control.

It is also imperative to include regular update reviews for all deployed operating systems to address newly identified exploits and apply security patches, hotfixes, and service packs. Many automated attacks make use of common vulnerabilities, often ones for which patches and hotfixes are already available but not yet applied. Failure to update applications on a regular basis or to update auditing can result in an unsecure solution that provides an attacker access to additional resources throughout an organization's network.

IP Security (IPsec) and public key infrastructure (PKI) implementations must also be properly configured and updated to maintain key and ticket stores. Some systems may be hardened to include specific levels of access, gaining the C2 security rating required by many government deployment scenarios. The Trusted Computer System Evaluation Criteria (TCSEC) rating of C2 indicates a discretionary access control environment with additional requirements such as individual logon accounts and access logging.

Operating system hardening includes configuring log files and auditing, changing default administrator account names and default passwords, and the institution of account lockout and password policies to guarantee strong passwords that can resist brute-force attacks. File-level security and access control mechanisms serve to isolate access attempts within the operating system environment. Make sure to understand the principle of least privilege which states that every user or service of a system should only operate with the minimal set of privileges required to fulfill their job duty or function.

Security Settings

To establish effective security baselines, enterprise network security management requires a measure of commonality between systems. Mandatory settings, standard application suites, and initial setup configuration details all factor into the security stance of an enterprise network.

Types of configuration settings you should be familiar with include the following:

  • Group policies:
    Collections of configuration settings applied to a system based on computer or user group membership, which may influence the level, type, and extent of access provided.
  • Security templates:
    Sets of configurations that reflect a particular role or standard established through industry standards or within an organization, assigned to fulfill a particular purpose. Examples include a "minimum-access" configuration template assigned to limited-access kiosk systems, whereas a "high-security" template could be assigned to systems requiring more stringent logon and access control mechanisms.
  • Configuration baselines:
    Many industries must meet specific criteria established as a baseline measure of security. An example of this is the health-care industry, which has a lengthy set of requirements for information technology specified in the Health Insurance Portability and Accountability Act (HIPAA) security standards. Unless the mandated security baseline is met, penalties and fines could be assessed. Security baselines are often established by governmental mandate; regulatory bodies; or industry representatives, such as the Payment Card Industry Data Security Standard (PCI DSS) requirements established by the credit card industry for businesses collecting and transacting credit information.

Anti-malware

All host devices must have some type of malware protection. According to the Sophos Security Threat report, the amount of malware affecting computers had almost doubled for the year 2010 as compared to 2009. In 2010, some 95,000 different malware were discovered, with 40% of the malware coming from the social networking sites. According to the "Malicious Mobile Threats Report 2010/2011," a report compiled by the Juniper Networks Global Threat Center (GTC) research facility, the number of Android malware attacks increased 400 % since summer 2010.

Antivirus

A necessary software program for protecting the user environment is antivirus software. Antivirus software is used to scan for malicious code in email and downloaded files. Antivirus software actually works backward. Virus writers release a virus, it is reported, and then antivirus vendors reverse-engineer the code to find a solution. After the virus has been analyzed, the antivirus software can look for specific characteristics of the virus. Remember that for a virus to be successful, it must replicate its code.

The most common method used in an antivirus program is scanning. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. Scanning identifies virus code based on a unique string of characters known as a signature. When the virus software detects the signature, it isolates the file. Then, depending on the software settings, the antivirus software quarantines it or permanently deletes it. Interception software detects virus-like behavior and then pops up a warning to the user. However, because the software looks only at file changes, it might also detect legitimate files.

In the past, antivirus engines used a heuristic engine for detecting virus structures or integrity checking as a method of file comparison. A false positive occurs when the software classifies an action as a possible intrusion when it is actually a nonthreatening action.

Antivirus software vendors update their virus signatures on a regular basis. Most antivirus software connects to the vendor website to check the software database for updates and then automatically downloads and installs them as they become available. Besides setting your antivirus software for automatic updates, you should set the machine to automatically scan at least once a week.

In the event a machine does become infected, the first step is to remove it from the network so that it cannot damage other machines. The best defense against virus infection is user education. Most antivirus software used today is fairly effective, but only if it's kept updated and the user practices safe computing habits, such as not opening unfamiliar documents or programs.

Despite all this, antivirus software cannot protect against brand new viruses, and often users do not take the necessary precautions. Users sometimes disable antivirus software because it might interfere with programs that are currently installed on the machine. Be sure to guard against this type of incident.

Anti-spam

Roughly 90% of all email sent during 2010 was spam. Spam is defined several ways, the most common being unwanted commercial email. Although spam may merely seem to be an annoyance, it uses bandwidth, takes up storage space, and reduces productivity. Spam spread on social networking sites has become a big problem, and in late March 2011, a federal court in California held that Facebook postings fit within the definition of "commercial electronic mail message" under the CAN-SPAM Act. The CAN-SPAM act makes it unlawful for persons to initiate the transmission of commercial electronic mail messages that contain materially false or misleading header information.

Anti-spam software can add another layer of defense to the infrastructure. You can install anti-spam software in various ways. The most common methods are at the email server or the email client. When the software and updates are installed on a central server and pushed out to the client machines, this is called a centralized solution. When the updates are left up to the individual users, you have a decentralized environment. The main component of antispam software is heuristic filtering. Heuristic filtering has a predefined rule set that compares incoming email information against the rule set. The software reads the contents of each message and compares the words in that message against the words in typical spam messages. Each rule assigns a numeric score to the probability of the message being spam. This score is then used to determine whether the message meets the acceptable level set. If many of the same words from the rule set are in the message being examined, it's marked as spam. Specific spam filtering levels can be set on the user's email account. If the setting is high, more spam will be filtered, but it might also filter legitimate email as spam, thus causing false positives.

Additional settings can be used in the rule set. In general, an email address added to the approved list is never considered spam. This is also known as a whitelist. Using whitelists allows more flexibility in the type of email you receive. For example, putting the addresses of your relatives or friends in your whitelist allows you to receive any type of content from them. An email address added to the blocked list is always considered spam. This is also known as a blacklist. Other factors might affect the ability to receive email on a whitelist. For example, if attachments are not allowed and the email has an attachment, the message might be filtered even if the address is on the approved list.

Anti-spyware

Many spyware eliminator programs are available. These programs scan your machine, similarly to how antivirus software scans for viruses. Just as with antivirus software, you should keep spyware eliminator programs updated and regularly run scans. Configuration options on anti-spyware software allow the program to check for updates on a regularly scheduled basis. The anti-spyware software should be set to load upon start-up and set to automatically update spyware definitions.

Pop-up blockers

A common method for Internet advertising is using a window that pops up in the middle of your screen to display a message when you click a link or button on a website. Although some pop-ups are helpful, many are an annoyance, and others can contain inappropriate content or entice the user to download malware. There are several variations of pop-up windows. A pop-under ad opens a new browser window under the active window. These types of ads often are not seen until the current window is closed. Hover ads are Dynamic Hypertext Markup Language (DHTML) pop-ups. They are essentially "floating popups" in a web page.

Most online toolbars come with pop-up blockers; various downloadable popup blocking software programs are available; and the browsers included with some operating systems, such as Windows, can block pop-ups. Pop-up blockers, just like many of the other defensive software discussed so far, have settings that you can adjust. You might want to try setting the software to medium so that it will block most automatic pop-ups but still allow functionality. Keep in mind that you can adjust the settings on pop-up blockers to meet the organizational policy or to best protect the user environment.

Several caveats apply to using pop-up blockers. There are helpful pop-ups. Some web-based programmed application installers use a pop-up to install software. If all pop-ups are blocked, the user might not be able to install applications or programs. Field help for fill-in forms is often in the form of a pop-up. Some pop-up blockers might delete the information already entered by reloading the page, causing users unnecessary grief. You can also circumvent pop-up blockers in various ways. Most pop-up blockers block only the JavaScript; therefore, technologies such as Flash bypass the pop-up blocker. On many Internet browsers, holding down the Ctrl key while clicking a link will allow it to bypass the pop-up filter.

Host-based Firewalls

Desktops and laptops need to have layered security just like servers. However, many organizations stop this protection at antivirus software, which in today's environment may not be enough to ward off malware, phishing, and rootkits. One of the most common ways to protect desktops and laptops is to use a personal firewall. Firewalls can consist of hardware, software, or a combination of both. This discussion focuses on software firewalls that you can implement into the user environment.

The potential for hackers to access data through a user's machine has grown substantially as hacking tools have become more sophisticated and difficult to detect. This is especially true for the telecommuter's machine. Alwaysconnected computers, typical with cable modems, give attackers plenty of time to discover and exploit system vulnerabilities. Many software firewalls are available, and most operating systems now come with them readily available. You can choose to use the OS vendor firewall or to install a separate one.

Like most other solutions, firewalls have strengths and weaknesses. By design, firewalls close off systems to scanning and entry by blocking ports or nontrusted services and applications. However, they require proper configuration. Typically, the first time a program tries to access the Internet, a software firewall asks whether it should permit the communication. Some users might find this annoying and disable the firewall or not understand what the software is asking and allow all communications. Another caveat is that some firewalls monitor only for incoming connections and not outgoing. Remember that even a good firewall cannot protect you if you do not proper level of caution and think before you download. No system is foolproof, but software firewalls installed on user systems can help make the computing environment safer.

Patch Management

Improperly programmed software can be exploited. Software exploitation is a method of searching for specific problems, weaknesses, or security holes in software code. It takes advantage of a program's flawed code. The most effective way to prevent an attacker from exploiting software bugs is to keep the latest manufacturer's patches and service packs applied as well as monitor the Web for new vulnerabilities.

Because of the emergence of blended-threat malware, which targets multiple vulnerabilities within a single attack, all major operating systems and application solutions must be considered in system-hardening plans. Automated reverse engineering of newly released patches has significantly reduced the time from an update's initial release until its first exploits are seen in the wild, down from months to hours before unpatched applications can be targeted. Types of updates you should be familiar with include the following:

  • Hotfixes:
    Typically small and specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update.
  • Service packs:
    Major revisions of functionality or service operation in an installed application. Service packs are the least common type of update, often requiring extensive testing to ensure against service failure in integrated network environments before application. Service packs are usually cumulative, including all prior service packs, hotfixes, and patches.
  • Patches:
    Like hotfixes, patches are usually focused updates that affect installed applications. Patches are generally used to add new functionality, update existing code operation, or extend existing application capabilities.

Because updates are now released on a schedule, it might be easier to put a sensible plan into place. Should an attacker learn of a vulnerability and release an exploit for it before the update date, the hotfix will be posted ahead of schedule if the situation warrants.

The patch management infrastructure of an organization includes all of the tools and technologies that are used to assess, test, deploy, and install software updates. This infrastructure is an essential tool for keeping the entire environment secure and reliable, and therefore it is important that it is managed and maintained properly. When it comes to managing your infrastructure, chances are good that you might have many different types of clients in your network and that they might be at many different levels in regard to the service packs and hot fixes that are applied to them. The most efficient way to update client machines is to use automated processes and products. Many vendors provide regular updates for installed products, managed through automated deployment tools or by manual update procedures carried out by a system user.

Regular maintenance is required to meet emerging security threats, whether applying an updated RPM (Redhat Package Manager, a file format used to distribute Linux applications and update packages) by hand or through fully automated "call home for updates" options such as those found in many commercial operating systems and applications.

Systems Management Server (SMS) assists you in security patch management by its ability to scan computers remotely throughout your network and report the results to a central repository. The results can then be assessed and compared to determine which computers need additional patches.

Microsoft maintains the Automatic Updates website, which contains all of the latest security updates. You can configure your Windows host computers to automatically download and install the latest updates on a schedule that you specify. Alternatively, you can choose to download and install the updates yourself. You can configure these settings using Automatic Updates or Windows Update in Windows-based computers.

[Next...Hardware Security]