Overlooked Features of Windows Security

The slumping economy and ultra-competitive business world have forced large corporations and small companies alike to cut every cost that can be considered “unnecessary,” but many major companies have failed to make adjustments at even the most basic level: their software. Many companies use Windows security, and thanks to two major consultancy firms, it has recently come to light that some of the software’s most overlooked features could help save money. Keep reading for the details.

April 30, 2009

IT security consultancy firm Comsec and training consultancy firm XTSeminars launched a new advisory paper on April 16, 2009, which outlined the five key areas that companies are overlooking when securing their Windows environments. So, how exactly can Windows security be utilized to save money? Let's find out.

Enhancing Five Key Areas of Windows Security

The paper, which is entitled "Enhancing Five Key Areas of Windows Security," has one major goal: to help organizations bolster security without having to spend any additional money. Though the information for the report was compiled by both Comsec and XTSeminars consultancy firms, the bulk of it was written by XTSeminars' very own John Craddock, who is no stranger to Microsoft-related subjects.

Craddock has designed and implemented computing systems ranging from high-speed industrial controllers to IT systems with a focus on security and high availability. He has routinely been a key player in many IT projects for countless industry leaders, including Microsoft. Not only that, but Craddock has written many in-depth technical training courses and is the co-author of a highly successful book on Microsoft Active Directory Internals. All of this is just to say that the man obviously knows what he's talking about, which is why companies looking to save money should take the advice outlined in the report quite seriously.

One of the strategies outlined in the document -- all of which we'll discuss in a moment -- is to improve authentication by substituting easy-to-guess passwords with "pass phrases," which are generally easier to remember and harder to break. The paper also examines how organizations can use Microsoft Windows Server Update Services to deploy security updates as well as how to use the Microsoft Baseline Security Analyzer to check for successful deployments.

Comsec UK's general manager, Stuart Okin, was previously Microsoft UK's chief security adviser, and he believes that companies have a lot to learn when it comes to making the most of software and cutting costs. "A lot of people spend so much on patch management solutions, which is unnecessary because there is so much out there that's free these days," Okin said.

Key Area No. 1: Password Strength

Readers should consider Craddock's theme in this paper to be "Are you making the most of what you have?" In most cases the answer is no, which is why these tips will show companies how to benefit from and improve their security with technologies they've already purchased in the base Microsoft OS license.

The first key area is password strength because, as unbelievable as it may sound, many organizations have been found guilty of using very weak passwords to protect very important information. Simply put, an inadequate password for even an administration account is inexcusable.

Obviously, the problem with weak passwords is that they can be easily guessed. Even if the authentication protocol is using Kerberos, it is possible to capture the Kerberos pre-authentication packet from the network and perform an offline dictionary attack, so strong passwords are a must.

This is why Craddock recommends using a password generator, which can provide a very strong, if not unusual password. Of course the password may be very difficult to remember, but that is why Craddock suggests users think about pass phrases. Users should consider taking something that's recently happened to them, like the purchase of a new car, and turning it into their pass phrase. Take, "I just bought an expensive car," and jazz it up to create the perfect pass phrase: "$$ My Car Cost 10,000 $$".

Key Area No. 2: Administrative Access

Craddock recommends that all administrators abide by the same mantra: never log on to a system with more privileges than needed to do the task in hand. This is the principle of least privilege access. If a user is doing a non-administrative task, they should log on as an ordinary user.

The reason they should do so is User Account Control (UAC), which Microsoft introduced in Vista. UAC prompts the user to elevate their privileges every time the operating system or an application requires administrative privileges. If a user logs on as an administrator, their administrative privileges are stripped from their security token. Then, when the user requires administrative access, the UAC dialog pops up.

The frequency with which the UAC pops up has made grown men and women cry, which is why they routinely disable it. Keep in mind that UAC is a good thing and its use should be encouraged. To help push the UAC=good theory along, Microsoft is making a considerable number of changes for Windows 7.

It has been reported that one of the key changes will be the introduction of the UAC Control Panel. The control panel will make it possible to change the behavior of UAC. For example, if a user is logged on as an administrator, UAC can silently elevate when Windows settings are to be changed, but prompt the user when an application requires administrative privileges.
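An added example, not taken from the advisory paper: a Windows PowerShell check that reports whether UAC has been switched off on a machine and whether the current session holds administrative privileges in its token. It reads the standard UAC policy values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop; the function name Get-UacStatus is an assumption of this example.

```powershell
# Added example: audit local UAC settings (read-only, no elevation needed).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacStatus {
    param([string]$Path = $UacKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    # Return the DWORD if the value exists, otherwise nothing ($null).
    $read = { param($name) if ($p.PSObject.Properties[$name]) { [int]$p.$name } }

    $lua     = & $read 'EnableLUA'
    $consent = & $read 'ConsentPromptBehaviorAdmin'
    $secure  = & $read 'PromptOnSecureDesktop'

    # Does the token of this session carry administrative privileges?
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    $findings = @()
    if ($lua -eq 0)     { $findings += 'UAC is disabled (EnableLUA = 0)' }
    if ($consent -eq 0) { $findings += 'Administrators elevate without any prompt' }
    if ($secure -eq 0)  { $findings += 'Prompts are not shown on the secure desktop' }
    if ($elevated)      { $findings += 'This session is running elevated' }

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SessionElevated            = $elevated
        Findings                   = $findings
    }
}

$status = Get-UacStatus
$status | Format-List
if ($status.Findings.Count -gt 0) { Write-Warning ($status.Findings -join '; ') }
```

A ConsentPromptBehaviorAdmin value of 5 corresponds to prompting only for non-Windows binaries, which matches the Windows 7 behavior described above.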

Key Area No. 3: Updates Management

A common complaint is that users do not deploy Windows security updates, and updates are still not being deployed. Many reasons are always offered as to why systems have not been updated. Some stem from the fear of breaking systems during patching, while others cite a lack of time and adequate resources. If users don't patch, they're living with a ticking time bomb. According to Craddock, there are three Microsoft-based options for patching:

Microsoft Update (MU)

  • Consumer/small businesses

Windows Server Update Services (WSUS)

  • Businesses requiring simple low-cost solutions

Systems Management Server (SMS)

  • Flexible and advanced patch management

The problem users may face while updating the system is that they may end up breaking something when a patch is applied. While Microsoft is now very responsible about testing patches, they cannot possibly test every patch with every combination of software running on different systems.

In a business-critical environment it is essential that a company's IT department tests patches before deploying them onto critical systems; this requirement rules out the use of Microsoft Update. According to Craddock, a good patch management strategy should encompass:  

  • Monitoring for security bulletins and updates

  • Determining the risk level

  • Testing an update

  • Deploying an update

  • Checking for a successful deployment 

Once an update has been tested, it is recommended that a phased deployment is carried out either by department or region. This limits the exposure in case the user has missed something during testing. Some companies use third-party solutions for patch management. For those on a tight budget who don't already have a system in place, Craddock recommends taking a look at Microsoft Windows Server Update Services (WSUS), which is available as a free download.
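An added example, not part of the paper, of the "checking for a successful deployment" step combined with the phased rollout: a Windows PowerShell script that checks each phase's machines for the approved updates and holds the next phase if any are missing. It uses Get-HotFix rather than the Microsoft Baseline Security Analyzer the paper examines; the phase names, host names and KB numbers are placeholders.

```powershell
# Added example. Phase names, host names and KB ids below are placeholders.
$ApprovedKb = @('KB0000001', 'KB0000002')      # updates that passed testing
$Phases = [ordered]@{
    'Phase1-IT'      = @('IT-WS01', 'IT-WS02')
    'Phase2-Finance' = @('FIN-WS01', 'FIN-WS02')
}

function Get-MissingUpdate {
    param([string[]]$ComputerName, [string[]]$RequiredKb)
    foreach ($c in $ComputerName) {
        try {
            $installed = @(Get-HotFix -ComputerName $c -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID)
            $missing = @($RequiredKb | Where-Object { $installed -notcontains $_ })
            [pscustomobject]@{ Computer = $c; Reachable = $true; Missing = $missing }
        } catch {
            # An unreachable host counts as unverified, not as patched.
            [pscustomobject]@{ Computer = $c; Reachable = $false; Missing = $RequiredKb }
        }
    }
}

foreach ($phase in $Phases.Keys) {
    $result = @(Get-MissingUpdate -ComputerName $Phases[$phase] -RequiredKb $ApprovedKb)
    $bad = @($result | Where-Object { -not $_.Reachable -or $_.Missing.Count -gt 0 })

    $result | Format-Table Computer, Reachable,
        @{ Name = 'Missing'; Expression = { $_.Missing -join ',' } } -AutoSize

    if ($bad.Count -gt 0) {
        # Stop here so a failed phase is investigated before the rollout widens.
        Write-Warning "$phase incomplete on $($bad.Count) host(s); hold the next phase."
        break
    }
}
```

Get-HotFix reports only the updates recorded in Win32_QuickFixEngineering, so an update installed by other means may show as missing and should be confirmed with a second tool.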

Key Area No. 4: Security Lockdown through Group Policy

Active Directory includes a powerful mechanism that provides central management and security lockdown through group policy. Group policy allows administrators to configure thousands of settings that can apply to servers and workstations. It's quite common to see installations of AD where minimal use is made of group policy, yet group policy is one area where companies can proactively enhance their security posture. When deploying security settings through group policy, it is important that users follow a few simple rules:

  • Start with the Microsoft security guidance.

  • Take ownership for all of the changes you make.

  • Never deploy a configuration you do not understand and document.

  • Never deploy a security change without first testing it in your test environment.

  • Create the appropriate OU structure to support the required group policies.

  • Use base and incremental policies.

  • Know how to back up and restore policies.

Microsoft provides good documentation and templates for security lockdown, and according to Craddock, these should be taken as a starting point and not as a definitive solution.

Key Area No. 5: Unmanaged and Noncompliant Clients

The last key area in Comsec and XTSeminars' paper is unmanaged and non-compliant clients, which was touched on earlier in this article. All computers that sit on the network should be fully managed by the IT department. The IT department can impose requirements for group policy lockdown, check that firewalls are enabled, use scripts to check that virus scanners are up to date, implement patch management, etc.

In reality, though, the network will contain a mixture of managed and unmanaged systems. Unmanaged systems can belong to contractors, consultants, developers or even an interloper.

The best way to protect valuable resources is through the use of IPSec, which we discussed earlier. There are two components to IPSec: authentication and encryption. Authentication can be used without encryption; it allows us to configure our systems so that they cannot communicate at the network level unless they have been authenticated. The authentication is between the two hosts and is not dependent on user authentication.

Depending on how IPSec rules are configured, if a system cannot authenticate, it will not be able to communicate with other hosts and will effectively be invisible on the network. Unless Windows security specifically denies its use, Craddock recommends allowing the use of ping without the need for authentication.

According to Craddock, security is a balance between keeping the bad guys out and not interfering with the way users build a company's assets. These key areas are intended to show companies how they can increase their security posture without burning through their precious budget on additional license fees and network appliances. It may not pull the economy out of the gutter, but these key areas are definitely worthy of consideration.
