A Whitepaper- Best Practices For Desktop Security
By Michael Johnson CMC '03

Introduction
With the growing threat of malicious activity directed toward workstations connected to a network, the need for security on the individual desktop has greatly increased. End users, and corporations, however have not responded to the growing threat, and now face the danger of their system or data being compromised, or even destroyed.
This white paper covers solutions that can be implemented to respond to the various ways attacks are now being made against systems.
 
Why secure the desktop?
The desktop needs security because of its new position in accessing corporate information, both on a wired network, and remotely over VPNs and similar connections. As remote connectivity progresses, more confidential information will be transmitted between desktops and servers, requiring both sides to be immune to intrusion attempts.

Hackers are already trying to break into the corporate and home desktop with the intent to cause harm or collect information, targeting these systems because to their historically low levels of protection. Using information stored on the desktop, or even the desktop system itself, hackers can then attack larger, more secure systems. 

How do break-ins occur?
Break-ins can occur at any weak point of a computer system. The methods used by hackers vary widely, but there are several ways of compromising security that are very common. These ways are Viruses, Trojans, and ‘Active’ Hacking.

Viruses are most commonly used for the purposes of damage, both direct and indirect, and for the thrill of compromising systems. They typically do not send information back to the hacker, but rather comprise as many machines as possible before delivering a pre-programmed payload. Viruses can be used for possible attacks, like DDOS, but the fact that the speed of infection varies makes them unlikely vehicles for this technique. Currently, the most widespread method of infection is through email.

Trojans are better suited for arranging attacks and information gathering. Worms are also used for the purposes of direct and indirect attacks, but their method of infection is different than a Trojan. Trojans are either directly planted by their creator, or run by a user who does not know the program they are using contains a Trojan. Worms spread by exploiting a vulnerability or multiple vulnerabilities in the desktop or computer system they were targeted for.  Worms do not need to be executed to infect a machine and propagate. A Trojan needs to be executed before it can infect a system. Because of their high infection rate, worms are particularly useful for a hacker to launch massive attacks on a target.

There is also a separate class of methods used to compromise the security of a system, and that is what could be called ‘Active’ Hacking. Active Hacking is active in that the attack is initiated and carried out by a single individual actively cracking a system, rather than the distributed, automated attack of a virus. Active Hacking includes the interactive exploitation of vulnerabilities, and the use of the human factor.

Before a hacker can begin to exploit vulnerability, the hacker must know that the system he is targeting possesses one.  The hacker checks for the presence of vulnerabilities (and systems) with the use of a port scanner. Port scanners are excellent tools for finding holes in a secure configuration, and can be used both to fix the security of a system and to find computers to attack. Port scanning alone does not constitute what this whitepaper classifies as hacking, but it does provide a hacker information on what services (WWW, FTP, POP, etc.) are running. These services can have vulnerabilities, which the hacker can then begin to exploit. Many of these vulnerabilities are known, and patches are usually provided that fix these flaws, once the flaws are known by the software maker.

The other way a hacker actively attacks a system is by using the human factor of computing. In any network, there is always someone who can reassign passwords. A hacker will try to exploit the trust of someone who holds the ability to change passwords, or to acquire the password of a user who has been granted trusted access. This method of hacking is the most used, and also the most difficult to detect. Since logons and attempted access are validated, no regular security audits can uncover the access of the hackers.

 

Solutions to combat security breaches


Antivirus
To combat the threat of a virus on the desktop, a system administrator can install a program that will scan for a virus infecting a program every time an executable file is run.  These programs are known as antivirus scanners.
What it does
Antivirus scanners are excellent at performing their primary task of keeping viruses from infecting a system be scanning for infection attempts, and fixing files that have been infected.  Antivirus scanners can search both for known viruses, variations of the known viruses, and possible viruses that have not been discovered yet. Because of this last ability there is always a chance for a false positive, but these are very rare.
What it does not do
Antivirus programs will not protect a system against hacking attempts or vulnerabilities in the operating system or programs. They cannot protect against a hacker accessing the desktop system using authentic passwords and identification.  While these are serious deficiencies, the growing threat and spread of viruses makes the anti-virus an important part of a total security plan.

Firewall
Firewalls combat the threat of hackers attacking the desktop trying to find and exploit vulnerabilities of the software installed on the system. Firewalls can be either hardware-based or software-based.  With either of these types, their basic mode of operation is similar.
What it does
The main task of a firewall is to accept or deny access to a computer’s ports.  A firewall accomplishes this through manual configuration or automatic determination.  Manual configuration allows a system administrator to determine which ports will be blocked or left open.  A firewall with automatic settings will determine which ports will be blocked and opened.  This type of firewall can also respond to attacks by blocking the attacker or the port they are using to break in.  The best firewalls offer both options.
What it does not do
A firewall will not protect against a virus.  Firewalls are only concerned with internet activity, and will not check the desktop for activity that does not concern network operations. This is also a very major deficiency, but an antivirus scanner and a firewall will provide good protection.

Securing NT with Registry Settings
Keeping desktop systems that run the Windows NT or Windows 2000 operating system is a much easier task, but many of the default settings are not secure, and several steps can be taken to further secure the desktop when using one of these Operating Systems.

 

Keep NT and other files on separate partitions
One of the easiest ways to secure a Windows NT-based Operating System is to keep applications and data separate from the boot partition. This helps avoid damage from a hacker trying to access your application data by exploiting a hole in the operating system.
 
Remove "Everyone" from root drive privileges
By default, NT allows the Everyone group full control to the NTFS partitions on the desktop system.  These permissions are dangerous since anonymous users will also have access, and the Everyone group should be removed from accessing the partitions.  The recommended replacement is to allow the Authenticated Users group full access, or to place stricter permissions as needed.
 
Lock workstation when away
When a user is away from their desktop system, any user can access resources with the permissions of the logged-on account.  To prevent this, it is recommended that users be told to lock their systems when leaving them unattended.  It is further recommended that policies be set in place that will penalize a work that does not lock their system.
 
Disable boot from floppy
To prevent the spread of viruses, and to prevent hacking by persons with physical access to a system, it is recommended that the system be set to disable booting from a floppy disk.  This prevents booting a password changing program, or becoming infected by a boot sector virus.
 
Logon banner warning
System administrators should also enable a logon banner warning on all NT systems.  This will notify unauthorized users that the system is for private use, and warns them that they can be held legally liable if they proceed to use the computer.  The absence of this message could act as an invitation, without restriction, to enter the system and browse the files and information stored on it.  The recommended warning message is as follows:

This is a Claremont McKenna College computer system. This computer system, including all related equipment, networks and network devices (specifically including Internet access), are provided only for authorized use. CMC computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring includes active attacks by authorized CMC entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this CMC computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or adverse action. Use of this system constitutes consent to monitoring for these purposes.

 

Don’t Show last user
Windows NT displays, by default, the username of the last user to log on the machine.  While this is helpful for desktops that have one main user, it is still a large security hole. By displaying the last username used, it broadcasts a valid username for possible hackers to compromise.  It is recommended that the display of the last username is turned off.
 
Don’t cache logons
If logons are cached, the local desktop can be used to authenticate an interactive logon if the domain controller is not available.  While convenient, a desktop can be unplugged from the network and used to break into a network later.  It is recommended that cached logons not be allowed.
 
Use only NTLM v2
For maximum security, it is recommended that NTLMv2 is the default authentication.  It should be the only authentication protocol allowed over a network between desktops and servers.  NTLMv2 will only work with Windows 2000 and NT4.0 with Service Pack 6a.
 
Remove remote registry access

To protect the Windows Registry and the SAM database, remote access should be disabled. This will keep hackers from accessing the registry of a remote machine running Windows NT.

 

Train Users in Security Procedures

To reduce the chance of security being compromised, end users need to be trained in basic security procedures, and need to implement them in their computing experience.  Users should be able to understand security when working with email attachments, verify the identity of a caller or individual before changing passwords, never give a password out, and operate a simple firewall.

 

E-Mail attachment security
With the rise of viruses transmitted through email, users need education in the correct way to handle attachments.  The user should also be able to spot possible viruses sent through email.  A good internal policy would be to explain the contents of the attachment in detail.  "Here is the entire VPN Web Site in a zip file" is a better explanation of the attachment than "Here is the material you asked for."
 
Verify identity of caller before changing passwords
Users need to remember that they need to be sure that the person requesting a password change is indeed an authorized user.  The user should also not rely on the phone extension as proof of identity.  A policy should be implemented requiring authentication, and providing for penalization for users who do not follow this.  Furthermore, every user needs to know not to give their password to anyone else, even administrators.  Administrators can change the user’s password if they need to work under the privileges of the user.
 
Install firewall and antivirus on home machines

All users who connect to a private network from their home machines, and those who work on job-related tasks from a home computer needs to have an up-to-date antivirus scanner and an effective firewall on their home computer to protect the private network from breaches in security, and from viruses.  Users who do not have such measures in place should not be allowed to access the private network or work on job-related material at their house.  Users should also know how to administer their antivirus and firewall.

 

Cost Analysis

The cost of securing the desktop in a business environment is considerably less than repairing damage after a break-in has occurred. The cost of repairing one workstation for an employee of the rank of Administrative Assistant is $109.23. This figure accounts for a three hour downtime for the employee, three hour repair time for the technician, and hourly salaries of $14.50 for the employee and $21.91 for the technician.

 

Deploying Antivirus
The cost of deploying an antivirus solution, including file servers and exchange mail server is approximately $53,540.00 for 2000 users. This amounts to $26.77 per user, a lower cost than repairing damage.  The difference grows if the infected / compromised desktop workstation causes other workstations on the network to also become compromised.
 
Deploying central hardware firewall
The low-end corporate hardware firewall costs close to $10,000. The cost spread over 2000 workstations is $5 per user, without counting any servers. This cost is considerably lower than the cost to repair a workstation.
 
Repairing damage
Due to large differences in hardware costs, it is difficult, if not impossible to estimate costs of repairing damage. Instead of making an estimate for a range of equipment, all the calculations in this paper are based on a certain set of numbers.  The estimated cost of desktop workstations is $1,200 per unit, not counting a display.  The estimated cost of a server is $7,500. The hourly wage of a technician is estimated at $21.91.
If a server is affected, it could take up to five hours to reconfigure and restore.  This would cost $109.55.  If the server is not available for more than one day, the costs multiply by the number of workers affected by the outage and the amount of time that it is off-line.

Costs multiply further if multiple machines in the network become compromised.  With no security on any machine in a 2000 user network, an infection or security compromise could extend to every machine on the network. With a downtime of only three hours for every infected workstation, at a repair cost of $109.23 per machine, the total cost of repairing the machines of 2000 users is $218,460. This is $154, 920 over the cost of an antivirus solution for 2000 users, and a $10,000 hardware firewall.

 

Conclusion
Attacks will continue to increase in complexity and frequency. Procedures will have to be implemented and education will be necessary to decrease the threat of security breaches. No security measure can completely protect against a determined attacker, the lack of measures will result in a certain breach of security.
The cost of deploying a security solution and educating users on safe computing measures is significantly lower than the cost of repairing damage caused by a security breach. Deploying a hardware firewall and an anti-virus solution costs $154,920 less than repairing damage. These savings multiply even further as the numbers of workstations on the common network multiply.