Getting back to the Low Hanging Fruit series, let’s take a look at the endpoint and see what kinds of stuff we can do to increase security with a minimum of pain and (hopefully) minor expense. To be sure we are consistent from a semantic standpoint, I’m generally considering computing devices used by end users as “endpoints.” They come in desktop and laptop varieties and run some variant of Windows. If we had all Mac endpoints, I’d have a lot less to do, eh?
Yes, that was a joke.
Run Updated Software and Patch
We just learned (the hard way) that running old software is a bad idea. Again. That’s right, the Google hack targeted IE6 on XP. IE6? Really? Yup. A horrifyingly high number of organizations are stuck in a browser/OS time warp.
So, if you need to stick with XP, at least make sure you have SP3 running. It seems Windows 7 finally makes the grade, so it’s time to start planning those upgrades. And yes, maybe MSFT got it right this time. Also make sure to use IE7 or IE8 or Firefox (with NoScript). Yes, browsers will have problems. But old browsers have a lot of problems.
Also make sure your Adobe software remains up to date. The good news is that Adobe realizes they have an issue, and I expect they’ll make big investments to improve their security posture. The bad news is that they are about 5 years behind Microsoft and will emerge as the #1 target of the bad guys this year.
Finally, tighten patch windows as much as you can for the high risk, highly exploitable applications, like browsers and Adobe software. The studies say patching thoroughly matters more than patching quickly, and for most of your software that's right. But as we saw this past week, it takes about a day to turn a proof of concept browser 0-day into a weaponized exploit, so for these high risk apps all bets are off. As soon as a browser (or Adobe) patch hits, get it deployed within days. Not weeks. Not months!
Use Anti-Exploitation Technology
Microsoft got a bad rap on security and some (OK, most) of it was deserved. But they have added some capabilities to the base OS that make sense. Like DEP (Data Execution Prevention – also check out the FAQ) and ASLR (Address Space Layout Randomization). DEP keeps the processor from executing code out of memory that is only supposed to hold data (the stack, the heap), and ASLR moves code and data around in memory so an attacker can't count on anything being at a known address. Together they make it much harder to turn a memory corruption bug into control of the endpoint, even when the bug itself is public.
So make sure DEP and ASLR are turned on in your standard build. DEP is a boot-time policy (the default on client Windows is OptIn, which only covers Windows' own binaries; OptOut or AlwaysOn covers everything), and ASLR needs Vista or Windows 7, since XP doesn't have it. Make sure your endpoint checks confirm these options remain selected. And most importantly, make sure the apps you deploy actually opt into DEP and ASLR, because under the default OptIn policy a program that doesn't ask for DEP doesn't get it. IE8 does, by default. IE7 can, but it's off unless you turn it on. IE6, not so much. Adobe's stuff – not so much. And there you have it.
To be clear, anti-exploitation technology is not the cure for cancer. It does help to make it harder to exploit the vulnerabilities in the software you use. But only if you turn it on (and the applications support it). One more caveat: ASLR protects a process only if every module loaded into it is randomized, so a single non-ASLR DLL (a browser plugin, say) hands the attacker a fixed address to build on. That's why the application list matters as much as the OS setting. Rich has been writing about this for years.
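Whether a given executable actually opts into DEP and ASLR is recorded in its PE header: the NX_COMPAT (0x0100) and DYNAMIC_BASE (0x0040) bits of the optional header's DllCharacteristics field. The script below is an added example written for this post, not code from the original article or from Microsoft; it reads those bits straight from the file so you can check the binaries in your standard build. It also checks the COFF RELOCS_STRIPPED bit, because an image with no relocations can't be rebased no matter what DYNAMIC_BASE says. The build_minimal_pe helper constructs a skeleton PE image for the self-test; it is not a real program.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF spec. They live in the
# optional header at offset 70, for both PE32 (magic 0x10B) and PE32+ (0x20B).
DYNAMIC_BASE = 0x0040   # image may be rebased at load time -> ASLR opt-in
NX_COMPAT = 0x0100      # image declares itself DEP-compatible -> DEP opt-in
# IMAGE_FILE_RELOCS_STRIPPED in the COFF Characteristics field: without
# relocations the loader cannot move the image, so DYNAMIC_BASE is moot.
RELOCS_STRIPPED = 0x0001


def pe_headers(data):
    """Return (coff_characteristics, dll_characteristics) for a PE image held in memory.

    Raises ValueError for anything that is not a PE32/PE32+ image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    size_opt, coff_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if size_opt < 72 or len(data) < opt + 72:
        raise ValueError("optional header too small")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return coff_chars, dll_chars


def mitigation_status(data):
    """Report whether the image opts into DEP and ASLR (and whether ASLR can work)."""
    coff_chars, dll_chars = pe_headers(data)
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "dep_optin": bool(dll_chars & NX_COMPAT),
        "aslr_flag": aslr_flag,
        "relocs_stripped": relocs_stripped,
        # The flag only helps if the loader can actually rebase the image.
        "aslr_effective": aslr_flag and not relocs_stripped,
    }


def build_minimal_pe(dll_chars, coff_chars=0x0102):
    """Construct (not captured from any real product) the smallest image the parser
    accepts: MZ stub, PE signature, COFF header, and an otherwise empty PE32 optional header."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, coff_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)   # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


def main(paths):
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        try:
            s = mitigation_status(data)
        except ValueError as e:
            print("%s: %s" % (path, e))
            continue
        note = ""
        if s["aslr_flag"] and s["relocs_stripped"]:
            note = " (DYNAMIC_BASE set but relocations stripped)"
        print("%s: DEP opt-in=%s ASLR=%s%s" % (path, s["dep_optin"], s["aslr_effective"], note))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Point it at the executables and plugin DLLs in your build (iexplore.exe, the Acrobat and Flash binaries, whatever else gets a browser-delivered file) and anything reporting False is a candidate for replacement, an upgrade, or an OptOut/AlwaysOn DEP policy that doesn't wait for the app to ask.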
Enforce Secure Configurations
I have to admit to spending a bit too much time in the Center for Internet Security’s brainwashing course. I actually believe that locking down the configuration of a device will reduce security issues. Those of you in the federal government probably have a bit of SCAP on the brain as well.
You don’t have to follow CIS to the letter. But you do have to shut down non-critical services on your endpoints. And you have to check to make sure those configurations aren’t being messed with. So that configuration management thingy you got through Purchasing last year will come in handy.
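The "check that the configuration isn't being messed with" part is the piece that usually gets skipped, so here is a small drift check as an added example (written for this post, not taken from CIS, SCAP or any product). It parses the output of Windows' own `sc qc <service>` command, which you can run from a logon script or your configuration management tool, and compares each service's START_TYPE against a baseline. The BASELINE list is an illustration chosen for this example, not a benchmark excerpt, and the SAMPLE output is constructed to match the `sc qc` format rather than captured from a real host.

```python
import re

# Baseline for a locked-down desktop, in the spirit of a CIS benchmark.
# Illustrative list for this example: use the services your own baseline names.
BASELINE = {
    "RemoteRegistry": "DISABLED",
    "TlntSvr": "DISABLED",       # Telnet server
    "Messenger": "DISABLED",     # XP-era "net send" pop-ups
    "SSDPSRV": "DISABLED",       # SSDP discovery
    "upnphost": "DISABLED",      # UPnP device host
    "wuauserv": "AUTO_START",    # Windows Update must stay on
}

# `sc qc` prints "START_TYPE : 2   AUTO_START"; we want the symbolic name.
_START = re.compile(r"^\s*START_TYPE\s*:\s*\d+\s+(\w+)", re.M)


def parse_sc_qc(text):
    """Parse one or more concatenated `sc qc <name>` outputs into {service: start_type}.
    Queries for services that are not installed produce no SERVICE_NAME block
    and are therefore absent from the result."""
    result = {}
    for block in text.split("SERVICE_NAME:")[1:]:
        fields = block.split(None, 1)
        if not fields:
            continue
        start = _START.search(block)
        if start:
            result[fields[0]] = start.group(1)
    return result


def drift(observed, baseline=BASELINE):
    """Return {service: (expected, actual)} for every baseline entry that differs.
    A service missing from the snapshot is reported with actual=None so that
    'not installed' is never silently read as 'disabled'."""
    out = {}
    for svc, expected in baseline.items():
        actual = observed.get(svc)
        if actual != expected:
            out[svc] = (expected, actual)
    return out


# Constructed sample of `sc qc` output for two services plus one that is not
# installed. Not captured from a real machine.
SAMPLE = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Windows\\system32\\svchost.exe -k regsvc
        DISPLAY_NAME       : Remote Registry
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        DISPLAY_NAME       : Windows Update
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

if __name__ == "__main__":
    snapshot = parse_sc_qc(SAMPLE)
    for svc, (want, got) in sorted(drift(snapshot).items()):
        if got is None:
            print("%s: not installed (baseline wants %s)" % (svc, want))
        else:
            print("%s: DRIFT, baseline %s but found %s" % (svc, want, got))
```

In the sample, Remote Registry has crept back to AUTO_START and gets flagged, Windows Update matches and stays quiet, and the services that aren't installed are reported separately so you can decide whether "not present" satisfies the baseline on that build.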
Encrypt Your Laptops
How many laptops have to be lost and how many notifications sent out to irate customers because some jackass leaves their laptop on the back seat of their car? Or on the seat of an airplane? Or anywhere else where a laptop with private information will get pinched? Ideally you shouldn't allow private information on those mobile devices (right, Rich, DLP lives!), but this is the real world and people take stuff with them. Maybe innocently. Maybe not, but all the same – they have stuff on their machines they shouldn't have.
So you need to encrypt the devices. Full disk, not a folder the user has to remember to use, with the recovery keys escrowed somewhere IT can get at them when the user forgets the passphrase. Bokay?
VPN to Corporate
Let’s stay on this mobile user riff by talking about all the trouble your users can get into. A laptop with a WiFi card is the proverbial loaded gun and quite a few of your users shoot themselves in the foot. They connect on any network. They click on any emails. They navigate to those sites.
You can force the VPN up whenever a user is off the corporate network, and make it a full tunnel (no split tunneling), so all their traffic gets routed through your network. It goes through your gateway and your policies get enforced. Yes, smart users can get around this – but how many of your users are smart that way? All the same, you probably have a VPN client on there anyway. So it's worth a try.
Training
Let's talk about probably the cheapest of all the things you can do to positively impact your security posture. Yes, you can train your users not to do stupid things. Not to click on those links. Not to visit those sites. And not to leave their laptop bags exposed in cars. Yes, some folks you won't be able to reach. They'll still do stupid things, and no matter what you say or how many times you teach, you'll still have to clean up their machines – a lot. Which brings us to the last of the low hanging fruit…
When in doubt, reimage…
Yes, you need to invest in a tool to make a standard image of your desktop. You will use it a lot. Anytime a user comes in with a problem – reimage. If the user stiffs you on lunch, reimage. If someone beats you with a pair of aces in the hole, right – reimage.
Before you go on a reimaging binge, make sure to manage expectations. That means making sure the users realize the importance of backing up their systems and keeping their important files on some shared drive. It’s hard to clean up malware infections – most of the time it doesn’t make sense to even try.
Yummy. That low hanging fruit tastes good, eh?
5 Replies to “Low Hanging Fruit: Endpoint Security”
@dave: from a secure configuration standpoint, ensuring local users don’t have admin rights is a very good idea. It’s not always achievable, but it will definitely reduce the amount of trouble a user can get in.
Some apps work like crap in standard user mode. Those apps are fewer, as Vista and now Windows 7 are more prevalent, but they still exist.
As with everything else, it’s a trade-off. You have to balance your political capital with how inconvenient it would be for users, who then can’t install their favorite apps.
What are your thoughts on giving (or taking away) business users
Yeah I tried to spend my holidays with family and friends in Phoenix, Vegas, and San Francisco. Worked out pretty well. Sorry I had been gone so long… it appears too much bullshit fluttered into the security industry again.
Plus, you guys got some great topics and excellent writing going on… can’t wait to see what’s next!
Oh my goodness. The elusive Dre. Welcome back to the jungle.
That’s a great topic for a follow up post. Obviously not having a traditional O/S changes things a bit. And VDI is kind of a hybrid, but admins have a lot more control.
I need to finish up with a LHF: Security Management post early next week, and then this is a good topic to work into the mix.
Thoughts on web desktops, thin clients, virtual desktop infrastructure?