Contrary to what most people think, I believe that Windows is one of the most secure popular OSs in use today. Windows has security features that other OSs only dream of. For example, what other OS gives you the management tools to control every aspect of an end user's experience? What other OS has a tool like Group Policy, which lets you turn services off and on across your entire collection of PCs with a few clicks of the mouse? What other OS has 14 separate security permissions that you can configure for each file and folder? What Windows lacks is stronger default security. Let me show you how to leverage Windows' security management capability and proactively lock down the desktops under your control. When you follow my practical advice, your computers will be among the most secure Windows desktops anywhere, and electronic burglars will leave your enterprise in search of easier victims.
Automate Security
Locking down desktops so bad things and bad people can't gain a foothold involves many tasks, which I've consolidated here into 10 essential steps. One way to guarantee that Windows security isn't implemented correctly is to make it hard for administrators to accomplish or manage the steps involved in the implementation. There are far too many tasks involved in security implementation to manually touch every computer on your network. Automate instead. You can easily execute every recommendation I make in this article by using Group Policy or security templates (which you can use on Windows 2000 and later OSs).
Step 1: Don't Allow End Users to Log On as Administrator
As much as 70 percent of all attacks on desktops could be avoided if the machine's end user weren't logged in as a member of the Administrators group. Most forms of malicious mobile code won't install correctly if the end user is logged on with a Least-Privilege User Account (LUA). Administrators often give end users local administrator permissions so the users can install or run software on their machines, but if you do this, you're giving away the keys to the kingdom. Keeping regular users out of the Administrators group also prevents most new programs from being installed at all, because installing software into Program Files, System32, or the service table requires rights that non-administrators don't have.
If you must allow regular users to be administrators and you have Windows XP clients, use Software Restriction Policies (SRP) to restrict program execution. SRP lets you set an overall execution policy: either all programs are allowed to execute by default except those you explicitly define, or all programs are denied execution except those you explicitly define. The latter policy, which is similar to a deny-all-by-default firewall policy, is more secure but requires more testing. SRP lets you define exceptions by file path, registry path, program hash value, digital signature (certificate), or Microsoft Internet Explorer (IE) security zone. Be aware that a path rule is only as strong as the NTFS permissions on that path: if users can write to a folder that SRP allows, they can drop their own programs there, so pair path rules with the permission work described below, or prefer hash and certificate rules.
Ultimately, if you can't stop unauthorized programs from executing, you can't guarantee security. Using appropriately set NTFS permissions is the best way to prevent currently installed programs from running. To do so, simply remove the Read and Execute permission from the files and folders that unauthorized users should not have access to.
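The following PowerShell script is an added example for Step 1, not code from the original article. It audits a single machine for the two things this step is about: which accounts hold local administrator rights beyond an allow-list, and whether SRP is set to deny-all-by-default. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Windows 10, Server 2016, or Windows 7 with WMF 5.1) and an elevated prompt; `$AllowedAdmins` is a hypothetical allow-list you would replace with your own.

```powershell
# Added example (not from the original article). Audits Step 1 on the local
# machine: who holds local administrator rights, and whether Software Restriction
# Policies default to deny. Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt.
# $AllowedAdmins is a hypothetical allow-list; adjust it for your environment.

$AllowedAdmins = @('Administrator', 'Domain Admins')   # assumed allow-list (short names)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedAdmins)
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        # Name comes back as DOMAIN\name or COMPUTER\name; compare the short name
        $Allowed -notcontains ($_.Name -split '\\')[-1]
    }
}

function Get-SrpDefaultLevel {
    # SRP keeps its policy under this key. DefaultLevel 0x40000 = Unrestricted,
    # 0x1000 = Basic User, 0 = Disallowed (the deny-all-by-default posture).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { return 'not configured (everything runs)' }
    $level = (Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    switch ($level) {
        0       { 'Disallowed (deny all except listed exceptions)' }
        4096    { 'Basic User' }
        262144  { 'Unrestricted (allow all except listed exceptions)' }
        default { 'not configured (everything runs)' }
    }
}

Write-Host 'Local admins outside the allow-list:'
Get-UnexpectedLocalAdmins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
Write-Host "SRP default level: $(Get-SrpDefaultLevel)"
```

Run it from a logon script or a remoting session and collect the output centrally; a desktop that reports an unexpected admin or an Unrestricted SRP level is one that hasn't had Step 1 applied. In a domain, the same group-membership check is better done with a Restricted Groups policy, which enforces the membership rather than just reporting it.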
Step 2: Disable Booting on Everything but a Machine's Primary Hard Disk
To allow booting from anything but the primary hard disk is to allow malicious intrusion. By disabling booting from floppy, CD-ROM, USB, and the network, you effectively deny almost every password resetter and many cracking programs, prevent boot viruses, and deflect malicious programs that are designed to boot around the protections of NTFS. If you need to boot to another drive during a troubleshooting session, change the boot sequence and reboot, and don't forget to reset the sequence afterward. Disable USB ports unless they're needed for a specific purpose.
To prevent modification of the boot-order settings you specify, password-protect the machine's BIOS. Make sure to use a password that's different from your administrator password in case you have to give the password to an end user or service technician during a troubleshooting session. Keep in mind that a BIOS password only slows down someone with physical access; anyone who can open the case can clear the CMOS or move the disk to another machine, so this step protects against casual and opportunistic access, not against a determined attacker holding the hardware.
Step 3: Rename the Administrator and Other Highly Privileged Accounts
Most attacks are automated and are programmed to look for an account named Administrator. Although you can't change the well-known Administrator SID (its relative identifier is always 500), most malware and many attackers don't work at the SID level. Rename sensitive accounts to something that appears to be a normal user account. Then, create bogus replacement accounts, simulating even the default descriptions. Heavily restrict these decoy accounts, give them long, complex passwords (15 or more characters), and audit them: any logon attempt against an account nobody is supposed to use is a signal worth investigating.
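The script below is an added example for Step 3 on a stand-alone machine, not code from the original article. It renames the real built-in Administrator, plants a decoy with the stock description and an unknowable password, shows the SID-based check that still finds the real account (which is why renaming is a filter for automated tools, not a secret), and pulls failed logons against the decoy from the Security log. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module and an elevated prompt; the new name `svc-backup7`, the field positions used for event 4625, and the 24-hour window are assumptions.

```powershell
# Added example (not from the original article). Step 3 on a stand-alone machine:
# rename the built-in Administrator, plant a decoy named "Administrator", and show
# why renaming alone is not enough. Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module, run elevated. The new name
# 'svc-backup7' is an arbitrary example; pick something that blends in.

$NewAdminName = 'svc-backup7'

function New-RandomPassword([int]$Length = 30) {
    # Draws $Length distinct printable ASCII characters (0x21-0x7E); long
    # enough that no LM hash can be stored and brute force is impractical.
    $chars = 33..126 | Get-Random -Count $Length | ForEach-Object { [char]$_ }
    -join $chars
}

function Get-RealAdministrator {
    # The built-in Administrator always has RID 500, whatever it is named.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

# 1. Rename the real account (the SID, and therefore RID 500, is unchanged).
$real = Get-RealAdministrator
if ($real.Name -eq 'Administrator') {
    Rename-LocalUser -Name 'Administrator' -NewName $NewAdminName
}

# 2. Create the decoy with the stock description and a long random password
#    that nobody knows. Do not add it to any group.
if (-not (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue)) {
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-LocalUser -Name 'Administrator' -Password $pw `
        -Description 'Built-in account for administering the computer/domain' `
        -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
}

# 3. The check an attacker can run: the SID still gives the real account away.
Write-Host "RID-500 account is now: $((Get-RealAdministrator).Name)"

# 4. Audit: any logon failure against the decoy is suspicious by definition.
#    Assumption about the 4625 layout: Properties[5] = TargetUserName,
#    Properties[19] = IpAddress.
function Get-DecoyLogonFailures([int]$Hours = 24) {
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq 'Administrator' } |
        Select-Object TimeCreated, @{ n = 'Source'; e = { $_.Properties[19].Value } }
}
Get-DecoyLogonFailures | Format-Table -AutoSize
```

Failed-logon auditing must be enabled for step 4 to return anything. In a domain, rename the domain Administrator with the security option Accounts: Rename administrator account in a GPO rather than on each machine, and create the decoy once in Active Directory.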
Step 4: Defeat Password Crackers with 4 Practices
You can defeat most password cracking programs by implementing four practices for desktop security. Make it a habit to disable LM hash storage, disable the LM and NTLMv1 protocols, require strong passwords, and enable account lockouts.
Disable LM hashing. LM password hashes are extremely easy to hack by brute force: the password is upper-cased, split into two 7-character halves, and each half is hashed independently, so a cracker never has to attack more than 7 characters at a time. Unfortunately, Windows 2000 and XP store the very weak LM password hash by default, even though much stronger alternatives exist. Use a GPO (Network security: Do not store LAN Manager hash value on next password change) or the registry value NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa to disable LM password hashing. Windows will continue to store and use the much stronger NTLM password hash. Two caveats: the setting only takes effect for each account at its next password change, so force a change after you enable it, and a password of 15 characters or more never gets an LM hash at all, which is one more reason for the length requirement below. With this one tactic, you'll defeat most password crackers and remote machines trying to forcibly grab weaker credentials.
Require NTLMv2. All Win2K and later Windows systems use Kerberos for domain authentication by default. Such systems must also use at least one non-Kerberos authentication protocol (i.e., LM, NTLM, or NTLMv2) for nondomain logins and other tasks, such as connecting to a server by IP address. After testing thoroughly to make sure legacy applications and systems (and even some newer applications) won't break, disable the use of the LM and NTLM protocols; the setting is Network security: LAN Manager authentication level (registry value LmCompatibilityLevel), and level 5 sends NTLMv2 only and refuses LM and NTLM. A captured NTLMv2 challenge-response can still be attacked offline, but the attacker must guess the full password rather than two 7-character halves, so with appropriately complex passwords the attack is impractical.
Enable a strong password policy. A weak password can defeat a lot of good intentions. Require your users to choose, at the least, a complex, 15-character password, and set it to expire every 90 days or sooner. You can enable all three of these options by using GPOs or by editing the registry.
Enable account lockouts. Configure account lockouts to lock accounts after three consecutive bad password attempts. Instead of requiring an administrator to unlock a locked account, allow it to automatically reset in 1 minute. Enabling account lockouts, even with a lockout duration this short, slows online brute-force password cracking programs to a few guesses per minute, which against a 15-character complex password is the same as defeating them. The short duration also limits the obvious side effect: an attacker who knows your usernames can lock accounts on purpose, and a 1-minute reset turns that from an outage into a nuisance. Note that on Windows XP and Windows Server 2003 the built-in Administrator account is exempt from lockout, which is one more reason to rename it and keep it out of daily use.
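The following is an added example, not code from the original article, that applies all four Step 4 practices to a stand-alone machine using a security template and secedit, which the article recommends as the automation vehicle, and then verifies the result. It assumes an elevated Windows PowerShell prompt, an English-language system (the `net accounts` strings it checks are localized), and a lab machine for the first run, because `LmCompatibilityLevel` 5 makes the host refuse LM and NTLMv1 from everyone; the scratch paths are arbitrary. In a domain, put the same settings in a GPO instead.

```powershell
# Added example (not from the original article). Applies the four Step 4
# practices with a security template and secedit, then reads the values back.
# Run elevated, on a test box first: LmCompatibilityLevel 5 makes this host
# refuse LM and NTLMv1 authentication from everyone. Paths are arbitrary.

$template = Join-Path $env:TEMP 'step4.inf'
$database = Join-Path $env:windir 'security\database\step4.sdb'

# Template keys: [System Access] holds the password and lockout policy;
# [Registry Values] uses "path=type,data" where type 4 is REG_DWORD.
#   NoLMHash=1            -> stop storing the LM hash (at next password change)
#   LmCompatibilityLevel=5 -> send NTLMv2 only, refuse LM and NTLMv1
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 15
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 3
LockoutDuration = 1
ResetLockoutCount = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
'@ | Set-Content -Path $template -Encoding Unicode

# Merge the template into the local security policy
secedit /configure /db $database /cfg $template /areas SECURITYPOLICY /quiet

function Test-Step4Settings {
    # $true only if every value landed as intended
    $lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $acct = (net accounts) -join "`n"
    ($lsa.NoLMHash -eq 1) -and
    ($lsa.LmCompatibilityLevel -eq 5) -and
    ($acct -match 'Minimum password length:\s+15') -and
    ($acct -match 'Maximum password age \(days\):\s+90') -and
    ($acct -match 'Lockout threshold:\s+3')
}

"Step 4 settings applied correctly: $(Test-Step4Settings)"
```

After this runs, existing accounts still carry an LM hash until their password changes, so follow it with a forced password change (or `net user <name> /logonpasswordchg:yes` per account) to finish the job.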
Step 5: Strengthen Service Security
You can significantly harden a Windows computer against attack by turning off unneeded services and running services on nondefault ports when possible.
Turn off unneeded services. A new Windows installation ships with more than a hundred services, many of them enabled. Fewer services running means a smaller attack surface for a hacker. The rule of thumb is: If you don't need it, disable it. Service-disabling recommendations abound on the Internet. But start with Microsoft's recommendations (available at http://go.microsoft.com/fwlink?LinkID=14845) and modify, test, and create your own baseline set. Do you need Wireless Zero Configuration enabled by default on a wired desktop? Research and find out. This advice applies to any software you install.
Run services on nondefault ports. If a service doesn't need to be on a default port, put it somewhere else, preferably randomly high, where port scanners won't readily find it or know what to do with it. For example, although Microsoft Telnet server hasn't been exposed to a publicly announced exploit, I run it where it can't easily be found. If an exploit does occur, it will most likely be thrown in a worm and hit every possible victim in a few hours or days. I won't be found so easily. Understand what this buys you: a worm or a quick scan of default ports misses the service, but a full-range scan with service fingerprinting will identify it, so a nondefault port is a speed bump against automated attacks, not a substitute for patching.
I frequently change even extranet Web servers to nondefault ports. For example, I have a lot of clients in the healthcare industry who use HTTP Secure (HTTPS) to exchange financial and patient data over the Internet. In addition to using data encryption, I move the Web server's default port to a number that's random and high. Then, all participating parties are told to connect to the nondefault port. It's as simple as sending the link (e.g., https://www.example.com:38093) in an email message. I tell the users to save the link as a shortcut on their desktop. With this tactic, legitimate users have no problem gaining access, and Web worms are frustrated.
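The script below is an added example for the service-hardening half of Step 5, not code from the original article. It disables a list of services you have decided a desktop doesn't need and then reports every auto-starting service that isn't in your baseline, with its binary path and the account it runs as, so unexpected additions stand out. It assumes Windows PowerShell 3 or later (for `Get-CimInstance`) and an elevated prompt; both service lists are illustrative and should be replaced with ones you derive from Microsoft's baseline and your own testing.

```powershell
# Added example (not from the original article). Step 5: disable a set of
# services and report anything auto-starting that is not in your baseline.
# Assumes Windows PowerShell 3+ (Get-CimInstance), run elevated. Both lists
# are illustrative; build your own from Microsoft's baseline and testing.

# Services you have decided this desktop does not need (example list)
$ToDisable = @('RemoteRegistry', 'TlntSvr', 'Messenger', 'SSDPSRV', 'upnphost')

# Auto-start services you expect (example baseline; generate yours from a clean build)
$Baseline = @('Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation', 'PlugPlay', 'RpcSs', 'wuauserv')

function Disable-UnneededServices([string[]]$Names) {
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { continue }            # not installed on this build
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        Set-Service -Name $n -StartupType Disabled
        "$n -> Disabled"
    }
}

function Get-ServicesOutsideBaseline([string[]]$Known) {
    # Win32_Service exposes the start mode, the binary path and the logon
    # account; anything auto-starting that you did not plan for is attack
    # surface you have to justify.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $Known -notcontains $_.Name } |
        Select-Object Name, State, StartName, PathName
}

Disable-UnneededServices $ToDisable
Get-ServicesOutsideBaseline $Baseline | Format-Table -AutoSize
```

Once your baseline is settled, move the disable list into the System Services section of a security template or GPO so that it is enforced on every desktop rather than applied by hand.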
Step 6: Block Access to Dangerous Files
A standard Windows installation contains many executable files that are far more likely to be used maliciously by an intruder than legitimately by an authentic user. Have you looked in your System32 folder lately? Do your end users need access to debug.exe, format.com, sys.com, or regedit.exe? Probably not. When reviewing your NTFS permissions, remove non-administrator users' ability to read and execute those files. (By default, all authenticated users have Read and Execute permission to all files in the Windows and System32 folders.) Make sure that you only remove permissions. Don't do something like Deny-All to the Users or Everyone group, because administrators are members of those groups too, and a Deny entry always wins over an Allow entry.
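The following script is an added example, not code from the original article, for the NTFS-permission advice in Step 1 and Step 6: it takes the Users group's Allow entries off the specific binaries the article names, without adding any Deny entries, after backing up each file's DACL so the change can be reversed. It assumes Windows Vista or later (icacls, and TrustedInstaller ownership of System32 files) and an elevated prompt; on Windows XP the equivalent tool is cacls, and sys.com and debug.exe may not be present on newer builds, which the script tolerates. The backup directory is an arbitrary choice.

```powershell
# Added example (not from the original article). Steps 1 and 6: take Read &
# Execute away from non-administrators on specific binaries without using Deny
# ACEs. Assumes Windows Vista or later (icacls, TrustedInstaller ownership) and
# an elevated prompt. The file list is the one the article names; regedit.exe
# lives in %windir%, not System32. On Windows XP use cacls instead of icacls.

$Targets = @(
    "$env:windir\System32\debug.exe",
    "$env:windir\System32\format.com",
    "$env:windir\System32\sys.com",
    "$env:windir\regedit.exe"
)
$Backup = Join-Path $env:SystemDrive 'acl-backup'   # arbitrary location for ACL backups
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

function Remove-UsersAccess([string]$Path) {
    if (-not (Test-Path $Path)) { return "$Path not present, skipped" }
    $name = Split-Path $Path -Leaf

    # Save the current DACL so the change can be undone with icacls /restore
    icacls $Path /save (Join-Path $Backup "$name.acl") | Out-Null

    # System32 files are owned by TrustedInstaller and Administrators only get
    # Read & Execute, so take ownership before editing the DACL.
    takeown /f $Path /a | Out-Null
    icacls $Path /grant 'Administrators:F' | Out-Null

    # Detach from the folder's inherited ACL (copying it), then drop the Allow
    # entries for Users. Removing grants, not adding Deny, keeps administrators
    # (who are also members of Users) working.
    icacls $Path /inheritance:d | Out-Null
    icacls $Path /remove:g 'Users' | Out-Null
    "$name - Users entries removed"
}

function Test-UsersStillListed([string]$Path) {
    # Does any ACE for BUILTIN\Users remain on the file?
    [bool]((icacls $Path) -match 'BUILTIN\\Users')
}

$Targets | ForEach-Object { Remove-UsersAccess $_ }
$Targets | Where-Object { Test-Path $_ } |
    ForEach-Object { "$_ still grants Users: $(Test-UsersStillListed $_)" }
```

Confirm the result from a standard user account rather than trusting the ACL listing alone: running one of the files should fail with Access is denied. To roll back, run `icacls <folder> /restore <aclfile>` with the saved file for each binary, and remember that a Windows service pack or in-place upgrade may restore the default permissions, so re-apply this as part of your baseline.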