Armed with the list of new Vista security features
and with the five layers of the Castle Defense System, you can now begin
to view how you will protect your own Vista PCs. Table 1 outlines each of the five layers of the CDS and identifies how you can use the Vista feature set to secure each PC.
Table 1. Applying the CDS to Vista PCs

Layer | Contents | Description
---|---|---
Layer 1 — Critical information | Data categorization | Categorize all data to determine the level of protection each type of data requires on your PCs.
 | Application hardening | Make sure the applications your users have access to are well-designed and provide a protection layer of their own.
Layer 2 — Physical protection | Physical environment | Make sure entry to your offices is protected. Make sure your PCs are tagged and identified. Make sure the external systems you allow to connect to your network can provide a clean bill of health.
 | Physical controls | Pay attention to the physical access to your PCs.
 | Communications | Make sure all users, including administrators, understand their responsibilities in terms of security practices.
 | Surveillance | Make sure everyone in the organization understands their responsibilities in terms of vigilance.
Layer 3 — OS hardening | Security configuration | Pay special attention to the following: service hardening, security configuration settings for the base PC installation, BitLocker Drive Encryption for portable systems whose configuration is sensitive, Encrypting File System data protection for others, User Account Control (UAC) for all users and administrators, Device Control to ensure that unauthorized USB disk drives cannot be connected to any PC, and wireless networking security.
 | Anti-malware | Implement Windows Defender along with proper antivirus technologies.
 | General Active Directory security | Implement very tight permissions management. Implement Software Restriction Policies to ensure no malicious code is allowed to run in your domain.
 | File system | Secure the file system to protect PC stability. Implement access-based enumeration to further protect information. Rely on digitally signed Windows Installer packages for all third-party or custom product installations.
 | Print system | Implement a full security strategy for all printers. Make sure standard users can install their own printers.
 | .NET Framework security | Any PC that includes this Framework needs special care. For example, PCs running Windows PowerShell will also include the Framework.
 | Internet Information Services (IIS) | If you choose to install IIS on PCs, then make sure it is securely configured.
 | System redundancy | Redundancy on PCs is provided through the application of sound principles, the protection of user data and the availability of additional systems for replacement.
Layer 4 — Information access | User identification | Rely on smart card or two-factor authentication for administrators in very secure environments. Highly secure environments will use two-factor authentication for all users.
 | Security policies | Assign proper policies for the PC pool.
 | Resource access | Tightly control all resource access. Implement EFS for mobile users.
 | Role-based access control | Applicable only at the server or application level.
 | Access auditing/monitoring | Turn on auditing to track all changes on critical systems.
 | Digital rights management (DRM) | Rely on Rights Management Services to apply DRM to all documentation that is copyrighted or sensitive in any other fashion.
Layer 5 — External access | Perimeter networks | Configure the Windows Firewall with Advanced Security to control access to Vista PCs and mobile workstations.
 | Virtual Private Networks (VPN) | Rely on Virtual Private Network (VPN) connections for all remote access.
 | Routing and Remote Access (RRAS) | Implement a remote access authentication service for users working remotely.
 | Secure Socket Tunneling Protocol (SSTP) | Ensure all remote communications as well as sensitive internal communications are encrypted.
 | Public Key Infrastructure (PKI) | Implement PKI in support of smart card deployment and software restrictions.
 | Identity federation | Rely on Active Directory Federation Services for extranet access if it is required.
 | Network Access Protection (NAP) | Implement Network Access Protection (NAP) to ensure all machines that link to your network have approved health status.
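The Layer 3 row of Table 1 names several OS-hardening controls (UAC, BitLocker, Software Restriction Policies, removable-device control, Windows Firewall, Windows Defender) without saying how to confirm that a given PC actually has them in place. The script below is an added example written for this page, not code from the book or from Microsoft; it reads the registry and WMI locations those features use and reports a pass/fail line per control without changing anything. It assumes the standard policy locations (the UAC `EnableLUA` value, the SRP `Safer\CodeIdentifiers` key, the `FirewallPolicy` profile keys and the `Win32_EncryptableVolume` WMI class); the `RemovableStorageDevices` GUID used for the "Removable Disks" class is taken from the removable-storage policy template and should be verified against your own Group Policy before relying on the result. Run it from an elevated PowerShell prompt on the PC being audited.

```powershell
# Added example (not from the original text): read-only audit of a few of the
# Layer 3 OS-hardening controls listed in Table 1 on a single Vista-era PC.
# Written for PowerShell 2.0 syntax, so no [PSCustomObject] or ordered hashtables.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $status = 'FAIL'
    if ($Pass) { $status = 'OK' }
    New-Object PSObject -Property @{ Control = $Control; Status = $status; Detail = $Detail }
}

function Test-VistaHardening {
    $findings = @()

    # 1. User Account Control: EnableLUA = 1 means UAC is active for all users.
    $lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    $findings += New-Finding 'User Account Control' ($lua -eq 1) "EnableLUA = $lua"

    # 2. Software Restriction Policies: DefaultLevel 0 = Disallowed (default deny),
    #    131072 = Basic User, 262144 = Unrestricted, $null = no SRP defined at all.
    $srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
    $findings += New-Finding 'Software Restriction Policies' ($srp -eq 0) "DefaultLevel = $srp"

    # 3. Device Control for removable disks. ASSUMPTION: this GUID is the
    #    "Removable Disks" class used by the RemovableStorageDevices policy.
    $rsdPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $denyAll = Get-RegValue $rsdPath 'Deny_All'
    $findings += New-Finding 'Removable disk Device Control' ($denyAll -eq 1) "Deny_All = $denyAll"

    # 4. Windows Firewall: each profile has its own EnableFirewall value.
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $fwPath = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile"
        $fw = Get-RegValue $fwPath 'EnableFirewall'
        $findings += New-Finding "Windows Firewall ($profile)" ($fw -eq 1) "EnableFirewall = $fw"
    }

    # 5. Windows Defender service state (the book pairs it with a separate antivirus).
    $defender = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $running = ($defender -ne $null) -and ($defender.Status -eq 'Running')
    $findings += New-Finding 'Windows Defender service' $running "WinDefend status = $(if ($defender) { $defender.Status } else { 'not installed' })"

    # 6. BitLocker: ProtectionStatus 0 = off, 1 = on, 2 = unknown, per the WMI class.
    $vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                          -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    if ($vols -eq $null) {
        $findings += New-Finding 'BitLocker Drive Encryption' $false 'WMI provider not available (BitLocker not installed?)'
    } else {
        foreach ($v in $vols) {
            $findings += New-Finding "BitLocker ($($v.DriveLetter))" ($v.ProtectionStatus -eq 1) "ProtectionStatus = $($v.ProtectionStatus)"
        }
    }

    return $findings
}

# Usage: print the audit as a table; FAIL rows are the controls to follow up on.
Test-VistaHardening | Format-Table Control, Status, Detail -AutoSize
```

Because every check is a read of policy state rather than a change, the script can be run repeatedly (for example as a logon or scheduled task) and its FAIL rows fed into whatever inventory you keep for the asset-tagging step in Layer 2; a PC that reports BitLocker off on a portable system, or SRP absent, is the one to pull aside before it leaves the building.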
1. Layer 1: Protecting information
Information is the basis of any effort that relies on the PC, but if
organizations are properly structured at the IT level, this information
will usually be stored on networked servers. That's because when it is
stored centrally, information is easier to protect, back up, and secure.
But, given the distributed nature of the client-server system, you'll
often find that information, sometimes information that is critical to
your organization, is located on PCs. In those cases, you must protect
the information as much as possible, especially if the PC is a mobile PC
that is used outside of your offices.
Ideally, you will have performed some form of
information categorization, one that will give you a better
understanding of the information you need to protect if your
organization is to run properly. There are usually four categories of
information:
Public information is information that
may or may not be related to your organization, but that does not
require protection. For example, information on products your
organization sells through your Web site is deemed public information.
Private
information is information that you need to run your operations, but
this information is not sensitive and may not require heavy protection.
For example, information on how you run your Web site is usually
private, but if it is leaked outside your organization, it will not be a
major disaster.
Confidential information
is information that should only be divulged to authorized personnel.
For example, the salaries you pay to your employees are usually deemed
confidential.
Secret information is
information that is critical to the operation of your business. If
secret information is leaked out, it may have a negative impact on your
organization's ability to operate.
Each category of information can find itself on a
PC at some point in time. For this reason, you need to make sure it is
protected at all times.
In addition to protecting the data on your PCs, you must make sure that
your applications — the applications that generate and manipulate your
organization's information — are hardened or otherwise configured in a
fashion that makes it difficult for unauthorized personnel to obtain
that information. Stories about organizations that have leaked
information, such as their clients' credit card numbers, because their
applications were not hardened are too often in the news.
2. Layer 2: Working with protection
Physical protection is also more difficult with
PCs because they are distributed by nature. There are four categories of
PCs to protect.
The first category is the workstations located in your office. These
are easier to protect because they are on your physical premises;
hopefully, you have system checks in place for anyone who wants to
remove them from your premises.
However, physical protection becomes more
difficult when you consider the second category: mobile or tablet PCs.
According to researchers, more than 600,000 PCs are lost or stolen in
the U.S. each year. That is a considerable number, so you want to make
sure you've properly protected them.
In addition to mobile systems, you might also be
faced with a third category: working with or preparing kiosk PCs. Kiosk
PCs are still under your control, but they present a different problem
because they are exposed to users over whom you have little or no
control. Therefore, these PCs must have a very tight physical security
mechanism put in place so that they are locked down and cannot be
removed from your facilities.
The fourth category of PC that requires some form of physical security
is the teleworker's PC. Although these are often mobile systems, they
sometimes include actual workstations that you provide to your users so
that they can perform work from home. In this case, you are faced with
two issues:

The first is that you must find a way to protect the system at a
physical level in an environment — the user's home — where you have no
control.

The second is that this corporate PC will often be accessed by
noncorporate users in the form of the user's family members. One
feature of Vista that makes it easier to deal with this aspect is the
ability to use Fast User Switching, assigning a personal account to each
family member. But in some cases, families all use the same user
account, and this can cause a major risk since any family member will
have access to the data on your network — at least the same level of
access as the user has.
With each of these different categories of systems, you have a few
choices for protection at the physical level. You can:

Tag each system and include it in an asset inventory. Bar code tags are
the ideal method because they can be entered into a database.

Use a loss-tracking mechanism, one that will offer an online reward for
the return of your lost items. Several exist. One that is well rated is
www.trackit.com, but you can find many more if you search for them.

Load your PCs with tracking software, software that will automatically
identify the location of the system if it is lost or stolen and someone
tries to use it. A good example of this software is AbsoluteTrack from
Absolute Software (www.absolute.com). Once again, you can search for
others as there are several choices.

Make sure your kiosk PCs are bolted to the casings that hold them so
that they are impossible to remove. It would be nice to do the same with
mobile PCs, but that is unlikely. You can, however, protect your mobile
systems with cable locks. You should include these with each mobile
system you provide to your users and instruct them in their use. As for
systems that you provide to your teleworkers, you can only recommend
that they place them in secure rooms. The best way to do this is to
provide your teleworkers with information and procedures they should
follow when bringing a computer home.