The "No Network is 100% Secure" series
- Personal Computer (PC) Security -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
Personal Computer (PC) security white paper audience: This white paper
is geared towards personal computers in the work place. However, many of the
factors described in this white paper equally apply to PCs in the home or
small office (SOHO) environment. For the purpose of this white paper, it is assumed
that the PCs under discussion are installed in a corporate setting, are protected
by a firewall at the WAN border and that the user PCs are supported by a Helpdesk
and/or IT staffing function. This white paper is written for IT managers who may or
may not be technically oriented.
PCs are usually the most neglected computers in the enterprise: This is not always the case, although I've seen this situation frequently enough to feel that a white paper on the subject would probably have value at many companies. Servers, routers, firewalls and other infrastructure gear tend to get the lion's share of IT attention. Interestingly enough, a fair percentage of server security threats, problems, infections, outages and down time actually result from successful attacks on one or more company PCs.
As the careful reader has no doubt seen by reading the other white papers in this series, there is no "magic pill" that will protect company networks and data centers against problems. Rather, good computing health, just like with people, requires living a healthy lifestyle (employing best practices), education (knowing how to protect yourself), regular check-ups (periodic security audits) and getting vaccinated against the various viruses that happen to be flying around. And just as in real life, doing all of those things is no guarantee that you'll live forever. But it's pretty much guaranteed that if you ignore good health practices, you most likely will not get to enjoy a healthy life for long. The premise of this white paper is that your IT organization would prefer to spend its time planning for the future rather than running around dealing with viruses, trojans, denials of service, hackers, crackers, spammers and the like. If that's so, read on!
Company PCs become infected in several different ways. The most common is "tricking" users into installing a virus, trojan, spyware or other malware using techniques described in other white papers in this series. The other main attack method is to exploit vulnerabilities in the PC operating system or running applications via the Internet or via another infected computer. This method is commonly accomplished without the PC user's knowledge or participation.
Proxy Servers: There are several important performance and control reasons for implementing a proxy server in your environment. But even if you don't care about those benefits, a proxy server is still worth considering because of its security features. Squid proxy software is free, and so is the Linux operating system (Red Hat, for example) it runs on. Proxy servers will run fine on a very basic hardware platform, so the cost to deploy this technology is minimal. You will, however, need to invest some time configuring the security functions in Squid (or whatever you are using) to get significant benefits. This is an investment of time that will be well worth it. Note that most proxy servers block very little when configured "out of the box", but most products have very rich feature sets that allow far more restriction of web surfing than you would probably want to implement in your environment. This is not to say that your users will be impervious to malware once a proxy server is in place, but a proxy server is a very good first step towards that goal.
Safer browsers: We have nothing against Microsoft or their products. But for a variety of reasons, Microsoft Internet Explorer (IE) has been a magnet for hackers for years. I use a Eudora e-mail client rather than Microsoft Outlook simply because very few exploits have been created to attack it. It's not that IE is "bad"; it's more a situation where IE is an attractive and bountiful target for hackers to attack. So what to do? For your less technical users, you may be stuck with IE. But I would suggest that offering an option such as Firefox makes a lot of sense. Firefox is a much more secure browser and there is a lot of development activity regarding all sorts of plug-ins, including security related plug-ins. Firefox does tend to be a resource hog, and it's an app that users would probably want to shut down at the end of the day if they don't power off their PCs when they go home. And again, I have experienced nearly successful attacks even when running Firefox with a full boat of security plug-ins installed, but had I been running IE I doubt I would have been protected at all. Remember: the end game is to not get sick! Every PC that doesn't get infected is one less virus fire drill that IT doesn't have to spend the following week cleaning up after. Netscape/Mozilla has been around longer than IE. Firefox is free, it's easy to use and it is a lot more secure than IE. Mozilla also has an e-mail client called Thunderbird, also free, fully featured and very easy to use.
Frequent updates: Hopefully, you are on the CERT mailing list so that you are getting regular security update notices. It used to be that you had plenty of time to protect yourself after a new CERT bulletin came in before you started seeing the actual threat. Not so any more. Nine times out of ten, the new threat is already going full blast before a CERT bulletin is issued and long before a patch or a definition update is available. Still, getting and reading CERT bulletins is an important thing to do.
Companies that use a Linux workstation such as Fedora are a lot less vulnerable to most attacks than Microsoft Windows shops. Even so, automatic updates are the order of the day. I recently did some work at a company that used Windows 2000 as the desktop standard. The company systems administrator had decided that all PCs would have only ordinary user privileges: no power users and no one with administrator rights. Because of this, NONE of the 80 or so PCs at the company had been patched or upgraded in years. Literally. As you can imagine, the joint was a snake's nest of problems, most of which could have been easily avoided by giving a little attention to allowing automatic updates.
And while you're thinking about it, don't forget to check periodically for patches and updates for your PC applications! Bear in mind that even if you are set to receive automatic updates for Microsoft Windows (the operating system), you will NOT hear about or receive updates for Microsoft's other products, such as Microsoft Office and so on.
On-the-box Firewall: Installing a firewall (and configuring it aggressively) on every PC is a "must do" in my opinion. I use ZoneAlarm, which is now owned by Check Point. They do charge for commercial use of this product, although it is well worth the money IMO. The last several releases of Microsoft Windows have included a security suite that includes a firewall. Not as good as ZoneAlarm (IMO) but certainly way better than nothing. If you decide to go this route, also install and configure Windows Defender (including configuring it for automatic definition updates). I would also include in this section making adjustments to IE, Firefox or whatever you are using to block pretty much everything from the Internet. I generally set my browser to the most restrictive settings possible that still allow me to do actual work. You might also consider installing Ad-Aware, blocking third party cookies, disabling scripts, blocking pop-ups and blocking a whole list of other nasty things to further tighten up your PCs. When it comes to the Internet, I trust nothing and I allow very little.
Anti Virus: Even with the World's best and most expensive anti virus product(s) you are still beaucoup vulnerable. But here's a case where the more you do, the less vulnerable you will be. I have had the best success with AVG anti virus from Grisoft. Again, they do charge for commercial use but IMO, this is money well spent. I am not a huge fan of Symantec even though I know a lot of IT organizations are subscribers. In my experience, Symantec has been problematic and is just not worth the money. IT managers should decide for themselves though. Do a Google search for Symantec user feedback and compare it to the experience folks have had with AVG and other products that are out there.
And don't forget to configure your AV software to do frequent definition updates. Once a day would be the absolute minimum. I have AVG set to update every four hours, which is what they recommend. New viruses are coming along every few hours, it seems. I don't know that you would necessarily need to scan the entire PC every day, but I do scan most of my PC file systems several times a week. Note that if user PCs are shut down at night, scheduled scans will have to run during working hours, and there can be a substantial performance hit: working-hours scans will significantly slow down your users' PCs... or worse yet, scans may be skipped entirely!
And don't forget to scan floppies, CD-ROMs and other removable media, including material that comes from a vendor, before accessing any of the files on them! There are plenty of CD-ROMs/DVDs leaving the factory with viruses these days.
Disabling un-needed services: As discussed in other white papers in this series, it is a best practice to disable any service that is not needed. This is especially true of PCs, and it is particularly true if the PC in question does not have an on-the-box firewall running on it. If you run netstat -a, you should not see any listening ports or connections other than those that are supposed to be there.
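One way to turn that netstat -a check into a repeatable baseline comparison, as an added example that is not from this white paper: the script below parses the layout Windows netstat -a prints and reports any listening port or established connection that is not on an assumed site baseline. The sample output, the expected ports and the proxy host name are all constructed for the example.

```python
# Constructed sample in the layout Windows "netstat -a" prints; not captured
# from a real PC. Hosts, ports and addresses are assumptions.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      proxy.example.local:3128   ESTABLISHED
  TCP    192.168.1.10:1042      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1900           *:*
"""

# Baseline for a locked-down corporate PC (assumed values; adjust per site):
# ports the PC is expected to listen on, and hosts it is expected to talk to.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}
EXPECTED_PEERS = {"proxy.example.local"}

def parse_netstat(text):
    """Turn netstat -a output into (proto, local_addr, local_port, foreign_host, state) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skips the banner, blank lines and the column header
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        laddr, lport = local.rsplit(":", 1)          # rsplit also copes with [::]:135
        fhost = foreign.rsplit(":", 1)[0]
        rows.append((proto, laddr, int(lport), fhost, state))
    return rows

def audit(text, expected_listeners=EXPECTED_LISTENERS, expected_peers=EXPECTED_PEERS):
    """Return one finding per socket that is not on the baseline."""
    findings = []
    for proto, laddr, lport, fhost, state in parse_netstat(text):
        listening = state == "LISTENING" or (proto == "UDP" and fhost == "*")
        if listening:
            if laddr.startswith("127.") or laddr == "[::1]":
                continue  # loopback-only listeners are unreachable from the LAN
            if (proto, lport) not in expected_listeners:
                findings.append(f"unexpected listener {proto}/{lport} on {laddr}")
        elif state == "ESTABLISHED" and fhost not in expected_peers:
            findings.append(f"unexpected connection to {fhost} from local port {lport}")
    return findings
```

Save the real netstat -a output to a file and pass its contents to audit(); an empty findings list means the PC matches the baseline.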
User education: Frequently training your users on safe computing practices is always helpful. Even so, you will probably always have problems with people opening attachments, clicking on "OK" buttons and doing lots of other things that you clearly instructed them not to do just days ago. Still, if even a few people actually listen to the instructions and understand what they are being told, that's at least a few problems that you won't have to deal with later on.
SPAM, e-mail viruses, phishing, etcetera. Tips for Exchange users: I am not a huge fan of using Microsoft Exchange as a primary MX server. Your organization may be Microsoft centric or there may be other reasons for deploying Exchange. That discussion is beyond the scope of this white paper. However, if you have any *NIX expertise in your IT organization, I would strongly recommend using a UNIX sendmail MX server to "front end" your mail delivery. If nothing else, having this buffer will help avoid mail service outages due to a lost Internet connection or a DoS. Additionally, there are a plethora of UNIX applications, tools and open source projects that support safe e-mail operations. SpamAssassin, milters, virus detection, open relay black listing and so on can be easily and inexpensively implemented to "clean up" your e-mail before Exchange ever sees it. This can be done transparently and has done an excellent job at reducing SPAM and other problems in networks where I have implemented it.
Easyrider LAN Pro Consulting services:
Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro