Protecting Client PCs | Protect Your Windows Network: From Perimeter to Data

Protecting Client PCs

New kinds of threats are appearing that take advantage of physical access to office computers and other kinds of networking equipment. We know of at least one customer whose entire network got infected with a virus from an Ethernet-enabled photocopier a virus on a repairperson's diagnostic laptop copied itself to the equipment and then wiped out the entire LAN! Another threat that immediately comes to mindand really isn't all that new anymoreis the keystroke logger. These things keep us up at night.

Keystroke-logging software has been around for a while now; more recent are small hardware devices that do the same thing:

Figure 6-4. A keystroke logger.

Perhaps some of you have even experimented with one or two. Hardware keystroke loggers are small electronic devices that attach to the end of the keyboard cable and then plug into the back of the computer. Both PS/2 and USB loggers are available. The devices record every single keystroke, meaning that in the logger's memory (in clear text, of course, there's no encryption between the keyboard and the computer) is every single thing the user typed: incriminating passwords, credit card numbers , valuable trade secrets, sensitive chat sessions, and so on.

An attacker requires physical access to install the logger. Passive loggers are pure recording devices; the attacker must return at a later date to retrieve the logger and dump its data. Active loggers include device driver and even Web server software that allow an attacker to remotely access the logger's memory; in this case the attacker doesn't need to make a second visit but does need to convince the user to install the software somehow (perhaps by sending it through e-mail, with an alluring subject line promising an entertaining experience). Regardless of its operation, after the logger is installed and recording, no visible clues reveal the logger's presence: a user must visually check the back of the PC to notice the thing. And who regularly crawls around and under a desk to do that?

About the only way we know of to thwart keystroke loggers is to adopt some practice by which you don't enter your password in sequential order. This is completely useless advice, however: your password is complex enough already (we hope); it's highly unlikely that you'll convince executives to enter the third character, click the mouse cursor to that character's left, enter the first character, click at the end, enter the fifth character, click after the first character, enter the second character, and so on. (Don't laugh ; we've actually read this!)

One-time password systems such as RSA SecurID can help here, too. In fact, if you require access from anywhere , SecurID is really your only choice because it's unlikely you'll encounter smart card readers on the computers at the Kinko's down the street. We like the new version of RSA SecurID for Windows that integrates with Active Directory, because now there's a link between your SecurID PIN and your Acitve Directory user account. Previously, SecurID authentication was a separate step. You'd authenticate to the RSA ACE/Server first, and then separately log in to your account. Because there was no link between the two, Alice could use Bob's SecurID (if she knew his PIN) to authenticate to the ACE/Server, then log in to her own AD accountor possibly someone else's account if she knew the password. The lack of integration led to some interesting social engineering attacks. Regardless of which method you chooserandom password order or one-time passwordsall you've really done is made your recorded password pretty much unusable. The logger still captures everything else you type after you log in.

Public computers and kiosks are very popular places to attach keystroke loggers. ^[6] Often these are the worst-managed computers you're likely to encounter: running Windows 95/98/Me or NT/2000/XP logged in to the local administrator account with no security settings at all. Because you don't know anything about public computers, they can be some of the most dangerous places from which to access your corporate networkand it doesn't matter whether that access is to corporate Web-based e-mail (Outlook Web Access), a VPN, or remote control software such as Terminal Server, VNC, or GoToMyPC. We deny that there is any legitimate use in the business world for products of this ilk to access corporate desktops . Allow us to be very direct here: your security policy should absolutely prohibit the use of any kind of software like VNC or GoToMyPC to directly access desktop computers from outside the network. These products bypass server authentication, they tunnel inside HTTPS, and they sometimes lack logging. Fire anyone who violates this policy.

^[6] See "US arrests Queens man on computer fraud charges" (http://www. cybercrime .gov/jiangIndict.htm) and "Ex-student accused of spying on campus" (http://news.com.com/2100-1023-983717.html). Both of these stories describe software-only keystroke loggers.

Before you deploy any kind of systemsuch as Web-based e-mailthat allows access into your corporate network from anywhere, be sure that you go through a proper risk assessment first. Allowing access to Web-based e-mail from any computer in the world is very convenient , yes, and often there is strong business justification for that. It's up to you to work with your business units to help them understand the risk of such access. And like all access decisions, together you must decide whether the benefit outweighs the risk.

Disabling USB Drives

USB drives have got to be the coolest, handiest things ever invented: more convenient than ad-hoc networks, faster than infrared, ideal for large-volume backup. Their very expediency and ubiquity is their valueand their threat. Not a day goes by that we don't hear of pleas for ways to disable these things.

Alas, trying to do that is an exercise in futility. Sure, there are ways to disable USB drivesuse an SRP or file system ACL to deny access to c:\windows\system32\drivers\usbstor.sys, enable the StorageDevicePolicies Registry key in Windows XP Service Pack 2, ^[7] deploy third-party software such as DeviceLock from SmartLine, ^[8] or pour glue into the USB ports. However, before you do any of these, consider several other ways people can abscond with data from a computer:

^[7] "Controlling block storage devices in USB buses" (http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx#ECAA)

^[8] http://www.protect-me.com/dl/.

Corporate e-mail
Web-based free e-mail
Instant messengers
Peer-to-peer file-sharing utilities
USB drives that install their own drivers
Digital cameras and MP3 players
1394 FireWire drives
CD and DVD recorders
Parallel port hard drives
Floppy disks
Infrared ports or network transfer to other computers
Printouts
Digital photographs and screen captures
Telephone dictation

The real problem here is that you're trying to stop unauthorized removal of sensitive or confidential information from your organization. If someone wants to make off with data from your computers or network and has access, generally that person can accomplish his or her goals. A product such as Windows Rights Management Services can prove very helpful here, because it enforces access controls on protected objects regardless of where that object happens to live: on a share, in an e-mail, on a local hard drive. But even RMS won't stop what we call "analog attacks," like, for instance, placing the monitor face on a photocopier and pressing the Print button.