14.1 General Workstation Security Guidelines

   

The single most important, and sometimes controversial, aspect of workstation security is choosing the right operating system or systems. It is okay to run multiple operating systems, as long as the staff exists to properly support them, especially in a large organization. However, the operating systems have to be able to facilitate administrative security, and should ideally allow administrators to use one or two network protocols for communication across the network.

The less traffic there is on the network, the better. It is significantly more difficult to sift through network data looking for patterns when there is a lot of network noise. Because there are more workstations on the network than any other device, most network traffic originates from the workstations.

Limiting the number of unique operating systems deployed on the network can help reduce network traffic, especially if the number of protocols those machines are speaking is limited. It is important to understand that it is not always possible to limit everyone in an organization to a single operating system. Some operating systems are simply better than others at performing certain tasks, and the needs of employees have to be taken into consideration. Your engineering staff may need access to Unix workstations, while marketing may need access to Macintosh systems, and sales and billing may prefer Windows systems. Again, as long as the support staff exists to support these operating systems, running three different types is not a detriment to security. However, within each operating system, a single version should be used.

For Windows users this generally means running Windows 2000, or possibly Windows XP Professional, although Windows XP Professional is still relatively new and may contain serious security holes that have not been uncovered. Windows 98, Windows XP, or Windows ME should not be run in a secure networked corporate environment. The lack of proper authentication capabilities can hinder efforts at security protection.

As with server security, Unix workstations are often a much more hotly debated topic. All modern implementations of Unix have the tools available to properly secure them, but some Unix-based systems are more secure out of the box than others. The two most commonly used Unix-based workstations in the United States are Sun Solaris and Red Hat Linux; this mirrors the server market. Traditionally, Sun Solaris was the only option that server administrators would consider running on an enterprise network. As the security track record for Red Hat has improved, and the number of enterprise applications available for Linux has increased, Linux, especially Red Hat, has become more prevalent in the enterprise environment.

Some organizations have also opted to run one of the many BSD variants, such as FreeBSD and OpenBSD, on workstations that require a Unix operating system. The BSD variants have a reputation for tight security and stability that makes them very popular among technical staff. The downside is that not many applications have been ported to BSD, so it may not fit the business needs of an organization.

Until recently security has not been a primary focus for Macintosh users or systems. As the Macintosh operating system has increased in market share over the last few years, Apple computers have started appearing in corporate environments where they have never been before. Older versions of the Macintosh operating system did not have the native security requirements to run in an enterprise network. There are third-party applications that will allow an administrator to remotely manage network logins, but that means managing another application, and the expense may not be justified if there are only a few Macintosh users.

The latest version of the Macintosh operating system, Mac OS X, changes that. Built on the BSD kernel, but with a Macintosh interface, Mac OS X provides the same level of security that BSD does, including remote login management, while still maintaining the Macintosh interface. As with Windows XP Professional, Mac OS X is still relatively new, and security holes are constantly being discovered. If Apple properly addresses security problems, Mac OS X may become a viable operating system for enterprise networks.

14.1.1 Version Control

The primary reason for wanting to limit the number of operating systems allowed on a network is version control. When dealing with a program as large and complicated as an operating system, security holes will undoubtedly be found. If there are 10 different operating systems in use on a network, it becomes infinitely more difficult to maintain all of the patches and bug fixes for the different operating systems.

Version control is not only a component of operating system security; it is also important for all approved applications installed on the network. There should be one approved version of an application for each operating system, and all workstations that are running that application should have that approved version installed.
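The one-approved-version rule can be checked mechanically against a workstation inventory. The following is an added example, not code from the book; the hostnames, version strings and inventory format are constructed for illustration.

```python
# Added example: audit a workstation inventory against an approved baseline.
# Hostnames, version strings and the inventory layout are all constructed.
from collections import defaultdict

# One approved OS version per platform, one approved version per application.
BASELINE = {
    "windows": {"os": "Windows 2000 SP2",
                "apps": {"office": "10.0", "antivirus": "7.5"}},
    "redhat": {"os": "Red Hat Linux 7.2", "apps": {"mail": "4.1"}},
}

# Constructed sample inventory, as a collection agent might report it.
INVENTORY = [
    {"host": "ws-001", "platform": "windows", "os": "Windows 2000 SP2",
     "apps": {"office": "10.0", "antivirus": "7.5"}},
    {"host": "ws-002", "platform": "windows", "os": "Windows XP",
     "apps": {"office": "10.0", "antivirus": "7.1"}},
    {"host": "ws-003", "platform": "redhat", "os": "Red Hat Linux 7.2",
     "apps": {"mail": "4.1", "p2p-client": "0.9"}},
    {"host": "ws-004", "platform": "beos", "os": "BeOS 5", "apps": {}},
]

def audit(inventory, baseline):
    """Return {host: [finding, ...]} for every workstation that has drifted."""
    findings = defaultdict(list)
    for ws in inventory:
        approved = baseline.get(ws["platform"])
        if approved is None:
            findings[ws["host"]].append(f"unsupported platform: {ws['platform']}")
            continue
        if ws["os"] != approved["os"]:
            findings[ws["host"]].append(
                f"os {ws['os']!r} != approved {approved['os']!r}")
        for app, version in ws["apps"].items():
            want = approved["apps"].get(app)
            if want is None:
                findings[ws["host"]].append(f"unapproved application: {app}")
            elif version != want:
                findings[ws["host"]].append(f"{app} {version} != approved {want}")
        # Applications in the base image that the workstation no longer has.
        for app in sorted(approved["apps"].keys() - ws["apps"].keys()):
            findings[ws["host"]].append(f"missing baseline application: {app}")
    return dict(findings)

if __name__ == "__main__":
    for host, problems in sorted(audit(INVENTORY, BASELINE).items()):
        for problem in problems:
            print(f"{host}: {problem}")
```

Hosts that match the baseline produce no findings, so the output is a work list of machines that need to be re-imaged or patched.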

Software security updates are a part of life for administrators; the idea is to make it as easy as possible to perform the updates. This starts by having a base image installed on all workstations using a tool such as Symantec Ghost or a Kickstart server for Solaris or Red Hat Linux. If hardware configuration is generally not done in-house, many hardware vendors will allow companies to send them a workstation image. The image is used whenever a new system is ordered, so the new workstation is a replica of existing workstations.

For a Ghost or Kickstart image to work, workstations have to be configured with the same hardware. Again, this is generally not a problem. Most hardware vendors will support a standard configuration for a company and keep that information on file. This process can also be aided by ordering workstations, as opposed to standard business machines, from manufacturers. Systems labeled as workstations by hardware vendors tend to be more expensive, but they also use uniform parts from one year to the next. The last thing an administrator wants is to have to keep drivers on hand for 10 different types of LAN cards, in case there is a problem with one of them.

With some vendors, such as Sun and Apple, hardware consistency is not usually a problem. Both companies manufacture their own hardware as well as creating the operating system. When a company buys a specific model from Apple or Sun, the hardware configuration remains pretty stable from one year to the next.

After the operating system and hardware platforms have been selected, the next step is to select what software will be installed by default on each system. Generally this includes a productivity suite (e.g., Microsoft Office), calendaring software and groupware (e.g., Notes/Domino), a mail program (e.g., Eudora, Outlook, or Notes), and antivirus software (e.g., Norton Anti-Virus or McAfee VirusScan). Again, it is important to standardize on certain versions of these programs and create the image from those versions.

Starting from a small number of base systems in this manner makes version control much simpler. As new patches for operating systems, drivers, or applications are released, they can be stored on a server within the network and thoroughly tested by the operations staff to ensure the patches do not cause additional problems.

Most network operating systems allow administrators to schedule tasks, so the workstations on the network can often be configured to automatically check the server on which the patches reside, and download and install the necessary patches. Depending on the size of the network, it is usually a good idea to stagger the scheduled task so all the machines on the network are not trying to access the patch server at once.
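One way to stagger the scheduled patch check without central coordination is to derive each workstation's start offset from a hash of its hostname. This is an added example, not code from the book; the fleet names, the 02:00 to 04:00 window and the function names are assumptions.

```python
# Added example: deterministic per-host stagger for a scheduled patch check.
# The fleet names, window and function names are constructed assumptions.
import hashlib
from collections import Counter
from datetime import datetime, timedelta

def stagger_offset(hostname: str, window_minutes: int) -> int:
    """Map a hostname to a stable minute offset in [0, window_minutes)."""
    if window_minutes <= 0:
        raise ValueError("window_minutes must be positive")
    # Normalise so that "WS-0001" and "ws-0001" get the same slot.
    name = hostname.strip().lower().encode("utf-8")
    digest = hashlib.sha256(name).digest()
    return int.from_bytes(digest[:8], "big") % window_minutes

def check_time(hostname: str, window_start: datetime, window_minutes: int) -> datetime:
    """Time at which this host should contact the patch server."""
    return window_start + timedelta(minutes=stagger_offset(hostname, window_minutes))

def peak_load(hostnames, window_minutes: int) -> int:
    """Largest number of hosts that land in the same one-minute slot."""
    slots = Counter(stagger_offset(h, window_minutes) for h in hostnames)
    return max(slots.values())

if __name__ == "__main__":
    # Constructed fleet of 600 workstations and a two-hour maintenance window.
    fleet = [f"ws-{n:04d}" for n in range(600)]
    start = datetime(2002, 1, 1, 2, 0)
    for host in fleet[:3]:
        print(host, check_time(host, start, 120).strftime("%H:%M"))
    print("unstaggered peak:", len(fleet))
    print("staggered peak:  ", peak_load(fleet, 120))
```

Because the offset depends only on the hostname, a workstation checks in at the same time every night, which also makes a missed check-in easy to spot in the patch server's logs.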

14.1.2 Desktops vs. Laptops

A common problem facing administrators is the decision to use desktops or laptops. Desktops are often easier to manage, because they don't move. When an administrator needs to access it, the desktop is there. Laptops, on the other hand, are more popular with users, especially users who are on the road a lot or do a lot of work from home.

As laptops become more powerful they are slowly displacing desktops in the corporate environment. Employees want to telecommute, and they want to be able to work from home without having to install special software on their home machine.

While the benefits of laptops are obvious, they can be an administrative and security nightmare. Employees who use the laptops both at work and at home tend to view the laptops as "theirs" and treat them as such. This can mean installing software, or operating systems, that are not approved and may not be licensed by the company. A user who does not like Windows 2000 may decide to load Windows XP on the laptop. Not only will this prevent the laptop from performing automatic updates, leaving it open to possible security holes, it may make the organization liable for having unlicensed software.

Laptops are also harder to back up. If the laptop is not plugged into the network when the backup is scheduled, it may not be done. File servers are, therefore, much more important to laptop users, and they should be manually copying files to the file server whenever possible.

The only remedy for this problem is good communication on the part of the security and operations staff. The importance of leaving the laptop intact has to be explained to all users when they are issued a laptop. Many organizations resolve this problem by issuing desktops to users automatically. If the user requests a laptop, the request has to be approved by the manager, and the employee has to read and sign a security document that explains the security issues surrounding a laptop.

Some companies require new laptop users to attend a security seminar, which details many of the security problems associated with using a laptop. Depending on the size of an organization, this may be a little excessive. On the other hand, if laptop training is already part of a new-employee orientation then it should be easy enough to add a section about laptop security.

14.1.3 Physical Security

Physical security involves access to the computer. There are two areas of concern when it comes to physical security:

  1. Someone stealing a workstation

  2. An unauthorized person gaining access to the network through a workstation

Laptops are especially prone to the first problem. A user leaves the laptop sitting in a docking station overnight, and it is gone the next morning. But the security of desktop systems should not be discounted. A random, or spontaneous, thief will generally not walk off with a workstation, but someone who is committing corporate espionage will.

All desktop machines should be anchored to a desk or, when possible, something more secure. Again, this will not dissuade someone who intends to get a particular desktop, but it makes the desktop machines less attractive to random thieves.

Security can be increased for both workstations and laptops by ensuring that files are stored on the file server, and not on the local hard drive. This makes backups easier, and it means that if someone does steal a workstation, there will be very few useful documents on it.

Monitoring other aspects of physical security can also enhance workstation security. Aside from the standard measures taken to secure an organization's physical premises, senior level staff should lock their office door when they are not in the office. This makes it more difficult for even a determined thief to steal a machine.

Laptops that are not being taken home should be locked away overnight, either in a filing cabinet or in a secure storage area. The harder they are to get at, the less likely they will be to be stolen.

The second area of physical security, unauthorized users gaining access to the network through a workstation, is most often accomplished because users don't lock their workstations. All network operating systems allow users to lock the workstation when they are away. The machine does not have to be shut down and the user does not have to log out. The lock simply prevents anyone from using it while the user is away from the workstation.

Workstation locks should be common practice when someone goes to a meeting, steps out to lunch, goes to get a cup of coffee, or even goes to the lavatory. Anytime a user does not have a direct view of his or her workstation, it should be locked. After all, there is no point in taking extensive network security measures if an attacker can just sit down at an unused workstation and have instant access to the network.

Many operating systems also allow a workstation to go into lock mode automatically if it sits idle for a certain period of time (five minutes is generally a sufficient time). The lock mode takes into account the fact that a user may be reading a document online, or writing notes based on a document, but does not provide an attacker with a large window of opportunity. The very paranoid may want to set this timer to two minutes.

   


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
