"Wait, I can't handle even a few steps!" some of you might be thinking. "All I want to do is run my business, and this computer and software can help me. Why do I have to worry about all this security stuff?"
We feel for you, we really do, although if it weren't for all the bad guys and girls, we'd have to find other jobs. But think for just a moment about all the security-related decisions you already make every day: you drive defensively, looking out for all the maniacs on the road; you rely on some hidden sense when walking around unfamiliar areas, staying away from places that give you the "willies"; you keep the contents of your office physically secure with a lock on the door. Every one of these security measures helps to mitigate some threat: unaware drivers, roving muggers, slippery thieves. Sure it's annoying to have to deal with these threats, but everyone does, every day.
It's the same with information security. There really are bad people afoot, people who want to cause you harm or use you and your resources to harm another. It's imperative that you realize this and that you take appropriate actions. If you do nothing else after reading this chapter (or, we hope, the entire book), three tasks are absolutely essential for you to incorporate into your routine of managing your business: keep your software up-to-date, use antivirus and anti-spyware software, and set up firewalls. If you do these three things, you will thwart most attacks.
In the beginning, there was no testing: if the program compiled without errors, it went into immediate production. And, of course, bugs abounded. Then developers started testing their programs, using only valid and expected input. This process "improvement" helped ensure programs wouldn't barf during regular use, but didn't reveal any holes that might otherwise exist. Finally, most software houses now realize that testing is a specialized discipline and hire dedicated people for this purpose; these testers intentionally try to break programs by supplying unexpected input to make sure that the programs gracefully recover and don't fail in insecure ways. Good testers think like attackers.
Yet, software is imperfect: indeed, it can't be any different, because all software is written by fallible human beings. Software is improving because authors understand not everyone uses software as intended and because testers are starting to think like attackers, but patches and updates will be a fact of life for all time.
The best way to keep your software up-to-date is to rely on any automatic updating capabilities present in Windows and that might be present in whatever applications you're running. The Windows automatic update feature regularly checks with the Windows Update pages on Microsoft's Web site and downloads and even installs all updates for your computer as they become available.
To enable automatic updates, click Start, right-click My Computer, choose Properties, and then choose Automatic Updates. Configure either automatic download or (better) automatic download and install; if you choose the latter, be sure that your computer is switched on at whatever time you enter in the dialog. If the computer was off at the scheduled time, so that updates were downloaded but not installed, it will install them after you next switch it on.
If you have more than one computer in your organization, you can control automatic updating of all machines centrally, which helps you keep all of your configurations current. Two tools can help you here: software installation and maintenance and Windows Update Services (WUS). In Active Directory, which you have if you're using Small Business Server (SBS), you can configure software installation and maintenance for the computers in your domain. It's a fairly minimal tool, however; all it really does is provide you with a mechanism to require software to install itself on computers the next time they boot. You need to download and maintain all updates and service packs yourself and make them available someplace in your network for the feature to install from.
Because the software installation and maintenance feature can be pretty geeky, a better approach is Windows Update Services. Think of WUS as a version of Windows Update that works from inside your own network. The WUS server downloads all updates Microsoft publishes; you configure your computers (through Group Policy) to pull updates from your WUS server rather than directly from Microsoft.com. This gives you time to download, test, and approve patches, and then require their installation on your computers. WUS helps get you out of patch management hell by automating most of the work. A nice touch is that WUS is free and works with the auto-update clients already built in to Windows 2000 and Windows XP.
We won't cover the software installation and maintenance feature further here. Although it's already included in Active Directory, it's very difficult to configure, prone to mistakes, and requires a lot of testing. It really isn't intended for small businesses.
Visit http://www.microsoft.com/windowsserversystem/wus/default.mspx for more information and to download WUS, which is in beta as of this writing but should be available by the time you read this.
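As an added example (not from the book), here is what the client side of that Group Policy setting looks like when written directly to the registry from a batch file. It is handy for a machine that isn't in the domain, and for checking that the policy really arrived on a machine that is. The registry values are the ones the Windows Update Group Policy template writes; the server name http://wus01 and the script name wus-client.cmd are assumptions, so substitute your own.

```batch
@echo off
REM Added example, not from the book: point the built-in Automatic Updates client at an
REM internal WUS server and schedule installs, using the same registry values that the
REM Group Policy template writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
REM The server name http://wus01 is an assumption. Run from an administrator command prompt.
REM Usage: wus-client.cmd apply   (write the policy, then verify it)
REM        wus-client.cmd check   (verify only; exits 1 if anything is wrong)

setlocal
set "WUSERVER=http://wus01"
set "POL=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
set "AU=%POL%\AU"

if /i "%~1"=="apply" goto :apply
goto :check

:apply
REM Where to fetch updates and where to report status (the same server here).
reg add "%POL%" /v WUServer       /t REG_SZ    /d "%WUSERVER%" /f >nul
reg add "%POL%" /v WUStatusServer /t REG_SZ    /d "%WUSERVER%" /f >nul
reg add "%AU%"  /v UseWUServer    /t REG_DWORD /d 1 /f >nul
REM AUOptions 4 = download and install on a schedule (the "better" choice in the text).
reg add "%AU%"  /v AUOptions      /t REG_DWORD /d 4 /f >nul
REM ScheduledInstallDay 0 = every day; install at 03:00, so leave the machine on overnight.
reg add "%AU%"  /v ScheduledInstallDay  /t REG_DWORD /d 0 /f >nul
reg add "%AU%"  /v ScheduledInstallTime /t REG_DWORD /d 3 /f >nul
reg add "%AU%"  /v NoAutoUpdate   /t REG_DWORD /d 0 /f >nul
REM Make the client re-read its policy and detect now instead of waiting for its next cycle.
wuauclt /resetauthorization /detectnow
echo Applied. Verifying...

:check
REM Audit: complain if the client is not pointed at our server or installs are not scheduled.
set "RC=0"
reg query "%POL%" /v WUServer 2>nul | find /i "%WUSERVER%" >nul || (echo FAIL: WUServer is not %WUSERVER% & set "RC=1")
reg query "%AU%" /v UseWUServer 2>nul | find /i "0x1" >nul || (echo FAIL: UseWUServer is not 1 & set "RC=1")
reg query "%AU%" /v AUOptions 2>nul | find /i "0x4" >nul || (echo FAIL: AUOptions is not 4 ^(scheduled install^) & set "RC=1")
reg query "%AU%" /v NoAutoUpdate 2>nul | find /i "0x1" >nul && (echo FAIL: NoAutoUpdate is set, updates are switched off & set "RC=1")
if "%RC%"=="0" echo OK: Automatic Updates pulls from %WUSERVER% and installs on a schedule.
endlocal & exit /b %RC%
```

Because the script exits with 1 when anything is off, the check mode can be run from a logon script or a scheduled task and the result collected, which is the cheap way to find the one machine in the office that someone quietly pointed back at Microsoft.com.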
Malicious code manages to sneak into computers in so many ways. It's easy to trick people into installing something they really shouldn't, whether it's through some e-mail attachment with an alluring subject line or a script or control "required" by a Web site. We see over and over again that if people are given the choice between making a security decision and watching some cute dancing pigs, the cute dancing pigs win every time. Alas, often hidden within the cute dancing pigs is some very ugly malware that just might wreak havoc across your systems and the systems of anyone you might connect to.
Malware comes in many forms: viruses, worms, Trojan horses, spyware, adware, porn dialers, keyloggers. No single utility can detect and remove them all. Generally you need at least one antivirus program (to eliminate viruses, worms, and Trojans) and one anti-spyware program (to eliminate the rest). The antivirus industry is pretty mature, and all the products generally find all the virus-type malware. The anti-spyware industry is newer; not all products find everything, and many security experts recommend running more than one. To us, that approaches more work than typical small business people want to bother with, so choose one product from a reputable vendor and you'll be fine.
It has been promulgated that the antivirus companies themselves are the purveyors of most viruses and worms running amok, that they do this to keep people afraid and to ensure a continual revenue stream. There is, however, no evidence to support such an assertion, and we do not believe the notion at all.
WARNING: Many products that claim to be spyware detection and removal tools are in fact monstrous spyware installers. Stay away from anything you see on Web sites with ridiculous URLs such as www.spyware-reviews-and-removal-utilities.com or similar. We've had excellent luck with AdAware (http://www.lavasoft.nu); with Computer Associates' PestPatrol (http://www.ca.com/products/pestpatrol/), especially its centralized management capabilities; and with Microsoft's new anti-spyware program acquired from GIANT (http://www.microsoft.com/spyware).
Don't forget that antivirus and anti-spyware programs are only as good as their scanning signature databases. Hundreds of new or variant pieces of malware materialize every month; you must keep your scanners up-to-date or they'll quickly become useless. Also configure how often these programs check for new signatures. Many small business administrators we know have set them to update hourly.
If you have multiple computers in your organization, and you use Active Directory to centrally manage security settings and WUS to deploy updates, be sure that you follow the same thinking with your antivirus and anti-spyware programs. Select products that give you centralized control of installation and updating on all computers in your organization. The more you can rely on automation, the more secure you become: automation guarantees that all your computers are configured the way you want them to be and eliminates a lot of complexity from your environment (and from your life, too).
You need firewalls in two locations: one between your network and the Internet, and one on every computer in your network. The network ("perimeter") firewall keeps much of the bad stuff from getting into computers that are attached to the network. But what about when mobile computers leave? You take your laptop home, right? Personal firewalls on individual computers serve two roles: they protect mobile computers when they're away from the network, and they protect computers on the network from the rest of the network. Even though you have up-to-date antivirus and anti-spyware programs on all your computers, there's a slim chance that some piece of malware might get onto one computer anyway, especially if it's mobile and enters the computer through, say, an e-mail attachment. When that infected computer returns to the network, the perimeter firewall is powerless to stop it. Personal firewalls on all the rest of the computers, laptops and desktops alike, just might be able to keep the malware from spreading.
Small Business Server Premium Edition includes an excellent firewall in the box: Microsoft Internet Security and Acceleration (ISA) Server. (SBS Standard Edition includes the RRAS firewall, which performs stateful packet filtering but not the more advanced application layer inspection of ISA Server.) Economic realities for many small businesses simply don't permit a separate firewall computer, and that's fine: it's perfectly OK to run ISA Server on the same computer that runs the rest of SBS. ISA Server inserts itself so low into the IP stack that it blocks exploit code before that code reaches a running application. In Chapter 7, "Protecting Your Perimeter," we discussed how the VPN service in Windows protects itself. In much the same way, installing ISA Server on a Windows computer protects the computer itself from attack. Figure 15-1 shows a conceptual view of the IP stack in Windows.
Figure 15-2 shows the stack with ISA Server installed and running.
Just like with RRAS, ISA Server's various inspection and filtering bits are so low in the IP stack that there's nothing for an attacker to exploit. Applications running on the computer are protected.
If you aren't running SBS, consider at a minimum a SOHO-type firewall like a SonicWall SOHO3 or WatchGuard Firebox SOHO 6. These are preferable to home routers because they give you more granular control over what individual users can do. But recall our discussion of firewalls in Chapter 7: packet-filtering firewalls really aren't sufficient to protect against modern attacks. If your budget allows, deploy an application layer firewall like ISA Server that inspects all traffic entering and exiting your network. They cost more, but they offer significantly improved protection. Several vendors have released ISA Server firewall "appliances" that are entirely appropriate for small businesses. 
See http://www.microsoft.com/isaserver/howtobuy/hardwaresolutions.asp.
Returning to personal firewalls, the question of which firewall to use arises. Windows XP includes a personal firewall; in Service Pack 2, it becomes something that you can manage much better, with support for multiple profiles (one for when the computer is on your domain, one for everywhere else) and for Group Policy. The firewall in Windows XP blocks only unsolicited inbound traffic; that is, it blocks stuff from trying to enter your computer unless it's a response to some outbound request your computer previously made. The firewall allows all outbound traffic (but it does block outbound traffic with spoofed source addresses).
Susan Bradley, the SBS "Diva," writes an excellent blog about Windows XP Service Pack 2 that's eminently useful for all small business administrators. See http://msmvps.com/bradley/archive/2004/10/14/15825.aspx.
This approach contrasts with that of many other personal firewall products on the market. Windows Firewall has been criticized for not offering "outbound protection." When the service pack was in development, Microsoft in fact considered outbound protection, but decided to eliminate it for some very sound reasons. In testing builds with outbound protection, Microsoft discovered that the constant dialogs from the firewall were confusing to most users (recall the mental dancing pigs substitution we showed in Chapter 5, "Educating Those Pesky Users"), and people quickly developed the habit of answering "yes" all the time or simply switched the firewall off completely to avoid the hassle. For the techies in the audience, such prompts are never a problem, but for ordinary users (which constitute the vast majority of people on the planet), a firewall that isn't so chatty and that blocks the greater source of danger (inbound traffic) is certainly better than a switched off firewall that serves no purpose at all. But more importantly, Microsoft's testers discovered that outbound protection is trivially easy to circumvent. It isn't all that difficult to create malware that simply hijacks or rides along with permitted outbound traffic; indeed, this is becoming the most popular way of bypassing many of the personal firewall products on the market. So Microsoft narrowed the focus of the firewall to do two things very well: to block the bad stuff from getting in and to give you a way to manage its configuration across your organization.
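Here is an added example (not the book's own configuration) of putting the two personal-firewall roles described above into practice on a Windows XP SP2 machine with netsh: the domain profile, which the firewall uses when the laptop is in the office and can see your domain controllers, admits only file sharing and remote desktop from the local subnet, while the standard profile, used everywhere else, admits nothing at all. It assumes a domain-joined XP SP2 machine and an administrator command prompt; the log file path is the SP2 default.

```batch
@echo off
REM Added example, not from the book: lock the XP SP2 firewall down per profile.
REM DOMAIN profile  = connected to the office network (domain controllers reachable).
REM STANDARD profile = anywhere else (home, hotel, airport): no exceptions at all.
REM Assumes a domain-joined XP SP2 machine; run from an administrator command prompt.

REM 1. Firewall on in both profiles; exceptions only allowed while in the office.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE  profile=DOMAIN
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

REM 2. In the office, allow file and print sharing and remote desktop, but only from
REM    the local subnet, so a worm on some other segment still can't reach them.
netsh firewall set service type=FILEANDPRINT  mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN

REM 3. Away from the office, switch those same services off explicitly, so they stay
REM    closed even if someone later re-enables exceptions in the standard profile.
netsh firewall set service type=FILEANDPRINT  mode=DISABLE profile=STANDARD
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=STANDARD

REM 4. Log dropped packets, so you can see what the firewall is stopping, including what
REM    a returning, possibly infected laptop is spraying at its neighbors.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

REM 5. Show which profile is active right now, then the resulting per-profile configuration.
netsh firewall show state
netsh firewall show config
```

The same settings exist in Group Policy under Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, with separate Domain Profile and Standard Profile folders. Group Policy takes precedence over what netsh writes locally, so in a domain you would push these through Group Policy and keep the script for machines that aren't joined, or for confirming with "netsh firewall show config" that the policy landed.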