Exam 70-124: Objective 1.5: Creating Secure Workstations

Until now we have spent a lot of time looking at how to secure our servers. But what about all those client computers on the network? In this section we examine some of the actions you can take to ensure that your workstations are secure and contribute to the overall security level of your entire network.

Client (workstation) computers can be categorized in two large groups: They are either desktop workstations (and hence not portable) or they are portable (laptop) computers and hence easily removed from the safe confines of your network. Later in this section, we examine extra precautions that can be taken for portable computers.

Desktop Workstations

It should come as no surprise that the first and most important thing you can do to increase the security of desktop clients is to ensure that they are up to date with all required service packs and hotfixes. Chapter 3 examines this process in great detail. Although this might sound like a small matter, don't make the mistake of thinking that it is; once you've identified and downloaded the required updates, you must test them in a lab before deploying them.

After the deployment, you must ensure that all updates were received as required and then start the entire process again. There are some means in place (as we discuss in Chapter 3) to make this process an easier one, but none of them ever relieve you, the administrator, of your responsibility to ensure that the required updates are being applied to the appropriate computers.

Both Microsoft and the National Institute of Standards and Technology (NIST) have put forth some guidelines on creating more secure desktop clients. You can view these guidelines at:

  • http://csrc.nist.gov/itsec/guidance_W2Kpro.html

  • www.microsoft.com/technet/security/tools/chklist/dsktpsec.asp

The NIST information includes a security template that you can apply to your workstations. Alternatively, you can use the securews.inf and hisecws.inf templates included in Windows 2000.

Note 

The additional reference material found at these links is not something you will be expected to know about come test day; it is provided for your own reference. Using this extra information, you can best protect your network from attackers.

A full discussion of the multitude of things you can do to secure a workstation is beyond the scope of this chapter, but we do examine a few things you can do in an effort to secure your workstations:

  • Apply all required service packs and hotfixes (as previously mentioned).

  • Apply a more secure template than the basicwk.inf template.

  • Remove the local computer Recovery Agent keys.

We examine the ways to apply service packs and hotfixes in more detail in Chapter 3. Analyzing and configuring computers using the Security Configuration Tool Set was discussed in great detail in Chapter 1. Removing the local computer Recovery Agent keys is fairly straightforward—but it must be done correctly. Removing these keys will prevent users (authorized or not) from being able to use the local computer Recovery Agent to decrypt files that have been encrypted with the Encrypting File System (EFS). Exercise 2.08 presents this process.

Exercise 2.08: Removing the Local Computer Recovery Agent Keys

start example
  1. Log into the local computer (not the domain) using the built-in Administrator account—not an account that is a member of the Administrators group.

  2. Open the Local Security Policy console from the Administrative Tools folder. If the console is missing, enter secpol.msc from a command line to open it.

  3. Expand the Public Key Policies node and open the Encrypted Data Recovery Agents folder, as shown in Figure 2.20.

    Figure 2.20: Finding the Data Recovery Agent

  4. Right-click the Administrator File Recovery certificate and select All Tasks | Export from the context menu, as shown in Figure 2.21.

    Figure 2.21: Exporting the Administrator File Recovery Certificate and Keys

  5. Click Next to dismiss the Certificate Export Wizard opening page.

  6. Select Yes, export the private key, and then click Next to continue.

  7. Select the Delete the private key if the export is successful check box to remove the private key (see Figure 2.22). Click Next to continue.

    Figure 2.22: Deleting the Private Key

  8. Enter and confirm a password that will be used to secure the exported key, and click Next to continue.

  9. Enter the filename and path for the exported key file to be saved to. Click Next to continue.

  10. The Completing the Certificate Export Wizard is displayed (see Figure 2.23). Verify that the settings are correct, and click Finish to export the certificate and keys to the selected file.

    Figure 2.23: Completing the Certificate Export Wizard Summarizes Your Actions

  11. Click OK to close the wizard.

  12. Restart the computer to complete the process.

  13. You should now place the certificate file in a secure location, such as a safe or secure off-site storage facility, to keep it from falling into the wrong hands.

end example
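A follow-up check for Exercise 2.08, added here as an example and not taken from the study guide: after the export, no certificate carrying the File Recovery enhanced key usage should still have a private key on the computer. It assumes Windows PowerShell 3.0 or later (which postdates Windows 2000) and that it is run under the account used in the exercise; the function name Get-RecoveryAgentCertificate is hypothetical.

```powershell
# Added example: confirm that no File Recovery private key is left on this computer.
# Assumption: Windows PowerShell 3.0 or later, run as the account used in the exercise.

# OID of the "File Recovery" enhanced key usage found in EFS recovery agent certificates.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-RecoveryAgentCertificate {
    param(
        # Stores to inspect: the logged-on user's personal store and the computer's.
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            # Collect the EKU OIDs from the certificate's extensions, if it has any.
            $ekuOids = @($cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value })
            if ($ekuOids -contains $FileRecoveryOid) {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
        }
    }
}

$found   = @(Get-RecoveryAgentCertificate)
$withKey = @($found | Where-Object { $_.HasPrivateKey })

if ($withKey.Count -gt 0) {
    # The export did not remove the key (or a second copy exists): repeat the export.
    Write-Warning 'A File Recovery private key is still present on this computer:'
    $withKey | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
} else {
    Write-Output ("No File Recovery private key found ({0} matching certificate(s) without a key)." -f $found.Count)
}
```

A certificate listed with HasPrivateKey set to False is expected: only the private key has to leave the workstation.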

After ensuring that you have done the big three items in desktop security (updates and hotfixes, security templates, and exporting the Recovery Agent certificate), you can begin to look at the other things you can do to keep a workstation secure. Things such as keeping antivirus software up to date and other changes to the operating system, such as those recommended by NIST, can all go a long way toward creating more secure workstations.

Exam Warning 

Don't worry about the exact particulars of exporting the certificate; you should know where it's done from and why it's done. You should also be able to recognize situations, when presented with them, in which you would want to export a certificate and its private keys.

Be aware, though, that no increase in security comes without a corresponding decrease in usability, with the most secure workstations being almost completely unusable. Of course, this type of thought process has been used for many years quite successfully by thin-client workstations that possess almost no capability of their own and instead must rely on a server for almost everything. With careful testing and analysis, you will discover the settings and configuration that provide you the ideal balance between security and usability.

Portable Computers

Portable computers present all the same security problems as desktops—and then some. You, at a minimum, must perform all the same actions for portable computers that you would for desktop computers. You might even want to take your precautions further for your portable computers. A good rule of thumb in seeking to secure portable computers is to limit the amount of sensitive data that they contain. Allow users to place on their portables only what they absolutely must take out of the security of your building. Enforcing the use of EFS on all files on portable computers will also go a long way toward making them more secure. Some other things that you can consider to make your portable computers more secure are:

  • Do not save passwords for RAS or VPN connections; make users enter the passwords each time.

  • Use the BIOS password so that it must be successfully entered before Windows will even get to the boot sequence.

  • Rename the built-in Administrator account and remove it from the Administrators group. (Note that you cannot actually delete this account.)

  • Assign very strong passwords to all accounts, especially the account being used for Local Administrative access.

start sidebar
Head of the Class…
Protect That Laptop

Although a discussion of how to do so is beyond the scope of this exam, moving all your portable computer users to Windows XP could prove to be a very good idea. One feature of Windows XP—the ability to encrypt offline folders and files—makes it particularly attractive to portable computer users.

Of course, there are downsides to rolling out Windows XP on portable computers. Windows XP makes it impossible to control many of the properties of wireless LAN cards (known as profiles) that you can control in Windows 2000. Windows XP also adds the odd behavior that users can still encrypt files on the local computer even after the Data Recovery Agent has been removed—something that is not allowed in Windows 2000. This is not an issue when you have Windows XP computers in a Windows .NET Server 2003 domain, because changes to the Certificate Services in .NET Server 2003 make this change in Windows XP a nonissue.

end sidebar

Obviously, you can do many other things to make portable computers more secure. The bottom line is that you should take proactive measures to protect your laptops should they be lost or stolen.



MCSE. MCSA Implementing & Administering Security in a Windows 2000 Network Study Guide Exam 70-214
MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
