5. Optimising operating system security


Here we will discuss one of the most problematic aspects of securing the internal network: securing the operating system on each workstation on the network. This is principally why securing the internal network is so often left undone: it is a relatively complex task, and it traditionally has to be done by hand, machine by machine, which implies high workforce costs and is prone to errors. Corporate IT departments usually don't have the knowledge required to deploy securely-configured PCs in the first place, and even when they do, the configuration often needs to be checked and updated as new vulnerabilities keep coming out.

To give you an idea of the size of the task, you will find in Appendix A a link to the Microsoft web page containing the checklist of all the steps that need to be taken to secure a default installation of Windows NT 4.0. The document the NSA published a while ago is also very informative in this respect. Among the things to do are deactivating the guest account, forcing a complex password for the local administrator account, removing unnecessary services and components (such as the POSIX and OS/2 subsystems), restricting access to the LAN Manager hash, restricting access to folders and registry hives, and applying service packs and fixes, just to name a few. The list is rather long, and it is easy to understand why this aspect is so often left aside: doing all this manually on all PCs on a network is an enormous task.

To solve this problem, Pedestal Software created a graphical tool, called Security Expression, that lets you audit and configure Windows NT and 2000 machines remotely by comparing them to a set of pre-defined security policies that correspond to the secure configuration we wish to obtain (I tried to stay vendor-independent in this article, but I actually don't know of another similar product; if you do, please let me know). Some sample configuration files come with the program, which you can download from the company's website for evaluation: one of the sample files corresponds to the recommendations made by the SANS Step-by-Step, another to the "Microsoft Security White Paper", and three others to the standard US Navy configuration for workstations and servers. These files are redundant in that they cover at least partially the same holes, but I prefer the Navy files, as they are more thorough; you can modify them to suit your needs.

This software doesn't need any agents installed on the workstations. We only have to install it on a machine connected to the network (the administrator's machine is a good choice) and give it the administrator's login information for the domain we want to secure. The software then proceeds to a complete scan of the machines on the domain, matching their configuration against the security policy we want to implement. Once the scan is complete, the program presents an easy-to-understand report that shows, item by item, whether the configuration complies with the security policy or not. With a single click of the mouse, we can start a similar process that modifies the workstations' configuration to make it comply with the security policy, thus securing the various parts of the operating system on each workstation. We can also use Security Expression on a regular basis to test the integrity of the configuration base, or to apply new policies that cover newly discovered vulnerabilities.

Security Expression passes its requests using the NetBIOS protocol, which is the basic protocol in a Microsoft network, along with the administrator's credentials, to audit and configure the workstations. It is also possible to create your own configuration files, which can be drafted from the sample files that come with the program. In its simplest usage, Security Expression can add, modify or delete registry keys, user accounts and groups, files or ACLs, and probably a bit more. But if you want more flexibility, it is possible to include scripts or programs to give you more tools for deploying your secure configuration. You can also use this to deploy service packs and hotfixes, or other programs like the ones we discussed above.
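To make the scan, report and fix cycle described above concrete, here is an added Python example; it is not Security Expression's code nor anything from Pedestal Software. It audits a constructed workstation snapshot against a small policy built from items named in this section (anonymous access, LM hash, optional subsystems, guest account) and then remediates the gaps. The registry paths are real NT/2000 locations; the values in the snapshot and the `account:Guest:disabled` pseudo-key are assumptions made for the example.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Any

# Constructed snapshot standing in for one workstation's settings. The registry
# paths are real NT/2000 locations named in hardening checklists; the values,
# and the "account:Guest:disabled" pseudo-key, are invented for this example.
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
SUBSYS = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
WORKSTATION = {
    LSA + r"\RestrictAnonymous": 0,           # anonymous enumeration still allowed
    SUBSYS + r"\Optional": ["Os2", "Posix"],  # unneeded subsystems still loaded
    "account:Guest:disabled": False,          # Guest account still enabled
    # LMCompatibilityLevel is deliberately absent: an unset value must fail too
}

@dataclass(frozen=True)
class Rule:
    name: str      # item as it appears in the report
    key: str       # setting the rule inspects
    expected: Any  # value the security policy requires

# A small policy, in the spirit of the sample files that ship with the tool.
POLICY = (
    Rule("Restrict anonymous connections", LSA + r"\RestrictAnonymous", 1),
    Rule("Send NTLM responses only, never LM", LSA + r"\LMCompatibilityLevel", 2),
    Rule("Remove the Os2 and Posix subsystems", SUBSYS + r"\Optional", []),
    Rule("Guest account disabled", "account:Guest:disabled", True),
)
ABSENT = object()  # sentinel for a setting the host does not define at all

def audit(host: dict, policy=POLICY) -> list[tuple[str, Any, Any, bool]]:
    """Scan phase: one (name, actual, expected, compliant) row per policy item."""
    rows = []
    for rule in policy:
        actual = host.get(rule.key, ABSENT)
        rows.append((rule.name, actual, rule.expected, actual == rule.expected))
    return rows

def remediate(host: dict, policy=POLICY) -> dict:
    """Fix phase: copy of the host with every failing item set to the policy value."""
    fixed = deepcopy(host)
    for rule, (_, _, _, ok) in zip(policy, audit(host, policy)):
        if not ok:
            fixed[rule.key] = deepcopy(rule.expected)
    return fixed

if __name__ == "__main__":
    for name, actual, expected, ok in audit(WORKSTATION):
        shown = "(not set)" if actual is ABSENT else actual
        print(f"{'PASS' if ok else 'FAIL'}  {name}: found {shown!r}, policy wants {expected!r}")
```

On a real deployment the two dictionaries would be replaced by reads and writes over the network with domain administrator credentials, which is exactly the part the tool handles for you.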
