The Definitive Guide to Securing Windows in the Enterprise

by Don Jones


You can spend a lifetime attempting to master Windows security and spend much of your free time discussing and debating the topic with other IT professionals. However, this guide will concentrate on security as more than just philosophy and policies—security is a practical topic with real-world impact, which is the focus of this guide.

Get the latest information on securing clients, file servers, servers and services, and Active Directory in The Definitive Guide to Securing Windows in the Enterprise. Additionally, learn about reducing your attack surface as well as security through maintenance and filtering with this essential Windows security guide.


Chapter 1: Windows Security Overview

Microsoft Windows is the most popular desktop operating system (OS) in the world and holds a fair amount of the server OS market share as well. Love it or hate it, Windows has a place in nearly every enterprise, and like any OS, Windows has unique security problems and strengths. Today’s enterprise is placing a greater focus on security—an endeavor driven in no small part by the array of new laws and regulations with a security focus—and securing Windows is becoming an increasingly important task.

Chapter 2: Securing Clients

Client computers are often neglected when it comes to security. Everyone tends to focus on servers, and, let’s face it, servers are definitely easier to secure. In addition, servers exist in data centers or other protected locations and are tended to by trained administrators. Client computers, in contrast, sit on the desks and in the carrying bags of mere users, and are subjected to every imaginable stress: physical security threats, spyware, viruses, airports, hotels, and so on.

The reality is that client computers can hold just as much critical information as servers. On their client computers, users store local copies of files (the only copy of those files, in some cases), use Windows’ Offline Files features to retain copies of server-based data, and so forth. The amount of corporate information stored in users’ mailboxes, for example, is staggering—as much as 70 percent, according to a recent survey by VERITAS. Corporate confidential data is more likely to be compromised from a client computer than from a server, yet client computers typically have the least amount of security and the poorest, from a security viewpoint, configurations. This chapter will highlight some of the major security concerns affecting client computers, and give you ideas about how to address them.

Chapter 3: Using Alternative Software to Reduce Your Attack Surface

Attack surface is an IT security term that refers to the number of ways in which a computer can be attacked. For example, a computer running an older operating system (OS) such as MS-DOS has a relatively low attack surface, because the code base for MS-DOS is so much smaller than that of current OSs and few of today’s attack techniques would work against it. A computer running Windows XP Professional, in contrast, has a relatively large attack surface simply because it is such a large, complex OS.

As the previous chapter explored, one way to reduce attack surface is to uninstall software that isn’t being used, such as unnecessary services. Local firewalls, such as the Windows Firewall, can also reduce your attack surface by blocking attacks’ access to specific applications (such as a local Web server). However, it’s still possible in many cases for attacks to get through. Suppose that a Windows XP Professional user has the Windows Firewall turned on full-force, and that user attempts to visit a Web site. The firewall will allow the user to visit the site because the traffic is originating locally and that type of traffic isn’t blocked by the firewall. The Web site’s content, which comes back as a reply to the locally generated traffic, is also allowed. If that content contains an attack—say a virus or other malware—the attack is allowed into the computer where it can do its damage.
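The paragraph above makes two practical points: the local firewall only shrinks the attack surface for connections that arrive unsolicited, and what is still listening on the host is what remains exposed. The following PowerShell audit is an added example, not code from the book or from Microsoft, and it assumes a current Windows host (Windows 8 / Server 2012 or later) where the NetSecurity cmdlets are available; the XP-era Windows Firewall the chapter discusses exposes the same concepts through netsh instead. It reports each firewall profile's state and default actions, the enabled inbound Allow rules that punch holes through the default block, and every listening TCP endpoint paired with its owning process, which is the list an administrator would use to decide what to uninstall or disable.

```powershell
# Added example (not from the book): audit the local attack surface on a
# modern Windows host. Run in an elevated PowerShell session.

function Get-FirewallProfileStatus {
    # Each profile should be enabled with inbound blocked by default.
    # DefaultOutboundAction is Allow on a stock install: connections the host
    # itself starts (such as a browser visiting a Web site), and the replies
    # to them, pass without any rule, which is why content fetched by the
    # user is never stopped here.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = $_.Enabled
            InboundDefault  = $_.DefaultInboundAction
            OutboundDefault = $_.DefaultOutboundAction
            Weak            = ($_.Enabled -ne 'True') -or ($_.DefaultInboundAction -ne 'Block')
        }
    }
}

function Get-InboundAllowRules {
    # Enabled inbound Allow rules are the exceptions to the default block;
    # each one should map to a service the host genuinely must expose.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Program   = $app.Program
        }
    }
}

function Get-ListeningEndpoints {
    # What is actually listening is the surface a firewall rule or an
    # uninstall would shrink; pair each listener with its owning process so
    # unneeded services (the "unnecessary services" of Chapter 2) stand out.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    } | Sort-Object LocalPort
}

Write-Host '== Firewall profiles =='
Get-FirewallProfileStatus | Format-Table -AutoSize

Write-Host '== Enabled inbound Allow rules =='
Get-InboundAllowRules | Format-Table -AutoSize

Write-Host '== Listening TCP endpoints =='
Get-ListeningEndpoints | Format-Table -AutoSize
```

A profile flagged Weak, an inbound Allow rule with no business justification, or a listener owned by a process nobody recognizes are the three findings this script is meant to surface; the remedy for each is, respectively, to enable the profile with a Block default, remove the rule, and disable or uninstall the listening software.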

Unfortunately, much of Windows XP’s bundled software is rife with security vulnerabilities, allowing numerous types of attacks to be effective (this fact applies to earlier versions of Windows, as well). Thus, a further technique of reducing your attack surface—beyond removing unused software and using a local firewall—is to replace this bundled software with less-vulnerable alternatives.

Chapter 4: Securing Active Directory

AD comes out of the box in a pretty secure state, particularly in WS2K3, which uses secure Lightweight Directory Access Protocol (LDAP) by default and uses a fairly locked-down set of default permissions and configuration settings. (Win2K also uses secure LDAP by default once you install SP3 or later.) Unfortunately, AD is literally what you make of it, meaning it comes out of the box almost entirely useless until you create users, computers, organizational units (OUs), Group Policy objects (GPOs), and so forth.

Initially, most organizations take the time to plan AD deployments and come up with a reasonably secure initial configuration. However, over time—as objects are added, removed, updated, and moved around—AD often becomes somewhat less than secure. Nobody is really to blame: AD itself is designed to give you a lot of flexibility and won’t complain if you don’t follow best practices because you may have specific organizational needs that prevent you from doing so. Administrators can’t be faulted, because too often they’re caught up in the heat of the battle, dealing with less-experienced junior administrators, inheriting environments that weren’t well-configured to begin with, and so forth. In addition, AD itself can be incredibly complex, so it’s hardly surprising that a few security practices drop through the cracks now and again.

But AD is, much like your physical network infrastructure, a core part of your organization’s operations and security. As more applications rely on AD as a central directory, making and keeping AD secure becomes more important to securing everything else in your enterprise. This chapter focuses on how AD becomes less-than-secure, how you can work with AD security more effectively, which AD security items are often overlooked or neglected, and how you can work to keep AD more secure on a continuing basis.

Chapter 5: Securing File Servers

A file server is one of the most common roles for a Windows server. After all, Windows got its start in business as a departmental file server, and file services remain one of Windows’ biggest strong points. Some organizations have had file servers in place for years, so it’s no surprise that security on these servers isn’t at the highest possible level. This chapter will explore the most common security problems with file servers, and show you ways to easily address those problems, resulting in a more secure Windows enterprise.

Chapter 6: Securing Servers and Services

The previous chapter showed you ways to make securing file servers a bit easier; this chapter will focus on security for all servers: Web servers, domain controllers, application servers, database servers, and more. Of course, all of these topics apply to file servers, too.

The crucial consideration to recognize about any server—regardless of OS, although I’ll focus on Windows—is that the OS contains bugs. Some of those bugs will create security vulnerabilities. Thus, the best practice for any server’s security is to try to shield those potential bugs and vulnerabilities, which is what much of this chapter will focus on.

Chapter 7: Security Through Software Maintenance and Filtering

Before computers became connected through the Internet, software wasn’t such a scary thing. Sure, viruses existed, but they were definitely limited in their effect by the difficulty of multiplying between disconnected computers. Software in general, in fact, has only recently started to become routinely complex. Ten years ago, the only folks worried about “patches” and software maintenance were typically server operators in large environments, perhaps working on systems such as an IBM AS/400 midrange. Today, however, complex OSs and all their associated maintenance needs live on every desktop, portable computer, and PDA. The high level of connectivity between these systems makes viruses, spyware, and adware—collectively referred to as malware—easy to catch and easier to propagate.

As a technology professional, you’re probably more than a little tired of hearing about patch management; I know I am. In this chapter, however, I want to put patch management in the overall context of software management, and discuss software management—the process of handling everything about all the software in your environment—from a much broader perspective. In keeping with the theme of “overlooked” security issues, I want to focus on software management issues that are often overlooked, or that don’t get the full attention they deserve.

Chapter 8: Securing the Network

Of course, the network—the backbone upon which the enterprise functions—is a major source of potential security problems in a Windows—or any other—environment. Securing the network is a critical requirement in order for the overall enterprise to be secure, so this final chapter will focus on often-overlooked network security problems and solutions.

Security Through Architecture

Many techniques exist for securing the network. Some of the common techniques are probably in use on almost every corporate network in the world:

  • Use firewalls to protect the network from Internet-based attacks
  • Use common wireless security mechanisms, such as Wi-Fi Protected Access (WPA), to secure wireless connections
  • Use authentication and authorization to protect network-attached resources, such as file servers, from unauthorized access

Unfortunately, one area that can provide excellent security but is commonly overlooked is the network architecture itself. The reason more secure architecture techniques are often overlooked is that the intranet is often seen as homogeneous when it comes to trust, access, and security. In other words, once you’re in the intranet, you can do whatever you want. Of course, nothing could (or at least should) be further from the truth; most security problems come from within the intranet, completely unaffected by the firewalls and other technologies meant to protect the network from outside attack. It’s these “inside jobs” that can be prevented by better security architecture.