Excerpted from Windows NT/2000 Network Security, by E. Eugene Schultz, published by New Riders.
The starting point of workstation security is realizing that every client workstation is really part of the domain itself. Therefore, protecting each workstation adequately is more important than one might think! Suitable solutions for the types of workstation-level vulnerabilities that surface ... include the following:
- Create an InfoSec policy that discourages or (better yet) prohibits users from storing extremely sensitive and valuable files and applications on their workstations. Such files and applications should be stored on servers (where they are likely to be better protected) instead.
- Run virus-detection and eradication software on every workstation.
- Limit privilege levels according to the principle of least privilege. If you allow everyday users too high a level of privilege, they may be able to plant and execute software on workstations that has negative consequences for security. Running certain cracking tools requires Administrative-level privileges. These tools (such as Netcat, a port listener) can threaten the security of servers within a given local network, and sometimes within an entire wide area network (WAN). Similarly, privilege escalation can result in subversion of systems and/or denial of service. Users have also been known to plant Trojan horses that execute when an administrator logs on to the workstation, thereby elevating the privileges of the user.
- Limit cached logons. In general, users with desktop machines that connect to domain servers within the same local network do not need cached authentication. Users who connect remotely within a WAN are more likely to need this capability. Limiting the number of authentication contexts in which cached logons occur can be very beneficial for security because of the potential for retrieving password hashes used in domain access from workstations.
- Do not allow RAS to run on workstations in critical operational environments because RAS may serve as a means of backdoor access.
- Enable security auditing on workstations and inspect log entries regularly. Sometimes the best way to discover an attack on servers is to examine the logs of workstations used to perpetrate attacks.
- Include workstations in your backup strategy. It is so easy to overlook workstations in a backup strategy. Yet if hard drives on workstations become corrupted or users accidentally delete files on workstations, the consequences can be catastrophic.
- Administer workstations from a central console, but first carefully think through what you want to do and how you want to do it. It is possible to make a mistake in remotely administering any machine that causes considerable disruption. An example is modifying user profiles on workstations, the objects that determine what desktop each user sees after that user has logged on locally. Changing a profile may disrupt a user's ability to use a workstation.
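The cached-logon and RAS items above can be checked from a script on current Windows versions. The following is an added example, not code from the book: the function name `Test-WorkstationBaseline`, its parameter, and the threshold of 0 are assumptions, while `CachedLogonsCount` and the `RemoteAccess` service are the standard Windows names for these settings.

```powershell
# Added example: report deviations from two of the workstation settings listed above.
# Test-WorkstationBaseline and -MaxCachedLogons are hypothetical names.
function Test-WorkstationBaseline {
    param(
        # Assumption: LAN desktops need no cached logons; raise this for remote/WAN users.
        [int]$MaxCachedLogons = 0
    )
    $findings = @()

    # CachedLogonsCount is a REG_SZ value under Winlogon.
    # When the value is absent, Windows falls back to its default of 10.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }
    if ($count -gt $MaxCachedLogons) {
        $findings += [pscustomobject]@{
            Check    = 'CachedLogonsCount'
            Actual   = $count
            Expected = "<= $MaxCachedLogons"
        }
    }

    # RemoteAccess is the Routing and Remote Access service, which accepts
    # inbound connections. Flag it unless it is both stopped and disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'" `
               -ErrorAction SilentlyContinue
    if ($svc -and ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')) {
        $findings += [pscustomobject]@{
            Check    = 'RemoteAccess service'
            Actual   = "$($svc.State) / $($svc.StartMode)"
            Expected = 'Stopped / Disabled'
        }
    }

    return $findings
}

# An empty result means both settings match the baseline.
Test-WorkstationBaseline -MaxCachedLogons 0 | Format-Table -AutoSize
```

In a domain, the cached-logon limit is normally enforced through Group Policy rather than set per machine, so a script like this serves as a verification step.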
Related book Windows NT/2000 Network Security
By E. Schultz
This book is intended primarily for LAN administrators, system programmers, information security staff and advanced users. Although the main focus of the book will be technical, many facets of Windows NT security involve practicing sound control procedures. As such, much of the book's discussion will be pertinent to all three groups. Windows NT/2000 Network Security will also thoroughly cover security-relevant technical issues such as controlling services protocols like Web-services and SMB. The book will be carefully sequenced to delve into technical issues increasingly with each chapter, so that the last half of the book will be more relevant to LAN administrators and system programmers than anyone else -- whereas the first half will be equally pertinent to all groups.