Many people say information security is a journey: No action you take to secure Windows will make much difference if you don't keep doing more and stay one-step ahead of your nemesis. Even if you spend lots of money, hire the best people, know security backward and forward, implement Fort-Knox-like physical security and anti-logic bomb bunker technologies, you're still going to lose. Someone will be one step ahead of you.
Hogfeathers! This kind of attitude will leave you open to attack. Sure as letting a bull loose in a glass shop, it will result in damaged goods -- your network and your computers will be penetrated.
Instead of bemoaning what you don't know, what you can't do and what the enemy knows, get a grip and start hardening systems. Truth be told, doing so, like eating good food and not standing on a hill during a lightening storm, can protect you from an extraordinary percentage of common attacks.
You have to modify Windows system defaults. Defaults are established to help the most people get the most use out of their systems. You should address this issue from the standpoint of what you want your users to be able to do with their systems. If you reduce their possibilities, you also reduce risk.
Start by disabling unnecessary network connections. These network connections are enabled by default. The key word here is not 'disable' -- it's 'unnecessary.' You may need these connections on some systems but you should have a security policy that defines how and when to use these connections and how they may be secured. Meanwhile, take the attitude that all things should be locked down, and loosened only after need versus risk has been evaluated.
You may download a printer-friendly version.
|Checklist: Tighten default settings to prevent unauthorized access|
|Disable 802.11 wireless network connections|
If enabled, 802.11 wireless cards can serve as connection points for attackers even if users don't know that they have wireless capabilities. Even administrators and trained technical users may indivertibly expose their systems to risk by leaving wireless unprotected. If secure wireless networks are implemented and security practices extend to the workstation, then and only then should you enable them.
Before disabling, open the 802.11 network connection property page and use the advanced tab to firewall the connection. This protects the connection when it is enabled.
|Disable Bluetooth connections|
Bluetooth connections are used for short-range wireless synch or to communicate with a range of wireless devices, such as phones and printers. However, many systems do not need this capability, and your security policy may deny it to others. If you have to rely on Bluetooth, you're taking a risk, which each organization must weigh for itself. But by all means, turn off Bluetooth unless you know you absolutely need it for wireless devices to work.
|Disable infrared connections|
Infrared technologies allow wireless connectivity primarily for synching with handheld systems, but they may also be used for printing or file transfer. When another infrared system is in range, and its owner wants to transfer a file to your system, a popup asks you if you want the file. It will not distinguish between malware or important files -- that's your job. Files are stored using your privileges. Unchecking the Allow others to send files to your computer using infrared communications box in the Wireless Link Control Panel applet prevents accidental transfer.
FireWire -- a fast, short-range network connection often used for connecting audio and video devices -- may be used to network computers together and can be bridged with an Ethernet connection that enables a system with only Firewire access to access your network. Firewire is configured using the 1394 network connection viewable in Network Connections. It is enabled by default. Firewall the connection, and then disable this device.
Windows Security Checklists offer you step-by-step advice for planning,
setting up and hardening your Windows security infrastructure.
E-mail the editor to suggest additional checklist topics.
|ABOUT THE AUTHOR: Go back|
|Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.|
This was first published in September 2004