Unless managing a few Windows boxes is your full-time job, if you want to have any hope of keeping them secure, you have to have a well-reasoned strategic approach. The most important input to this strategy is an understanding of attack vectors and how they change.
Back in the early days of Windows 3.1, before Windows for Workgroups 3.11, and long before Windows NT, or 2000 or XP or 2003, the most common attack vector by far was from a virus hiding in the boot sector of a floppy disk. I think it's been about 7 years since I've seen a computer infected by a boot sector virus. In the past few years, we've seen several other attack vectors come and go, such as hostile macros in Word and Excel.
Today, the most common attack vectors for Windows machines are
- e-mail worms that rely on users to click an executable
- attacks that exploit bugs in services via TCP or UDP ports
- Web pages that install spyware, adware and occasionally much worse
- and the perennial favorite, "social engineering"
It's pretty obvious to most security professionals, that to develop a strategy, you need to know how your Windows systems are used, so you can implement the appropriate controls, because for instance, a SQL Server needs a completely different strategy than a Windows laptop used by a road-warrior. Business critical applications may run on the SQL Server that require constant availability. You may only get one change window each month in which to do your security updates and patches, which may force you to separate your server from the rest of your LAN with a firewall. The laptop, obviously, has an entirely different set of problems.
The point though, is to understand that the popularity of attacks tends to revolve around how your users do business. And thus, as business habits change, so will attack vectors. We don't swap floppy disks anymore so boot sector viruses are a thing of the past. Or are they? Perhaps the popularity of all those USB drives, and SD cards and compact flash cards will present a target too tantalizing for virus writers to pass up. Consider that just last month we saw a proof of concept virus for cell phones. Passing hostile code from Windows CE to Windows XP is not outside the realm of possibility.
A good Windows security strategy is more than just updating your virus scanner; like preventing their biological cousins, it involves minimizing high-risk behavior. So, consider what your users are doing, and try to offer them safer alternatives.
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.
This was first published in August 2004