When it comes to keeping desktops locked down in the enterprise, a big focus is on passwords at the operating system level. After all, Windows 7 passwords are pretty simple to crack, fully exposing the system. But there's a lot more at stake -- even beyond personally identifiable information and sensitive intellectual property, and to properly address the problem, IT administrators need to be aware of its full extent.
Many people haven't thought about all the other Windows 7 passwords on computers that can be exposed once a computer is lost or stolen or when someone with bad intent gains access to one of your systems. Simply put, your entire enterprise can be at risk when one or more of the following passwords is exposed on a Windows 7-based system:
- Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access, Preshared Key (WPA-PSK) keys
- Screensaver passwords
- Remote Access Service and dial-up passwords
- Microsoft virtual private network (VPN) connection passwords
- Remote Desktop passwords
- Windows 7 HomeGroup passwords
- Domain cached credential passwords
- Remote assistance passwords
- Web browser cached passwords
It's scary to think about the amount of sensitive information that can be exposed. Don't write off a single incident as a local problem. Instead, consider a breach an enterprise problem, and invoke your incident-response plan -- assuming you even know about it. For example, Figure 1 shows a how Proactive System Password Recovery can easily glean a WPA2 preshared key (PSK) from a Windows 7 machine.
Imagine such information being exposed when you have dozens, or thousands, of systems to reconfigure across the enterprise.
Depending on the tool you used, if you upgraded or migrated older data to your Windows 7 systems, you may also have legacy files containing additional passwords.
What about solutions? There are so many variables involved that it's hard to say exactly how to lock down Windows 7 against such password exposures. I could simply tell you that all you need to do is encrypt your drives using BitLocker or other third-party disk encryption software. That's certainly one of the best defenses. If you do, make sure you encrypt the entire drive and not just a protected partition or folders using something like Encrypting Files System.
Other approaches include the following:
- Performing system inventories/audits using a tool such as Identity Finder to determine which sensitive information is being stored locally
- Disabling password autocomplete in frequently used enterprise Web applications that users frequently tell their browsers to remember the passwords for
- Periodically clearing Web browser caches altogether -- a difficult proposition, but a good solution nonetheless
Outside of data loss prevention (DLP) and endpoint controls, you'll just have to acknowledge Windows vulnerabilities and minimize them as best you can.
The only way to know what's really at risk is to test a sampling of your enterprise desktops and laptops and see what's stored on them. This exercise should confirm the need to rethink desktop and laptop security and, just as importantly, rework enterprise password policies. A document stating policies that employees must agree to follow is not foolproof, but it's a good start, and it can show that your business has taken some basic steps to maintain Windows 7 security. That can go a long way in the eyes of judge or jury when a seemingly minimal problem turns into an all-out breach.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic, LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Complianceand Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go.