I am currently reading the book Professional Windows Desktop and Server Hardening by publisher Wrox (http://www.wrox.com/WileyCDA/WroxTitle/productCd-0764599909.html), and will be posting tips that administrators overlook most of the time.
Today, I’ll be giving some quick tips about Conventional and Unconventional Defences. I won’t be surprised if some of you already know about them, but you may not remember these defences when you implement a network.
1. To Linux fans out there: Whatever is Popular Gets Hacked. How true is this statement? You might be saying that Windows is full of exploits because it is unstable and vulnerable. If it were the days of Windows 9x/NT, I would agree with you that Windows isn’t that secure. However, things have changed, and vulnerabilities have decreased tremendously.
If you think about Apache, you’ll notice that it has more vulnerabilities than IIS (since Apache is more widely used).
2. Don’t Let End Users Make Security Decisions. Heck, I don’t even trust end users myself, so why should we let them make security decisions? They will only increase our workload when they submit support tickets!
3. Security-by-Obscurity Works! Change RDP (Remote Desktop Protocol) to some random port instead of the usual 3389. Change HTTP to some random port instead of the default port 80 (do this only for internal users, not external users).
4. Assume Firewalls and Antivirus Software Will Fail. I’ve been doing some consulting for a few companies, and this statement is true. Updated antivirus software with a properly configured firewall isn’t enough. Malware nowadays comes through port 80, and antivirus isn’t as good at detecting new viruses.
5. Minimize Potential Attack Vectors, Decrease Attack Space. Everybody knows this. Disable services or programs that you do not need. Close the ports you do not need. Use IPSec for communications between machines.
6. RunAs. Remember the long-forgotten RunAs? Administrators should provide users (and themselves) with limited user accounts (LUA) and use RunAs if they want to install applications. Also, I’ve learnt not to give users permission to install new applications. It must be done by an administrator.
7. Keep Patches Updated. To cut things short, Keep Patches Updated. All of you know why.
8. Use a Host-Based Firewall. Who said Windows XP SP2’s firewall isn’t good? It is a host-based firewall… Nah, it doesn’t filter outgoing traffic, so use a third-party firewall instead.
9. Rename Admin and Highly Privileged Accounts. Scripts or hackers will try to break into the system through the default administrator account. So on every installation of Windows (or any OS or application), rename the default high-privileged accounts.
10. Install High-Risk Software (IIS) to Non-Default Folders. I know lots of you out there will just install everything to the default folder, but here’s a tip: Don’t! Take the hassle to reconfigure things if you have IIS installed in the default folder. I know it may break some web app (if you have any), but do you want to fix your web app or secure your server?
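As an added example (not from the book or this post), here is a read-only PowerShell audit that reports where a machine stands on tips 6, 8 and 9. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or newer, since Get-LocalUser and Get-NetFirewallProfile don’t exist on XP-era systems.

```powershell
# Added audit script (not the book's or the post's own code): reports the state of
# tips 6, 8 and 9 on the local machine. Assumes PowerShell 5.1+ on Windows 10 /
# Server 2016 or later. Run from an elevated prompt; it only reads settings.

$findings = @()

# Tip 6: is RDP still listening on the default port 3389?
# Note: a moved port only dodges untargeted sweeps of 3389; a full port scan still finds it.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($rdpPort -eq 3389) {
    $findings += 'RDP listens on the default port 3389'
} else {
    $findings += "RDP port changed to $rdpPort (the firewall rule must allow this port too)"
}

# Tip 8: host firewall enabled on every profile, and does it filter outbound traffic?
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $findings += "Firewall profile '$($p.Name)' is disabled"
    } elseif ($p.DefaultOutboundAction -ne 'Block') {
        $findings += "Firewall profile '$($p.Name)' allows all outbound traffic by default"
    }
}

# Tip 9: the built-in Administrator account keeps RID 500 whatever it is called,
# so locate it by SID instead of trusting the name.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin.Name -eq 'Administrator') {
    $findings += 'Built-in Administrator account still uses its default name'
}
if ($builtinAdmin.Enabled) {
    $findings += "Built-in Administrator account ($($builtinAdmin.Name)) is enabled"
}

if ($findings.Count -eq 0) { 'No findings for tips 6, 8 and 9' } else { $findings }
```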
Those are 10 tips from the book that have been forgotten by most IT Pros out there. Stay tuned! There’s more coming in the coming days/weeks!