Security Annoyances
Get the answers you need to 6 big security problems
January 29, 2007
Trying to keep your company's information secure is a lot of work and is unlikely to make you popular with users. Typically, the tighter you try to lock down a network, the more hassle the network is to administer, as repetitive tasks become necessary for both end users and you. But there are ways to ease the pain—often by deploying automation technology. Let's look at six common security annoyances and practical, effective ways to overcome them.
Password Resets
Resetting passwords for users who forget them is the bane of every administrator. A META Group survey indicates that this thankless task alone costs companies with 10,000 users well over half a million dollars a year (http://www.microsoft.com/technet/security/guidance/identitymanagement/idmanage/p2pass.mspx). But there are ways to reduce or even eliminate this problem. My favorite solution is to use electroshock therapy. With a few simple modifications to a keyboard's wiring and a device-driver hack, you can deliver 120 volts of behavior-changing juice to the nervous system of your users when they enter their passwords incorrectly. A couple of jolts and your problem is solved!
You can train users to remember passwords with less violent behavior-modification methods. The most effective password-memorization technique I've found is creating passwords by using the first letter of each word of a sentence that the user can remember. You'll need to use a sentence that has some proper nouns and numbers so that this technique produces a complex password with upper-case letters and nonletter characters. You can let users come up with their own sentences, but I've had better success assigning users passwords based on a sentence of my choosing. Assigning passwords this way carries the added benefit of the enjoyment you get by forcing users to mentally recite your brutally honest observations about their personality or appearance. Of course, if you have one of those irksome corporate security policies that says you shouldn't know everyone's password (like you can't just run a password cracker, right?), then you might have to look at other alternatives.
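The sentence-to-password technique above, as an added example that is not from the article: the first function derives the password exactly as described (first character of each word, case and digits kept as typed), and the second checks whether the result satisfies a typical domain complexity policy before you hand it to a user. The sample sentence and the policy thresholds (minimum length 8, at least three character classes) are assumptions made for the example.

```python
from typing import Dict

# Constructed sample sentence (an assumption for this example, not one from the
# article); it contains a proper noun and numbers so the result mixes classes.
SAMPLE_SENTENCE = "My brother Dave moved to 2 new flats in Austin since 1999!"


def mnemonic_password(sentence: str) -> str:
    """Derive a password from the first character of each word of a sentence.

    Case and non-letter characters are kept as typed, which is what gives the
    password upper-case letters and digits when the sentence contains proper
    nouns and numbers. A trailing punctuation mark on the last word is kept as
    well, so a sentence ending in '!' or '?' contributes a symbol.
    """
    words = sentence.split()
    if not words:
        raise ValueError("sentence must contain at least one word")
    password = "".join(w[0] for w in words)
    last = words[-1]
    if len(last) > 1 and not last[-1].isalnum():
        password += last[-1]
    return password


def complexity_report(password: str, min_length: int = 8) -> Dict[str, object]:
    """Report which character classes a password uses and whether it meets a
    typical domain policy (minimum length, at least three of four classes).
    The thresholds are assumptions for this example, not the article's."""
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    class_count = sum(classes.values())
    report: Dict[str, object] = dict(classes)
    report["length"] = len(password)
    report["class_count"] = class_count
    report["meets_policy"] = len(password) >= min_length and class_count >= 3
    return report


if __name__ == "__main__":
    pw = mnemonic_password(SAMPLE_SENTENCE)
    print(pw, complexity_report(pw))
```

Run it against a candidate sentence before assigning it: a sentence with no proper nouns or numbers ("the cat sat on the mat") yields a short, single-class password that the report rejects, which is exactly the case the article warns about.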
Enter the automated password reset tool. Let's think about it. Resetting a user's password is a pretty mundane, clerical process: Authenticate the person requesting the password reset, find his or her account, and reset its password. Why not automate this? A variety of self-service password reset solutions are already on the market to take this burden off your shoulders, and it's not hard to justify the cost when you consider the savings in IT staff time. Solutions on the market provide various methods for letting users reset their own passwords, from Web-based applications to telephone-based systems. Some of the players include Avatier Password Station and M-Tech Information Technology's P-Synch. Just do a Web search for "password reset self-service" and you're on your way.
Protecting Laptop Data
Protection of laptop data is receiving increasing scrutiny from legislators and the media. When an organization loses a laptop containing customers' personal information, the organization is in for some hefty unexpected costs associated with notifying each customer of the security breach as well as the more-difficult-to-quantify costs of bad press and loss of good will.
I've watched this problem and the technologies designed to address the risk of stolen or lost laptops for years. Many solutions have caused more problems in terms of stability or administration than they were worth. Other solutions slowed down systems or were too impractical because they depended on users to encrypt or decrypt files or manage encryption keys. I've used Windows Encrypting File System (EFS) for my clients, but it has drawbacks; for instance, EFS doesn't support whole-volume encryption, so data can leak out from unencrypted folders.
Windows Vista's new BitLocker Drive Encryption feature for whole-volume encryption and its integration with the Trusted Platform Module (TPM) found in most business laptops today provide the best all-around solution for protecting data on laptops. In fact, I'd say BitLocker is the single biggest motivator for migrating your laptop fleet to Vista.
With BitLocker, you divide your hard drive into two volumes. One volume is very small (just a few megabytes) and initially left empty; you install Vista to the partition that occupies the rest of the drive. Then you enable BitLocker and wait for it to encrypt the entire large volume. BitLocker installs a bootstrap loader on the small volume, which is protected from tampering by the laptop's TPM. When the laptop is turned on, the TPM checks, through hashes stored in its tamper-resistant memory, whether the tiny bootstrap partition has been modified. If it hasn't, the TPM allows the bootstrapper to load. The bootstrapper retrieves the encryption key for the larger volume from the TPM and proceeds to boot Vista on the larger, encrypted volume. This description is a bit simplified, but the bottom line is that for the first time, we have laptop hardware, tamper-resistant key storage, and whole-volume encryption all integrated with the OS for the most transparent, best performing, and effective encryption solution I've seen to date. To learn more about BitLocker, see the Windows BitLocker Drive Encryption Step-by-Step Guide (http://www.microsoft.com/technet/windowsvista/library/c61f2a128ae6-4957-b031-97b4d762cf31.mspx).
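The boot-time check described above, as an added simulation that is not Microsoft's code or the TPM API: a TPM platform configuration register (PCR) can only be "extended" (new value = hash of old value and the new measurement), so firmware measures the boot partition into a PCR and the TPM releases the volume key only if the resulting PCR equals the value recorded when the feature was enabled. The class below models that seal/unseal decision with a plain comparison; a real TPM keeps the key encrypted under a chip-internal key and decrypts it only on a PCR match. The boot-partition bytes and the volume key are constructed sample data.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA1(old PCR || SHA1(measured data)).

    Extend is one-way, so software cannot set a PCR to an arbitrary value; it
    can only append measurements, which is why a modified boot partition
    cannot reproduce the value recorded for the original one."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(boot_partition: bytes) -> bytes:
    """Measure the small boot partition starting from a zeroed PCR, as at power-on."""
    return extend_pcr(b"\x00" * PCR_SIZE, boot_partition)


class SimulatedTpm:
    """Toy model of sealing a key to a PCR value (constructed for this example).

    A real TPM stores the sealed key encrypted under a chip-internal key and
    decrypts it only when the PCRs match; here the release decision is just a
    constant-time comparison against the recorded PCR value."""

    def __init__(self) -> None:
        self._sealed: List[Tuple[bytes, bytes]] = []

    def seal(self, expected_pcr: bytes, key: bytes) -> None:
        self._sealed.append((expected_pcr, key))

    def unseal(self, current_pcr: bytes) -> Optional[bytes]:
        for expected, key in self._sealed:
            if hmac.compare_digest(expected, current_pcr):
                return key
        return None


def boot(tpm: SimulatedTpm, boot_partition: bytes) -> Optional[bytes]:
    """Return the volume key if the measured boot partition matches the sealed
    value; None means the bootstrap code was altered and the volume stays
    encrypted."""
    return tpm.unseal(measure_boot(boot_partition))


# Constructed sample data: these byte strings stand in for the boot partition
# contents and the volume encryption key. None of them come from the article.
GOOD_BOOT = b"constructed bootstrap loader image v1"
TAMPERED_BOOT = b"constructed bootstrap loader image v1 with an added hook"
VOLUME_KEY = bytes(range(32))


def provision(tpm: SimulatedTpm) -> None:
    """Enabling the feature: measure the known-good boot partition and seal
    the volume key to that PCR value."""
    tpm.seal(measure_boot(GOOD_BOOT), VOLUME_KEY)


def demo() -> Tuple[bool, bool]:
    """(key released for the good image, key withheld for the tampered image)"""
    tpm = SimulatedTpm()
    provision(tpm)
    return (boot(tpm, GOOD_BOOT) == VOLUME_KEY, boot(tpm, TAMPERED_BOOT) is None)


if __name__ == "__main__":
    print(demo())
```

The practical consequence for administrators follows directly from the model: any legitimate change to the measured boot components (a firmware update, a modified boot configuration) also changes the PCR value, which is why a recovery key has to be escrowed before such changes are rolled out.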
Lovely Spam, Wonderful Spam
Spam is such a pain. Kind of the understatement of the decade, eh? We all hate it, and it's a security threat because we can all too easilyopen an attachment containing a virus.
If you aren't careful, though, your antispam solution can become an even bigger pain. No antispam solution is 100 percent accurate. You run two basic risks with an antispam solution: user dissatisfaction with low catch rates and user dissatisfaction with false positives, both of which lead to increased care and feeding of users by IT staff (i.e., support calls).
In my experience, an 80 percent catch rate for spam is pretty reasonable; users shouldn't expect much better unless they're willing to regularly hunt down good email messages that got caught by the spam filter. Many antispam solutions claim a much higher catch rate but don't mention their false positive statistics. Moreover, catch rates vary from organization to organization, and even user to user, because of the content and phrases peculiar to different industries and what each user considers to be spam. A marketing professional may have a view of spam very different from a technician who doesn't have much interaction outside the organization.
In my opinion, Sender Policy Framework (SPF) spam detection has the best potential to significantly reduce spam, but too few companies have taken the time to publish an SPF record for their DNS domain. An SPF record published in your domain's zone file formally declares the official SMTP servers for your domain so that other organizations can determine if email that purports to be from your domain really is. Don't delay: There are great setup wizards on the Internet that will help you build your own SPF record—for instance, http://www.openspf.org.
As seductive as the idea of a Bayesian-based, "self-learning" antispam solution is, I've had better luck with frequently updated signature-based spam-detection solutions. Like antivirus solutions, signature-based spam-detection solutions require the vendor to constantly monitor messages, quickly update their signature database, and just as quickly push the updated file to their customers. Microsoft Exchange Intelligent Message Filter (IMF) would be a much better solution if Microsoft updated it more frequently. I always see a dramatic drop in spam after I install an IMF update, but the amount of uncaught spam immediately begins to climb. Other signature-based spam solutions, such as St. Bernard Software's ePrism, are much more frequently updated. There are also a number of antispam services available that relieve you from installing and maintaining any software by routing your mail through the antispam service's servers first.
Perhaps the biggest risk in implementing an antispam solution is the potential increase in support calls from users trying to find email messages that were apparently eaten by the antispam solution. Any solution that requires you to get involved when a user needs to retrieve a false positive is more trouble than it's worth. My advice is to install only antispam solutions that make all email identified as spam easily accessible to the user—preferably without leaving the email client. As examples, you can configure both IMF and GFI Software's GFI MailEssentials to put all spam into the recipient's junk email folder. Even better, GFI MailEssentials lets you specify a different folder for each antispam method it supports, so you can determine which method (e.g., Bayesian, SPF, Realtime Blackhole List—RBL) is responsible for misclassifying a good email message by the folder in which it ends up.
Wi-Fi Security
Most organizations I run into are still using the Wired Equivalent Privacy (WEP) standard or Wi-Fi Protected Access (WPA) pre-shared keys to secure their wireless LANs (WLANs). WEP isn't secure no matter how strong your shared key is, because of vulnerabilities in the protocol and associated algorithms. WPA and WPA2 pre-shared keys are secure only if they are at least 22 characters long and drawn from a large character set. Long shared keys, though, are an annoying, time-sapping problem for IT staff and users because of all the management and security issues that arise. Users can't remember them, so you're constantly asked for the key, and frighteningly few users seem capable of typing more than a few characters correctly in sequence. Whenever a new computer is commissioned or a contractor comes in, you must get them access to the WLAN. And what happens if a pre-shared key is compromised?
The solution is elimination. Get rid of WPA with pre-shared keys (WPA-PSK). No, not WPA altogether—just the PSK part. Implement 802.1x in place of pre-shared key authentication. With 802.1x, you configure your Access Points (APs) to interface with Active Directory (AD) via Remote Authentication Dial-In User Service (RADIUS) to authenticate users and computers based on their AD credentials. You have to install Internet Authentication Services (IAS) on one of your Windows servers, such as a domain controller (DC); IAS is Windows' built-in RADIUS server. After installing IAS, you introduce the APs and IAS to each other with some simple configuration settings, and in no time your Windows wireless clients will begin authenticating to your WLAN by using either the computer's or the user's credentials.
By applying a few Group Policy settings, you can make the authentication process transparent to users of computers that belong to your domain. Outside users such as contractors and consultants that need access to your WLAN simply need to enter the user name and password of an AD account that you provide them. IAS allows you to limit access to WLAN and internal wired networks based on group membership, which allows you to restrict external consultants to Internet-only access, for instance. For detailed directions for implementing 802.1x on your WLAN, see the Windows IT Security article "Reaping the Benefits of WPA and PEAP," June 2006, InstantDoc ID 50105. By replacing WPA-PSK with 802.1x, you leverage the user accounts you already manage in AD and eliminate the headaches of pre-shared keys.
Restoring Files
Backup and recovery is very much a part of information security, even if it isn't the first thing you think of. There's nothing more annoying than being close to a new high score on your favorite computer game when an inconsiderate user calls up whining about a file he needs restored. While mourning your dead game avatar, you must rouse from the comfortable environs of your cubicle, find the appropriate tape, restore the file, inform the user, and repeat the process when he decides he really needed a version from a week earlier.
Stop the insanity! Get Microsoft System Center Data Protection Manager (DPM), and put users in control of their own restores—right from Windows Explorer. After you install a DPM server and the associated agent on your file server, DPM periodically takes snapshots of your server. It efficiently stores multiple versions of each file in its online Microsoft SQL Server database. After you push out a necessary hotfix explained in the Microsoft article "How to use the End User Recovery functionality of Data Protection Manager in Windows XP" (http://support.microsoft.com/kb/895536) to your Windows XP clients, users will be able to browse available backup versions of any file on the server directly from Windows Explorer. To facilitate offsite backups of your data, DPM lets you back up shadow copies of your file servers from the DPM database, giving you a disk-to-disk-to-tape backup scenario. To learn more about DPM, go to http://www.microsoft.com.
Patch Management
Patch Tuesday is many administrators' least favorite day of the month. And zero-day vulnerabilities are rearing their ugly heads more frequently between Patch Tuesdays. I have three recommendations for making your patch-management effort less of a nightmare:
Life is too short to push out patches manually. Implement Windows Server Update Services (WSUS) or another automated patch-management solution. WSUS is free, but many excellent ISV offerings go beyond WSUS's functionality, providing broader platform and application support and better manageability, including those from St. Bernard Software, PatchLink, BigFix, Shavlik Technologies, and ScriptLogic.
Many administrators are reluctant to push out a patch without testing it, but testing is time-consuming and annoying. In addition, the user community usually identifies defective patches soon after their release. Organizations with a small IT staff might consider just sitting on patches a couple of days and monitoring for any advisories or revisions from Microsoft, then deploying them without testing.
An especially annoying type of vulnerability is that for which no patch is available—zero-day vulnerabilities. Most zero-day exploits are related either to a specific file type (e.g., .doc, .xls, .ppt, .bmp, .png) or to a Microsoft Internet Explorer (IE) ActiveX object. More and more antivirus vendors quickly release signature updates for file-format exploits even though they aren't, strictly speaking, viruses. If you cover your file-borne vectors (principally email attachments and Web downloads) with multiple antivirus engines, you'll often be protected against these file-borne zero-day exploits well ahead of patch availability. The easiest way to address ActiveX-related vulnerabilities is to set the kill bit on the ActiveX control. I've created an administrative template that you can use with Group Policy to automatically set the kill bit for an ActiveX control on thousands of computers in a short time. The template and a video demonstrating how to set it up can be found at http://www.ultimatewindowssecurity.com/killbit.asp.
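What setting the kill bit actually writes, as an added example that is not the author's administrative template: the kill bit is bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The code below validates the CLSID, ORs the bit into any flags already set on the control (so you don't clobber other compatibility settings), and emits a .reg file you can import on a handful of machines or use to verify what a Group Policy deployment should produce. The CLSID is a constructed placeholder; use the CLSID named in the advisory for the control you need to block.

```python
import re
from typing import Dict, Iterable, Optional

# Bit in the "Compatibility Flags" value that tells IE never to instantiate a control.
KILLBIT = 0x00000400
KEY_BASE = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
            r"\ActiveX Compatibility")
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

# Constructed placeholder CLSID for the demo (not a real control); substitute
# the CLSID named in the advisory for the control you want to block.
PLACEHOLDER_CLSID = "deadbeef-0000-4000-8000-000000000001"


def normalize_clsid(clsid: str) -> str:
    """Return the CLSID in canonical {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
    upper-case form, or raise ValueError if it is malformed."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError(f"not a well-formed CLSID: {clsid!r}")
    return c


def killbit_flags(existing: int = 0) -> int:
    """OR the kill bit into an existing Compatibility Flags value so that other
    flags already set on the control are preserved."""
    return existing | KILLBIT


def killbit_reg_file(clsids: Iterable[str],
                     existing_flags: Optional[Dict[str, int]] = None) -> str:
    """Produce .reg file text that sets the kill bit for each CLSID.

    existing_flags maps a canonical CLSID to the Compatibility Flags value
    currently on the machine, if known, so it can be merged rather than replaced."""
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        c = normalize_clsid(clsid)
        flags = killbit_flags(existing_flags.get(c, 0))
        lines.append(f"[{KEY_BASE}\\{c}]")
        lines.append(f'"Compatibility Flags"=dword:{flags:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(killbit_reg_file([PLACEHOLDER_CLSID]))
```

Write the returned text to a file with UTF-16 LE encoding (the format regedit expects for version 5.00 files) and import it with regedit or reg.exe. Because the bit is ORed in, running the same file twice is harmless, and a control that already carries other compatibility flags keeps them.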
Take Action
In the case of many security annoyances, the key is to automate or implement newer technologies, but often such projects are put off because of the initial setup involved or the purchase costs. However, failing to solve problems and automate tasks leads to a less and less productive IT department that moves in slower and slower motion, dragged down by outdated, manual procedures. The IT department that succeeds in climbing the steep, initial curve to eliminating IT headaches such as those in this article will reap the benefits in the long run. A few weekends at the office now can save you many evenings and weekends in the future.