Windows Support Tools

Wednesday, 31 August 2011

Using Windows 7 management tools to your advantage

Posted on 23:08 by Unknown

The more enterprises get to know Windows 7, the more useful features they'll find. Among the neatest things in that operating system are the management tools for the Ultimate and Enterprise versions (often in combination with Windows Server 2008 R2). Here are my three favorites:

AppLocker

Arguably the most needed from a security perspective, AppLocker lets you define and manage, via Group Policy Objects (GPOs), exactly which executables may run on your users' desktops. It's not unlike the whitelisting tools we've had available in the past, such as Faronics' Anti-Executable and Windows Software Restriction Policies, but now you've got a more feature-rich whitelisting and management application built right into the OS.

DirectAccess

DirectAccess is a virtual private network alternative that lets remote users connect directly to the corporate network without the hassle of launching a VPN client on their workstations. It presents a single interface that connects users to the Internet and the intranet at the same time. In my opinion, the coolest thing about DirectAccess is that it pushes Windows updates out any time the computer is connected to the Internet.

Windows XP Mode

Windows XP Mode is a full-blown version of Windows XP SP3 that runs inside a Microsoft Virtual PC session in Windows 7. As long as you have a reasonable amount of memory to support it, all you have to do is download and install Windows XP Mode and Virtual PC, and you've got yourself a working virtual machine in no time.

A great aspect of Windows XP Mode is that it enables users to run virtualized applications. This means that programs are available for use in both a Windows XP Mode virtual session and a Windows 7 session. This is a great way to quickly set up an environment for testing application compatibility, performing security scans and more.

There are numerous other management tools like Federated Search for network searching, BranchCache for speeding up downloads at branch offices, Reliability Monitor for monitoring and troubleshooting OS and application problems, and BitLocker and BitLocker To Go for disk and removable media encryption.

I've always been an advocate of using what you've got as long as it meets your requirements for performance, visibility and control. The new management tools built into the high-end editions of Windows 7 may do just that. You may not be a big fan of the look and feel of Active Directory, GPOs and similar Windows-related administrative functions, but these built-in tools are better than no tools at all.

Enterprise password protection checklist

Posted on 23:05 by Unknown

Despite the good intentions of IT departments, end-user education and advanced forms of authentication, password protection -- or a lack thereof -- remains a vexing problem for enterprises.

Users still create easy-to-guess passwords, write passwords down, store them in plain text, or email passwords to their friends and co-workers -- even though passwords are often the first, and sometimes only, line of defense against intruders.

Many enterprises still use password-based authentication because it's simpler and cheaper than more secure systems. In addition, organizations often maintain legacy systems that support only password-based authentication. Even enterprises that have implemented more advanced forms of authentication often combine them with password-based methods.

It's good practice to regularly review your corporate password management policy to maintain a secure environment and protect sensitive data.

Password cracking

When developing a password policy, it helps to understand the methods used to gain unauthorized access to protected resources. Intruders use the following methods to crack passwords:

Brute-force attack: An attempt to access a secure resource by trying all possible combinations of characters that can make up a password.

Dictionary attack: An attempt to access a secure resource by systematically entering common words (which often come from a dictionary file) to determine a user's password.

Sniffing: The process of intercepting wired or wireless network transmissions and capturing password hashes.

Cracking solutions: Software that attempts to recover passwords, typically from captured password hashes.

Social engineering: The process of using social skills to obtain passwords and other personal information. Intruders will often implement telephone, e-mail or Internet schemes to get users to reveal their sensitive data. Phishing is a type of social engineering.

Spyware: A type of software that users unintentionally install on their computers. Spyware surreptitiously gathers sensitive data or records keystrokes and sends that information to the intruder.

Shoulder surfing: The process of gathering password information or other sensitive data by watching users enter passwords or reading passwords they've written down.

These methods are often used in combination. For instance, intruders might use sniffing to intercept a password hash and then use cracking software to decrypt the hash. Or intruders might use social engineering to gather personal information about users, and then run a dictionary program that creates a list of words based on that data.

Strong and safe passwords

An effective password policy should prevent passwords from being guessed, cracked or compromised in any way. Part of that policy should ensure that all users create strong passwords and follow specific guidelines when using and maintaining those passwords.

There's plenty of material that explains what constitutes strong passwords and proper password maintenance. The following guidelines summarize much of that information and provide a quick checklist to reference when developing password standards:

Keep passwords confidential. Don't write passwords down. Don't show or tell them to anyone. Don't store passwords or transmit them electronically, unless you're sure they're encrypted and safe.

Don't include personal information. Don't use first or last names, addresses, birthdays, anniversaries, Social Security numbers, usernames, nicknames, pet names or any other type of personal information.

Don't create passwords that can be easily guessed. Avoid using common words, including abbreviations, foreign words, common misspellings or words spelled backwards. If you're creating a passphrase, don't include common phrases, famous quotations, or words from poems or songs.

Use mixed characters. Passwords should include lower- and uppercase letters, numbers and symbols such as @, %, !, &, and ^.

Create long passwords. The longer the password, the better. Most sources recommend passwords be at least eight characters long, often longer. (Microsoft now recommends that a strong password be at least 14 characters.) When passphrases are supported, use them. They should run at least 20 to 30 characters long.

Change passwords regularly. Recommendations vary on how often to change passwords, but 90 days is a common standard. The policy in some organizations is to change privileged (administrative) accounts more frequently than end-user accounts.

Don't reuse passwords. After you've used a password, forget it. And make the new password significantly different from the old one.

Use different passwords for different accounts. Don't use the same password for more than one account.

Not surprisingly, the stronger the passwords, the harder they are to remember, and the harder they are to remember, the more likely users are to write them down, forget them or call the support desk.

The trick is to get users to create strong passwords they can remember. One way to achieve this is to base the password on the first letter of each word in a sentence or phrase. For example, the sentence "The #3 train arrives this p.m. @ platform 2A!" translates to the password T#3tatp.m.@p2A!. Notice that the password includes upper- and lowercase letters, numbers, and symbols.

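As an added example (not code from the original post), here is the sentence-to-password derivation above in Python, together with a checker for the preceding checklist items (length, mixed character classes, no personal information, no common words or reversed common words). The abbreviation rule is inferred from the post's own example: purely alphabetic words collapse to their first letter, while tokens containing digits or punctuation are kept whole. The minimum length of 14 follows the Microsoft recommendation quoted above; the common-word list and the personal-information values are constructed samples.

```python
import re
import string

# Added example, not from the original post. COMMON_WORDS is a constructed
# sample; a real deployment would load a much larger banned-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}


def sentence_to_password(sentence: str) -> str:
    """Derive a password from a memorable sentence.

    Rule inferred from the post's example: a token made only of letters
    contributes its first letter; any token containing digits or punctuation
    (e.g. '#3', 'p.m.', '@', '2A!') is kept whole.
    """
    parts = []
    for token in sentence.split():
        parts.append(token[0] if token.isalpha() else token)
    return "".join(parts)


def check_password(password: str, personal_info=(), min_length: int = 14):
    """Return the list of checklist items the candidate violates (empty = OK)."""
    problems = []

    # Create long passwords (14 is the Microsoft figure cited in the post).
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Use mixed characters: lower, upper, digit and symbol must all appear.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")

    # Don't include personal information (case-insensitive substring test).
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")

    # Don't use common words, including words spelled backwards.
    for run in re.findall(r"[a-z]{4,}", lowered):
        if run in COMMON_WORDS or run[::-1] in COMMON_WORDS:
            problems.append(f"contains common word '{run}'")

    return problems


if __name__ == "__main__":
    derived = sentence_to_password("The #3 train arrives this p.m. @ platform 2A!")
    print(derived, check_password(derived, personal_info=("Jane", "Smith")))
```

The checker reports every violated item rather than stopping at the first, which is what a self-service password-change page needs in order to tell the user how to fix the candidate.
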
Password management

An effective security strategy should include a documented password policy, and requirements for strong passwords should be part of that policy. However, the policy should also address other issues critical to enterprise password management:

Educating users: All users should be educated in password-related issues -- including details about how passwords can be cracked, what constitutes a strong password, ways to craft those passwords and how to safeguard passwords.

Enforcing standards: Password policies should be enforced systemically, that is, through security policies and other network and operating system mechanisms that prevent users from creating weak passwords or mismanaging their passwords. For instance, passwords should be set to expire at preset intervals, password histories should be retained to prevent passwords from being reused, and new users should be required to change their passwords upon first login.

Detecting intruders: Set controls that limit the number of times a bad password can be entered before an account is locked out.

Auditing passwords: Passwords should be periodically audited to ensure compliance. Such auditing should be done without providing visibility to the passwords themselves.

Storing and transmitting passwords: Passwords should always be encrypted whenever being stored or transmitted.

Managing privileged passwords: Privileged passwords -- those used to access administrative accounts, let computers access one another or run service programs -- should be stored centrally on a system that supports a secure access and change process.

Implementing password management: Password management solutions can help mitigate the problems associated with compromised passwords. Such a system might be a centralized technology (such as single sign-on or password synchronization) or one that lets users store usernames, passwords and other sensitive information locally. If your organization implements one of these methods, your password policies should incorporate the technology's operation and use.
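The enforcement points above (expiry at a preset interval, a retained password history to block reuse, a forced change on first login, lockout after repeated bad passwords, and storage that never exposes the password itself), as an added Python example that is not part of the original checklist. The thresholds (90-day expiry, 5 remembered passwords, lockout after 5 failures) are assumed sample values taken from the numbers the post mentions; the account name, passwords and dates are constructed; passwords are stored only as salted PBKDF2 hashes.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Added example, not from the original post. Thresholds are assumed samples.
MAX_AGE = timedelta(days=90)      # change passwords regularly (90-day standard)
HISTORY_SIZE = 5                  # remembered passwords that may not be reused
LOCKOUT_THRESHOLD = 5             # bad attempts before the account locks
PBKDF2_ROUNDS = 100_000           # assumption: modest work factor for a demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username: str, initial_password: str, now: datetime):
        self.username = username
        self.history = []          # (salt, hash) pairs, newest last
        self.failed_attempts = 0
        self.locked = False
        self.must_change = True    # new users change the password on first login
        self.changed_at = now
        self._store(initial_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        del self.history[:-HISTORY_SIZE]   # retain only the most recent entries

    def _in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, s), h)
                   for s, h in self.history)

    def login(self, password: str, now: datetime) -> str:
        """Return a status string so the caller can log and act on it."""
        if self.locked:
            return "locked"
        salt, current = self.history[-1]
        if not hmac.compare_digest(hash_password(password, salt), current):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True
                return "locked"
            return "bad-password"
        self.failed_attempts = 0
        if self.must_change:
            return "must-change"
        if now - self.changed_at > MAX_AGE:
            return "expired"
        return "ok"

    def change_password(self, old: str, new: str, now: datetime) -> str:
        # Strength checks on `new` would run here before anything else.
        if self.login(old, now) in ("bad-password", "locked"):
            return "rejected: old password"
        if self._in_history(new):
            return "rejected: reused"
        self._store(new)
        self.changed_at = now
        self.must_change = False
        return "changed"


def simulate() -> dict:
    """Walk one constructed account through the policy; returns the statuses."""
    t0 = datetime(2011, 8, 31)
    acct = Account("jsmith", "Initial-Passw0rd!", t0)
    r = {}
    r["first_login"] = acct.login("Initial-Passw0rd!", t0)
    r["reuse"] = acct.change_password("Initial-Passw0rd!", "Initial-Passw0rd!", t0)
    r["change"] = acct.change_password("Initial-Passw0rd!", "T#3tatp.m.@p2A!", t0)
    r["normal"] = acct.login("T#3tatp.m.@p2A!", t0 + timedelta(days=10))
    r["expired"] = acct.login("T#3tatp.m.@p2A!", t0 + timedelta(days=91))
    last = None
    for _ in range(LOCKOUT_THRESHOLD):
        last = acct.login("wrong-guess", t0)
    r["after_bad_attempts"] = last
    r["correct_but_locked"] = acct.login("T#3tatp.m.@p2A!", t0)
    return r


if __name__ == "__main__":
    for step, status in simulate().items():
        print(f"{step}: {status}")
```

Note that a correct password on a locked account still returns "locked": lockout is a property of the account, not of the attempt, which is what stops a guessing loop from succeeding on its last try. The audit requirement above is met the same way: an auditor can run candidate values through `hash_password` against the stored salt and compare, without the stored record ever revealing the password.
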

Clearly, the factors that contribute to an effective password policy go beyond simply making sure that users create strong passwords. The goal must be to grant all authorized users access to protected data, while preventing unauthorized users from gaining such access.

To that end, you should create a policy that takes into account all issues related to managing passwords. The points above provide a starting point, but your policy must be specific to your enterprise. In other words, your password policy should reflect every step necessary to reduce the risks of compromise to any of your organization's systems.
