Optimizing Windows Security and Business Needs

By CIOReview | Friday, August 5, 2016

Imagine the modern workforce as a chess board: a collection of unique pieces working together to achieve a common unified goal. Each piece on the corporate chess board has productivity preferences when it comes to how, when, and where their best work gets accomplished. As innovations in technology are expanding enterprise networks beyond the traditional office environment, these productivity preferences probably include working on their favorite mobile devices and apps.

In today’s constantly changing world, mobility has become synonymous with productivity, and the number of mobile workers in the U.S. is expected to swell to 105.4 million by 2020. As the enterprise perimeter continues to acquire new meanings, how can business leaders answer the call for increased employee freedom and protect corporate information at the same time?

With all of the technological and compliance-related changes in the IT arena over the last decade or so, one would think the battle between security and convenience would have been settled by now. But as it stands, the security concerns remain the same, and finding a proper balance between Windows security and business needs remains a top priority for any organization.

Information security and locking down Windows systems is not an easy process. In real and simple terms, Windows security is a large gray area that depends on the organization's culture and, most importantly, on management buy-in. The problem is that many Windows administrators have their priorities out of order and forget that their main responsibilities are to facilitate business and to support the users.

Many organizations have relatively stringent controls, especially around passwords and internet usage, and users have a tough time doing their day-to-day tasks. Users report that they are required to change passwords every 30 to 45 days, and are unable to connect and sync their smartphones, receive email attachments, use instant messaging, or connect removable storage to back up their own laptops (which is typically their responsibility).

Yet even with strict controls keeping users from doing their work, assessments routinely turn up basic security vulnerabilities such as the following:

• Missing patches on workstations and servers (even where Automatic Updates and WSUS are in use) that can be exploited to gain full control of the system.
• No host firewall in place, which allows system enumeration, share browsing and the like.
• Disabled anti-virus software.
• Systems (especially databases and network infrastructure devices) with default or blank passwords, which can be completely controlled, reconfigured, shut down, etc.
• Unencrypted laptop drives that expose whatever sensitive information is stored on the machine once it is lost or stolen.
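The items above are the kind of thing a quick local check catches before any hardening work starts. The script below is an added example, not code from the article: a read-only PowerShell check for four of the five exposures (default passwords on databases and network devices cannot be checked generically from a workstation). It assumes an elevated PowerShell 5.1 or later session on Windows 8.1/Server 2012 R2 or newer, where Get-HotFix, Get-NetFirewallProfile, Get-MpComputerStatus and Get-BitLockerVolume are available; the 30-day patch threshold is an assumed policy value, not a figure from the article.

```powershell
# Added example (not from the CIOReview article): basic exposure checks on the local host.
# Requires an elevated PowerShell 5.1+ session. The 30-day patch window is an assumed value.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Patching: days since the last hotfix was installed. This is an offline heuristic;
#    the WSUS / Windows Update compliance report remains the authoritative source.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch) {
    $findings.Add('No installed hotfixes reported; check the Windows Update / WSUS client state')
} elseif (((Get-Date) - $lastPatch.InstalledOn) -gt [TimeSpan]::FromDays(30)) {
    $findings.Add("Last hotfix $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToShortDateString()), older than 30 days")
}

# 2. Host firewall: the Domain, Private and Public profiles should all be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings.Add("Windows Firewall is not enabled for the $($_.Name) profile")
}

# 3. Anti-malware: Windows Defender present, with real-time protection switched on.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add('Defender status unavailable (third-party AV or service stopped); verify the AV manually')
} elseif (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Anti-virus or real-time protection is disabled')
}

# 4. Full-disk encryption: every OS and fixed data volume should have BitLocker protection on.
Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
    ForEach-Object {
        if ($_.ProtectionStatus -ne 'On') {
            $findings.Add("BitLocker protection is $($_.ProtectionStatus) on $($_.MountPoint)")
        }
    }

if ($findings.Count -eq 0) {
    'No findings from the basic checks.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated prompt; each line it prints maps directly onto one bullet in the list above, which makes it a useful first pass before a full assessment.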

Based on such security assessments, most Windows shops have a lot more basic work to do before worrying about locking everything down. One of the most common ways to configure an office full of Microsoft Windows computers is group policy. For the most part, group policies are settings written into a computer's registry to configure security settings and other operational behaviour. Group policies can be pushed down from Active Directory (actually, pulled down by the client at boot, at logon and on a refresh interval) or configured locally with the Local Group Policy Editor.

Given below is a list of ten things that will go a long way toward making a Windows environment more secure while leaving the flexibility to cater to business needs.

• Rename the local Administrator account: If attackers don't know the name of the Administrator account, they have a harder time targeting it. Renaming is not automatic; do it by hand or push the "Accounts: Rename administrator account" security option through group policy. Note that the account keeps its well-known relative identifier (RID 500), so anyone who can translate SIDs to names will still find it; renaming raises the bar for casual attacks but does not hide the account.

• Disable the Guest account: One of the worst things one can do is enable this account. It grants a fair amount of access to a Windows computer and has no password. Fortunately, it is disabled by default.

• Disable LM hash storage: LM password hashes are easily cracked back to their plaintext passwords. Don't allow Windows to store them on disk, where a hash-dumping tool would find them. Storage is disabled by default on current Windows versions (Vista/Server 2008 and later), and an LM hash cannot be generated at all for a password longer than 14 characters.

• Disable LM and NTLMv1: The LM (LAN Manager) and NTLMv1 authentication protocols have known weaknesses. Force the use of NTLMv2 and Kerberos. By default, most Windows systems will still accept all four protocols from clients; the "Network security: LAN Manager authentication level" security option, set to "Send NTLMv2 response only. Refuse LM & NTLM", closes this.

• Minimum password length: The minimum password length for regular users should be at least 12 characters, and 15 characters or longer for elevated accounts. Windows passwords aren't close to secure until they reach 12 characters. In the Windows authentication world, 15 is the magic number: a password of 15 or more characters cannot be stored as an LM hash, so a leaked LM hash cannot be used against it.

• Maximum password age: Passwords of 14 characters or fewer should be used for no longer than 90 days. The default maximum password age in Active Directory is 42 days, so one can either accept the default or increase it to 90 days.

• Event logs: The vast majority of attack victims would have detected the breach sooner if their event logs had been turned on and someone had made a habit of checking them. Use the audit settings recommended in the Microsoft Security Compliance Manager tool, and use the audit subcategories (Advanced Audit Policy Configuration) rather than the legacy category settings.

• Disable anonymous SID enumeration: Security identifiers (SIDs) are the numbers assigned to each user, group and other security principal in Windows or Active Directory. In early Windows versions, unauthenticated users could query these numbers to identify important users (such as Administrators) and groups, a fact attackers loved to exploit. Fortunately, anonymous enumeration is disabled by default on current versions.

• Enable User Account Control: Ever since Windows Vista, UAC has been the No. 1 protection tool for people browsing the Web. Many organizations turn it off because of outdated information about application compatibility problems. Most of those problems have gone away, and many of the remaining ones can be solved with Microsoft's free application compatibility troubleshooting utility.

• Don’t let the Anonymous account reside in the Everyone group: The "Network access: Let Everyone permissions apply to anonymous users" security option, if enabled, gives an anonymous (null-session) attacker far more access to the system. Leave it disabled.
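Because, as noted earlier, group policy largely works by writing settings into the registry, the ten items above can be verified on any machine by reading those registry values back, together with the local accounts database and the effective password policy. The script below is an added example, not code from the article: it audits all ten settings on the local host and reports pass/fail for each. It assumes an elevated PowerShell 5.1 or later session (Get-LocalUser ships with Windows 10 / Server 2016), the registry value names that the corresponding security options write under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and the Policies\System key, and this example's own hardened target values; the "Default" column is the value assumed when a setting has never been written, which matches current Windows defaults but is this example's assumption.

```powershell
# Added example (not from the CIOReview article): audit the ten hardening settings above.
# Requires an elevated PowerShell 5.1+ session. Expected values are this example's targets;
# 'Default' is the value assumed when the registry value is absent.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry-backed security options: the names group policy writes for each setting.
$registryChecks = @(
    @{ Name = 'LM hash storage disabled (NoLMHash)';                  Path = $lsa; Value = 'NoLMHash';                    Expect = 1; Default = 1 },
    @{ Name = 'Refuse LM and NTLMv1 (LmCompatibilityLevel = 5)';      Path = $lsa; Value = 'LmCompatibilityLevel';        Expect = 5; Default = 3 },
    @{ Name = 'Anonymous SAM enumeration blocked (RestrictAnonymousSAM)'; Path = $lsa; Value = 'RestrictAnonymousSAM';   Expect = 1; Default = 1 },
    @{ Name = 'Anonymous not in Everyone (EveryoneIncludesAnonymous)'; Path = $lsa; Value = 'EveryoneIncludesAnonymous'; Expect = 0; Default = 0 },
    @{ Name = 'Audit subcategories override categories (SCENoApplyLegacyAuditPolicy)'; Path = $lsa; Value = 'SCENoApplyLegacyAuditPolicy'; Expect = 1; Default = 1 },
    @{ Name = 'User Account Control enabled (EnableLUA)';             Path = $uac; Value = 'EnableLUA';                   Expect = 1; Default = 1 }
)

$results = foreach ($c in $registryChecks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Value) } else { $c.Default }
    [pscustomobject]@{ Check = $c.Name; Actual = $actual; Expected = $c.Expect; Pass = ($actual -eq $c.Expect) }
}

# Built-in accounts are identified by RID, not by name: 500 = Administrator, 501 = Guest.
# Matching on the RID is also why renaming alone does not hide the Administrator account.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$results += [pscustomobject]@{ Check = 'Built-in Administrator (RID 500) renamed'; Actual = $admin.Name;    Expected = 'not "Administrator"'; Pass = ($admin.Name -ne 'Administrator') }
$results += [pscustomobject]@{ Check = 'Guest account (RID 501) disabled';          Actual = $guest.Enabled; Expected = $false;               Pass = (-not $guest.Enabled) }

# Password policy: the effective values (local or domain) as reported by 'net accounts'.
$net    = net accounts
$minLen = [int](($net | Select-String 'Minimum password length').Line -replace '[^0-9]', '')
$maxAge = ($net | Select-String 'Maximum password age').Line -replace '[^0-9]', ''   # 'Unlimited' yields ''
$results += [pscustomobject]@{ Check = 'Minimum password length >= 12';  Actual = $minLen; Expected = '>= 12'; Pass = ($minLen -ge 12) }
$results += [pscustomobject]@{ Check = 'Maximum password age 1-90 days'; Actual = $maxAge; Expected = '1-90';
                               Pass = ($maxAge -ne '' -and [int]$maxAge -ge 1 -and [int]$maxAge -le 90) }

$results | Format-Table -AutoSize
```

The event-log item is covered only as far as the subcategory-override switch; which subcategories are actually enabled is best read with `auditpol /get /category:*` and compared against the baseline the organization has adopted. Running this across a sample of machines is a quick way to see whether the group policy that is supposed to set these values has really been applied.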

There are no silver bullets in cyber security. New tools and measures are constantly being developed to combat a steady rush of threats and attacks, and the industry has begun to catch up with the threat posed by criminals and hackers. Striking a proper balance between business needs and regulatory compliance is becoming increasingly difficult: the business wants ever more access, while regulators and the threat of a breach or compromise pull the other way, toward less access and greater control.

The big oversight is that there is also a business component to IT and security that can't be ignored. Convenience and usability must be part of the balance, and security must not be imposed haphazardly without taking users' needs into account.

The way forward is a proper balance of caution and usability: look for the mixture that provides reasonable security cover over the long term.