Securing the Workspace Part 2: A few security basics for your Workspace
Security is a chess game, we on one side and the bad guys on the other. In my previous Workspace related article I discussed whether we should chase bad or ensure good. In this blog I’d like to get a bit deeper with the options we have to ensure good. Like I also mentioned in my presentation, for who was present, no advice in this blog will 100% guard you from future infection or hacks. Hackers evolve, weaknesses are found. We need to adapt and learn to be prepared. Security is a chess game that will never end.
Before we go into how to work on securing your desktop further without investing heavily, let’s talk a bit on security basics. I touched on this topic already a little bit in the first blog with repeating it you will remember it. So when we think about security basics my first thought is to only allow what is required. That sounds simple but if you give it a thought you realize there is more to it. Ensuring good will only work if you know very well what should be allowed, what application use, how user interact. Once you know that why keep all the other communication lines open? Also check the poster from HP which I think is pretty awesome, live by that and a lot of what is next is less required. Because people don’t live by that poster we need security, so here we go.
This goes for networking, where all external communication from the users workspace is either over port 80 or 443. If that is the case then why can any attacker setup a communication of port 667 for instance. If the user doesn’t need that port don’t allow them to use it. Of course disabling ports is chasing bad so why not only open port 80 and 443? Attacks with communication over these ports are not disabled by this but a lot of others are. for security audits it would be very powerful to show them that you only allow certain communication (depending on access scenario’s).
File Type Association
One of the more effective ones is FTA or File Type Association. Applications use FTA to open certain files, Microsoft Word for one uses DOCX these days. There are many of those but not all of them are being used in the workspace. We leave them alone and fight the threats coming in when we could also only allow the FTA’s our users need and make sure the others are not effective anymore.
A few common FTA’s that are used are listed here; .js, .jse, .wsf, .wsh, .vbe, .vbs, .hta, .pif
In the past we used to use VBS a lot for login scripts and so on but these days better alternatives are available. So if you don’t need these FTA’s what if we redirect them to e.g. Notepad? If you redirect them to Notepad they become useless. If a user accidentally open a link with something bad it will open Notepad and show the content. Before you post comments that the world is not black or white let me already react on that. further on you will see that indeed the world is a mixture of colours and a redirect should be set where possible but only in when not hindering users. This can be done very nicely as I will show you later on.
A very effective way of ensuring good is to white list applications, files, folder a user can use. By default users have access to several programs or utilities available in Windows that are great but can be used to harm them. Several of these utilities are used to e.g. extract the payload or the execute it. Think of Extract.exe which is used to well extract files, pretty handy right? Right, pretty handy but when in the wrong hands it can be used to extract a payload you don’t want. So what if we only allow (ensuring good, remember?) the user to access applications they need and not e.g. Extract.exe. That would close donw the attack surface a bit more wouldn’t it? Again, of course everything in a colourful world, users that need access get it, just in time and only when needed.
White listing is a bit of work to setup but the minute your finished it is a blessing. control of who accesses what is suddenly easy to view. You could create a report about what application a user can access in a certain scenario. That’s pretty awesome also when you think about security audits.
What more can we think of?
I could have placed this one under FTA as .ps1 is a file type association but decided against it. PowerShell, as Microsoft puts it, is a very powerful framework. It is capable of doing a massive amount of tasks that you can automate with it. In every organization I presume PowerShell is used for day to day management tasks or dpeloyment of printers and so forth. PowerShell is also a very much used framework for criminals. As it is such a powerful framework they realized that once they got access to that they can do almost anything on your machine.
I would suggest, and I know this is a hot debated topic, limiting the access to PowerShell to all users. Implement certain safeguards with the use of PowerShell so you can raise the wall for attackers to gain access. I’m not suggesting to block PowerShell, however if they don’t need it why let them access it, but make sure you are in control of who, when and where it is used.
This is a tough one. I’ve been in IT since ’93 and since ’94 I’ve seen users with admin rights. Why? because it was convenient, it was handy as IT didn’t need to come around to install that printer or application. Well as a history fan I remember a poster I once saw. Loose lips sink ships, a poster from World War II when they didn’t have twitter, Facebook or email. A time when telling you were to sail to Europe on a freighter would possible be sunken by a German sub.
Why is this relevant in security and your Workspace?
Well, what if we changed the poster to “Convenience kill your company”? or “Loose clicks hijack your files”? I think we should ask your brilliant minds to create posters like that, I’m not one of them, to create awareness. Convenience is one of the toughest nuts to crack, users don’t need to be admin on a local Workspace, they don’t.
Certain tasks on a Workspace require admin rights, certain tasks not all of them. Users only should get admin rights for these tasks. These tasks are installing a printer, installing specific software or changing settings. First you need to ask yourself if any of these tasks apply to your users, do they need to install applications or change settings? If they do read on for the UEM section (which seeing the length of this blog will be a new blog article).
Context awareness versus GPO/GPP
A little more on security but a little deeper. In my next blog i will show the effect context awareness but first a explanation. This is very important and something we need to understand when designing a secure Workspace. Think of a funnel, a user will at any time when he or she is working be in certain states. States we see as context parameters.
Context parameters are for instance location, time, IP address, device model, windows version but also Compliance checks as Anti virus up-to-date or device not rooted. Any of thee checks determine who the user is, where the user is (at that specific moment) what device he or she is using and so on. You might, no lets rephrase you should have different security scenarios depending on your users/devices whereabouts. As we all know working from public WiFi connection is unsafe. So when you notice your users working from a fast food restaurant instead of their home, this should be a seen as a security risk.
with Group policies you can also create some sort of security framework but they have their limitations. Group Policies are applied at logon and never again until you logon again. With our modern workplaces we see that users logon in the morning, perhaps from home. Disconnect to drive to a customer, reconnect. Disconnect when they leave and reconnect at the office again. Never will a Group Policy reapply here as the session will be there all the time. In these circumstances you need a smart solution, for almost two decades a alternative has been around, called User Environment Management. It’s a local agent running that will check those context parameters each time the user connects. If anything you specified changed their Workspace will change, they will have less or more applications and so forth.
Modern Workspaces can’t do with smart solutions like this. UEM is just one of them and they work great with virtual environments. For mobile devices I think a solution like AirWatch is more applicable where you can set compliance check for devices.
So with all these guidelines and thoughts you wonder what is next. Next is to show you, in a next blog, the smart solution(s) that offer solutions to implement this. I think there are two areas to focus one is User environment management and the other one is device management (also called mobile device management). With smart solution you can make it harder for attackers and offer a better user experience as you tailor it with the solutions. It does not only sound like a win-win, it is.
So in a next blog (someone once told me not to write that long blogs) I will show User environment management and Device management compliance. Keep safe until then.