According to Microsoft, applications are one of the five biggest areas that you should concentrate on when securing your network. Applications often contain bugs and other vulnerabilities that attackers can exploit to gain unauthorized access to your network. Here are some steps that you can take to secure your network against such attacks.
In-house vs. canned applications
There are two main types of applications: in-house and “canned.” Your in-house programming team develops your in-house apps. Canned apps are purchased from a vendor. There are some big differences in how you treat these two types of applications. As I go along, I’ll point out which techniques are appropriate for each type of application.
Staying up to date
If your company uses applications that were developed in-house, the best recommendation that I can make is to keep your applications—and your developers’ skills—up to date.
To see why this is so important, consider this: One of my consulting clients uses several in-house applications. These apps are little more than front-end applications to Fox Pro databases. The problem is that the company is using an ancient version of Fox Pro. Further complicating the situation is the fact that everyone at the company has read and write access to the directory containing the database.
Because of this, it would be easy for anyone with a little computer experience to hack the database and possibly extract sensitive data or modify critical information, such as salaries, within the database.
So what can this company do to prevent its extreme vulnerability? For starters, it could migrate its database to something more current and secure, such as SQL 2000. The company should also look at recoding the front-end application in Visual Studio .NET, which allows developers to integrate operating system-level security into the applications they write. By staying up to date, they could avoid a lot of security problems.
Service accounts are frequently used when an application needs a higher level of access to the system than is granted to the users who are running the application. Typically, the service account receives administrative or even Enterprise Admin privileges. Although some applications require it, assigning such a high level of access to a service account is generally a bad idea.
Remember that service accounts seldom, if ever, require password changes. Furthermore, if the application does have a security hole and is running under the service account, then anyone who exploits that hole will have service account privileges. Therefore, you should check out exactly what privileges the service account needs and assign only those privileges. If the service account really does require administrative privileges, you can increase security by assigning the service account an explicit deny to all directories and resources that you know it will never need to access.
Hot fixes for canned apps
The need to stay current isn’t limited to in-house applications. Canned applications tend to be more vulnerable to attacks than in-house applications. This is because canned applications are so widespread that it’s easy for hackers to get their hands on a copy and test it for weaknesses.
There are some things that you can do to avoid a security breach due to a canned application. Again, the most important thing is to keep your applications up to date. This doesn’t mean that you have to upgrade to the newest version the minute it hits the street. We all know that new products tend to have the most bugs. Instead, focus on keeping your existing versions up to date, and try not to fall more than one or two versions behind the latest releases.
Updating Microsoft products
The process of keeping applications up to date varies widely, depending on where the application came from. If you have Microsoft products such as Office, staying current is easy. The first thing that I’d recommend is to get a copy of the Microsoft Baseline Security Analyzer (MBSA). You can acquire this tool at Microsoft’s TechNet Web site. The MBSA scans your computer for potential weaknesses. Although the MBSA doesn’t focus specifically on Office, it does provide lots of useful information, as shown in Figure A.
Another way that you can keep Microsoft products up to date is to use the updates available on the Microsoft Web site, such as the Office Updates site. One click of the Go button, and you’ll receive a report outlining exactly what you need and where to get it.
As important as it is to keep your applications up to date, it’s equally important to be aware of the applications running on your network. If you don’t know what applications are on your workstations, then you can’t expect to keep those applications up to date. Frequent software audits will help you keep track of the applications on your network.
Another reason to perform frequent software audits is to spot unauthorized software, which could potentially expose your company to piracy-related litigation. Likewise, unauthorized software can interfere with your network’s overall health.
Unauthorized software can contain Trojan horses, viruses, or known weaknesses that can be exploited by a hacker. Furthermore, such applications consume system resources, such as memory, hard disk space, processing power, and bandwidth.
These applications could even harm legitimate business applications. For example, how many times have you seen one application overwrite a DLL file or a driver that was implemented by another application? For reasons such as these, it’s imperative that you create a software policy dictating which applications—and which versions of those applications—are allowed on your workstations. You must then hunt down and remove all other applications.
Centralized application management
One of the best ways of enforcing your software usage policy is to control the distribution of applications. Active Directory lets you publish or assign applications to workstations. This allows you to automatically install applications or to require users to install authorized applications by going through the Control Panel’s Add/Remove Programs applet.
There are several advantages to controlling software through Active Directory. First, if a user somehow removes or destroys an application, you can set Windows to automatically reinstall the missing or damaged application. Another advantage is that by centralizing and automating the process, you can be sure that all updates are rolled out to all users in a timely manner. There will be little need to wonder if your PCs are up to date, although random spot checks are never a bad idea.
For the ultimate in centralized application control, why not implement Terminal Services? Terminal Services works similarly to a mainframe/dumb terminal system. Your workstations run a small client program that allows them to attach to a terminal server. All applications are actually running on the terminal server, and only screen refreshes are sent to the clients.
The cool thing about Terminal Services is that, because all of the applications are running on the terminal server, there’s only one copy of each application. This means that the application should be much easier to maintain than if you had a thousand copies of the application spread across a thousand PCs.