PCs

Five desktop security tips that are easily overlooked

A few small tweaks can add up to a more secure desktop. Jack Wallen shares some simple precautions that will provide a bit more protection.

The desktop computer is the heart of business. It is, after all, where business gets done. But so much effort goes into securing our servers (and with good reason), that often the desktops are overlooked. That does not need to be the case. Outside your standard antivirus/anti-malware/firewall, there are ways of securing desktops that many users and techs might not think about. Let's take a look.

1: Patch that OS

Although many updates occur for feature-bloat, some updates do in fact happen for security reasons. One of the first things you should do, prior to deploying a desktop, is apply all the patches available for it. Do not deploy a desktop that has known, gaping security holes. If you are deploying a desktop that has not been fully updated, it will be vulnerable from the start. And this tip applies to all platforms, not just Windows.

2: Turn off file sharing

Those who must share files can ignore this tip. But if you have no need to share files on your desktop, you should turn this feature off. For Windows XP, click Control Panel | Network Connections | Local Area Connection Properties. From that window deselect File And Printer Sharing, and you're good. In Windows 7, open the Control Panel and then go to the Network And Sharing Center. Now click Change Advanced Sharing Settings in the left pane. From this new window, expand the network where you want to disable sharing and select Turn Off File And Printer Sharing. Done.

3: Disable guest accounts/delete unused accounts

Guest accounts can lead to trouble. This is especially true because so many users leave guest accounts without password protection. This might not seem like a problem, since the guest user has such limited access. But giving access to a guest user creates a security risk. You are much better off disabling the guest account. The same goes for unused accounts. This is such a common mistake. Machines get passed around from user to user in many businesses, and the old users do not get deleted. Don't let this happen to you. Make sure the users on your system are actually active and need access to the machine. Otherwise, you have yet another security hole.

4: Employ a strong password policy

This should go without saying. SHOULD. But how many times do you come across the word "password" as a password? Do not allow your users to make use of simple passwords. If the password can be guessed with little effort, that password should never be used. This can be set in server policies. But if you don't take advantage of policies, you will have to enforce this on a per-user basis. Do not take this lightly. Weak passwords are one of the first ways a machine is compromised.

5: Mark personal folders/files private

You can enable folder/file sharing on a machine but still have private folders. This is especially important for personal information. Some businesses might not allow personal files to be saved on desktop machines, but that's a rarity. If you work in a company that allows you to house personal data, you probably won't want your fellow employees to have access to it.

The how-to on this will vary from platform to platform (and is made even more complex by the various editions of the Windows platform). But basically, you change the security permissions on a folder so only the user has access to the folder. To do this, right-click on the folder and select Properties. From within the Properties window, go to Security and edit the permissions to restrict access to just the user.

Other tips?

I wish I could say there was a definitive way to make sure a desktop was 100% secure. But the only way to ensure that is to unplug it from the network and power it off. That doesn't make for a very efficient work environment. But if you follow these tips, those desktops will be more secure than they would be otherwise.

What additional  measures do you recommend for improving desktop security?

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

12 comments
glnz
glnz

At work, my office PC is Win XP Pro SP3, on my company network. When I log on, I have to sign in with a password, and I am not an Administrator. My PC has a My Documents folder with, of course, my many personal docs (with subfolders), and I would like to keep My Documents away from everyone else. Properties - Security indicates there are three Users for this My Documents folder: -  Administrators ([My PC number]\Administrators) -  [My Name] ([My Login Name]@[Company Domain].com) -  SYSTEM All three seem to have Full Control. in Advanced - Owner, I seem to be the owner. It lists only -  [My Name] ([My Login Name]@[Company Domain].com) Before I do anything, consider that, when I'm at home, I can directly access this office PC using GoToMyPC, which is great. I don't want to do anything that interferes with that tremendously useful product. So, in My Documents - Properties - Security, should I click the "Deny" boxes for - Administrators ([My PC number]\Administrators) and/or - SYSTEM? What will happen? Thanks.

derekmelber
derekmelber

I love these types of threads! As a GPO MVP for Microsoft and someone that knows a little about desktop security, the number one thing that anyone can do for securing the desktop is to take local admin privileges away. Group Policy Preferences can do this in about one minute! Then, use a solution like BeyondTrust PowerBroker Desktops to allow users to run apps and OS features that require local admin privileges. It is elegant, fast, reliable, and secure! BeyondTrust has been providing GPO extensions for over 11 years and solving least privilege for over 6! www.beyondtrust.com Derek Melber, MVP

jeroldo
jeroldo

Being a retired IT guy it is automatic for me to set up my home machine with a non-admin user account for myself now that I am using Win7 Ult The only problem is that I need to use the admin enabled acct sometimes. That being said, I have long been looking for a means of using the limited user account normally while still allowing myself the "benefits of some of the tasks which I can access in the admin side. For example, I can open the admin acct and all of my photos show themselves. However, when using the limited user acct, those darned old photos just won't show no matter what I do. There are other similar problems but I won't bother you with all those. I refuse tho, to leave the machine on 24/7 in admin mode. and I hate swithching back and forth and back and forth again and again and,,,,

mail2ri
mail2ri

Besides the above 5 tips, one key consideration which can save the tech support team many a sleepless night is not giving user-logins Administrative Rights. More so for desktops which are part of the office network, which are anyway accessible to the Tech Support team for remore support (should the user need any new s/w to be installed / uninstalled). Many a times users work in self-destruct mode by installing all kinds of 'freeware' and unauthorized s/w on their work computers, thereby affecting their own performance, and jeopardizing the security of the office network. But, in my experience, few CIOs have the b*lls to put such restrictions on users' computers.

Justin James
Justin James

"You can enable folder/file sharing on a machine but still have private folders." Windows file sharing on the desktop SKUs has been doing this forever... out of the box, "My Documents" is private, but there is a default, public area (for Music and Video too) that gets shared out. J.Ja

Gis Bun
Gis Bun

Wondering why a guy that seems to prefer open source topics is discussing Windows issues. That said, unless someone turned it on, the Guest is by default disabled. Having non-admin rights on XP is useless unless you've installed everything. By default, the first account created in Windows XP has admin rights. Patching is obvious. As for unused accounts, delete only accounts that are obvious - not specialized accounts which if deleted could "break" some software installed. There shouldn't be any unused accounts on a home PC with no other users at home. Jack seems to be mixing home and company systems. By default, domain accounts should already have a decent secured password policy. As for home users, a password should be required for laptop users - optional for desktop users. But all mail, government, banking and other secure accounts require tough passwords [too many people with the passwords "password" or "123456" or ....]. Probably should be using ACLs to secure folders [Windows "home" users don't have this option. Also try BitLocker [premium Windows Vista & 7 editions only], TrueCrypt or others. Encrypting the drive, BIOS password, and boot password for laptops also should be used. Finally disable or restrict Autorun. For domains, if possible use software that can restrict users from installing USB and other devices on their own [such as DeviceLock]. Some companies also rename the actual local administrator account [as well as a very strict password] and create a disabled dummy administrator called "administrator".

Neon Samurai
Neon Samurai

If you have mobile and remote users there may come a time when you need to talk them through an administrator login. This may be get a remote connection you can then work through or similar. Create a second local administrator account in addition to the primary local admin. Give it a nice strong password as it's not going to be for regular use. When the user calles with an applicable issue: - validate that staff is who they say they are - talk them through disposableadmin login with crazy long password - have them change the password to something more rational and temporary - talk them through whatever minimum you need to get your own remote connection - fix the machine - reset disposableadmin password to new crazy long value You can have to user do the minimum admin stuff without exposing your primary local administrator account Now, if you have a seporate primary local administrator password for each of your machines then this doesn't really apply (but.. wow.. how do you manage that with more than ten workstations?) Any of the security hackers see a glaring issue in my strategy?

jfuller05
jfuller05

Users shouldn't have administrative privileges. This probably sounds "dated," but it's a good policy. I know from experience. I got a call from a user telling me this his computer was slow, unresponsive, etc. When I arrived at the site, I took a look at his computer. I asked him the usual questions and found out that he had been downloading stuff like he wasn't going to be able to download for the rest of his life. Coupons and Antivirus 2010 were his favorite things to download. :)

Justin James
Justin James

"Jack seems to be mixing home and company systems. By default, domain accounts should already have a decent secured password policy." Agreed. While these are all good tips, in a properly managed Windows network, they are mostly moot points. Password policies? Out of the box. Updates? WSUS, leave the box on and WSUS pushes out your corporate patch loads for Microsoft products. Group Policy and/or System Center take care of the rest of your corporate load out. Disabling Autorun? GROUP POLICY. Folks, this isn't rocket science. If you have more than a small number of machines in a Windows network and you are running a company, you need Windows Server to manage them. Why recreate the loadout and patches and security policies on every single machine when you can just do it once in the centralized management? Or, to put it another way, how much is your time worth, that the cost of a proper server with the benefits it brings, is "too expensive"? Your time needs to be worth nearly nothing, or you need to be in something like a startup environment (where you have time but not money... again, your time is "worthless" or at least, "worth less"...) for this to make any sense. J.Ja

AnsuGisalas
AnsuGisalas

That's the only problem I can see with this. If you have a lot of users to support, how do you validate them? And of course, if the audio feed is patchy... that could fail the process. No security weaknesses I can see, but the process itself is not entirely robust. But it's better than most. Beats the "emergency envelope". Tricky problem, this "How to let people enter the forbidden zone, just once"

NickNielsen
NickNielsen

Until the Windows software OEMs stop writing their apps to require write access to system directories, some users are just going to have to run with admin privileges. (Can somebody please explain to me why I need admin privileges to burn a CD? ?:| ) And what idiot at Microsoft approved putting the global temp directory inside the protected-for-a-good-reason system directory?

Justin James
Justin James

... design decisions by Microsoft, sadly, combined with a few lazy devs. It's like the installers that insist that you need to reboot, when it's just that they never bothered to check the package and see if any of it truly required a reboot or not. J.Ja