A few small tweaks can add up to a more secure desktop. Jack Wallen shares some simple precautions that will provide a bit more protection.
The desktop computer is the heart of business. It is, after all, where business gets done. But so much effort goes into securing our servers (and with good reason), that often the desktops are overlooked. That does not need to be the case. Outside your standard antivirus/anti-malware/firewall, there are ways of securing desktops that many users and techs might not think about. Let's take a look.
1: Patch that OS
Although many updates occur for feature-bloat, some updates do in fact happen for security reasons. One of the first things you should do, prior to deploying a desktop, is apply all the patches available for it. Do not deploy a desktop that has known, gaping security holes. If you are deploying a desktop that has not been fully updated, it will be vulnerable from the start. And this tip applies to all platforms, not just Windows.
2: Turn off file sharing
Those who must share files can ignore this tip. But if you have no need to share files on your desktop, you should turn this feature off. For Windows XP, click Control Panel | Network Connections | Local Area Connection Properties. From that window deselect File And Printer Sharing, and you're good. In Windows 7, open the Control Panel and then go to the Network And Sharing Center. Now click Change Advanced Sharing Settings in the left pane. From this new window, expand the network where you want to disable sharing and select Turn Off File And Printer Sharing. Done.
3: Disable guest accounts/delete unused accounts
Guest accounts can lead to trouble. This is especially true because so many users leave guest accounts without password protection. This might not seem like a problem, since the guest user has such limited access. But giving access to a guest user creates a security risk. You are much better off disabling the guest account. The same goes for unused accounts. This is such a common mistake. Machines get passed around from user to user in many businesses, and the old users do not get deleted. Don't let this happen to you. Make sure the users on your system are actually active and need access to the machine. Otherwise, you have yet another security hole.
4: Employ a strong password policy
This should go without saying. SHOULD. But how many times do you come across the word "password" as a password? Do not allow your users to make use of simple passwords. If the password can be guessed with little effort, that password should never be used. This can be set in server policies. But if you don't take advantage of policies, you will have to enforce this on a per-user basis. Do not take this lightly. Weak passwords are one of the first ways a machine is compromised.
5: Mark personal folders/files private
You can enable folder/file sharing on a machine but still have private folders. This is especially important for personal information. Some businesses might not allow personal files to be saved on desktop machines, but that's a rarity. If you work in a company that allows you to house personal data, you probably won't want your fellow employees to have access to it.
The how-to on this will vary from platform to platform (and is made even more complex by the various editions of the Windows platform). But basically, you change the security permissions on a folder so only the user has access to the folder. To do this, right-click on the folder and select Properties. From within the Properties window, go to Security and edit the permissions to restrict access to just the user.
I wish I could say there was a definitive way to make sure a desktop was 100% secure. But the only way to ensure that is to unplug it from the network and power it off. That doesn't make for a very efficient work environment. But if you follow these tips, those desktops will be more secure than they would be otherwise.
What additional measures do you recommend for improving desktop security?