One of the most important consulting skills is the ability to prioritize and identify the most effective approach to meet the customer's or project's goals. The Pareto principle (also known as the 80:20 rule, or the law of the vital few) is critical to success and every professional consultant should be aware of it (and benefit from it). The Pareto principle allows us (consultants) to deliver something of value to the customer – it helps us identify what's important and what is not, and how to get maximum value with minimum resources. When you see a document with 100 recommendations, it's sometimes hard to identify what is really important and what's just a minor flaw or annoyance.

The Pareto principle also applies to security. While there are tons of articles and blog posts about securing your virtual desktop environment, ranging from very high-level to really low-level, are there any real essentials of securing your Windows environment (apart from the well-known recommendations like a patching strategy)?

To understand the message of the following article, we need to look at the past to understand why Windows was not considered a really secure operating system (which is not the case anymore; Windows XP SP2 played a major role in this change, followed by Windows Vista, critically acclaimed yet also a great SDL engineering milestone).

Years ago, there were three main entry points through which badware could infest your computer. The first case was viruses that spread through email (do you remember the Melissa and ILOVEYOU viruses?). The second common infection was the so-called drive-by viruses (or, to be more precise, drive-by spyware) – viruses that don't require any cooperation from the end users; Internet Explorer and some specific file formats (have you ever noticed that .HLP was removed later on?) were quite famous entry points. And of course, the number one winner of all time is badware that simply asked to be executed – and most of the end users simply decided to click on the tempting "Run" button. The end users usually represent the weak link, and it doesn't matter which operating system they are using.

Step no. 1 – You define the rules, not users
Is this actually the fault of the operating system itself? This is a topic that is still very hot even after all those years. Could any operating system be really secure if users have high permissions and willingly execute something? I personally don't think it's possible – so you must educate your users and, at the same time, restrict their permissions to the minimum required set.

This principle is called LUA – Least-privileged User Account. 6 years ago, I was involved in an article from Microsoft called "Applying the Principle of Least Privilege to User Accounts on Windows XP", which was the predecessor to Windows Vista UAC (at least I like to think about it that way), and I'm still a big supporter of the LUA principle. The principle of least privilege simply tells you to grant only those privileges that are really essential to that user's work.

This should prevent your users from damaging your environment, simply by removing the rights they don't actually need. The situation is much better these days (with new, hardened operating systems), but I can still see some administrators granting additional permissions just to fix crappy applications. Requiring permissions that are not needed is a bug. Treat it like one.

Step no. 2 – You choose which directories are safe, not users
Now, what's the next step – is it finally antivirus and firewall? Not really.

I've mentioned the viruses that spread through email in the past – why don't we see those anymore these days? Is it because of the antivirus deployed on all gateways and Exchange servers?

Based on my experience, the most important step to secure any email is to restrict the attachments – once this became common best practice, all those .exe and .vbs viruses simply disappeared (or maybe I'm living in a perfect IT world where these threats are no longer present).

Instead of simply fixing issues as they appear, you should proactively block them. So why shouldn’t you use the same approach when securing your desktops?

The most powerful weapon you've got in your hands to secure Windows desktops from the end users is Software Restriction Policies (SAFER). I cannot stress this enough – if you want to secure your desktop environment, start with SAFER. IF YOU WANT TO SECURE YOUR DESKTOP ENVIRONMENT, START WITH SOFTWARE RESTRICTION POLICIES.

Software Restriction Policies allow you to specify which locations are safe and which locations are not. They allow you to create very simple, yet powerful rules – "I want to allow users to run programs only from Windows and Program Files – ignore any other location". And it doesn't matter if it's the user profile, their USB key or a network share.
This is also called the whitelisting approach – you block everything, and then implement exceptions. As you can imagine, the blacklisting approach is the complete opposite: allow everything and block exceptions.

Secure by default

Step no. 3 – You choose what is in those directories, not users
So, users are allowed to run applications only from specified directories and they don't have enough permissions to change these rules – am I finally safe?
There is one more step needed – and this one is also critical. If you allowed your users to execute applications only from specified locations and you made sure they cannot change these rules, you must also guarantee that they are not allowed to add anything else to these folders. Otherwise, they could simply copy Solitaire to an allowed path and your policies are completely useless.

So, be sure that your users are not allowed to save anything to these special folders.
If you think this is common sense, be sure to check your C:\ drive permissions (on both XenApp and XenDesktop VMs) – by default, users are allowed to create new folders and files in the root of the C: drive (even on Windows 8). So don't forget to change this through Group Policy or any other method you prefer.
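To check the three steps above on a machine, here is an added audit script (not from the original post). It assumes SRP is applied through Group Policy (so the rules live under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), that "ordinary users" are represented by the well-known groups listed in the script, and that Get-LocalGroupMember is available (PowerShell 5.1 or later).

```powershell
# Added audit script (not from the original post). Assumptions: SRP is applied via
# Group Policy, and ordinary users are represented by the groups in $userGroups.
$saferKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$unrestricted = 262144   # 0x40000 = "Unrestricted" security level = the whitelist
$userGroups   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
                'NT AUTHORITY\INTERACTIVE'
# Rights that let a user drop a new file or folder into a directory
$writeMask    = [int][System.Security.AccessControl.FileSystemRights] 'CreateFiles, CreateDirectories'

function Resolve-SaferPath([string]$rule) {
    # Built-in rules look like %HKEY_LOCAL_MACHINE\...\CurrentVersion\SystemRoot%
    if ($rule -match '^%HKEY_LOCAL_MACHINE\\(.+)\\([^\\]+)%(.*)$') {
        return ((Get-ItemProperty "HKLM:\$($Matches[1])").($Matches[2])) + $Matches[3]
    }
    return [Environment]::ExpandEnvironmentVariables($rule)
}
function Test-UserWritable([string]$path) {
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $userGroups -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

# Step 1: who is a local administrator? Every entry here is a LUA exception to justify.
Write-Host '== Step 1: members of local Administrators =='
Get-LocalGroupMember -Group Administrators | ForEach-Object { "  $($_.Name)" }

# Step 2: is SRP in whitelisting mode (DefaultLevel = Disallowed) and what is allowed?
Write-Host '== Step 2: Software Restriction Policies =='
$allowed = @()
if (-not (Test-Path $saferKey)) { Write-Warning 'No SRP policy found - nothing is restricted' }
else {
    $defaultLevel = (Get-ItemProperty $saferKey).DefaultLevel
    if ($defaultLevel -ne 0) { Write-Warning "DefaultLevel=$defaultLevel: blacklisting, not whitelisting" }
    $allowed = Get-ChildItem "$saferKey\$unrestricted\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { Resolve-SaferPath (Get-ItemProperty $_.PSPath).ItemData }
    $allowed | ForEach-Object { "  allowed: $_" }
}

# Step 3: can ordinary users write into the allowed locations (or the drive root)?
Write-Host '== Step 3: user-writable whitelisted locations =='
foreach ($path in @("$env:SystemDrive\") + $allowed) {
    if (-not (Test-Path -LiteralPath $path -PathType Container)) { continue }  # wildcard or missing rule
    if (Test-UserWritable $path) { Write-Warning "Users can create files/folders in $path" }
    else { "  ok: $path" }
}
```

Run it elevated on a XenApp or XenDesktop image; a warning on the drive root reproduces the default C:\ permission problem described above.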

Is your environment really secure? Be aware of “Special permissions”

I like to call this approach "security ouroboros" – it's a very easy-to-implement way to tighten up your security, and until something breaks the circle, it's very solid. Of course, you should also implement all the other security measures – patches, firewalls, certificates, antivirus – but I find these 3 simple rules the most important when securing Windows desktops.

Martin Zugec