Forgotten Security Tools
Posted 2005-12-21 19:00 by Christopher
One of the most forgotten security tools is one most of us already have on our networks: Microsoft Windows.
Most companies use only a fraction of Windows' security features. Small and medium businesses in particular can benefit from using the full functionality of the products they already have in place.
The following are just a few of the many free features your company may not already be using.
PKI (Public Key Infrastructure):
Starting with Windows 2000, Microsoft includes an optional Certificate Services role for servers. Using Certificate Services, you can issue X.509 certificates for SSL and authentication. It can be integrated with AD, and some certificate templates can be autoenrolled through Group Policy.
RADIUS server:
Microsoft's implementation of RADIUS for Windows servers is called Internet Authentication Services (IAS). The RADIUS server allows authentication, authorization, and accounting for wired, wireless, and remote access clients.
802.1X client:
Provides authentication for both wired and wireless networks. The 802.1X client is available in 2000 and XP and supports both EAP-PEAP and EAP-TLS (using the PKI Certificate Services above). Authentication and accounting are handled by the RADIUS server above (great how all of this ties in, isn't it?).
Windows Firewall (WF):
The new Windows Firewall is available for 2003 and XP (as part of SP2). WF blocks unsolicited incoming traffic by default and can be managed by Group Policy. It now protects systems from boot time onward, and it can control ports on a per-application basis.
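The following PowerShell is an added example, not code from the original post: it applies the posture described above (block unsolicited inbound on every profile, log what is dropped, carve out an exception tied to one program and one port rather than a bare open port) and then triages the dropped-packet log. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and an elevated session; the XP SP2 / 2003-era equivalent was `netsh firewall`, which exposes the same settings. The agent path, port and log lines are constructed placeholders.

```powershell
# Added example (not from the original post). Requires the NetSecurity module and an
# elevated session. The program path, port and sample log lines are constructed.

#Requires -RunAsAdministrator

function Set-BaselineFirewallPosture {
    # Block unsolicited inbound on every profile and log what was dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

function Add-ApplicationScopedException {
    param(
        [Parameter(Mandatory)] [string] $ProgramPath,   # assumption: full path of the listening binary
        [Parameter(Mandatory)] [int]    $Port,
        [string] $DisplayName = "Allow inbound for $([IO.Path]::GetFileName($ProgramPath))"
    )
    # An exception bound to a program and a single port, limited to the domain profile,
    # instead of an "open port for everything" rule.
    New-NetFirewallRule -DisplayName $DisplayName `
        -Direction Inbound -Action Allow -Profile Domain `
        -Program $ProgramPath -Protocol TCP -LocalPort $Port
}

function Get-InboundAllowRuleInventory {
    # Every enabled inbound allow rule with the program and port it is bound to, so
    # rules not scoped to an application ("Any") stand out during review.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Profile = $_.Profile
                Program = $app.Program
                Port    = $port.LocalPort
            }
        }
}

function Get-TopDroppedPorts {
    param([string[]] $LogLines, [int] $Top = 5)
    # pfirewall.log fields (space separated):
    # date time action protocol src-ip dst-ip src-port dst-port size ... path
    $LogLines |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |   # skip the #Fields header
        ForEach-Object {
            $f = $_ -split ' '
            if ($f[2] -eq 'DROP') { '{0}/{1}' -f $f[3], $f[7] }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object -First $Top Name, Count
}

# Constructed sample log lines (not real traffic) in the pfirewall.log layout.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-12-21 19:00:01 DROP TCP 10.0.0.5 10.0.0.10 3401 445 48 S 1234567 0 65535 - - - RECEIVE
2005-12-21 19:00:02 DROP TCP 10.0.0.5 10.0.0.10 3402 139 48 S 1234568 0 65535 - - - RECEIVE
2005-12-21 19:00:03 DROP TCP 10.0.0.7 10.0.0.10 4101 445 48 S 2234567 0 65535 - - - RECEIVE
2005-12-21 19:00:04 ALLOW TCP 10.0.0.7 10.0.0.10 4102 8443 48 S 2234568 0 65535 - - - RECEIVE
'@ -split "`r?`n"

Set-BaselineFirewallPosture
Add-ApplicationScopedException -ProgramPath 'C:\Program Files\Example\agent.exe' -Port 8443
Get-InboundAllowRuleInventory | Format-Table -AutoSize
Get-TopDroppedPorts -LogLines $sampleLog | Format-Table -AutoSize
```

To push the same settings through Group Policy rather than per host, the `Set-NetFirewallProfile` and `New-NetFirewallRule` calls accept a `-PolicyStore` parameter naming a GPO; the inventory function is the useful part to run periodically, since exceptions accumulate long after the software that needed them is gone.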
IPSec including domain isolation:
While IPSec is commonly deployed for remote access and site-to-site VPNs, it is useful for far more. Microsoft suggests its use for "logical isolation" of servers and domains. By implementing IPSec in transport mode, you can ensure that unauthorized systems cannot talk to open ports on servers without first authenticating (using Kerberos or X.509 certificates). IPSec can optionally encrypt traffic, depending on configuration.
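An added example (not from the original post) of the transport-mode isolation policy described above, built with the NetSecurity cmdlets available on Windows 8 / Server 2012 and later in an elevated session. The "require inbound, request outbound" shape is the same one the 2003-era IPsec policy snap-in and `netsh ipsec` produced; Kerberos machine authentication is used, with certificate authentication noted as the alternative. The rule display names and the exempt management subnet are constructed placeholders, and the claim that exemption rules take precedence over other connection security rules is Windows Firewall with Advanced Security's documented behaviour.

```powershell
# Added example (not from the original post). Requires the NetSecurity module and an
# elevated session. Display names and the exempt subnet are constructed placeholders.

#Requires -RunAsAdministrator

function New-DomainIsolationPolicy {
    param(
        # Hosts that must remain reachable without authenticating (e.g. a non-domain
        # monitoring probe). Assumption: one management subnet; adjust to your network.
        [string[]] $ExemptRemoteAddress = @('10.0.0.0/24'),
        [switch]   $Encrypt
    )

    # 1. Main-mode authentication: the machine's Kerberos identity from Active Directory.
    #    New-NetIPsecAuthProposal -Machine -Cert is the X.509 alternative for hosts that
    #    have no domain account.
    $authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
    $authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation - Machine Kerberos' `
        -Proposal $authProposal

    # 2. Quick-mode protection: integrity only (ESP with null encryption) by default,
    #    AES-256 when -Encrypt is given, since encryption is optional in this design.
    $encryption = if ($Encrypt) { 'AES256' } else { 'None' }
    $qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
        -Encryption $encryption -ESPHash SHA256
    $qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Domain Isolation - Quick Mode' `
        -Proposal $qmProposal

    # 3. Exemption: traffic to the management subnet is never forced through IPsec.
    #    Authentication exemption rules take precedence over the isolation rule below.
    New-NetIPsecRule -DisplayName 'Domain Isolation - Exempt Management Subnet' `
        -Mode Transport -RemoteAddress $ExemptRemoteAddress `
        -InboundSecurity None -OutboundSecurity None | Out-Null

    # 4. The isolation rule: inbound connections that do not authenticate are dropped,
    #    so open ports are only reachable by authenticated peers; outbound merely
    #    requests IPsec so this host can still reach non-domain servers.
    New-NetIPsecRule -DisplayName 'Domain Isolation - Require Inbound, Request Outbound' `
        -Mode Transport `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name
}

function Get-IsolationStatus {
    # The rules in place plus the live security associations: the SAs are how you
    # confirm peers actually negotiated IPsec instead of the rule sitting unused.
    [pscustomobject]@{
        Rules        = Get-NetIPsecRule -DisplayName 'Domain Isolation*' |
                           Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
        MainModeSAs  = @(Get-NetIPsecMainModeSA)
        QuickModeSAs = @(Get-NetIPsecQuickModeSA)
    }
}

New-DomainIsolationPolicy -ExemptRemoteAddress '10.0.0.0/24'
$status = Get-IsolationStatus
$status.Rules | Format-Table -AutoSize
'{0} main-mode SA(s), {1} quick-mode SA(s)' -f $status.MainModeSAs.Count, $status.QuickModeSAs.Count
```

Roll this out with outbound set to `Request` on servers first and watch the SA counts climb; only once every legitimate client is negotiating should inbound move to `Require`, because at that point an unauthenticated host simply gets no answer. Both `New-NetIPsecRule` calls accept `-PolicyStore` to write the rules into a GPO instead of the local store.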
Software Restriction Policies:
Software Restriction Policies can be used to prevent the execution of unwanted programs, either explicitly or with a default deny. As I've posted previously, using default deny to identify the good rather than the bad is a very effective technique for preventing unwanted malicious code. Good programs (or bad programs, if that's your thing) can be identified by hash, certificate, path, or zone.
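An added audit script, not from the original post, that reads the Software Restriction Policy a machine has received and reports whether it is actually a default-deny configuration and which hash, certificate, path or zone rules carve out exceptions. It assumes the documented `Safer\CodeIdentifiers` registry layout, where each rule is a GUID subkey under `<level>\<Paths|Hashes|UrlZones|Certificates>`; the level and hash-algorithm constants are the Windows SDK `SAFER_LEVELID_*` and `CALG_*` values, and the "broad path" heuristic at the end is my own, not something SRP itself flags.

```powershell
# Added example (not from the original post): audit-only, reads the machine SRP policy.
# Assumes the Safer\CodeIdentifiers registry layout; constants are from the Windows SDK.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$LevelNames = @{
    0      = 'Disallowed'    # SAFER_LEVELID_DISALLOWED
    131072 = 'Basic User'    # SAFER_LEVELID_NORMALUSER   (0x20000)
    262144 = 'Unrestricted'  # SAFER_LEVELID_FULLYTRUSTED (0x40000)
}
$HashAlgNames = @{ 32771 = 'MD5'; 32772 = 'SHA1'; 32780 = 'SHA256' }  # CALG_MD5 / CALG_SHA1 / CALG_SHA_256

function Get-SrpRule {
    # One object per rule: <root>\<level>\<Paths|Hashes|UrlZones|Certificates>\<GUID>.
    param([string] $Root = $SaferRoot)
    foreach ($levelKey in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $level = [int] $levelKey.PSChildName
        foreach ($typeKey in Get-ChildItem -Path $levelKey.PSPath) {
            foreach ($ruleKey in Get-ChildItem -Path $typeKey.PSPath) {
                $p = Get-ItemProperty -Path $ruleKey.PSPath
                $data = switch ($typeKey.PSChildName) {
                    # Hash rules store the raw digest as REG_BINARY plus the algorithm id.
                    'Hashes' {
                        $hex = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                        '{0}:{1}' -f $HashAlgNames[[int]$p.HashAlg], $hex
                    }
                    # Path rules hold a REG_EXPAND_SZ path; zone rules hold a zone id.
                    default { [string] $p.ItemData }
                }
                [pscustomobject]@{
                    Level       = $LevelNames[$level]
                    Type        = $typeKey.PSChildName.TrimEnd('s')
                    Rule        = $data
                    Description = $p.Description
                }
            }
        }
    }
}

function Test-SrpPosture {
    param([string] $Root = $SaferRoot)
    $cfg = Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue
    if (-not $cfg) { return [pscustomobject]@{ Configured = $false } }
    $rules  = @(Get-SrpRule -Root $Root)
    $allows = @($rules | Where-Object Level -eq 'Unrestricted')
    [pscustomobject]@{
        Configured    = $true
        DefaultLevel  = $LevelNames[[int]$cfg.DefaultLevel]
        DefaultDeny   = ([int]$cfg.DefaultLevel -eq 0)
        AppliesToDlls = ([int]$cfg.TransparentEnabled -eq 2)   # 1 = skip DLLs, 2 = all files
        SkipsAdmins   = ([int]$cfg.PolicyScope -eq 1)          # 0 = all users, 1 = all but local admins
        AllowRules    = $allows.Count
        # Heuristic (mine, not SRP's): unrestricted path rules with wildcards or
        # user-writable trees let anyone place an executable where default deny no longer applies.
        BroadPathAllows = @($allows | Where-Object {
            $_.Type -eq 'Path' -and $_.Rule -match '[*?]|%USERPROFILE%|\\Users\\|\\Temp\\'
        }).Rule
    }
}

Test-SrpPosture | Format-List
Get-SrpRule | Sort-Object Level, Type | Format-Table -AutoSize
```

`DefaultDeny` false, `SkipsAdmins` true, or any entry under `BroadPathAllows` are the findings worth acting on; the rule listing itself is what you diff after a Group Policy change to confirm the exception you intended is the only one that arrived.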
Group Policy and GPMC:
Group Policy can be used to implement and manage all of the above, and much more. An effective Group Policy can prevent modification and abuse of desktops and servers by enforcing a "pristine image" concept. GPMC unifies Group Policy management and works with both 2000 and 2003 directories.
