Montana Technical Solutions Website Development Design Maintenance Kalispell

Montana Technical Solutions Computer Workstation Security Primer

Local Workstation Best Practices

Local workstations on a corporate LAN represent an important attack vector for hackers. They are attractive to attackers because end users vary widely in their sophistication and practices. If enough end users are targeted, eventually some form of penetration will be achieved. Fortunately, it is not difficult to significantly improve the security of these network endpoints. Review the five points below to quickly and easily achieve improved security:

  1. Implement corporate policy requiring strong passwords on end user workstations and accounts.  Unsophisticated end users will complain, but most will actually comply.  This exercise is useful in identifying the truly vulnerable end users who are at most risk.  (HINT: they are the folks who struggle to create a strong password and need help entering it once it is implemented).  Work with them closely to further reduce your exposure.
  2. Review your backup and restore procedures.  Obviously backups need to be done regularly, normally daily, and stored securely, both on and offsite.  Have you tested your restoration procedures?  BE SURE your backup plan is working.  Even great vigilance can be undone via a single viral email or DNS-redirected web page.
  3. Review your anti-virus and safe browsing software from the workstation point of view. We assume your end users are behind a firewall appliance, or, at the very least, some form of network firewall software. Windows 10 offers the best workstation security for general purpose PCs, but be sure to review your Group Policy settings for Windows 10 configuration. For Windows 7, Defender is competent, but not entirely reliable. It requires extra effort, but using a combination of the best anti-virus solution with the best safe browsing solution is a ‘best of all worlds’ answer. Not only do your settings need to be complementary, the extra burden on your workstations is also non-trivial. So be it. We recommend taking the time and effort required to optimize this aspect of your workstations => that is what Group Policy is for!
  4. End user procedures. Are your end users adequately coached on ‘dos and don’ts’? Do they have reasonable access to help desk support if they have questions? Be sure they do! Don’t put them in a position of having to choose between not getting their work done and taking an unnecessary risk with, for example, a questionable email attachment, simply because they cannot reach tech support in a timely manner. It is IT’s responsibility to assist!
  5. Finally, end user procedures. Are your end users adequately coached on ‘dos and don’ts’? Yes, we are repeating ourselves here, but this is a broad topic. However, two main threat vectors exist for end users: email and web browsing/social media. Educate end users on both topics and insist that they do not surf non-SSL websites without explicit permission. Lock down their browsers and refuse to do business with those websites. If this is a new policy, set a deadline for implementation. The time is long past for permitting corporate employees to interact with insecure web sites on the public internet. Use the built-in browser security features of Edge, Chrome, Firefox, and/or Safari to assist in securing your network. As for email, Gmail offers security and convenience. If Gmail is not acceptable, use either a white label email hosting service set up by your internal IT staff or your IT consultants, or use a highly reputable third party email hosting service. Use great care in selecting your vendor; cost, convenience, reliability, and security vary greatly. Admittedly, this is a non-trivial approach, but necessary => there is a reason Gmail is so popular.

Follow these steps to greatly enhance your network end user security, reducing significantly your exposure to external attacks.   We overlooked #6 => keep your software up to date, but hopefully, in 2017, this is self-evident.  If not, we repeat, KEEP YOUR SOFTWARE UP TO DATE!
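Point 2 asks whether restoration has actually been tested. The PowerShell below is an added example, not part of the original primer: it restores nothing itself, but compares a test-restore folder against the live source by SHA-256 and reports files that are missing or differ. The function names, folder names and sample files are constructed for illustration.

```powershell
# Added example (not from the original page): verify a test restore by SHA-256.
function Get-TreeManifest {
    param([Parameter(Mandatory)][string]$Root)
    $rootPath = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\', '/')
    $manifest = @{}
    Get-ChildItem -LiteralPath $rootPath -Recurse -File | ForEach-Object {
        # Key each hash by the file's path relative to the tree root.
        $relative = $_.FullName.Substring($rootPath.Length + 1)
        $manifest[$relative] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Compare-RestoredTree {
    param([Parameter(Mandatory)][string]$SourceRoot,
          [Parameter(Mandatory)][string]$RestoredRoot)
    $source   = Get-TreeManifest -Root $SourceRoot
    $restored = Get-TreeManifest -Root $RestoredRoot
    foreach ($path in ($source.Keys | Sort-Object)) {
        $status = 'OK'
        if (-not $restored.ContainsKey($path)) { $status = 'Missing' }
        elseif ($restored[$path] -ne $source[$path]) { $status = 'Mismatch' }
        [pscustomobject]@{ Path = $path; Status = $status }
    }
}

# Constructed sample: a "live" folder and a simulated restore of it.
$work = Join-Path ([IO.Path]::GetTempPath()) "restore-test-$([guid]::NewGuid())"
New-Item -ItemType Directory -Force -Path "$work\live\reports", "$work\restored\reports" | Out-Null
Set-Content -LiteralPath "$work\live\ledger.csv" -Value 'id,amount', '1,100'
Set-Content -LiteralPath "$work\live\notes.txt" -Value 'meeting notes'
Set-Content -LiteralPath "$work\live\reports\q1.txt" -Value 'Q1 summary'
Copy-Item -LiteralPath "$work\live\ledger.csv" -Destination "$work\restored\ledger.csv"
Set-Content -LiteralPath "$work\restored\reports\q1.txt" -Value 'Q1 summ'   # damaged copy
# notes.txt is deliberately absent from the simulated restore.

$results = @(Compare-RestoredTree -SourceRoot "$work\live" -RestoredRoot "$work\restored")
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Status -ne 'OK' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) of $($results.Count) files failed restore verification."
}
Remove-Item -LiteralPath $work -Recurse -Force
```

Files edited since the backup ran will also show as a mismatch, so compare against a manifest captured at backup time when the source is in active use.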

Thanks for visiting!


Montana Technical Solutions Kalispell Website Design and Development

‘Your IT infrastructure and the data it supports are Mission Critical assets’

MTS is in the business of supporting small, medium, and large scale network infrastructure for clients from the public, private, and NGO sectors. We support our client base as they deploy scores of applications across thousands of end-user devices, in dozens of physical locations. Every day of the week, we respond to numerous support requests, most of which can be handled quickly and easily. To the casual observer and/or daily computer user, we do our best to make it look simple and easy. After all, end users and administrators have work to do, and that usually doesn’t involve adjusting the IT infrastructure, ensuring the security and integrity of the network, or deploying applications to dozens of desktops. In short, we do our job quickly and effectively so our clients can do theirs.

2500 PB of Data Move Over the Internet Daily…More Data Than Even Existed 30 Years Ago

Sometimes the apparent ease with which things get done can be deceptive.  How often are we inspired to hop up on the stage and emulate the performer after witnessing a great performance?  The performance seems so effortless it is as if it requires no skill at all.  However, whether the skill is a theatrical performance, or tuning a network of computers, the ease with which it appears to get done belies the underlying complexity and the specificity of the procedures that need to be followed to make it work in the first place and keep working well moving forward.

So it is with IT services.  Today’s networked environment has evolved over decades and now has the capacity to move as much data every single day as was even in existence 30 years ago.  The internet moves 2500 PB of data each day.  The sheer scale is incomprehensible in terms of quantity of data, let alone the sophisticated equipment and software protocols required to route that much data efficiently.

Our Goal Is Invisibility…Transparency to the End User

Further, today’s networks are under constant attack. As of 2013, the volume of automated internet traffic exceeded that of live traffic and this trend continues. In addition, directed attacks such as spoofing, phishing, man-in-the-middle, DDoS, and social engineering are routine. Monitoring networks for penetration, enacting defenses, and responding to threats and/or actual attacks are round-the-clock activities for MTS technicians. Any activity on the network that compromises security is potentially an existential threat to the operation of the network and the underlying data it supports.

Do It Yourself IT is not recommended by Montana Technical Solutions Kalispell Montana Website Design and Development

Add into the mix the end user. In a perfect world, the inner workings of the IT infrastructure are transparent to the end user – they neither know nor care how network engineers make things work. In more practical terms, we strive to offer end users a highly available, very secure, and easy to use network infrastructure. 90% of what we do is done ‘behind the scenes’, either in the local IT ‘datacenter’ or remotely from our offices. End users see approximately 10% of what MTS IT technicians do on a daily basis and sometimes may draw inaccurate conclusions about what it is we do and how we get it done.

This leads to a common request – elevated access privileges for the purposes of ‘minor’ tasks such as installing printers and software.

Did you know there is a right way and a wrong way to perform installation tasks?

Yes, it’s true, just like any routine maintenance task, installing applications, printers, and other software and hardware on your network needs to be done a certain way. Whether we like it or not, printers and printer drivers continue to be noticeable points of failure on all networks. It is common for improperly installed printer drivers to essentially disable one or more workstations on a network and possibly the printer itself.

Software installation is now a high-risk activity – applications must have execute permission in order to run, and an improperly installed software package can expose the network to direct attack. End users are certainly capable of running a software installation program, but most do not have the IT background to ensure a secure installation, which also works correctly in a network environment.

Don’t become a casualty

Over the past few years it has become a regular occurrence – news of a network intrusion and massive amounts of user data being compromised.  This is a serious problem with numerous consequences.  Often overlooked are the ground level personnel involved.  They are direct victims of the criminal activity, but unlike many crime victims, because of their professional position they are held accountable as responsible parties, not victims.  In other cases, there is no criminal activity, rather a problem has arisen with an organization’s IT infrastructure and we are called to assist.  Naturally, when the problem is serious enough, executives and administrators investigate and as part of this process they seek our opinion on ‘how it happened’.  There are always multiple contributing factors, but one we prefer not to identify is unnecessary elevated privileges.

In the IT world, there is a fundamental tenet of security known as ‘least privilege’. You can view the Wikipedia entry here. Put simply, each person, application, or process is given only the minimum level of access required to perform their necessary and approved function on the network. If any doubt exists we err on the side of caution. Naturally, this leads to the occasional circumstance where an end user is unable to complete a task without our assistance, but fortunately, this is not the norm.

Nevertheless, we field our share of requests for elevated privileges, i.e. administrator level access, on the part of end users and administrators. Consider carefully when asking for this level of access. Ultimately, that decision is made by the network owners, not by MTS, but do keep in mind that true Administrator-level access on today’s networks implies the ability to do virtually unlimited damage to the network and its assets, up to and including complete and irreversible data loss.

Consider carefully if the need for Administrator access truly outweighs the associated risks.  There are a number of alternatives available and we are happy to explore them with our clients.
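To see how far a workstation has drifted from least privilege, compare the members of its local Administrators group against an approved list. The PowerShell below is an added example, not MTS's own tooling: the function name, the allow-list and the sample accounts are hypothetical, and the sample stands in for the output of Get-LocalGroupMember so the script runs anywhere.

```powershell
# Added example (not from the original page): audit local Administrators against an allow-list.
function Find-UnapprovedLocalAdmin {
    param([Parameter(Mandatory)][object[]]$Members,
          [Parameter(Mandatory)][string[]]$ApprovedAdmins)
    foreach ($m in $Members) {
        $name = [string]$m.Name
        # Local accounts are reported as COMPUTERNAME\user; normalize them to .\user
        # so one allow-list works on every workstation.
        if ("$($m.PrincipalSource)" -eq 'Local') {
            $name = '.\' + ($name -split '\\', 2)[-1]
        }
        [pscustomobject]@{
            Name     = $name
            Class    = "$($m.ObjectClass)"
            Approved = $ApprovedAdmins -contains $name   # case-insensitive match
            # A group entry grants administrator rights to every member of that group.
            Note     = if ("$($m.ObjectClass)" -eq 'Group') { 'review group membership' } else { '' }
        }
    }
}

# On a real workstation (Windows PowerShell 5.1 or later), use the live membership.
# S-1-5-32-544 is the well-known SID of the built-in Administrators group:
#   $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
# Constructed sample standing in for that output; all names are placeholders.
$members = @(
    [pscustomobject]@{ Name = 'WS-042\Administrator';  ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith';        ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'WS-042\printer-setup';  ObjectClass = 'User';  PrincipalSource = 'Local' }
)
$approved = '.\Administrator', 'EXAMPLE\Domain Admins'   # hypothetical allow-list

$report = @(Find-UnapprovedLocalAdmin -Members $members -ApprovedAdmins $approved)
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning "Unapproved local administrator: $($_.Name)"
}
```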
