Securing Desktop Clients Tutorial

5.1 General Client Security

During the next few sessions we're going to discuss client security. We'll look at how to connect and secure various clients on a wireless network, configure their settings, and so forth. Before we get into that, let's discuss some general wireless client security. The reason we want to talk about this is that not only is it important to make a secure connection using the right encryption levels and so forth, it's also important to secure the client itself, because often it may not be the wireless network that's the cause of issues. It may be other things, such as malicious software or a bad configuration on a client, or even, sometimes unknowingly, the users themselves. So let's go over some quick general things that you should do to secure your wireless clients, in most cases even before connecting them to the network.

Clients ought to be secured whether they are stationary or mobile. Obviously, mobile clients such as tablets and cellphones have their own security considerations. Stationary clients do as well: even though they don't travel, physical security is still important, and there are other issues you should address with both types of clients. All clients, stationary and mobile, should be secured to the highest level possible that is compatible with the network. Given the network's security level, the client should meet at least that level. The weakest client on the network is a weak spot on the network and could allow malicious traffic or malicious users to get in; the chain is only as strong as its weakest link. So make sure all of your clients are secured to that high level. If you have legacy clients on your network, they typically will be unable to support higher levels of security.
For example, legacy Windows clients such as Windows 2000 probably won't be able to support some of the newer security features found on a wireless network, things like WPA and WPA2, or even 802.1X authentication. These clients should be replaced whenever possible. Hardware is also an issue with legacy clients, because some hardware, such as 802.11b cards, only supports WEP and probably can't converse with the network using those higher-level security protocols. Either way, the hardware or the client has to be replaced, because again they're the weakest link in the chain. Not only would you have to take the network security down to a common level to allow those clients to connect, but that would also be a way into your network that you do not want.

When we're talking about higher-level security, we're talking about using things like WPA and WPA2 for SOHO (Small Office/Home Office) clients, and in a large enterprise you want to use these as well. We also want to look at using 802.1X authentication for enterprise users. This requires certificates most of the time, it requires some setup on your part, and it requires an infrastructure: a remote access server or a network access control server, for example, and even a certificate server to issue certificates to users and clients. In addition to those measures, we also want to use complex device passwords, both on the wireless access points and on the clients themselves. Now typically, as I mentioned, legacy clients can't support higher-level security protocols. Legacy clients also can't support longer passwords, so you definitely want to look at replacing them for that reason as well.

Now in terms of logging and auditing, whenever you can, try to enable auditing and logging on client devices. This will be a little more difficult.
You will typically have to have some sort of centralized logging function that will allow you to collect those logs from the clients, or you may just have to visit each client on a periodic basis. What you're looking for on a client, obviously, is user access and connection entries in the logs. If you don't audit these logs, it does you no good to log them in the first place, so you might want to set up a schedule or some kind of method for collecting the logs and auditing and analyzing them. Network device auditing is very important as well, because you want to be able to look at the network device logs and determine when clients connect and who connects. You also want to determine if there are any unsuccessful connections, because this might indicate someone trying to attack your network. So use logging on client devices and audit client device connections to the network as well.

In terms of general client security, which, as I said, is very important because it may not be the wireless connections themselves that are insecure, there are things on the client that you have to worry about. Security patches would obviously be one of those things. If your client is not patched regularly and has not been updated to the latest security patches, you need to do this, because flaws in the operating system and security holes in applications can lead to network compromise. Along with that, secure configuration of your clients is important. You want to make sure that they're secured in terms of network communication, encrypting data when necessary, user authentication, and so forth. So make sure you lock down those systems. Some other issues, which we'll look at a little more closely as we go through the next several sessions, include physical security control of both stationary and mobile devices. We also want to look at policy enforcement, because security policy is where everything starts.
When you don't have a policy, you have nothing to enforce and nothing to secure against. Network security, obviously, is also an important consideration: locking down your network devices, using security protocols, and so forth. I will discuss that a little bit as we go through the course as well. And finally, we'll talk about user security in a short while, because users, the folks who use the devices, are also insecure to a small extent. And while it's hard to secure a user, since you can't lock one down or configure one, there are some things you can do to get your users to help you maintain the security of the network. So we'll talk about that in depth as well.
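The connection and failed-authentication audit described above, as an added example that is not part of the course: it runs over constructed access point log lines (loosely modelled on hostapd messages relayed through syslog; not captured data, MAC addresses made up) and separates the one-off mistyped key from a burst of failures from a single client.

```python
"""Audit AP log lines for successful client connections and for clients
that repeatedly fail authentication (the "who connected, who kept failing"
check the section recommends)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, loosely modelled on hostapd messages as relayed by
# syslog. These are not captured lines, and the MAC addresses are made up.
SAMPLE_LOG = """\
Mar 10 09:01:12 ap1 hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated (aid 1)
Mar 10 09:01:13 ap1 hostapd: wlan0: AP-STA-CONNECTED 00:11:22:33:44:55
Mar 10 09:03:02 ap1 hostapd: wlan0: STA 11:22:33:44:55:66 IEEE 802.11: associated (aid 2)
Mar 10 09:03:03 ap1 hostapd: wlan0: STA 11:22:33:44:55:66 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
Mar 10 09:03:40 ap1 hostapd: wlan0: AP-STA-CONNECTED 11:22:33:44:55:66
Mar 10 09:05:40 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: associated (aid 3)
Mar 10 09:05:41 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:ff WPA: invalid MIC in msg 2/4 of 4-Way Handshake
Mar 10 09:05:50 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:ff WPA: invalid MIC in msg 2/4 of 4-Way Handshake
Mar 10 09:06:04 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:ff WPA: invalid MIC in msg 2/4 of 4-Way Handshake
Mar 10 09:06:19 ap1 hostapd: wlan0: STA aa:bb:cc:dd:ee:ff WPA: invalid MIC in msg 2/4 of 4-Way Handshake
Mar 10 09:07:00 ap1 kernel: unrelated line that the parser should skip
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ hostapd: (?P<msg>.*)$")
CONNECTED_RE = re.compile(r"AP-STA-CONNECTED " + MAC, re.I)
FAILED_RE = re.compile(r"STA " + MAC + r" WPA: invalid MIC", re.I)


def parse_line(line, year=2024):
    """Classify one log line as a connection or a handshake failure.

    Returns (timestamp, event, mac) or None for lines we do not audit.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    hit = CONNECTED_RE.search(m["msg"])
    if hit:
        return ts, "connected", hit.group(1).lower()
    hit = FAILED_RE.search(m["msg"])
    if hit:
        return ts, "failed", hit.group(1).lower()
    return None


def audit(log_text, threshold=3, window_seconds=60):
    """Count connections per client and flag any client with `threshold` or
    more handshake failures inside a `window_seconds` span.

    A single failure (a mistyped key) is normal; a burst from one MAC is the
    pattern worth following up on."""
    connected = defaultdict(int)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, mac = parsed
        if event == "connected":
            connected[mac] += 1
        else:
            failures[mac].append(ts)

    suspects = []
    for mac, times in failures.items():
        times.sort()
        # Sliding window: the i-th failure and the one (threshold-1) places
        # before it bracket exactly `threshold` failures.
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_seconds:
                suspects.append(mac)
                break
    return {
        "connected": dict(connected),
        "failures": {mac: len(t) for mac, t in failures.items()},
        "suspects": sorted(suspects),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for mac, n in sorted(report["connected"].items()):
        print(f"connected  {mac}  x{n}")
    for mac in report["suspects"]:
        print(f"SUSPECT    {mac}  {report['failures'][mac]} handshake failures")
```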

5.2 Legacy Clients

Let's talk about legacy wireless clients now. When we discuss legacy clients, we're talking about older devices, such as personal digital assistants, or PDAs, and older Windows operating systems like 2000 and XP. Of course, you'll also see very old Windows versions out there, like Windows 95, 98 and even ME. You may also see older Linux and Mac clients. Now these older operating systems typically cannot support newer security levels, things like WPA/WPA2 (Wi-Fi Protected Access) and 802.1X. However, we still see a lot of people using these older clients in their homes and small businesses. For some reason, they just can't give them up, upgrade them, or replace them. A lot of these operating systems only support lower levels of security, things like WEP or open and shared authentication. We also have older wireless hardware out there that may run on some of these OSes, and some of this older hardware may only support legacy wireless technologies: the original 802.11 specification and 802.11b. Obviously these older cards can also only support things like WEP.

Now the best practice, of course, is to replace these clients or upgrade their cards and their OSes if that's possible. But it's not always possible, due to budget constraints or maybe legacy applications that you have to run on the box, so you have to maintain it. If you can't replace it, there are some other things you really should do to make these clients a little more secure. It won't be perfect, and you can't make them as secure as newer clients, but it can help. Some of the other security mitigations you might think about include using IPsec, SSL, or SSH in addition to and on top of WEP; that would help you protect communications during transmission. You also might look at encrypting any data that resides on the device, data in storage that is not being processed. You might use something like Windows EFS or even a third-party tool like TrueCrypt.
Obviously, you would want to use complex passwords on the device to prevent password cracking. Another thing is, if you have to have these legacy clients, try to use them for very limited purposes. Don't store sensitive data on them, as much as possible, and only use them for the legacy applications and uses that you absolutely require. If you have other things going on, like email, internet surfing, web, and other applications, try to port those to newer devices. There are also a lot of third-party tools out there that can help you secure these legacy wireless clients, mostly in terms of configuration on the box and in terms of network communications.

Let's go ahead and look at configuring a legacy client. We'll look at configuring Windows XP, as a matter of fact. We're looking at a Windows XP desktop, and the first thing you'll notice at the bottom is that wireless networks are detected, so we know that there are some in range of the wireless card that we have. So let's just click this, and we'll see various wireless networks listed on the box here. Now obviously we're not going to try to connect to any of these, we're not supposed to, but there's one in particular we are going to try to connect to: the one labeled VTC, which has a very strong signal. Now this little box really doesn't tell you a lot, but it can tell you what networks are around and also the security level that they are using. So you can use this a little bit in terms of war driving and just scanning to see what wireless networks are out there. So let's try to connect to this particular wireless access point. We're going to need to put the password in, and this is a WPA key, and we're going to say Connect. Sometimes this can take a little bit of time to connect, so we'll be a little patient here. It's acquiring the network address, and it's connected. So not a problem at all.
Now obviously Windows XP has the Wireless Zero Configuration service. We can disable that and use third-party tools such as those that might come along with a wireless card, if you have those; they can give you a wide variety of security options as well. But if not, you can also use the built-in Windows Wireless Zero Configuration service, as we just did. So now we've configured a Windows XP legacy client to connect to the wireless network using WPA.

5.3 Securing Windows 7 and 8

Now that we've discussed securing a legacy client such as Windows XP, let's talk about securing newer clients such as Windows 7 and 8. Windows 7 and 8 are very different operating systems, and as such they have very different interfaces and configuration methods. However, the same principles apply. They'll check the wireless access point to see what level of encryption is required and what other connection information they need to make the connection, and then typically you'll configure them for WPA, WPA2 or, unfortunately, sometimes even WEP. Let's go ahead and take a look at how to configure secure wireless connections on both Windows 7 and Windows 8.

Okay, we're on our Windows 7 desktop. If we take a look at the connection icon down here in the lower right-hand corner on the taskbar and click on it, we can see that there are a wide variety of wireless networks available that Windows detects. If we click on VTC, we can see that the Connect automatically check box can be checked or unchecked. We're going to go ahead and leave it checked so that Windows will build a profile for this network, and it'll be available to us the next time we want to connect to it. Let's go ahead and click Connect. It's going to get information from the VTC wireless access point that includes encryption information and other connection data. It's going to prompt us for the security key next, and I'm going to put in the security key, and you're going to see that it is a very simple, insecure network security key. That's intentional, because later on in the course I want to show you how easy it is to crack WEP when WEP is using a very simple, insecure key. So let's say OK to that, and it's going to connect to the VTC wireless access point. Now you'll see down here on the little icon, after it connects, that there's a little yellow exclamation point. What this means is that there's no internet connection; our access point is not connected to the internet.
So if we click that, let's go ahead and open Network and Sharing Center, and I want to show you Manage Wireless Networks. I want to look at the profile for the network we just connected to. If we double-click it, we're going to see some information about the VTC wireless network. This information obviously covers the name, the SSID, and so forth, but it's the Security tab I want to show you, because it demonstrates the capabilities of Windows 7 in terms of connecting to wireless networks at different security levels. If we look at Security type, we'll see that we have a wide variety to choose from, including no authentication at all, shared, both versions of WPA and both versions of WPA2 (Personal and Enterprise), as well as 802.1X. So Windows 7 can natively support those advanced authentication and encryption methods, if the wireless access point calls for them and supports them as well. Another option here, in the encryption type drop-down box, is TKIP or AES. It defaults to TKIP, primarily because WPA uses TKIP. WPA2 can use AES, or it can also use TKIP for backwards compatibility, so it allows us to choose either one if we like. We can also show the characters of the network key or turn that off, so that they're obscured. So that's basically how to connect to a wireless network in Windows 7.

Okay, now we're in Windows 8, and we're going to go ahead and connect to the VTC wireless network. Now we've connected to it before, so we may not be prompted to put in the password or the network key. Let's go ahead and see what we get. In Windows 8 we get a sidebar that pops up, very convenient for us, and it shows all the different wireless networks we can connect to. Let's click on VTC. We have the option to connect automatically, so let's check that, and we can click the Connect button as well.
Now again, it's going to communicate with the VTC wireless access point, and if it doesn't have any issues it's going to prompt for a network connection. It's going to look at it, see what the encryption levels are, and go ahead and connect. It's telling us that it's taking longer than usual, and that's okay. So we've connected to the VTC network, and if we want to we can right-click on that connection and click Properties. When we click that, we'll get a pop-up box that basically describes the properties of that particular connection, and that's what we want to see. We'll see the TCP/IP properties here, of course, showing all the different TCP/IP information we might want. And if we go ahead and click on Wireless Properties here... we lost the connection. There we go, we're connecting back. One thing about Windows 8 is that it is a little bit resilient and will try to reconnect if a connection is lost, so let's see if it actually does that. Let's come back over here and get our properties again. Here's what I want to show you. Just like the Windows 7 connection, we have a Security tab that shows us pretty much the same thing. There are a couple of differences, such as the option of connecting with the Intel CCKM enterprise authentication method. That's beyond the scope of this course, but you do have that option. We also have TKS. It's very similar to what Windows 7 shows in its capabilities to connect to different authentication and encryption methods. So that's essentially how to connect to a network in Windows 8 and, prior to that, Windows 7. Very similar, even though they're different operating systems.

5.4 Securing a Linux Client

Now that we've looked at Windows, let's talk about configuring a secure wireless connection on Linux clients. I'm going to use the BackTrack 5 Release 3 virtual machine that we've already got in place for the course. It is based upon Ubuntu, so you will see a lot of similarities between it and Ubuntu, and they both can use the same methods to connect. Another thing about Linux: since it's more flexible than Windows, it offers many more connection options. There's so much more you can do with a wireless connection in terms of configuration than you can with Windows. Understand that between different distributions of Linux there may be different methods to connect, so by all means use your favorite brand or distro of Linux and study the way it connects in terms of securing a wireless connection. You can configure wireless connections in Linux at both the shell prompt and the GUI, of course, depending on your preference. Typically, if you're going to do it from the shell prompt, you require all the information, such as the BSSID, the key, and so forth.

Now let's go ahead and take a look at configuring a secure wireless Linux connection. We're going to look at BackTrack 5 Release 3 and actually connect to a wireless network with it. Okay, I'm in BackTrack 5 Release 3. Let's do this the easy way first, for those of us who like GUIs and are used to Windows; we'll have plenty of time to spend at the command line later, I promise. Let's go to Applications, then Internet, and look at the Wicd Network Manager. That's probably the easiest way to connect to a wireless network when you're using an Ubuntu-based distribution such as BackTrack; regular Ubuntu has a network manager as well, and you can download Wicd for other Linux distros. It shows you the wired network connection, but it also shows you the various wireless connections it comes up with, pretty much some of the same ones we've already seen.
But we're of course targeting the VTC wireless access point. If we choose to automatically connect to the network, we can click that here, and we can click Connect. And it says that the network requires encryption to be enabled. Notice it alerted us to that, whereas Windows didn't really tell us a lot. We have different options we can put in here. Again, I told you that Linux has a wider variety of selectable options than Windows does: we can use a static IP, static DNS, and so forth. Let's go ahead and make it simple and put in the passphrase, which we know is "password", and say OK to that. Hopefully in a minute, after we click the Connect button here, we're going to see that it's connected. It's going to take a little bit of time to connect; it's negotiating, obviously, with the encryption method, and it should be connected in just a moment. It's getting an IP address. Once you see that it's got an IP address, it's pretty much connected, and you can be assured that you have a good connection.

So we're connected to the VTC network; let's look at Properties. Basically that's the same box we just got. We see the key here, which is now grayed out. If you look at some of the other options here, we see a lot more options than we saw in the Security tab of Windows. We have the option of using WPA 1 or 2, with a passphrase or a pre-shared key. We can put in WEP, with a hexadecimal key or a WEP passphrase. We can use WEP shared and restricted. We can even use weird protocols that we haven't talked about or haven't seen so far: LEAP, TTLS, EAP, PEAP, and so forth. So there are a lot of different options here, as we've said, that Linux offers and Windows does not. Let's click off of this and say OK, or Cancel rather. Now let's go ahead and take a quick look at the command line. What I want to show you is the "ifconfig" command, and we've got some information down here.
"wlan0" is what we're looking for, even though we can see all our network connections here. We can see wlan0, and that's the IP address we got, along with different information about the connection itself. And we're connected to the VTC server, obviously, so we have a connection there. Now if we wanted to do a configuration for wlan0 manually, we could type ifconfig wlan0 and then put in the IP address, the netmask, and so forth. I'm not going to do this since we already have a good configuration. Another method we can use is to look at iwconfig. If we look at that, we see a little bit more information than we saw with ifconfig. ifconfig primarily looks at every network interface and doesn't really give you a lot of wireless information. If we run iwconfig, on the other hand, it gives you a lot more information, such as the ESSID, what mode it's in, the frequency it's using, the access point MAC, and so forth. So it gives you a little more wireless-specific information. That's essentially how to configure a typical Linux client. Even though we used BackTrack, you could use Ubuntu or CentOS or Red Hat or Fedora or whatever you like, and a lot of it would be pretty much the same thing. It depends on your favorite version or distro of Linux. Now we've looked at configuring various clients for a secure wireless network connection.
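The shell-prompt side of this section, as an added example that is not from the course or from BackTrack: the client-side WPA2 pre-shared key derivation that wpa_passphrase performs (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID), wrapped in a wpa_supplicant network block that pins the access point by BSSID and allows only AES-CCMP. The SSID is the course's VTC network; the passphrase and BSSID are made-up values.

```python
"""Derive a WPA/WPA2-Personal pre-shared key from an SSID and passphrase and
emit a wpa_supplicant network block for a shell-prompt configuration.

The derivation is the one the 802.11 standard specifies and wpa_passphrase
performs: PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, 256-bit
output."""
import hashlib

# Assumed values for the demonstration: the SSID is the course's network,
# the passphrase and BSSID are made up.
DEMO_SSID = "VTC"
DEMO_PASSPHRASE = "Wren-Quartz-Lantern!9"
DEMO_BSSID = "02:00:00:aa:bb:cc"


def check_passphrase(passphrase):
    """Apply the 802.11 passphrase rules: 8 to 63 printable ASCII characters.

    The rule is a floor, not a strength test: "password" passes it, and it is
    exactly the kind of key the course warns against."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return True


def derive_psk(ssid, passphrase):
    """Return the 32-byte PSK as 64 hex characters, the form psk= accepts."""
    check_passphrase(passphrase)
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return key.hex()


def network_block(ssid, passphrase, bssid=None):
    """Build a wpa_supplicant network block restricted to WPA2 (RSN) with CCMP.

    Storing the derived hex PSK rather than the quoted passphrase keeps the
    human-chosen secret out of the config file; an optional bssid= pins the
    client to one access point so it will not join a different AP that
    merely advertises the same SSID."""
    if '"' in ssid:
        raise ValueError("SSIDs containing a double quote need hex encoding, not handled here")
    lines = ["network={", f'\tssid="{ssid}"']
    if bssid:
        lines.append(f"\tbssid={bssid}")
    lines += [
        "\tkey_mgmt=WPA-PSK",
        "\tproto=RSN",        # WPA2 only; a WPA-only legacy AP would need proto=WPA RSN
        "\tpairwise=CCMP",    # AES, never TKIP
        "\tgroup=CCMP",
        f"\tpsk={derive_psk(ssid, passphrase)}",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(network_block(DEMO_SSID, DEMO_PASSPHRASE, DEMO_BSSID))
```

The output is what you would paste into wpa_supplicant.conf before bringing wlan0 up with wpa_supplicant and a DHCP client; the IEEE 802.11 Annex H test vector (SSID "IEEE", passphrase "password") can be used to confirm the derivation.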

5.5 Physical Security

One aspect of client security we really need to address is physical security. Clients really need to be physically protected; I can't emphasize this enough. There's a saying in the hacker community that if you can get physical access to a device, you own the device. It doesn't matter what other technical considerations or protections are in place: if you can touch the device, it's yours. Now when we talk about client security in terms of physical protections, you might think we're just talking about mobile devices. Well, that's not true. Obviously, stationary devices require physical protections as well, although it seems to be easier to secure stationary devices, because they may be in a locked room where there are people physically present, or at least they don't travel around, so it's hard to lose them. So we are talking about mobile devices, but keep in mind that stationary devices require physical protection as well.

Physical security is one of those things where user responsibility is extremely important. The user who uses the device, who it's been issued to, who typically walks around with it or uses it in an office, has the full responsibility for physical security. So it's so important that this probably needs to be spelled out in the acceptable use policy or some other policy that indicates what the user's responsibilities are. One of the responsibilities they would have as a user is to maintain physical control of the device at all times. In other words, they need to know where it is. If they take it home, or on the road to a hotel, they need to have positive physical control. It needs to be locked up. They don't need to be leaving it on the front seat of their car with the car wide open, and so forth. They need to know where the device is at all times. You also need to make sure it's spelled out in the policy that they cannot allow others to use the device.
Simply because if others use it, even a friend, a child, a co-worker or a spouse, those people might not be using the device the way it should be used, and that could compromise your internal network. You want to maintain a formal equipment program, so that you inventory and keep track of equipment through the use of serial number control, issuing out equipment and having people sign for it, and so forth. That protects you, because when they sign for it, they're liable for it, and they're more likely to protect the equipment itself. Also, you know what's out there: you know who has what, and if something gets lost, you are aware of it. You want to make sure that the equipment is properly labeled with your organization's information. So you might put one of those bar codes on the back of a cellphone, for example, or a tablet, that contains your company name and a serial number or a tracking number. When possible, you want to use or keep equipment only in areas where authorized users work. Now obviously with tablets and cell phones, as well as laptops, that's probably not going to be the case, because those devices are intended to travel. But stationary equipment doesn't need to move from room to room. And whenever possible, if you're using sensitive information on the network with those mobile devices, they probably should stay in the workplace for use. But you're probably just going to have to take that as it comes and play it by ear. You want to maintain a secure wireless working area whenever possible. By this I mean that if you have teleworkers, for example, who come into your office occasionally to do work, they probably don't need to just sit out in the parking lot. Have a secure wireless area where they can come in, authenticate to the network, sit together at hotel desks, so to speak, and use the wireless network from that point.
It helps you because you can physically secure the wireless area, and you can secure the access points a little bit better. You don't have to have them broadcasting out into the parking lot; they can be in a centralized portion of the building, where they need to be. You probably want to limit the sensitive data that's used, processed and stored on mobile devices as much as you can. Obviously, devices are going to travel, and for that reason, since you can't realistically keep them restricted to the work area, at least restrict the data that gets processed on them. Maybe they use the mobile devices for email or to VPN back into the company network, but still try to limit the sensitive data that's on there, so that if they are lost or stolen, at least the sensitive data didn't go with them. That's one way of limiting your risk. One thing you can also do with mobile devices and stationary devices is use warning banners and notifications, and you'd want to do this during device access and authentication. This reminds the users of their responsibilities, it warns unauthorized users that they can't use the device, and it basically serves as a legal protection for you. It obviously won't stop a determined malicious person from getting into the device if they really want to, but it serves to protect you legally. Now one more thing you need to do, and you might not think this affects physical security, but it does, is use enterprise-level authentication for mobile users: things like VPNs and 802.1X authentication, certificates and Network Access Control devices. How this affects physical security is that, if the device is lost or stolen or left in a hotel somewhere, it makes it that much harder for a malicious user or an unauthorized user to get into your network. So the physical protections for getting into your network are on the device itself, and they are technical protections.
Speaking of technical protections, there are some additional things you can do from a technical perspective to protect the physical aspects of a device, because devices are going to get lost and stolen. You would put technical measures on there such as encrypting the hard drives, and enabling remote wipe in case the device is stolen, so that when the device is activated you could trigger that remote wipe capability. Obviously use complex logins, passwords, and authentication methods to protect the device from being accessed as well. Another thing you can do is enable remote tracking on devices that have the capability. A lot of mobile devices can use GPS for this, so that you can monitor them and don't lose them without knowing where they are. So if they have that capability, definitely enable it.

5.6 Security Policies and Enforcement

Let's take the opportunity to discuss security policies and how they are enforced. This doesn't have to do only with configuring wireless clients, although we're coming off a discussion of how to configure wireless clients securely. Security policies actually affect users, the entire network infrastructure and the entire organization, so it's important to talk about them a little bit. Policies basically are the governance of an organization. They're the rules; they tell us what we have to do. Policies by themselves don't make things happen; you have to have procedures and standards in place that implement the policies. Procedures detail how you're going to do something, while standards typically define to what degree. So let's say, for example, that you have wireless policies. One wireless policy might be that you have to use strong encryption and strong authentication methods, and that may be all it says. The procedure would detail how you're to configure that on a client device and on the network. The standard would say to what degree; for example, your standard may be that you must only use WPA2 and 802.1X authentication. So obviously there are some wireless policies out there that we should have in our organization and implement, and we should back those up with solid network procedures and standards.

Security policies are obviously very important for the entire organization, but let's talk about how they affect wireless clients and users in particular. Policies can tell us what is and is not acceptable. For example, we may have to have a particular level of encryption or authentication on the network. The policy would tell us that we have to have that, and anything less is not acceptable. It may also detail the responsibilities that users, administrators and managers have with regard to organization resources, such as file shares, printers, and other organization resources.
Also our responsibilities towards equipment: maybe mobile devices, maybe servers, and so forth. Policies will also typically spell out the consequences for non-compliance. So if someone does not obey a policy or does not meet the standards that the policy sets out, there could be consequences. These may be administrative consequences, such as docking their pay or firing them, but there may be legal consequences as well.

Now let's focus on policies that usually apply to wireless clients in particular. Some of these probably also apply to other aspects of the network infrastructure, but let's talk about them in terms of wireless. One policy that's very important, and it really stretches across your entire network, is your acceptable use policy. The acceptable use policy tells users what they can and can't do on the network: that they have to have passwords that meet certain complexity requirements, that they can or cannot access certain resources, and so forth. This is probably one of your more important policies, because users are the thing that is most difficult to secure on the network. You can't just patch a user or configure one, so you have to have a policy to take care of user security. Another important policy is mobile device use. You might have a policy that discusses company mobile devices: that the company owns the devices, what kind of information can be stored, processed or transmitted on them, how you will physically take care of them, how they're inventoried, and so forth. Another policy that we're seeing more and more in networks and organizations today is the BYOD, Bring Your Own Device, policy. A lot of organizations are finding it cost-effective to have users bring their own devices, and users can use their own personal devices to check their own email and so forth. That sounds great from a cost-savings perspective, because the company's not out any money.
However, problems arise when there's sensitive data on those devices and the user controls it, and the organization can't control the security levels of the devices. So that can be an issue. You need to have a policy that spells out the conditions under which users can use their own devices, what data can be stored, processed or transmitted on them, and what security requirements the user must obey in order to use their device. Maybe they need to consent to a scan, for example, if they're using their own laptop. Maybe they need to consent to the company IT security department putting security software on there. So obviously you need a policy before you allow this, because it could be an issue in your wireless network. Other policies that also affect the wireless network are data sensitivity and access policies. The reason they affect wireless networks in particular is that, coming in through the wireless network, wireless clients and users should only be able to access certain resources and certain data. So you might want your data policy to have a part that discusses wireless clients in particular. Some other policies that we talk about, and again these can stretch to the entire network and organization or at least to wireless clients in particular, are authentication policies. Obviously, we want to make it a policy that we use the strongest authentication possible, something like 802.1X if we can. We also want to enforce encryption policies, because if a user wants to connect to the wireless network, their mobile device must meet a standard level of encryption, so we might enforce that. The same thing goes for certificate policies: how they're used and how we'll issue and revoke them. That needs to be in place. And we've already discussed equipment control policies. We need to have those policies so the users know what their responsibilities are with things like mobile devices and stationary devices.
That includes how they'll take care of them physically and how they use them. So these are just some of the policies that you need to have on your network, and how they may affect your wireless client security.
