General Desktop Security Best Practices

Desktop Security

A few nights ago I was sitting in the living room watching television and happened to notice a User Account Control (UAC) prompt appear on my wife’s laptop. Much to my disgust she simply accepted the prompt without even reading what it said. When I asked her what it had said she replied, “Oh I don’t know… it does that a lot!” This got me thinking. I typically work from home and have quite a few machines online at any one time. They are all quite well protected from execution of malicious code; however, they are all on a single domain network, and if my wife is merrily clicking away allowing code to run, my entire network could easily be compromised. In order to try and address this issue I’ve done a number of things, and I wanted to share my Desktop Security Best Practices publicly for people to contribute towards.

Firewall – almost every modern operating system, from Windows through Linux to Mac OS, ships with a firewall installed by default. Some enable it out of the box; others do not. The very first thing I do before I install a single application is enable this firewall. Most desktop firewalls allow outbound communication by default but block unsolicited inbound communication, so enabling it should not noticeably affect a standard user doing some web browsing, while adding an extra hurdle for someone attacking the machine across the network.
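As an added example (not from the original post), the PowerShell below checks and enables the built-in Windows firewall on all three profiles with exactly the posture described above (block unsolicited inbound, allow outbound), then lists the inbound allow rules that are actually live, which is the part worth reading: those rules are what someone else on the home network can reach. It uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later and must be run from an elevated prompt.

```powershell
# Added example, not part of the original post. Run from an elevated
# PowerShell on Windows 8 / Server 2012 or later (NetSecurity module).

# 1. Current state of the three profiles (Domain, Private, Public).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Turn the firewall on for every profile with the posture the post
#    describes: block unsolicited inbound, allow outbound.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# 3. Anything still not enabled (for example overridden by Group Policy)
#    shows up here; an empty result is what you want.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($off) { Write-Warning "Still disabled: $($off.Name -join ', ')" }

# 4. The inbound rules that matter are the enabled 'Allow' ones. Most are
#    shipped by Windows; scan the list for third-party or hand-added rules
#    and for groups (file sharing, remote desktop) you do not actually use.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile, DisplayGroup |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table -AutoSize
```

Step 4 is the check I would repeat after installing anything: installers that ask for an inbound rule (games, media servers, collaboration tools) routinely add one for all profiles, including Public, and that rule outlives the reason you installed the software.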

Virus Protection – similar to the firewall, free antivirus programs exist for all modern operating systems. Whilst I agree that most anti-virus vendors only block a tiny percentage of the malicious software out there, the performance impact of running one on a modern endpoint is negligible. I accept that businesses are looking at innovative ways of implementing antivirus (hypervisor-based solutions, network appliances, etc.), but I feel a lot more comfortable knowing antivirus is configured, up to date and enabled on an endpoint.

Patches – when did your Mom / Dad / Wife / Husband / <any other person in your household> last install patches on their machine? I’m not only referring to Windows patches, because operating system developers have become significantly smarter, and more forceful, about subjecting users to regular updates. I’m referring to applications as well: Acrobat Reader, Firefox, Notepad++, iTunes, etc. Left unpatched, every one of these is a possible attack vector, and the problem is made worse by the next point, Administrative Rights.
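The two points above (antivirus and patching) share one practical question: how do you know, on a family member’s machine, whether they are actually in place? This added example, which is not from the original post, answers it for a Windows 10 or later box running Microsoft Defender. It reports whether the AV engine and real-time protection are on and how stale the signatures are, shows the most recent Windows hotfixes, and then builds an inventory of installed applications with their versions from the registry Uninstall keys, which is the list you compare against the vendors’ current releases. Third-party AV products have their own status tooling; the Defender cmdlets are an assumption of this example.

```powershell
# Added example, not part of the original post. Assumes Windows 10 or later
# with Microsoft Defender (Defender module); other AV products expose their
# own status commands.

# --- Antivirus: is it on, is real-time protection on, how old are signatures?
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = $mp.AntivirusSignatureAge
    LastFullScan       = $mp.FullScanEndTime
} | Format-List

if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning 'Antivirus or real-time protection is switched off.'
}
if ($mp.AntivirusSignatureAge -gt 3) {
    Write-Warning "Signatures are $($mp.AntivirusSignatureAge) days old."
}

# --- OS patches: when did the last updates land?
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# --- Applications: name, version and publisher from the Uninstall keys in
#     the 64-bit view, the 32-bit (WOW6432Node) view and the per-user hive.
#     Anything here that is behind the vendor's current release is an attack
#     surface in its own right, regardless of how current Windows is.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique |
    Format-Table -AutoSize
```

The inventory is deliberately read from the registry rather than from a package manager, because that is where classic MSI and EXE installers (the Acrobat Readers and iTunes of this world) record themselves; per-user installs such as browsers often live only under HKCU, which is why the third path is included.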

Administrative Rights – to my surprise, a default build of Windows makes the first user account created during setup a local administrator. This means that almost every home user is a local administrator, and so all an attacker needs to do is trick you into opening a file on your machine: the malicious code then runs with your rights, and the only thing between it and a full install is a UAC prompt, which, as my wife’s laptop shows, simply gets clicked through. This, for me, is one of the biggest vulnerabilities in modern computing. No matter what protection I put in place on a corporate laptop, taking it home and plugging it into a network that has a machine on which a user is a local administrator means it could be compromised.
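The fix for this point is to stop using the administrator account for day-to-day work. As an added example (not from the original post), the PowerShell below shows whether the current session is elevated, lists who is actually in the local Administrators group, and creates a separate standard account for everyday use; the account name DailyUser is a placeholder. It uses the Microsoft.PowerShell.LocalAccounts cmdlets that come with Windows 10 and later and needs an elevated prompt.

```powershell
# Added example, not part of the original post. Run from an elevated
# PowerShell on Windows 10 or later (Microsoft.PowerShell.LocalAccounts).
# 'DailyUser' is a placeholder name.

# Is this session running with administrative rights? With UAC on, an admin
# user's normal (filtered) token answers False here; only an elevated one
# answers True, which is exactly the distinction the UAC prompt is guarding.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current session elevated: $isAdmin"

# Who sits in the local Administrators group? On a default home build this
# includes the first account created during setup.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Create a standard user for everyday browsing and email. The password is
# read interactively so it never lands in shell history or a script file.
$name = 'DailyUser'
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $name"
    New-LocalUser -Name $name -Password $password `
        -FullName 'Daily User' -Description 'Standard, non-admin account' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $name
    "Created standard user '$name'."
}

# Once the family is logging in as standard users, take the old everyday
# account out of Administrators. Keep one dedicated admin account for the
# occasions a UAC prompt is genuinely needed; Windows will not let you
# remove the last administrator.
# Remove-LocalGroupMember -Group 'Administrators' -Member 'OldDailyAccount'
```

The payoff is the UAC prompt itself: for a standard user it asks for an administrator’s password rather than just a click, so “it does that a lot” turns into a question the person at the keyboard cannot answer on autopilot.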

Passwords – there is a lot of bad advice out there about passwords. Graham Cluley, a well known security blogger, covers quite a lot of this on his YouTube channel, which is definitely worth subscribing to. In short: don’t use the same password for multiple sites, make every password long and randomly generated, and use something like 1Password to keep all of your passwords safe. A password you can remember is almost always short or built from words and patterns, and those are exactly the candidates a cracker tries first; a random one protects you by having no pattern to exploit, so don’t expect to remember it and let the password manager do that job.
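To make “randomly generated” concrete, here is an added example (not from the original post) of what a password manager’s generator is doing under the hood: it draws each character from the operating system’s cryptographic random number generator, avoids the modulo bias that a naive byte % alphabet-size would introduce, and reports the resulting entropy in bits. The 74-symbol alphabet and 20-character length are this example’s choices, not a recommendation from the post.

```powershell
# Added example, not part of the original post. Generates a password from a
# cryptographic RNG without modulo bias and reports the bits of guessing work
# it represents. The alphabet and length below are this example's choices.

function New-RandomPassword {
    param([int]$Length = 20)

    # 74 symbols: letters, digits and punctuation that rarely trips up web
    # forms. Trim it for a site that rejects certain characters.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@_'
    $n = $alphabet.Length

    # Rejection sampling: a byte is 0..255 and 256 is not a multiple of $n,
    # so (byte % $n) on its own would favour the first few symbols. Discard
    # any byte at or above the largest multiple of $n that fits in a byte
    # (222 for $n = 74) and draw again.
    $limit = [int][Math]::Floor(256 / $n) * $n
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $out   = New-Object char[] $Length
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $out[$i] = $alphabet[$buf[0] % $n]
            $i++
        }
    }
    $rng.Dispose()

    # Entropy in bits: each position is an independent uniform pick from $n,
    # so the search space is $n ^ $Length and the bits are Length * log2(n).
    $bits = [Math]::Round($Length * [Math]::Log($n, 2), 1)
    [pscustomobject]@{ Password = (-join $out); Bits = $bits }
}

# 20 characters from 74 symbols gives roughly 124 bits; a memorable password
# made of a couple of dictionary words and a digit comes to roughly 30.
New-RandomPassword -Length 20
```

The bias step is the part people skip when they roll their own generator: with a 74-symbol alphabet and no rejection, symbols 0 through 33 would each be chosen four times per 256 draws while the rest get three, which is a measurable skew that an attacker modelling your generator can exploit.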

Backups – another surprise was how seldom people back their data up, and those who do have usually suffered a major data loss at work or at home in the past. Whilst cloud storage providers like Dropbox, OneDrive, Box, iCloud Drive, etc. are a great starting point, I personally recommend using a dedicated backup solution: a plain sync folder faithfully replicates deletions and ransomware-encrypted files to the cloud copy, whereas a real backup keeps versioned copies you can roll back to.

Education – the most important thing of all. Nowadays everyone believes they are “tech savvy.” This isn’t the case at all; in fact it makes the problem worse. Take my Dad as a prime example. He isn’t tech savvy in the slightest, which means that when the computer says no for whatever reason he will ask what to do. My Mum, on the other hand, will most likely click the button and see what happens before asking what to do.

Trust no-one – don’t trust anything you receive by email or see on a website. If, for example, you receive an email saying your bank account has been compromised, click here to secure it… DON’T CLICK THERE. Get to the bank by typing its address yourself or using your own bookmark. The same applies to attachments: don’t open an attachment unless you know the sender AND are expecting it. It’s so easy to craft malicious attachments that aren’t quite what they seem that you are better off treating “trust no-one” as your default starting point and only opening something once it passes a few tests.

Now for the little added extra as a thank you for sticking with me throughout this post…

My blog doesn’t rank highly on most search engines, so if you’ve found it you’ve either been referred here by someone or are part of the AppSense community. If you fall into the latter category, I’ve been using AppSense Application Manager to secure my personal desktop for a while now. I will admit, my configuration is not an ultra-secure configuration. This has been done deliberately because I am trying to find the perfect balance between security, performance and functionality which everyone dreams of. I want my configuration to be secure enough that it neither affects the performance of my laptop nor restricts the functionality so much that it becomes unusable.

You can download a copy of the configuration from here.