Desktop Security: Take the ‘Defense in Depth’ Approach

The “Defense in Depth” approach represents a complete security philosophy—one that helps protect the computing environment from numerous attack vectors.

Joshua Hoffman

One of the few constants of desktop computing is that nothing is ever constant. In most cases, this is a good thing. The ever-changing landscape of our computing environment is a result of innovation and creativity. It provides us with new ways to interact, collaborate and connect with the world around us.

However, as the landscape of desktop computing changes, so too does the landscape of desktop security. As the nature of platforms and data change, new threats emerge. IT professionals must remain vigilant and aware of the practices and the tools available to help counter these threats.

The “Defense in Depth” view of desktop security represents a security philosophy. This is an approach that helps to protect the computing environment from as many different potential vectors of attack as possible. We’ll look at ways to help protect your desktop environment against unwanted and malicious software; new technologies to protect users and data on the go; and tools to help IT professionals manage a diverse computing environment.

Malicious Software

Technologically savvy criminals are relentless in their attacks on desktop computers. Unfortunately, this means increasingly creative attempts to deceive and coerce end users into installing malicious software onto their machines. Fortunately, there are a number of tools available to help protect users, as well as the infrastructure to which they’re connected.

User Account Control (UAC) is a feature that was first introduced in Windows Vista. This control helps users and administrators protect access to administrative rights within the desktop computing environment. Users can easily operate with standard user privileges, so administrative functions of their machines are isolated from malicious software that may attempt to access data or perform tasks without the user’s knowledge.

Windows 7 made some significant enhancements to UAC. The end-user experience was improved by reducing the number of administrative functions that required elevation. Windows 7 also introduced auto-elevation for digitally signed Windows executables, and new operating modes for more granular control over events that require explicit elevation. For more detailed descriptions of how UAC works to protect the desktop computing environment, see Mark Russinovich’s July 2009 article, “Inside Windows 7 User Account Control.”

AppLocker is another new feature in Windows 7 that lets administrators specify exactly which programs can run in their environment. AppLocker builds on the foundation introduced by Software Restriction Policies (SRP) in Windows XP and Windows Vista. Administrators can permit or deny specific applications to be installed on their desktops.

AppLocker enhances the experience beyond SRP by introducing rules based on application digital signatures. This lets administrators identify applications they may want to prohibit within the organization, without having to update rules every time an attribute of that program (such as a date stamp or version number) changes. The rules engine within AppLocker provides a great deal of granularity as well (see Figure 1). This lets administrators easily build broad rules, allowing for exceptions as necessary.

Figure 1 Configuring AppLocker in Windows 7

Additionally, AppLocker rules can be associated with a specific user or group within an organization. This provides specific controls that allow you to support compliance and security requirements by validating and enforcing which users can run specific applications.
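The publisher-rule behaviour described above can also be scripted with the AppLocker cmdlets that ship with Windows 7. The following is an added example, not code from the article: it reads the signatures of a signed application, generates publisher rules for Everyone (the folder, the output path, the rule prefix and the product name are assumed), dry-runs the policy and shows how an allow rule is turned into a deny rule.

```powershell
# Added example (not from the article). Assumed: the folder holds a digitally signed
# application, and the paths below are writable. Requires the Application Identity service.
Import-Module AppLocker

$appDir    = 'C:\Program Files\Contoso App'       # assumed: folder of a signed application
$policyXml = 'C:\Temp\ContosoApp-AppLocker.xml'   # assumed: where the generated policy is saved

# Read the digital signature (publisher, product, binary name, version) from each .exe.
$fileInfo = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe

# Generate publisher rules. A publisher rule is keyed to the signer and product name, so a
# new build with a different version or timestamp still matches without editing the rule.
# -Optimize merges rules for files that share a publisher/product. Unsigned files get no
# rule here; -RuleType Publisher,Hash would fall back to a hash rule for them.
$allowXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                                -User 'Everyone' -RuleNamePrefix 'Contoso' -Optimize -Xml
$allowXml | Set-Content -Path $policyXml

# To prohibit the application instead, flip the rule action in the generated XML
# (New-AppLockerPolicy only emits allow rules).
$denyXml = $allowXml -replace 'Action="Allow"', 'Action="Deny"'

# Dry run: which executables in the folder would be allowed or denied for this user?
$exes = (Get-ChildItem -Path $appDir -Recurse -Filter *.exe).FullName
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $exes -User 'Everyone' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Merge the rules into the local policy (-Ldap targets a GPO instead). Enforcement mode is
# set per rule collection; start in "Audit only" and review the AppLocker event log first.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```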

UAC and AppLocker provide robust mechanisms for controlling which applications you can install and use on any machine. Adding Forefront Client Security can help you go a step further, providing a powerful antivirus and anti-spyware engine, along with real-time file protection. Should a malicious element make its way into your desktop computing environment, the constantly updated filters included in Forefront Client Security can help not only detect, but also neutralize the threat.

Data on the Go

One of the most significant changes we’ve seen over the past decade is how little computing now takes place at an actual desktop. Laptops, netbooks and the vast assortment of mobile devices are now the majority of our computing platform. Users are far more mobile, as is their data. This certainly has its benefits, but it introduces increased risks as well. Laptops and other portable devices are more likely to get lost, left behind or stolen, putting potentially confidential information into unauthorized hands.

There are a number of options to help protect you and your users from data loss or theft. BitLocker Drive Encryption (BitLocker for short) helps prevent unauthorized access to your laptop or netbook. The files stored on the encrypted drive (see Figure 2) are protected and inaccessible to unauthorized users. By providing full-volume data encryption, integrity checks of early boot components, and the option to require a PIN or USB flash device with key material at boot time, users and administrators can be more confident in the integrity of their data should a mobile device be lost or stolen.

Figure 2 BitLocker Drive Encryption locks down data at the drive level

Lost laptops and netbooks are only part of the problem. Misplacing portable storage devices, like USB flash drives, is also fairly common. USB flash drives can store large amounts of data at very low cost, making them an attractive storage option. That also makes them dangerous when they’re used to store sensitive information. BitLocker To Go can help combat this concern, extending BitLocker functionality to removable storage devices.

With this increased user mobility, it’s important to protect data not just when it’s stored on physical devices, but also as it travels across public networks. DirectAccess is a new feature introduced in Windows 7 that increases security when connecting to corporate networks from the road.

By leveraging standards-based technologies like Internet Protocol Security (IPsec) and Internet Protocol version 6 (IPv6), DirectAccess lets users connect seamlessly from remote locations to corporate networks, without needing a separate VPN connection. DirectAccess also uses IPsec encryption methods like the Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES) to help ensure that data is protected in transmission. Learn more about DirectAccess and ways to enhance its use with Network Access Protection in the June 2010 column The Cable Guy by Joseph Davies.

Finally, as more of our application and line-of-business work moves to the cloud, it’s even more critical that Web browsers provide as secure an environment for online computing as possible. The forthcoming Internet Explorer 9 will build on a strong foundation of Internet security features, while also providing some welcome enhancements.

For example, Internet Explorer 9 will include a cross-site scripting (XSS) filter that helps to detect this increasingly popular type of attack. XSS attacks inject malicious script into otherwise legitimate Web sites, so that the script runs in the browsers of users who trust those sites.

When the XSS filter in Internet Explorer 9 detects such an attack, it neutralizes the harmful script before it can run. Internet Explorer 9 also provides an enhanced SmartScreen filter to help users identify and avoid malicious Web sites that may host phishing attacks, malware and so on. Learn more about Internet Explorer 9 and download a beta version.

Streamline Management

For IT professionals, it’s important that deploying, managing and maintaining security technologies and policies remain as easy and efficient as possible. Windows 7 provides a number of tools to help you streamline the management of your desktop security infrastructure.

For example, Windows PowerShell cmdlets are now available for Group Policy. Using this powerful command-line shell and scripting language, you can now more easily automate and manage many Group Policy tasks. You can create Group Policy Objects, define their association with Active Directory containers, configure registry-based policy settings, plus much more. This helps you ensure every desktop in your environment meets the security configuration established by administrators.
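The three tasks just listed (create a GPO, link it to an Active Directory container, set registry-based policy values) look like this with the GroupPolicy module. This is an added example, not code from the article; it assumes the Remote Server Administration Tools are installed, and the GPO name and OU are made up. The registry values it sets are the UAC settings discussed earlier.

```powershell
# Added example (not from the article). Assumed: RSAT's GroupPolicy module is available,
# and the account running this can create and link GPOs in the domain.
Import-Module GroupPolicy

$gpoName = 'Desktop Security Baseline'           # assumed GPO name
$ou      = 'OU=Workstations,DC=contoso,DC=com'    # assumed target OU
$uacKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Create the GPO once; later runs reuse it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'UAC settings for standard-user desktops'
}

# Registry-based policy settings. These go into registry.pol and land on the client as the
# same values the UAC entries under Security Options write.
$uacSettings = @{
    EnableLUA                   = 1   # keep UAC on
    ConsentPromptBehaviorUser   = 0   # standard users: automatically deny elevation requests
    ConsentPromptBehaviorAdmin  = 2   # administrators: prompt for consent on the secure desktop
    PromptOnSecureDesktop       = 1   # elevation prompts cannot be overlaid by other windows
    ValidateAdminCodeSignatures = 1   # only elevate executables that are signed and validated
}
foreach ($name in $uacSettings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $uacKey -ValueName $name `
                        -Type DWord -Value $uacSettings[$name] | Out-Null
}

# Link the GPO to the workstation OU (once) and enforce it so child OUs cannot block it.
$linked = (Get-GPInheritance -Target $ou).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Verify the values stored in the GPO and keep a report for change control.
Get-GPRegistryValue -Name $gpoName -Key $uacKey | Format-Table ValueName, Type, Value
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Run gpupdate /force on a test workstation in the OU and confirm the values under the same key before widening the link.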

Controlling how software is deployed within an organization to prevent the introduction of potentially malicious software is essential. The ActiveX Installer Service helps you manage the deployment of ActiveX controls by using Group Policy. This ensures that you can install and manage these rich controls—which enhance the end-user Web experience—without compromising the integrity of desktop security controls such as UAC.

Malicious attacks will continue to adapt to innovations in desktop computing. However, a comprehensive, Defense-in-Depth approach to security will help ensure that your users, as well as your critical business data, remain protected.

Joshua Hoffman

Joshua Hoffman is the former editor in chief of TechNet Magazine. He’s now an independent author and consultant, advising clients on technology and audience-oriented marketing. Hoffman also serves as editor in chief of, a site devoted to growing and enriching the market research community. He lives in New York City.