Securing the Workstation : Applying the Castle Defense System (part 1) - Protecting information, Working with protection

7/11/2013 6:07:33 PM

Armed with the list of new Vista security features and with the five layers of the Castle Defense System, you can now begin to view how you will protect your own Vista PCs. Table 1 outlines each of the five layers of the CDS and identifies how you can use the Vista feature set to secure each PC.

Table 1. Applying the CDS to Vista PCs

Layer 1 — Critical information
  • Data categorization: Categorize all data to determine the level of protection each type of data requires on your PCs.
  • Application hardening: Make sure the applications your users have access to are well-designed and provide a protection layer of their own.

Layer 2 — Physical protection
  • Physical environment: Make sure entry to your offices is protected. Make sure your PCs are tagged and identified. Make sure the external systems you allow to connect to your network can provide a clean bill of health.
  • Physical controls: Pay attention to the physical access to your PCs.
  • Communications: Make sure all users, including administrators, understand their responsibilities in terms of security practices.
  • Surveillance: Make sure everyone in the organization understands their responsibilities in terms of vigilance.

Layer 3 — OS hardening
  • Security configuration: Pay special attention to the following: service hardening, security configuration settings for the base PC installation, BitLocker Drive Encryption for portable systems whose configuration is sensitive, Encrypting File System data protection for others, User Account Control (UAC) for all users and administrators, Device Control to ensure that unauthorized USB disk drives cannot be connected to any PC, and wireless networking security.
  • Anti-malware: Implement Windows Defender along with proper antivirus technologies.
  • General Active Directory security: Implement very tight permissions management. Implement Software Restriction Policies to ensure no malicious code is allowed to run in your domain.
  • File system: Secure the file system to protect PC stability. Implement access-based enumeration to further protect information. Rely on digitally signed Windows Installer packages for all third-party or custom product installations.
  • Print system: Implement a full security strategy for all printers. Make sure standard users can install their own printers.
  • .NET Framework security: Any PC that includes this Framework needs special care. For example, PCs running Windows PowerShell will also include the Framework.
  • Internet Information Services (IIS): If you choose to install IIS on PCs, then make sure it is securely configured.
  • System redundancy: Redundancy on PCs is provided through the application of sound principles, the protection of user data, and the availability of additional systems for replacement.

Layer 4 — Information access
  • User identification: Rely on smart card or two-factor authentication for administrators in very secure environments. Highly secure environments will use two-factor authentication for all users.
  • Security policies: Assign proper policies for the PC pool.
  • Resource access: Tightly control all resource access. Implement EFS for mobile users.
  • Role-based access control: Applicable only at the server or application level.
  • Access auditing/monitoring: Turn on auditing to track all changes on critical systems.
  • Digital rights management (DRM): Rely on Rights Management Services to apply DRM to all documentation that is copyrighted or sensitive in any other fashion.

Layer 5 — External access
  • Perimeter networks: Configure the Windows Firewall with Advanced Security to control access to Vista PCs and mobile workstations.
  • Virtual Private Networks (VPN): Rely on Virtual Private Network (VPN) connections for all remote access.
  • Routing and Remote Access (RRAS): Implement a remote access authentication service for users working remotely.
  • Secure Sockets Tunneling Protocol (SSTP): Ensure all remote communications, as well as sensitive internal communications, are encrypted.
  • Public Key Infrastructures (PKI): Implement PKI in support of smart card deployment and software restrictions.
  • Identity Federation: Rely on Active Directory Federated Services for Extranet access if it is required.
  • Network Access Protection (NAP): Implement Network Access Protection (NAP) to ensure all machines that link to your network have approved health status.

1. Layer 1: Protecting information

Information is the basis of any effort that relies on the PC, but if an organization is properly structured at the IT level, this information will usually be stored on networked servers. When it is stored centrally, information is easier to protect, back up, and secure. Given the distributed nature of the client-server system, however, you will often find that information, sometimes information that is critical to your organization, ends up on PCs. In those cases, you must protect the information as much as possible, especially if the PC is a mobile PC that is used outside of your offices.

Ideally, you will have performed some form of information categorization, one that will give you a better understanding of the information you need to protect if your organization is to run properly. There are usually four categories of information:

  • Public information is information that may or may not be related to your organization, but that does not require protection. For example, information on products your organization sells through your Web site is deemed public information.

  • Private information is information that you need to run your operations, but this information is not sensitive and may not require heavy protection. For example, information on how you run your Web site is usually private, but if it is leaked outside your organization, it will not be a major disaster.

  • Confidential information is information that should only be divulged to authorized personnel. For example, the salaries you pay to your employees are usually deemed confidential.

  • Secret information is information that is critical to the operation of your business. If secret information is leaked out, it may have a negative impact on your organization's ability to operate.

Each category of information can find itself on a PC at some point in time. For this reason, you need to make sure it is protected at all times.


In addition to protecting the data on your PCs, you must make sure that your applications — the applications that generate and manipulate your organization's information — are hardened or otherwise configured in a fashion that makes it difficult for unauthorized personnel to obtain that information. Stories about organizations that have leaked information, such as their clients' credit card numbers, because their applications were not hardened appear in the news far too often.

2. Layer 2: Working with protection

Physical protection is also more difficult with PCs because they are distributed by nature. There are four categories of PCs to protect.

The first category is the workstations located in your office. These are the easiest to protect because they are on your physical premises; hopefully, you have checks in place for anyone who wants to remove them from your premises.

However, physical protection becomes more difficult when you consider the second category: mobile or tablet PCs. According to researchers, more than 600,000 PCs are lost or stolen in the U.S. each year. That is a considerable number, so you want to make sure you've properly protected them.

In addition to mobile systems, you might also be faced with a third category: working with or preparing kiosk PCs. Kiosk PCs are still under your control, but they present a different problem because they are exposed to users over whom you have little or no control. Therefore, these PCs must have a very tight physical security mechanism put in place so that they are locked down and cannot be removed from your facilities.

The fourth category of PC that requires some form of physical security is the teleworker's PC. Although these are often mobile systems, they sometimes include actual workstations that you provide to your users so that they can perform work from home. In this case, you are faced with two issues:

  • You must find a way to protect the system at a physical level in an environment — the user's home — where you have no control.

  • The second is that this corporate PC will often be accessed by noncorporate users in the form of the user's family members. One feature of Vista that makes it easier to deal with this aspect is the ability to use Fast User Switching, assigning a personal account to each family member. But in some cases, families all use the same user account, and this causes a major risk, since any family member will then have access to the data on your network — at least the same level of access as the user has.

With each of these different categories of systems, you have few choices for protection at the physical level. You can:

  • Tag each system and include it in an asset inventory. Bar code tags are the ideal method because they can be entered into a database.

  • Use a loss tracking mechanism, one that will offer an online reward for the return of your lost items. Several exist. One that is well rated is www.trackit.com, but you can find many more if you search for them.

  • Load your PCs with tracking software, software that will automatically identify the location of the system if it is lost or stolen and someone tries to use it. A good example of this software is AbsoluteTrack from Absolute Software (www.absolute.com). Once again, you can search for others, as there are several choices.

Make sure your kiosk PCs are bolted to the casings that hold them so that they are impossible to remove. It would be nice to do the same with mobile PCs, but that is unlikely. You can, however, protect your mobile systems with cable locks. You should include these with each mobile system you provide to your users and instruct them in their use. As for systems that you provide to your teleworkers, you can only recommend that they place them in secure rooms. The best way to do this is to provide your teleworkers with information and procedures they should follow when bringing a computer home.
