My 7Point Plan for Windows Security

1
My 7-Point Plan for Windows Security

• Terry Gray
• Director,
• Networks Distributed Computing
• UW Computing Communications
• September 2002

2
Objective

• Make Windows computers Network Safe, right out
  of the box.
• Make it easy for users to adjust their security
  policy in accordance with principle of least
  privilege (or minimum necessary access from the
  network).
• An Open Letter to Microsoft...

3
My 7-Point Plan for Windows Security

• Require the administrator account to have a
  password!
• By default, deny incoming connections to all but
  a minimum number of necessary service ports via
  integral firewalling.
• When an application requires listening on a port,
  give users the option of opening the port just
  for the session, or for a fixed time interval, or
  "forever but remind later about ports left
  open.
• Make it easy for users to establish their own
  local perimeter defense via IP access lists.
  (Important if they need to run insecure protocols
  within their workgroup.)
• Enhance existing "IP Security" capabilities to
  allow blocking only "initial connection" (SYN)
  packets.
• By default, have connections use IPSEC whenever
  available.
• Be wary of the UPNP NAT/firewall traversal stuff
  --a major security headache waiting to happen.