/ TitanHQ Blog
/ 5 Network Security Measures to Protect Client Devices that are Worth the Trouble
Posted by Natalia Biel on Wed, Feb 1st, 2017
If you’re like most IT professionals today, you have a million things to do and a short window of time to get them done, so in order to alleviate our endless load, we sometimes implement out of convenience rather than according to good policy. Unfortunately, the measures we take out of convenience today can end up creating more work for us down the road, which ends up creating a vicious circle that is hard to escape from. Below I’ve have outlined five measures that may require a little time up front but boast a substantial potential payoff in reduced support calls and malware attacks that is more than worth it.
Enforce the Local Admins Group
Let’s face it. Making our users an administrator of their device is easy. We don’t have to worry about applications which may require admin rights to function properly. Unfortunately, it goes against every facet of enforcing the practice of least privilege. Giving users local admin rights to their devices is like throwing a 16-year-old the keys to a Lamborghini without any limitations, at some point it’s not going to end well at some point.
The concept of least privilege is simply that users should only have the privileges and rights they need to do their job and nothing more. With admin rights, users have unwarranted access to software configuration settings that they shouldn’t be meddling in. They also inherent elevated privileges to install malware. Fortunately, you can easily control the membership of the local administrators group of all of your machines through group policy preferences. Once enabled and deployed across the domain, unauthorized accounts will be deleted and inhibited from joining in the future.
Disable any Unused or Unnecessary Services
A key aspect of device hardening is to turn off and disable any services on your devices. This is a task made ridiculously simply once again through Group Policy Preferences. You will need to create this policy on a management machine with the most up-to-date operating system in order to ensure that all services are addressed. You also may need to make multiple policies to accommodate different hardware configurations. For instance, many organizations like to disable blue tooth service on user laptops for security reasons. In this case the policy would have to be created on a device that utilizes this service.
Keep Patching up-to-date with Proper Testing
We all realize the importance of keeping our machines up-to-date with the latest patches and updates. We also know the chaos that an untested update can wreak upon the desktop experience for our users sometimes. For that reason, a many organizations exercise a purposeful lag time of 30 to 60 days from when updates are released. The problem of course is that well known vulnerabilities remain exposed during that time. 200,000+ new malware threats are created every day.
Having a virtual test environment to properly validate updates and patches upon their release can help identify possible conflicts that could occur within your user environment, while allowing your organization to deploy updates and patches network wide in a timely manner.
Implement Local Device Firewalls
For years, most organizations could rely on a network perimeter strategy like the king that depended on his castle wall and moat to protect him. Due to evolving military strategies, backed by advancing technologies, the sole dependence on a perimeter strategy proved fatal for many kingdoms, as it does today for many networks.
With today’s mobile world, sole reliance on perimeter protection is not enough. Every device that leaves the safety of the network should have local firewall protection. Again, before any broad implementation, this requires extensive testing of all desktop and cloud applications utilized by your users, but like all of these measures, a little time investment in prevention can go a long way.
Reassess your Spam and Web Filters
Email phishing is the single biggest social engineering threat to your organization. Some of our recent blogs have outlined the recent ransomware outbreaks that have wreaked havoc on mission critical organizations such as hospitals, forcing them to shut down all because someone clicked a link within an email. We’ve also outlined some of the CEO phishing scams that cost some of the biggest company names in the world millions of dollars.
Spamming has virtually no cost which is why it’s so prevalent and the methodologies used to go about attacks are far more advanced than they were even five years ago. One phishing email can bring down your entire network, which is why it’s worth your time conduct an assessment every year of your current spam filtering service and compare the features offered to the alternatives. A solution that seemed completely suitable five years ago may be outdated today.
For these and other reasons we're seeing a lot of businesses move to WebTitan, often flexibility and more bang for your buck seem to be the main deciding factors. A free fully featured trial is available at https://www.titanhq.com/webtitan .