Protecting desktop computers

Written by:  • Edited by: Bill Bunter
Updated May 7, 2010

Defending against accidental or malicious misuse of end-user devices--misuse which often results in damage to the business, its customers, or its employees--is a crucial part of SMB security planning and design. In this section, we examine various layers and techniques for desktop computer defense.

A strong desktop computer defense consists of administrative, technical, and physical controls designed and implemented at various crucial layers. The following graphic depicts these layers and their relationship to each other and to a network-connected desktop system.

[Figure: Layered Desktop Security]

We'll examine segmentation when we look at overall network security. The rest of the layers are discussed below.

Policies and Procedures

The first step in designing desktop computer security is understanding which actions employees are and are not allowed to perform on company-owned equipment or with company-owned services. A description of the actions allowed, prohibited, or allowed under specific conditions is contained in an acceptable use policy.

Employees must be aware of the contents of the acceptable use policy. Ideally, the do's and don'ts contained within it are included in a documented security awareness training program. Further, fair and consistently applied sanctions for not adhering to security policy should be in place.

Another important set of policies should describe the organization's approach to configuring and implementing end-user devices. One of these documents should include change and configuration management expectations intended to ensure secure system rollouts with little risk of breaking one or more business processes.

Finally, be sure all policies are supported by documented procedures. It's the procedures that ensure all desktops are configured and secured consistently, in accordance with management's expectations.

For more information on policies, see Security Basics - Overview of the Security Program and Security Basics - Components of Security Policies.

Perimeter Defense

Perimeter defense, covered in a subsequent section, begins with network-level controls. Reasonable and appropriate effort should be taken to prevent external threats from reaching your desktop systems. However, no control is perfect. Further, many attacks come from inside the network perimeter. And let's not forget that your users might invite malware in or leak data out by unknowingly visiting malicious or infected Web sites. For these reasons, building a security perimeter around each end-user device is a good idea.

A desktop security perimeter consists of several components that work together to detect, alert on, and potentially block unwanted system behavior. These include:

  • Anti-virus and anti-spyware protection as well as intrusion detection, alerting, and prevention (see Host Anti-malware and Intrusion Prevention).
  • Personal firewall. A personal firewall prevents unwanted external connections or attempts to install unwanted software. It also stops already infected desktops from connecting with an attacker's server.
  • Employee awareness. Regardless of how many controls you put in place, careless use of desktops will inevitably find a way around your security. A strong security awareness program is a key element of end-user defense.
  • Secure configuration policies and processes (see relevant topic later in this section).
  • Appropriate access (see Access Controls and Physical Security).

In essence, all the layers identified in the opening graphic work together to provide a tight perimeter around desktop computers.
