Recently I received a question via Twitter (@yuridiogenes) that said: Hi Yuri, do you know how I can block P2P traffic via TMG? The answer here should actually be another question: why do you have P2P software running on your corporate workstation in the first place? If this is not allowed, why is it there? Ah…I see, users are clever and they download applications, or bring USB drives with unauthorized software to use in the corporate environment. I see.
This clearly shows that the problem is not really on the Edge device, and trying to band-aid it by adding a firewall rule will not fix the root cause of this problem: unauthorized software running in the corporate environment. There are many built-in Windows features that can be used to lock down corporate workstations and assist in controlling the environment. However, even before you dig in to find the features that you need to use, you need to understand what the major elements are that can assist you in hardening those workstations.
By starting to think that each user should only have access to what they really need (least privilege) you are already ahead of the curve. The reality is that many companies will give wide access to users and later on will realize that the users have too much access. The problem here is that since the user got used to having wide access, he will get frustrated when you cut out those privileges. As a result you will have a user who will now keep trying to find a loophole so he can regain access to the resources he used to have. We don’t want to motivate this type of behavior, and that’s another reason why least privilege is the way to go right from the beginning.
Back in April I wrote this post where I mentioned the need to use a standard user account, and I will say it again: it is very important to use a standard user account. While this is not the solution for everything, it can assist in the overall protection. When I say that this is not a solution, I want to echo a paper from Secunia called “Cybercriminals do not need administrative users”. When you read the conclusion of this paper you will see that the standard user is a strategy that must be present in your security policy, but you can’t think of this as the only thing that needs to be done to secure the system.
In the first paragraph of this post I showed a common scenario where an IT Admin will try to use the Firewall as the resolution for bigger problems that will still be in place even after he blocks the outbound traffic. These days you really need to bring the security closer to the endpoint; you can’t rely only on the Firewall. Remember the defense in depth approach? It is even more relevant nowadays. One built-in Windows feature that you can use for that is AppLocker. If you don’t know how AppLocker works, watch the video below:
By using AppLocker you are adding another layer of protection to assist you in this battle to secure the endpoint. On top of those elements you should also harden the workstation by disabling unnecessary services, and then create a workstation template that you can use to guarantee a consistent experience across the board. There are many templates that come with the Security Compliance Manager Tool, as shown below:
You can either use the templates that come with SCM or you can build your own based on an existing SCM template. This gives you a starting point, and you can then adjust the template to reflect your environment's needs.
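To make the AppLocker layer described above concrete, here is an added PowerShell example (not code from the original post or from Microsoft's documentation) that builds an executable allow-list from the directories a standard user cannot write to, stages it in audit mode, and dry-runs it against a file in a user profile, which is where unauthorized downloads usually land. The output path and the placeholder executable name are assumptions.

```powershell
# Added example (not from the original post): stage an AppLocker allow-list
# in AuditOnly mode, then check what it would do to an executable living in
# a user's profile. Requires an elevated session on a Windows edition that
# supports AppLocker. Paths below are placeholders.
Import-Module AppLocker

$PolicyFile = 'C:\Temp\AppLocker-Audit.xml'                # assumed output file
$UnknownExe = 'C:\Users\someuser\Downloads\p2pclient.exe'  # placeholder path

# 1. Inventory executables under the trees a standard user cannot write to.
#    Publisher rules survive updates; hash rules cover unsigned binaries.
$Files = foreach ($dir in 'C:\Program Files', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}
$PolicyXml = $Files | New-AppLockerPolicy -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 2. Set the Exe collection to AuditOnly: nothing is blocked yet, but the
#    event log records what *would* have been blocked under enforcement.
$Xml = [xml]$PolicyXml
foreach ($rc in $Xml.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Exe') { $rc.EnforcementMode = 'AuditOnly' }
}
$Xml.Save($PolicyFile)

# 3. Dry-run the staged policy against the suspect file before applying it.
$Result = Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $UnknownExe -User Everyone
'{0} -> {1} (rule: {2})' -f $Result.FilePath, $Result.PolicyDecision, $Result.MatchingRule

# 4. Apply to the local machine (add -Ldap to target a GPO instead) and make
#    sure the Application Identity service AppLocker depends on is running.
#    On newer Windows builds Set-Service may be refused for this protected
#    service; 'sc.exe config appidsvc start= auto' is the fallback.
Set-AppLockerPolicy -XmlPolicy $PolicyFile
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. After an audit period, review 8003 (would have been blocked) and
#    8004 (blocked) events before switching EnforcementMode to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message -First 20
```

Because the allow-list is built only from locations a standard user cannot modify, the path and publisher rules stay meaningful only if users are not local administrators, which is why the standard user account and AppLocker reinforce each other.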
Keep that in mind and have a good (and safe) deployment!