Below are some security recommendations for desktops.
Hardening can always be taken to a higher level, so only the basic level is included here.
- BIOS password (e.g. to prevent booting from USB)
- Full disk encryption (e.g. to prevent installing something into the OS partition)
- iptables filtering in both the inbound and outbound direction
- psad or some other HIDS/HIPS monitoring
- use KeePassX for generating and storing passwords
If the desktop requires additional hardening, the following approach can be used to limit outgoing traffic by hardening the local firewall. The approach is quite efficient because it gives the user full control over which applications are allowed to access the internet. By default applications are not allowed, and only running them via sudo as a different user grants such access.
The important point in the example below is that outgoing filtering is enabled and only http_user (a non-primary user) is allowed to access the internet. http_user is a separate user with no access to the primary user's home folder. This filtering should, up to a point, mitigate malware back-connects to C&C servers. To browse the internet, the desktop user runs the browser under http_user (via su or sudo to http_user).
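The LOG rules in the iptables rule set below write every dropped outbound packet to the kernel log, which is what makes the filtering useful for detection as well as blocking. As an added example (not part of the original page), here is a small Python triage script for those "iptables OUTPUT DROP:" lines: it counts dropped outbound attempts per destination and flags DNS queries aimed at resolvers other than the pinned Google ones. The sample log lines are constructed; the UID field only appears if the LOG rules are given the --log-uid option, which the rule set below does not set, so the parser treats it as optional.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the format produced by
# "-j LOG --log-prefix 'iptables OUTPUT DROP: '" (sample data, not real captures).
SAMPLE_LOG = """\
Mar  3 10:01:02 desk kernel: iptables OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:05 desk kernel: iptables OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:02:10 desk kernel: iptables OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=1.1.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=50000 DPT=53 LEN=44
Mar  3 10:03:00 desk kernel: iptables INPUT DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=4444 DPT=22
"""

# Only OUTPUT drops are of interest here; INPUT/FORWARD drops use a different prefix.
LOG_RE = re.compile(r"iptables OUTPUT DROP: (?P<fields>.*)$")
# Resolvers permitted by the "DNS only to google allowed" rules.
ALLOWED_DNS = {"8.8.8.8", "8.8.4.4"}


def parse_drops(text):
    """Return one dict per dropped OUTPUT packet found in the log text."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # Netfilter logs KEY=VALUE tokens; flags such as DF or SYN have no '=' and are skipped.
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        events.append({
            "dst": fields.get("DST"),
            "proto": fields.get("PROTO"),
            "dport": int(fields["DPT"]) if "DPT" in fields else None,
            "uid": int(fields["UID"]) if "UID" in fields else None,  # present only with --log-uid
        })
    return events


def summarize(events):
    """Count drops per (dst, proto, dport) and list DNS targets outside the pinned resolvers."""
    counts = Counter((e["dst"], e["proto"], e["dport"]) for e in events)
    rogue_dns = sorted({e["dst"] for e in events
                        if e["dport"] == 53 and e["dst"] not in ALLOWED_DNS})
    return counts, rogue_dns


if __name__ == "__main__":
    counts, rogue_dns = summarize(parse_drops(SAMPLE_LOG))
    for (dst, proto, dport), n in counts.most_common():
        print(f"{n:4d} drops -> {dst} {proto}/{dport}")
    if rogue_dns:
        print("DNS attempts to non-pinned resolvers:", ", ".join(rogue_dns))
```

Repeated drops to one destination on 80/443 from the primary user usually mean a program that should be started under http_user; a DNS attempt to a resolver that is not pinned is worth a closer look at which process issued it.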
iptables

```
# /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vboxnet0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o virbr0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o vboxnet0 -j ACCEPT
# allow virtual box bridge interface out, for VMs
-A OUTPUT -o virbr0 -j ACCEPT
# direct ssh to trusted servers
-A OUTPUT -m state --state NEW -p tcp --dport 22 -d some_trusted_ssh_server -j ACCEPT
# direct http/https, uncomment here only temporarily if needed
#-A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
#-A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# http_user, used in sudo
-A OUTPUT -m owner --uid-owner http_user -j ACCEPT
# DNS only to google allowed (Google public resolvers are 8.8.8.8 and 8.8.4.4)
-A OUTPUT -m state --state NEW -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
-A OUTPUT -m state --state NEW -p udp --dport 53 -d 8.8.4.4 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 60/min -j LOG --log-prefix "iptables INPUT DROP: " --log-level 7
-A INPUT -j DROP
-A FORWARD -m limit --limit 60/min -j LOG --log-prefix "iptables FORWARD DROP: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -m limit --limit 60/min -j LOG --log-prefix "iptables OUTPUT DROP: " --log-level 7
-A OUTPUT -j DROP
COMMIT
```

ubuntu ufw

```
sudo ufw default deny outgoing
```

Run browser under second user

```
main_user: sudo xhost +SI:localuser:http_user
main_user: sudo su - http_user
http_user: export DISPLAY=':0.0'
http_user: google-chrome
```

The main aspect of corporate environments is that the domain administrator has privileged access to the computers in a Windows domain. Additionally, Windows is still the most widely used OS, so it is the one most often targeted by exploits. Usually the domain administrators and helpdesk are responsible for pushing group policy and software to the desktops.
However, if the user can run as local admin, it is possible to perform the following hardening:
- Stop file sharing services and SMB to prevent domain administrators from logging on to the desktop (to protect the desktop if an attacker gains domain admin privileges)
- Install AV with HIPS and sandboxing features. HIPS and a personal firewall are important for blocking outgoing traffic.
- Run a full-disk-encrypted Linux VM from Windows
Additionally, domain administrators should harden AD and Group Policy (e.g. do not allow running macros and active content by default, set password complexity, do not store LM hashes, ...)