Hardening a financially critical Windows computer

Question

One of the risks to small and medium businesses is losing your bank credentials to bad guys by use of a key logger or other malware as Bruce Schneier blogs about. A particular threat is real-time key loggers as described in the NY Times. The bottom line is that with commercial bank login information, bad guys can wire money out of your accounts and there may be no recourse. Commercial bank account logins are truly the keys to the kingdom.

I’ve decided to substantially increase the security on the machines where these bank credentials are used. My standard security recommendations are Windows XP SP3 with patches being applied automatically nightly. Virus protection is on (We generally use ESET). Users are Limited users; they can’t add software. Software restrictions prevent the user from accidently or deliberately downloading software and running it out of their user directory. We use IE8 because of the ease of managing it in a Active Directory environment, but I recognize this as a potential weakness. Unfortunately, the most likely vector of a zero day exploit is flash or acrobat, both of which we use.

Security is always a tradeoff of convenience versus safety, so answers and suggestions should give pros and cons. I’m going to answer with a few suggestions, so you can see where my thoughts are going.

Answer 1

You could setup another PC with Linux/BSD on it that is only used for accessing the bank web site. If you really wanted to get paranoid you could put it on its own dedicated Internet connection and not have anything else connected to it on the regular network. Gives you the benefits similar to dual boot while still keeping the Windows PC available for other tasks. Downside is additional hardware/software to maintain. There's always the possibility that some nefarious employee could put an inline hardware USB keylogger between the keyboard and the computer regardless of what/how you secure the operating system and software.

Answer 2

As with all things a risk based approach is going to be best, and the degree to which you take this is going to be based on your budget, risk, time, and the potential damage of a breach. I certainly don't expect you to do everything here.

Here are some of the attack vectors:

Physical attacks

Types of attacks

• Theft
• Offline Attacks
• Hardware Key loggers
• Attacker trying to install malware locally
• Shoulder surfing

This is the space where you are going to focus on controlling things related to physical access:

• Auto-locking screens, good passwords (that are not stored under a keyboard), and disk encryption will help when a system is stolen
• Disabling USB ports in the OS or cementing them closed, and disabling autorun can help (but not fully prevent keyloggers)
• Good physical security of the system (good door locks, sturdy computer cabinets, computer locks, occasional audits)
• Privacy screens and keeping systems away from windows help prevent shoulder surfing

Software Attacks

• Internet malware
• Social Engineering (Phishing)

Once you put a system on the network you have a world of fun to prevent you from loosing control.

• VM or dual boot scenarios can help separate critical and commonplace information (one system for critical banking one for email)
• It's worth considering a completely seperate box for this sort of thing too if reasonable
• Either way though, you'll need non-priviliged access for users
• Good passwords for all users
• Effective vulnerability management (Patching, Removal of unnecessary services, etc.)
• Security lockdown (Windows has their Security Guides and Accelerators* there are various guides to *Nix BSD lockdown out there)
• Working and well configured network AND local firewalls

*I just set up a Specialized Security Limited Functionality Workstation and it seems to be doing all right.

Network Attacks

In addition to hardening the machine you should also have strong transport protections:

• Packet Sniffing
• DNS attacks/SSL MITM attacks
• etc.

Things you can do at this level:

• Transport protections (IPSec on Windows, SSH on *Nix, SSL for web***)
• Well configured and monitored network infrastructure (no default passwords, etc.)
• Don't send sensitve data over wireless***
• Consider network segregation of privileged and non-privileged systems

***SSL attacks are a dime a dozen these days, they are all still essentially MITM (as of this writing) so you should take steps to protect against MITM

***And if you must use wireless, don't use anything less than WPA2-Enterprise

Answer 3

Check your bank's authentication mechanisms! Mine adds a pseudo-RSA token in the form of a "code card", and most transactions - aside from viewing balances and moving money between my own accounts - require me to input a randomly selected number from the 100 printed on that card. Each code can only be used once, and when they're all gone I get a new card. This satisfies the "something you know and something you have" requirement of dual-factor without the overhead of issuing all users with a real RSA token, and that's just for a personal account. If your bank won't give you a decent level of security beyond this for a business account, ditch it and find one that will!

Answer 4

Stop surfing the net from that machine. Don't check email, don't go to websites outside of your LAN, etc. Do all of that on some other machine, then post what you need to do from the financial computer in a local wiki (or something). Don't use the financial machine as a file server, print server, etc etc etc.

Costs: a $500 Dell to surf from Benefits: Your data is more safe.

I would also invest in a firewall (hardware, not software) to put in front of the machine. Don't let anything in, and make policies out of the above, instead of trusting users to do the right thing.

Answer 5

Upgrade to Vista x64. Seriously. It's a lot harder to exploit reliably.

That doesn't stop malware that your users run (by going to websites, etc etc), but it stops network-based attacks that you won't have much detection of.

Answer 6

Depending on the number of transactions these people have to do you may opt for a diskless workstation for banking transactions ONLY. Diskless immediately implies booting from a read only medium like a CDROM. Something like a stripped CDROM bootable Linux that only the bare minimum of software (i.e. only a webbrowser) may be a valid option for this kind of work.

Answer 7

In addition to specific host protection techniques, look for defense in depth approaches to this. For instance, most web filtering software will block known bad sites. If one of your users hits one early on, that's not going to help, but once one is discovered, it makes it into the filtering lists fairly quickly. Along those same lines, look at external DNS solutions like OpenDNS which perform a similar function, but without the web filtering software/appliance requirement. On your firewall, perform egress filtering. Block the known ports for IRC, etc. No, this won't stop a piece of malware that uses a custom port, but many do not. Hopefully, you're web filtering solution helps with those which do use something custom. Also, consider implementing IDS/IPS. If money is tight, there is always Snort.

Answer 8

Move to 64bit Windows 7 since malware is very rarely targeting 64bit code yet. Pro’s are less viruses; con’s are that we have to get new 64bit hardware and deal with various incompatibilities. XP mode may be needed.

Answer 9

Force the users to dual boot into some other OS (BSD?) when doing bank activity. Pro’s: Very safe. Con: very inconvenient since they won’t have access to various windows app’s for figuring out who and how much to wire to.

Answer 10

Use disk encryption. Whatever you do in the OS, as long as you can boot a CD and access the filesystem outside of Windows you're not safe. WinVista/Win7 has encryption capability built-in, but there are heaps of WinXP-capable 3rd party solutions as well.

Look into NAP-type policies where the computer doesn't get internet access before it's patched to company standards (if you need them to have internet access, that is).

Look into Desktop Virtualization (both MS and VMWare have solutions for this) to isolate the bank apps into it's own, tightly managed environment.

Just my 5 cents...

Answer 11

Use VMWare with a basic linux guest to do all online banking but run it on the computer with all the accounting software so you can easily switch between host and guest to view necessary data.

Answer 12

The NSA and Microsoft came up with the original security guides. The documents are rather long and I'd recommend testing the settings out on a computer you can reformat as it is quite possible to lock things down so much that the only cure is to boot from a cd/dvd and wipe the drive.

http://csrc.nist.gov/itsec/guidance_WinXP.html

http://technet.microsoft.com/en-us/library/cc163140.aspx

I agree with your idea that flash/acrobat are the likeliest threats. Limiting user rights is the largest step in securing the computer that I can think of.

Disable autorun for all computers in the gpedit.msc. Some of the banks I've worked at would disable USB ports. There are now applications that can monitor them and only allow permitted connections. The older banks would use hot-melt glue to seal the ports and prevent plugging things in (one bank used locks on the floppy drives, and would fire anyone on the spot who's {cheap} lock fell out). There are a number of articles where researchers drop USB thumb drives in parking lots near offices and see how many get plugged into computers at the office - the install ended up just sending the IP address home - more malevolent installers have used the icon that one sees for "open with explorer" tricking the user into not paying attention, so they click the installer.