So far, we have taken steps to protect ourselves against viruses, Trojan horses and DoS agents, and we have considerably secured the operating system environment in order to reduce the number of vulnerabilities that a malicious hacker with physical access to the network could try to exploit. We might think that our task is coming to an end, and that we have finally met the challenge of securing our internal network. But that would be wrong. We still have to take into account the various applications that users need to conduct their daily business, which could also contain flaws that compromise the security of our network. Remember the Outlook example I gave you in a preceding chapter? It is true that with all the steps we have taken so far to secure our network, it could be harder for a potential intruder to achieve their goal, but as long as there is an open door, there is always a way to push it open wider and wider, to the point of circumventing all the security measures we have previously taken.
Another application that needs special attention is the web browser, whether it be Internet Explorer, Netscape, Opera or another. It is important to reduce the capabilities of this type of software, because it is an open window onto your network. For example, it could be dangerous to blindly accept the execution of Java applets, JavaScript or VBScript. Also, accepting ActiveX controls is known to be insecure, as these controls let web authors (that is, anyone) execute code on your machine without restriction. So it is important to take preventive steps to filter these capabilities, while still leaving enough room for an enjoyable web experience. Again, risk-exposure acceptance is a key factor here. E-mail applications need similar adjustments, such as deactivating VBScript execution in HTML messages. If you can, disable HTML mail altogether if you want to sleep soundly at night.
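One way to check the browser settings discussed above, as an added example that is not part of the original text: it parses an exported registry file for Internet Explorer's Internet zone and flags ActiveX and scripting actions that are set weaker than a baseline. The baseline values and the sample export are assumptions constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# URL-action IDs used by Internet Explorer security zones.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked safe",
    "1400": "Active scripting",
}
# Policy values: 0 = allow, 1 = prompt, 3 = disable (higher is stricter).
# Assumed baseline for this example; set it from your own risk acceptance.
BASELINE = {"1001": 1, "1004": 3, "1200": 1, "1201": 3, "1400": 1}

INTERNET_ZONE = r"internet settings\zones\3"  # zone 3 is the Internet zone
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def audit_zone(reg_text, baseline=BASELINE):
    """Return (id, description, found, required) per weak setting; found is None if unset."""
    in_zone, seen = False, {}
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A new key header: only values under the Internet zone key count.
            in_zone = line.rstrip("]").lower().endswith(INTERNET_ZONE)
        elif in_zone:
            m = DWORD.match(line)
            if m:
                seen[m.group(1).upper()] = int(m.group(2), 16)
    findings = []
    for action, required in sorted(baseline.items()):
        found = seen.get(action)
        if found is None or found < required:
            findings.append((action, ACTIONS[action], found, required))
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000
'''

if __name__ == "__main__":
    for action, desc, found, required in audit_zone(SAMPLE):
        print(f"{action} {desc}: found={found} required>={required}")
```

A value reported as unset means the export does not define it explicitly, so the effective setting on that machine still needs to be reviewed.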
In fact, every application installed on your machines that connects to the network in one way or another should be the object of specific research on how to remove known vulnerabilities. The same can be said of application software that is able to execute code in one form or another. One such example is the popular word processor Microsoft Word, which has the ability to execute macros (and was at the origin of a new breed of viruses). Once the risk factor associated with each standard application on your internal network machines has been identified, and the necessary changes have been thoroughly tested and approved, we can once again use Security Expression to deploy the configuration changes to existing machines.