The hidden costs of windows security for non profits

I will soon be helping to setup a large non profit windows network, and I wanted to get an idea of the troubles and costs I can expect.    If people want to argue the usual things like "macs also can be infected in theory" and "windows domination in business balances out security costs" then please start your own topic.

I'd like to start with some raw brainstorms:

- Nonprofits can't pay end user staff as well as for profit businesses.  Therefore the users are often less trained on network security and how to avoid virus tricks, etc

- Windows versions are often the dog and the extra security software is the tail that wags them.  If your virus software becomes updated, often your older computers, smaller memory, or older version of Windows is often left behind.

- More and more people are not doing calendars, email or other tasks on a laptops or desktops.  iPhones and other mobile devices are demoting the PC/Laptop to a word processor or Web Application Terminal,  things a less connected Linux computer can do.

- Security software is often two or more 3rd party applications.   One might need to install Norton Anti-virus, a network firewall appliance, and client software to avoid and remove spyware etc.   These applications are updated frequently and have stringent requirements for other aspects of your computer.

- Nonprofits can't pay IT staff very well and this means the change of staff must well document their actions and the new staff must be given time to make the transition.  

- It seems there are new viruses each day that can attack a windows computer even when the pc has 3rd party protection, and the user has limited access and is moderately trained on common virus tricks.   The most recent is when a USB stick with a virus can fool windows into thinking it is simply a folder with files to browse.  
http://news.bbc.co.uk/2/hi/technology/7842013.stm

- Non profits are often given very cheap or free software for security protection but later the costs go up as the free or reduced contract ends.  

Please add your own items that increase the cost of maintaining a windows network in regards to security.   Thanks,    Joe






 

The first couple of things that come to mind are in the design of the network and workstation.

1.  Limited accounts for the users, no administrator level for the staff  this prevents many of the bad things from being installed.  You may encounter resistance for 'restricting' the user's ability to do their job, but it will pay dividends in cleaner machines and in license compliance.

2.  Perimeter anti-virus protection.  Anti virus scanning on all email and Internet transfers (web, FTP etc.) at the gateway level keeps the bad stuff from ever reaching the desktop. 

3.  Look for the small footprint anti virus / security package for your desktops  AVG  - NOD32 - Kaspersky offer NPO discounts and have small footprint packages that can run on older hardware.  Plan the licensing term of the software to match the service life of the PC.  If the PCs will be in production for 5 years see if you can get a 5 year license on the AV software.  If you are using off lease 2 or 3 year old machines, then a 3 year term on the software would be fine.  That way the relicense fee can be bundled with the replacement hardware costs.

4.  If it is a large network consider firewalling segments of the network allowing only necessary traffic between PC segments.  Again like the perimeter protection, if a machine is going to be infected, limit the number of machines that the infection can impact. 

5.  Build the PCs on an image, allowing the PC to be rebuilt quickly in the event of an malware infection.  Establish a design that all user data is stored on the server, and use as common of a PC software configuration as possible.  Rather than trying to clean a machine, wipe the hard drive and reload the machine from the image library.

6.  User skill and training,  if you figure out the solution to this one let me know. 

Dave

Dave brings up a good point about deploying images of computers and segmenting the network to mitigate the spread of infections.  The cost of removing an infection can be very high.  However, the cost of deploying an imaging system can be high (at least in terms of your time) if the desktops in the windows network do not share common hardware.

I would add the damage to your ability to send email (if running your own email server) should your network be infected.  Your entire network segment from your ISP or all of your hosts in your DNS could be designated as a spam sender if your network(s) are infected.  That takes time and effort as well.

You stated:
- More and more people are not doing calendars, email or other tasks on a laptops or desktops.  iPhones and other mobile devices are demoting the PC/Laptop to a word processor or Web Application Terminal,  things a less connected Linux computer can do.

That is not bore out by the facts. Actually more people are using various products  (outllok, Thunderbird, etc) to keep track of their lives on a computer. They use programs like google and yahoo as an online sync service so that their friends can see it..

I agree with your point that windows security is a hidden cost that most people do not take under consideration. The question is; is it more expensive than a Mac enviroment (no) and or Linux enviroment (yes). Mac costs 40% more for the same machine and specialized (GIS, Research) software tends to costs more with less features. Linux cost less but the number of people who can repair a LInux box is very small and typically has a hiher hourly rate.

I love Linux and use it at home, Macs not so much. I prefer the freedom I get with Linux and Windows. Besides where are the great games that run on a Mac.

Wallydallas I have to agree with the posters above; there are generalizations in your post that may not be supported by facts - also you cannot simply isolate IT infrastructure and support costs to 'Windows security' at the expense of factoring all other costs - To begin, security embraces a heck of a lot more than just the possibility of a virus... How well do you authenticate and manage your userbase and password regimes? How effective is your physical security? What network switching layers and security are installed? How effective are your firewall and content management (email) systems? These are just starters, and of course none of this even begins to factor hardware costs and reliabilities; support and transitional aspects such as training, familiarization, suitability of purpose etc. etc. etc.

Securities provided by operating systems are just one small component of much larger costing issues... although it sounds like this NPO has already selected Windows (ie "I will soon be helping to setup a large non profit windows network"), so maybe the best approach is to bring with you, best-practice processes for working within this framework... 

Hey Mr./Ms. Dwelp.

Great advice on demoting most user logon accounts to "limited" in the control panel.  I forgot that tip, and that it costs IT staff time to walk from PC to PC and apply the fix of "limited" user accounts.    I hope MS will make that "limited" setting forced to be on in the next security updates.

Speaking of costs to keep windows alive...   Seems like Microsoft is a bit too late in closing a big security hole called AUTORUN, that forces your windows PC to run something without asking anytime you pop in a DVD, USB memory stick, USB camera ETc.   Those devices can all catch viruses and much worse than the swine flu, pass it from PC --> camera ---> PC.   Or just from PC to PC.

There are some other great reader comments to this article.  Some of them mine of course.

Great Chart too.

http://www.sfgate.com/cgi-bin/blogs/techchron/detail?entry_id=39417

 

Most of the non-profit IT workers that I know get paid pretty competitively. I think we are in an age where NPOs are realizing that good IT does not cost... but rather it pays. The IT talent is an investment that more and more organizations are realizing to be a good one.

Any operating environment is subject to weakness depending on the skill of the person administering it. Selecting of an OS should be based on the needs of the organization first and foremost. Then, regardless of the OS chosen, learn and implement safety and security.

It ain't rocket science.

Some newer and tougher viruses can't be detected by a computer.  You or another human must inspect the computer by looking at the screen and looking for clues.

The URL link below is one current way to check for one of these that is undetected on 1/2 million windows computers.

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

It costs a lot in staff time to check each windows computer by hand.  Mac and Linux are not affected by this extreme danger currently, and most likely in the future they won't be vulnerable in large numbers even if hackers target them.

 

 

wallydallas:

Great advice on demoting most user logon accounts to "limited" in the control panel.  I forgot that tip, and that it costs IT staff time to walk from PC to PC and apply the fix of "limited" user accounts.    I hope MS will make that "limited" setting forced to be on in the next security updates.

If I want to demote user logon accounts to limited, I don't have to go around computer to computer.  I just make a quick change in active directory. 

Speaking of costs to keep windows alive...   Seems like Microsoft is a bit too late in closing a big security hole called AUTORUN, that forces your windows PC to run something without asking anytime you pop in a DVD, USB memory stick, USB camera ETc.   Those devices can all catch viruses and much worse than the swine flu, pass it from PC --> camera ---> PC.   Or just from PC to PC.

 When I insert a DVD, USB stick, or USB digital camera on my Windows computer, it doesn't autorun, it asks me what I want to do.  Seems this "big security hole" has been patched for a long time. 

 

Now that I think about it.... I can't remember the last time my computer did an "autorun". I had forgotten that it ever did run automatically.

wallydallas:

Seems like Microsoft is a bit too late in closing a big security hole called AUTORUN, that forces your windows PC to run something without asking anytime you pop in a DVD, USB memory stick, USB camera ETc. 

Autorun isn't a "security hole", it's a basic computing function that's been around for years. If you want to turn it off, just turn it off - you can do it for individual computers or for all by group policy... to turn it off on a single computer:

Start > Run. Type gpedit.msc and click OK > double-click Administrative Templates. In the right pane double-click System and scroll down the list. Double-click Turn Off Autoplay

In the "Turn Off Autoplay" Properties window, select Enabled. From the dropdown next to Turn Off Autoplay on, select All drives and then click OK. Exit.

I think this is one of those times where administrators need to take a bit of responsibility for the computers they look after... We can't blame MS for every poor administrative practice.

Actually wallydallas is correct about the AUTORUN security hole.  If you want to listen in detail about it, I direct you to [ Secuirty Now Episode #187 ].  Its over an hour long, but there are links to the show notes if you'd prefer to browse them.  They never properly fixed Autorun prior to [ MS KB967715 ].  According to Microsoft:

The updates that this article describes fix a problem with the disable Autorun feature. Without these updates, Autorun for a network drive cannot be disabled. Also, the shortcut menu and double-click functionality of Autorun were not disabled even if the steps that were previously provided were followed. This problem is fixed by the updates described in this article.

The update is distributed through Automatic Updates - but that only allows for you to set the proper values in the registry.  So users would have to then go in and modify the registry to truly turn off AUTORUN.  This unfortunately assisted in the spread of many malware products.

I urge you to listen to the Security Now Podcast.  It goes into greater detail than the MS KB article and talks about how truly problematic that security hole was.

Hi Chris,

I guess to put this in context for NPO's, the update you are talking about was released by MS as an automatic update back in February - anyone with automatic updates enabled would already have it (if they don't, they have bigger problems than just autorun!). This followed the patch that previously negated Conflicker back in Oct 08 (by disabling the autorun feature exploited by conflicker). 

Also, you don't need to manually edit the registry unless you are running XP Home Edition (which hopefully most NPO's are not running!) - You can disable autorun in XP Pro, Windows 2K, 2K3, 2K8 and Vista by the simple policy changes I outlined above (noting it's a little different for Server 2K8 and Vista).

With regard to defining "Security holes" - yes autorun was exploited by the Conflicker worm (and a few notable others); but also yes, anyone who patched their Windows computer after Oct 08 was protected against the worm. The "security hole" was patched, albeit other means of exploiting operating systems are always being discovered.

The best advice for NPO's is to be vigilant, but not paranoid to the extent you become frightened to turn your computer on - Make sure automatic updates are enabled and your virus scanner is up to date - don't allow people to visit hackware or porn sites on your computers, be aware that email attachments can contain threats; don't let people install software on your machines without your approval... just follow good housekeeping and you will be OK.

For most people autorun is now a non event.

Cheers, Don

The problem here is that the security update was silent.  Anything you've set in the past that you thought had already protected you by disabling autorun doesn't apply to the new update - you have to still go back and make a setting change again after the update was done.  It didn't look at your old setting (that didn't work) and assume anything.

Your advice on how to approach security threats is good : vigilance over paranoia.  However, the purpose of my posting was to let people know that if you thought you'd turned off autorun say prior to February - even after the patch its not turned on.  You have to go back in and make the change.  You also didn't listen ot the Security Now podcast, I gather, where they indicate that the security update KB article tells you all you need to do is make the GPO setting, but that it doesn't actually work properly - still.  That you should go in and explicity set the hex registry key to FF to completely disable autorun everywhere, in the Local Machine (HKLM) and the Current User (HKCU) settings of the registry.

I completely disagree with your statement that for now autorun is a non event for anyone running Windows as a desktop.