Many of the security concerns that I deal with or readers inquire about involve user Internet access. Few systems administrators have the luxury of being able to cut off users' Internet access, despite the many problems that improper use of the Internet can cause. However, taking the following steps can make securing your users' Internet behavior a little easier.
Standardize, Standardize, Standardize
It would be easy for me to recommend that you standardize on the client OS for every computer. However, implementing such a recommendation is impractical for most companies for many reasons. The best you can hope for is to standardize on the application set (although even this degree of standardization presents problems, most notably Microsoft's lack of interest in supporting old versions of its own software).
The one element you absolutely should standardize across all your Microsoft clients is the Web browser. Microsoft releases too many patches and security fixes for you to keep track of multiple browser versions and the patches each one needs to stay secure. By upgrading all clients to the current version of Microsoft Internet Explorer (IE), you can minimize Web-browsing-induced headaches. A crucial benefit of this approach is that Microsoft's turnaround time for security patches and bug fixes for the current version of IE is much faster than it is for downlevel versions. Also, the IE home page has direct links to the latest security fixes and patches for the current version of IE (http://www.microsoft.com/windows/ie/default.asp).
Configure Your Network for Port Blocking
One thing that continues to surprise me when I talk to many systems administrators is their lack of networking knowledge. Despite the networking component of their responsibilities (and of the various certification programs), many systems administrators don't really consider networking to be part of their jobs. The primary reason for this perception is a certain "separation of church and state" in the IT world: Systems administrators deal with computer hardware and software; network administrators deal with networking concerns and rarely get directly involved with end-user computer problems that aren't related to network performance. The systems administrators deal with applications and content; the network administrators deal with the plumbing.
When I write about security problems involving client computers accessing the Internet, I get a barrage of email from readers telling me that the answer to those problems is port blocking at the firewall or router. When I write about using port blocking as a security technique, an equal number of readers ask either, "What's port blocking?" or "How do I do that?" Other readers tell me that if they block ports, they disable applications for the entire network, although they're trying to secure only a small part of the network environment.
The response that bothers me the most is "What's port blocking?" All systems administrators worth their paycheck need to understand how applications and devices communicate across their network. I usually suggest that these readers pick up one of the network architecture or TCP/IP books available at their local bookstore.
The "How do I do that?" contingent is probably the most numerous. These folks are seriously interested in finding ways to secure their applications and systems. In most cases, however, they don't have control over their firewalls or routers, so they can't block specific ports without installing a personal firewall on every computer, which introduces a whole new set of problems. However, port blocking can still be an effective technique for securing client machines, and systems administrators need to know enough about the technique to identify and suggest a solution to specific client security problems even if they're not responsible for implementing the solution. To use port blocking with the greatest flexibility, you need to configure your network so that a block can be scoped to the hosts it is meant for rather than to everyone behind the firewall. The simplest way to do this is to segment your network, either physically or virtually (if your switching equipment supports VLANs). You can then implement port blocking (as well as other network-traffic controls) on only the network segments that you want to affect.
With physical segmenting, you'll most likely be segregating portions of the network by geographical location (e.g., everybody on the east side of the third floor). The drawback of physical segmenting is that it might not correspond to your departmental organization. In contrast, virtual networking (VLANs) is usually controllable down to the individual switch port (i.e., the physical ports on the switch, not the TCP/IP ports that we refer to when we talk about port blocking), which means that you can group users by any arbitrary set of criteria. For example, you can identify users who aren't allowed to use AOL Instant Messenger (AIM), put their switch ports in a VLAN of their own, then block the port that AIM uses for only that VLAN.
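The segment-scoped blocking described above, as an added example that is not code from the article: a small first-match access list of the kind a router or firewall applies to traffic leaving each VLAN, evaluated against constructed sample packets. The subnets, rule set and packets are made up for the illustration, and the AIM port (TCP 5190, the OSCAR login default) is an assumption rather than something the article states. The `affected_segments` check is the one to run before deploying a deny rule, because a rule with no source scope is exactly the "disables the application for the entire network" problem readers describe.

```python
"""Segment-scoped port blocking, modelled as a first-match ACL.

Added example, not from the article. Simulates an access list applied to
traffic leaving each network segment (VLAN), so a block can be scoped to
one group of users instead of the whole network. Segment addresses, rules
and packets are constructed; the AIM port is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "deny" or "permit"
    src: IPv4Network       # segment the rule applies to (0.0.0.0/0 = everyone)
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port
    note: str = ""


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    proto: str
    dport: int


# Constructed topology: two VLANs, each with its own subnet.
SEGMENTS: Dict[str, IPv4Network] = {
    "sales": ip_network("10.1.10.0/24"),
    "engineering": ip_network("10.1.20.0/24"),
}

AIM_PORT = 5190  # assumption: AIM's default (OSCAR) login port

# Block AIM for the sales VLAN only; everything else falls through to the default.
ACL: List[Rule] = [
    Rule("deny", SEGMENTS["sales"], "tcp", AIM_PORT, "no AIM in sales"),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet is covered by the rule's source, protocol and port."""
    return (pkt.src in rule.src
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet, default: str = "permit") -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action, rule.note
    return default, "default"


def affected_segments(rule: Rule, segments: Dict[str, IPv4Network]) -> List[str]:
    """Names of every segment the rule's source range overlaps."""
    return sorted(name for name, net in segments.items() if rule.src.overlaps(net))


def overbroad_rules(acl: List[Rule], segments: Dict[str, IPv4Network]) -> List[Rule]:
    """Deny rules that hit every segment, i.e. would disable the app network-wide."""
    return [r for r in acl
            if r.action == "deny" and len(affected_segments(r, segments)) == len(segments)]


if __name__ == "__main__":
    samples = [
        Packet(ip_address("10.1.10.25"), "tcp", AIM_PORT),  # sales -> AIM: deny
        Packet(ip_address("10.1.20.25"), "tcp", AIM_PORT),  # engineering -> AIM: permit
        Packet(ip_address("10.1.10.25"), "tcp", 80),        # sales -> web: permit
    ]
    for pkt in samples:
        print(pkt.src, pkt.proto, pkt.dport, "->", evaluate(ACL, pkt))
    # The mistake readers describe: a deny with no source scope blocks everybody.
    careless = Rule("deny", ip_network("0.0.0.0/0"), "tcp", AIM_PORT, "AIM for everyone")
    print("careless rule touches:", affected_segments(careless, SEGMENTS))
    print("over-broad rules:", [r.note for r in overbroad_rules(ACL + [careless], SEGMENTS)])
```

Two caveats apply when you translate this to real equipment. The rule has to sit where the segment's traffic actually passes (the VLAN's router interface or the firewall), and the source scope must be the segment's subnet, not "any". And port blocking only stops the port the application uses by default; many instant-messaging clients, AIM included, fall back to port 80 or 443 when their usual port is closed, so a port block is a deterrent for casual use rather than a guarantee.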
The most common techniques I recommend for securing the Internet behavior of client computers involve group and local policies. Without question, this is where you need to start when you decide to put Internet restrictions in place, especially if you're already using policies to provide other types of controls on end-user computers.
The only downside to using Group Policy is having to contend with different OSs. Windows XP expands on the policy-control abilities in Windows 2000, and neither has much in common with the various incarnations of Windows 9x, which don't process Group Policy at all and rely on the older System Policy (.pol) files instead. Lately, I've been looking at the security policies available in XP, and I'm impressed with the detailed level of control available. (Unfortunately, when I tell people what they can do with XP, the most common response is usually, "How do I do that on Win2K?" or "How do I do that on Win9x?")
When you're managing multiple OSs, you need to either work with the lowest common denominator or create different policies for each OS version. If you choose to implement or expand the use of security policy controls on your client systems, you should create policies that take advantage of the security settings for each specific OS. Finer granularity of control means a more satisfying end-user experience.
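Whichever mix of policies you end up with, you want a way to confirm that a client actually matches the standard: the IE version you settled on earlier and the Internet-zone restrictions your policies are supposed to enforce. The following is an added example, not code from the article. It compares a client's IE version and Internet-zone values against a constructed baseline; the zone value names ("1001", "1004", and so on) and the 0/1/3 = enable/prompt/disable encoding are Microsoft's documented registry layout for IE security zones, where `Zones\3` is the Internet zone, but verify them against the IE version you standardize on. The comparison functions take plain dicts, so they run offline against exported settings; the live registry read is only attempted on Windows.

```python
"""Audit a client's IE version and Internet-zone lockdown against a standard.

Added example, not from the article. Zone value names and the 0/1/3
(enable/prompt/disable) encoding follow Microsoft's documented registry
layout for IE security zones; confirm them for the IE version you deploy.
"""
import sys
from typing import Dict, List, Optional, Tuple

IE_KEY = r"SOFTWARE\Microsoft\Internet Explorer"
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3   # lower value = more permissive

# Constructed baseline: the Internet-zone settings every client should have.
BASELINE: Dict[str, int] = {
    "1001": PROMPT,   # Download signed ActiveX controls
    "1004": DISABLE,  # Download unsigned ActiveX controls
    "1200": PROMPT,   # Run ActiveX controls and plug-ins
    "1201": DISABLE,  # Initialize and script ActiveX controls not marked as safe
    "1400": ENABLE,   # Active scripting
    "1803": ENABLE,   # File download
}


def version_tuple(version: str, parts: int) -> Tuple[int, ...]:
    """Leading numeric components of a dotted version, zero-padded to `parts`."""
    nums = [int(p) for p in version.split(".")[:parts]]
    nums += [0] * (parts - len(nums))
    return tuple(nums)


def version_ok(actual: str, required: str) -> bool:
    """True if the client runs at least the standardized IE version."""
    n = len(required.split("."))
    return version_tuple(actual, n) >= version_tuple(required, n)


def audit_zone(actual: Dict[str, int], baseline: Dict[str, int]) -> List[str]:
    """Zone settings that are missing or more permissive than the baseline."""
    findings = []
    for name, wanted in baseline.items():
        value = actual.get(name)
        if value is None or value < wanted:
            findings.append(name)
    return sorted(findings)


def read_live_settings() -> Optional[Tuple[str, Dict[str, int]]]:
    """On Windows, read the IE version and the current user's Internet-zone values."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IE_KEY) as key:
        try:
            version = winreg.QueryValueEx(key, "svcVersion")[0]  # IE 10+ keeps the real version here
        except FileNotFoundError:
            version = winreg.QueryValueEx(key, "Version")[0]
    zone: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in BASELINE:
            try:
                zone[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # missing value: IE's built-in default applies, reported as a finding
    return version, zone


if __name__ == "__main__":
    live = read_live_settings()
    if live is None:
        # Constructed sample: an IE 5.5 client that still runs ActiveX without prompting.
        live = ("5.50.4807.2300", {"1001": PROMPT, "1004": DISABLE, "1200": ENABLE,
                                   "1201": DISABLE, "1400": ENABLE, "1803": ENABLE})
    version, zone = live
    print("IE", version, "meets the 6.0 standard:", version_ok(version, "6.0"))
    print("zone settings more permissive than baseline:", audit_zone(zone, BASELINE))
```

Per-OS policy variants fit naturally here: keep one baseline dict per OS version (or per the lowest common denominator) and select it from the client's OS before calling `audit_zone`, so the check tests what the policy for that platform can actually enforce rather than what you wish it could.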