Q: What are your top recommendations for workstation security?

A: You need to address four basic risks in regard to workstation security. First, you must protect company information on the workstation from disclosure to someone who gains physical access to the computer, typically after it is lost or stolen. Second, you want to prevent the workstation from becoming infected with malware, which can wreak havoc on the workstation as well as your network and expose confidential information. Third, you need to protect the workstation from the end user, who might disable security settings or install unauthorized software, both of which could expose the computer to the problems I previously mentioned, as well as expose the company to legal liability associated with software license violations. Finally, you need to protect against network attacks where an intruder on the network actively breaks into the workstation through an open port or insecure application.

To address the first risk (i.e., the disclosure of confidential information through physical access), the most important thing you must do is encrypt the workstation’s hard disk drive using Vista's BitLocker drive encryption or a third-party disk encryption solution. You also need to ensure that the computer automatically locks the console if left unattended.

To address the second risk (i.e., malware), you must keep the workstation patched with all OS and application security patches as they're released. You can automatically patch Microsoft products using Windows Server Update Services (WSUS). You also need to train users on basic best practices associated with safely browsing the Web and how to recognize email messages that attempt to trick the user into opening a malicious file or following a link to a malicious or compromised Web site.

Addressing the third risk (i.e., the end user) requires a variety of measures because there are so many ways users can access unauthorized software and reconfigure their system. First, you can use Group Policy to enforce security settings and restrictions and prevent end users from overriding them. For example, you can easily configure a password-protected screen saver with Group Policy and then hide the Screen Saver tab to prevent the user from disabling the screen saver. You can also lock down the user’s ability to install applications, run OS commands, and access the registry. But be aware that the tighter you lock down a workstation, the more likely you are to cause increased support calls and complaints from end users trying to do their work.

To address the fourth risk (i.e., network attacks), you simply need to enable Windows Firewall and minimize any exceptions that allow inbound connections to the workstation.
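As an added example (not part of the original column), the following PowerShell audit checks a workstation against the four controls described above: BitLocker and a password-protected screen saver, WSUS-delivered patching, policy-enforced user restrictions, and Windows Firewall. It assumes Windows 8/Server 2012 or later for the Get-BitLockerVolume and Get-NetFirewallProfile cmdlets, an elevated session, and a 15-minute screen saver timeout as the locally chosen threshold.

```powershell
# Added workstation audit script; not from the original column.
# Assumes Windows 8+ (BitLocker and NetSecurity modules) and an elevated PowerShell session.
$findings = @()

# Risk 1: physical access -> full-disk encryption and an automatic, password-protected console lock
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') {
    $findings += "System drive $($env:SystemDrive) is not protected by BitLocker (status: $($os.ProtectionStatus))"
}
$ssPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'   # Group Policy location
$ssUser   = 'HKCU:\Control Panel\Desktop'                                        # user-settable fallback
$ss = if (Test-Path $ssPolicy) { Get-ItemProperty $ssPolicy } else { Get-ItemProperty $ssUser }
if ($ss.ScreenSaveActive -ne '1' -or $ss.ScreenSaverIsSecure -ne '1') {
    $findings += 'Screen saver is not active or does not require a password on resume'
} elseif ([int]$ss.ScreenSaveTimeOut -gt 900) {   # 15-minute limit is an assumed local threshold
    $findings += "Screen saver timeout is $($ss.ScreenSaveTimeOut)s (longer than 15 minutes)"
}

# Risk 2: malware -> OS and application patches delivered automatically from WSUS
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $wu) -or -not (Get-ItemProperty $wu).WUServer) {
    $findings += 'No WSUS server configured via policy (WUServer value missing)'
}

# Risk 3: end user -> Group Policy restrictions actually applied to this user
# (Screen Saver tab hidden so the screen saver cannot be disabled; registry tools disabled)
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (-not (Test-Path $sys) -or (Get-ItemProperty $sys).NoDispScrSavPage -ne 1) {
    $findings += 'Screen Saver tab is not hidden; the user can disable the screen saver'
}
if (-not (Test-Path $sys) -or (Get-ItemProperty $sys).DisableRegistryTools -ne 1) {
    $findings += 'Registry editing tools are not disabled for this user'
}

# Risk 4: network attacks -> Windows Firewall on for every profile, inbound blocked by default
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile $($p.Name): Enabled=$($p.Enabled), DefaultInboundAction=$($p.DefaultInboundAction)"
    }
}

if ($findings.Count -eq 0) { 'All four workstation controls are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each finding maps back to one of the four risks, so the output doubles as a checklist for the Group Policy settings that should be enforcing the control.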