Some applications are a lot more dangerous to a system's security than others. In particular, any application that contains an execution environment, like Java, a web browser, or a macro-enabled office program represents special security challenges and should be specifically addressed in your security policy.
application
Software that allows users to perform their work, as opposed to software used to manage systems, entertain, or perform other utility functions. Applications are the reason that systems are implemented.
execution environment
A portion of an application that interprets codes and carries out actions on the computer host irrespective of the scope or security context of the application.
Java
A cross-platform execution environment developed by Sun Microsystems that allows the same program to be executed across many different operating systems. Java applets can be delivered automatically from web servers to browsers and executed within the web browser's security context.
macro
What is an execution environment? Quite simply, it's any system that interprets codes and carries out actions on the computer host outside the scope of the interpreting program. What makes that different from, say, codes in a word processing document is that word processing codes only affect the activity of the word processor: they merely indicate how text should be displayed according to a very limited set of possibilities. When the set of possibilities is as wide as a programming language, then you have an execution environment to be feared.
Office Documents
Viruses require an execution environment in order to propagate. A word processor document alone cannot spread viruses. But if you add a programming language to the word processing program, like say Visual Basic, you create an execution environment that can spread viruses. Microsoft has virus-enabled all of their Office applications: Excel, Word, PowerPoint, Outlook, Access, Project, and Visio all contain Visual Basic and can all act as hosts for viruses. Outlook (and its feature-disabled cousin Outlook Express) is especially dangerous because it can automatically e-mail viruses to everyone you know.
Disable macro execution in all Office programs. Unless your company's work is the processing of documents (like my publisher's is, for example) there's little reason why you should rely on macros in Office. If you really think you need macros, you probably need an office automation system way beyond what Microsoft Office is really going to do for you anyway.
E-mail Security & Policy
E-mail is not secure. The best e-mail policy is simply to make certain that everyone knows that. If a user receives a strange request from someone, instruct them to phone the sender to verify the request and to make sure that it's not a forged e-mail.
E-mailing attachments is extremely dangerous. E-mail viruses and Trojan horses are spread primarily through e-mail attachments. Without attachments or executable environments embedded in mail programs, e-mail would not be a significant security threat.
attachment
A file inserted into an e-mail.
Note E-mailing attachments within the boundaries of a single facility is always the wrong way to work, anyway. It creates uncontrolled versions of documents, eliminates document permissions, and creates an extreme load on e-mail servers, local e-mail storage, and the network. Teach users to e-mail links to documents rather than the documents themselves to solve all of these problems.
Get rid of Microsoft Outlook and Outlook Express, if possible. These two programs are the platform for every automatic e-mail virus to date. No other e-mail software is written with as little security in mind as these two, and their ease-of-use translates to ease-of-misuse for most users. If you can't get rid of Outlook, set your servers up to strip inbound and outbound attachments. Attachments of particular concern are executables, such as .exe, .cmd, .com, .bat, .scr, .js, .vb, and .pif.
Web Browsing Security & Policy
There are four major web browser security problems:
1. The downloading of executable programs that are actually Trojan horses or viruses.
2. Connecting to executable content like ActiveX or Java controls that can exploit the local system (this is actually a subset of problem #1).
ActiveX
An execution environment for the Microsoft Internet Explorer web browser and applications that allow code to be delivered over the Internet and executed on the local machine.
3. Bugs in web browsers can sometimes be exploited to gain access to a computer.
4. Web browsers may automate the transmission of your network password to a web server.
In theory, Java is supposed to be limited to a security sandbox environment that cannot reach the executing host. Unfortunately, this limitation is an artificial boundary that has been punched through many times by various exploits, all of which have been patched by Sun as they were found. But because the limitation is not inherent, more vulnerabilities will certainly be found.
sandbox
An execution environment that does not allow accesses outside itself, and so cannot be exploited to cause problems on the host system.
Note ActiveX is like Java minus any serious attempt to implement security. ActiveX controls are native computer programs designed to be plugged into the web browser and executed on demand: they are web browser plug-ins (modules) that download and execute automatically. There are no restrictions on the actions that an ActiveX control can take.
Microsoft's attempt at security for ActiveX controls is called content signing, where digital signatures affirm that the code hasn't been modified between the provider and you. It does not indicate that the code is secure or that the writers aren't modifying your computer settings or uploading information from your computer. The theory goes like this: if the ActiveX control is signed, if you trust the signing authority, if you trust the motivation of the code provider, and if you trust that they don't have any bugs in their code, go ahead and download. In practice, that chain of conditions is far too tenuous to make any sense in the real world, and most people have no idea what it means anyway, or how they would validate the signing authority even if they did know what it meant.
content signing
The process of embedding a hash in a document or executable code to prove that the content has not been modified, and to identify with certainty the author of the content.
These problems are relatively easy to mitigate with a content-inspecting firewall or proxy server. Configure your firewall or proxy to strip ActiveX, Java, and executable attachments (including those embedded in zip files). This will prevent users from accidentally downloading dangerous content. Avoid using services that rely on these inherently unsafe practices in order to operate.
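The attachment-stripping rule above (the executable extensions listed in the e-mail policy, plus the caveat that executables hide inside zip files) can be implemented as a filter on the mail server or proxy. The following is an added example, not code from the original text: it parses a message with Python's standard library, applies the page's extension list, and opens zip attachments (to a bounded nesting depth) so a wrapped executable is still caught. The sample message and its contents are constructed inline.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types the text singles out as being of particular concern.
DANGEROUS_EXTENSIONS = {".exe", ".cmd", ".com", ".bat", ".scr", ".js", ".vb", ".pif"}
MAX_ZIP_DEPTH = 3  # bound on nested archives, so a zip-of-zips cannot recurse forever

def dangerous_names(filename, data, depth=0):
    """Return paths of dangerous files in one attachment, looking inside zip files."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in DANGEROUS_EXTENSIONS:
        return [filename]
    if ext != ".zip" or depth >= MAX_ZIP_DEPTH:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            hits = []
            for info in zf.infolist():
                # only read a member's bytes when it is itself a zip that must be opened
                inner = zf.read(info) if info.filename.lower().endswith(".zip") else b""
                hits += [f"{filename}/{n}" for n in dangerous_names(info.filename, inner, depth + 1)]
            return hits
    except zipfile.BadZipFile:
        return [f"{filename} (unreadable zip)"]  # cannot inspect it, so treat it as suspect

def scan_message(raw):
    """Parse a raw message and list every dangerous attachment path, for stripping."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        hits += dangerous_names(part.get_filename() or "", payload)
    return hits

def build_sample():
    """Constructed sample message: a harmless PDF plus a zip hiding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf.exe", b"MZ constructed, not a real executable")
        zf.writestr("notes.txt", b"plain text")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Files"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="quarterly.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="files.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))  # ['files.zip/report.pdf.exe']
```

A production filter would replace or quarantine each reported part rather than merely listing it; the extension check is deliberately case-insensitive because Windows ignores case when deciding what to execute.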
The automatic password problem is a lot more sinister. Microsoft Internet Explorer will automatically transmit your network account name and a hash of your password to any server that is configured to require Windows Challenge and Response as its authentication method. This hash can be cracked offline to recover your actual network password. Be sure to configure Internet Explorer's security settings to prevent this, or use Netscape Navigator instead of Internet Explorer to decouple the web browser from the operating system.