Common wisdom holds that server security is far more critical than workstation security. After all, a security problem in a server can affect thousands of users or even an entire organization, while an insecure workstation directly impacts just one user. Right?
Wrong. A security problem on any workstation connected to your network can cause widespread damage — and in fact most data breaches result from such problems. Verizon's 2016 Data Breach Investigative Report, for example, found that 63 percent of data breaches involved the use of weak, default or stolen user credentials. Malware, phishing and keyloggers were the next most common attack methods, Windows security expert Randy Franklin Smith concurs, noting that “all of the biggest breaches in recent times have started with a compromised workstation — not a server.”
The takeaway is clear: Workstation security is every bit as critical to your organization as server security. (Note that I’m using the word “workstation” here to mean not just desktops but all non-server Windows computers, so we’re talking about endpoint security broadly, including laptop security, tablet security and mobile security.)
Key security differences between servers and workstations
But how can this be? Even though servers and workstations run essentially the same Windows operating system, securing workstations is very different than servers — and often it’s actually far more complex. The key differences that impact security include:
- Servers run mostly unattended background services, while workstations are far more interactive.
- Servers are usually housed in secure areas, but workstations lack this physical security. The mobility of laptops and tablets further increases the risk of the device being compromised.
- Workstations have much more interaction with untrusted websites and parsing of internet content, raising a host of internet security concerns.
- Servers are accessed only by trusted administrators. Employees using workstations are often less security-conscious and less technically savvy.
- Far more applications are installed on workstations than on servers, increasing the attack surface.
- Server inventory is small and static in comparison to the sheer number of workstations and how they come and go on the network.
Workstation security requires protecting users from themselves
More broadly, securing Windows servers is primarily about reducing attack surface and keeping remote users from accessing resources and services other than those they are authorized to use. Since trusted administrators are the only ones logging on interactively, and even they do so only for specific administrative tasks, interactive security is much less of an issue on most servers.
Hardening workstations, on the other hand, is very much about protecting end users from themselves. Of course, a key part of your organization’s workstation security strategy must be effective and continuous user training. However, the details and scheduling of that training is likely beyond your control. And in any case, even the best training is insufficient — IT security professionals have to accept that users will make mistakes. They will fall for phishing attacks, reuse easy-to-guess passwords, leave their workstations unattended, plead the expediency of downloading an unapproved application they need to meet a critical deadline, and so on.
Therefore, you need to use every strategy at your disposal to secure your user workstations.
Learn about the most important controls for ensuring workstation security
What are those strategies? We asked the aforementioned Randy Franklin Smith, who’s an expert on Windows security essentials. You can learn all about the top controls he recommends implementing on workstations in the free webinar Top 12 Workstation Security Controls. Smith built this list of controls based on his experience from his extensive IT audit/assessment practice, along with his research and knowledge of common desktop security standards such the Federal Desktop Core Configuration (now USGCB). Here are the 12 topics you’ll learn about in the webinar:
- BIOS security
- Controlling local accounts
- Controlling unattended workstations
- Patch security
- Tracking new programs
- Internet Explorer security configuration
- Security settings in other apps
- Network, firewall and remote access
- Certificate authorities
You’ll also learn how KACE system management appliances can automatically discover and manage all the systems on your network — automating the otherwise laborious and error-prone work of securing workstations. The recorded webinar is available for you to watch at your convenience.