Workstation Security

Assuming the goal is the best possible workstation security, a number of configuration settings, restrictions of use
and security applications are needed, if the workstation is to be connected to the Internet - and this is the case
for most corporate workstations (or PCs) today.

Patching - Important?
MOTIVATION: 95% of (KNOWN) malware CANNOT run on fully patched systems.
That means, however, that not only the operating system must be fully updated,
but of course also all other applications that you might have installed.
 
Defragmentation - relevant or not?
Finally a good article at OverClockers.com regarding the benefits of defragmentation.
TollhouseFrank documents the benefits in: "Realities of Hard Drive Fragmentation"
This confirms our own observations, but the Internet is full of articles about defragmentation,
often stating that it is not worth the effort, etc. That should be cleared up now.
Remember: high (or best possible) availability is also a security element...
 
Intel V-Pro - compromising workstation security?
On TG Daily, Rick C. Hodgin expressed an opinion regarding Intel's V-Pro as an out-of-band monitoring technology.
The conclusion is that, while there are no actual examples of covert use, this is possible and feasible.
See more at: "Big Brother potentially exists right now in our PCs, compliments of Intel's vPro"
 
Microsoft's Defender is no longer a very valuable addition to workstation security.
It consistently scores in the low 40s when measured by Spyware Labs.
It should be used only if there is no intention to install a stronger, commercial alternative.
It can be used as an optional extra, if you want to spend the capacity/electricity/CPU cycles on it.
 
Workstation security today
The first requirement is a fully updated/patched operating system AND applications, especially Microsoft Office.
Secondly, a solid software firewall - the market leader being ZoneAlarm PRO with component control activated.
Thirdly, a strong anti-spyware application is also mandated. Through the advent of the Anti-Spyware Coalition,
there is hope for a standardized and thorough testing regime, which will, hopefully, ensure that products are
tested against the most comprehensive threat collection and documented according to formalized guidelines.
See more at:
 

 
Workstation (Windows) optimization - Availability improvement:
Microsoft KB314482 documents the official position on optimizing the page file, and is Microsoft's own
recommendation. Bottom line:
- Place the main part of the page file on a separate drive (preferably a high-performance partition)
- Ensure that a small part of the page file (e.g. 256 MB) is also present on the installation drive
  (typically the C: drive). Otherwise you will not be able to preserve system dumps - that's the way it is.
- Set the file size to 1.5 times the RAM installed + 2 MB.
- Set the size of the page file as FIXED, e.g. 2050 - 2050 if you are using 1.5 GB RAM.
The resulting performance increase can amount to up to 20% - for free, but requires at least two HDDs,
of course. This applies to Windows XP and Vista, and most likely also to Windows 7 - trial pending.
 
CACHE Tweak - Availability improvement: (28-07-2004)
Enter REGEDIT, and go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\SecondLevelDataCache
Decimal 256, 512 or 1024 (as appropriate to the processor installed)
Performance increased by around 10% when measured using SiSoft SANDRA (on both an AMD Opteron 275 with
1024KB per core and a classic AMD Thunderbird Slot A with 256KB)

Interestingly, Microsoft has admitted that they never set any value in this field (it is zero by default).
So the past years' discussion about the blessings of increased L2 cache has certainly had little, if any,
effect on Windows 2000 or XP until mid 2004.
 

While you're at it, why not take a look at extending Windows system cache - Availability Improvement:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache
Default value is "0". If changed to "1", Windows (2000, XP or Vista) will use more memory, keeping relevant data
available in system RAM. Benefit: faster performance, especially when using several applications.
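
A read-only PowerShell audit of the three settings above (page file layout, SecondLevelDataCache, LargeSystemCache), added here as an example and not part of the original page. It assumes PowerShell 3.0 or later and reads the page file entries from the PagingFiles value of the same Memory Management key, a value the page itself does not name.

```powershell
# Added example: read-only audit, changes nothing. Assumes PowerShell 3.0+.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mm  = Get-ItemProperty -Path $key

# PagingFiles is REG_MULTI_SZ; each entry is "<path> <initial MB> <maximum MB>".
# A missing size or "0 0" means Windows manages the size itself.
$files = @(foreach ($entry in $mm.PagingFiles) {
    if ($entry -match '^(?<path>.{2,}?)(\s+(?<init>\d+)\s+(?<max>\d+))?\s*$') {
        [pscustomobject]@{
            Drive  = $Matches['path'].Substring(0, 2).ToUpper()
            InitMB = [int]$Matches['init']   # 0 when no size is given
            MaxMB  = [int]$Matches['max']
        }
    }
})

# Page's sizing rule: 1.5 x installed RAM + 2 MB.
$ramMB    = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$targetMB = [math]::Round(1.5 * $ramMB) + 2
$sysDrive = $env:SystemDrive.ToUpper()

# "?:" is the placeholder Windows uses when it picks the drive itself.
$onSystem = @($files | Where-Object { $_.Drive -eq $sysDrive })
$onOther  = @($files | Where-Object { $_.Drive -ne $sysDrive -and $_.Drive -ne '?:' })
$notFixed = @($files | Where-Object { $_.InitMB -eq 0 -or $_.InitMB -ne $_.MaxMB })
$sizes    = ($files | ForEach-Object { '{0} {1}-{2}' -f $_.Drive, $_.InitMB, $_.MaxMB }) -join '; '

@(
    [pscustomobject]@{ Check = 'SecondLevelDataCache'
                       Current = $mm.SecondLevelDataCache
                       Recommended = '256, 512 or 1024 (decimal, per CPU)' }
    [pscustomobject]@{ Check = 'LargeSystemCache'
                       Current = $mm.LargeSystemCache
                       Recommended = '1' }
    [pscustomobject]@{ Check = "Page file on $sysDrive (needed for system dumps)"
                       Current = ($onSystem.Count -gt 0)
                       Recommended = 'True (small part, e.g. 256 MB)' }
    [pscustomobject]@{ Check = 'Page file on a separate drive'
                       Current = ($onOther.Count -gt 0)
                       Recommended = 'True (main part)' }
    [pscustomobject]@{ Check = 'All page files fixed size'
                       Current = ($files.Count -gt 0 -and $notFixed.Count -eq 0)
                       Recommended = 'True (initial = maximum)' }
    [pscustomobject]@{ Check = 'Configured sizes (MB)'
                       Current = $sizes
                       Recommended = "1.5 x RAM + 2 = $targetMB" }
) | Format-Table -AutoSize -Wrap
```

An empty Current column for SecondLevelDataCache or LargeSystemCache means the value is not present in the registry.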

         
Copyright © 2005 - 2010 StealthSecure.net
Last modified: 01/02/10