Hardening a financially critical Windows computer
One of the risks to small and medium businesses is losing your bank credentials to bad guys by use of a key logger or other malware as Bruce Schneier blogs about. A particular threat is real-time key loggers as described in the NY Times. The bottom line is that with commercial bank login information, bad guys can wire money out of your accounts and there may be no recourse. Commercial bank account logins are truly the keys to the kingdom.
I’ve decided to substantially increase the security on the machines where these bank credentials are used. My standard security recommendations are Windows XP SP3 with patches being applied automatically nightly. Virus protection is on (we generally use ESET). Users are Limited users; they can’t add software. Software restrictions prevent the user from accidentally or deliberately downloading software and running it out of their user directory. We use IE8 because of the ease of managing it in an Active Directory environment, but I recognize this as a potential weakness. Unfortunately, the most likely vector of a zero-day exploit is Flash or Acrobat, both of which we use.
Security is always a tradeoff of convenience versus safety, so answers and suggestions should give pros and cons. I’m going to answer with a few suggestions, so you can see where my thoughts are going.
You could set up another PC with Linux/BSD on it that is only used for accessing the bank web site. If you really wanted to get paranoid you could put it on its own dedicated Internet connection and not have anything else connected to it on the regular network. This gives you benefits similar to dual boot while still keeping the Windows PC available for other tasks. The downside is additional hardware/software to maintain. There's always the possibility that some nefarious employee could put an inline hardware USB keylogger between the keyboard and the computer regardless of what/how you secure the operating system and software.
As with all things, a risk-based approach is going to be best, and the degree to which you take this is going to be based on your budget, risk, time, and the potential damage of a breach. I certainly don't expect you to do everything here.
Here are some of the attack vectors:
Physical attacks
Types of attacks
- Theft
- Offline Attacks
- Hardware Key loggers
- Attacker trying to install malware locally
- Shoulder surfing
This is the space where you are going to focus on controlling things related to physical access:
- Auto-locking screens, good passwords (that are not stored under a keyboard), and disk encryption will help when a system is stolen
- Disabling USB ports in the OS or cementing them closed, and disabling autorun can help (but not fully prevent keyloggers)
- Good physical security of the system (good door locks, sturdy computer cabinets, computer locks, occasional audits)
- Privacy screens and keeping systems away from windows help prevent shoulder surfing
Software Attacks
- Internet malware
- Social Engineering (Phishing)
Once you put a system on the network you have a world of fun to prevent you from losing control.
- VM or dual boot scenarios can help separate critical and commonplace information (one system for critical banking one for email)
- It's worth considering a completely separate box for this sort of thing too if reasonable
- Either way though, you'll need non-privileged access for users
- Good passwords for all users
- Effective vulnerability management (Patching, Removal of unnecessary services, etc.)
- Security lockdown (Windows has its Security Guides and Accelerators*; there are various guides to *nix/BSD lockdown out there)
- Working and well configured network AND local firewalls
*I just set up a Specialized Security Limited Functionality Workstation and it seems to be doing all right.
Network Attacks
In addition to hardening the machine you should also have strong transport protections:
- Packet Sniffing
- DNS attacks/SSL MITM attacks
- etc.
Things you can do at this level:
- Transport protections (IPSec on Windows, SSH on *Nix, SSL for web***)
- Well configured and monitored network infrastructure (no default passwords, etc.)
- Don't send sensitive data over wireless***
- Consider network segregation of privileged and non-privileged systems
***SSL attacks are a dime a dozen these days; they are all still essentially MITM (as of this writing), so you should take steps to protect against MITM
***And if you must use wireless, don't use anything less than WPA2-Enterprise
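As an added example (not code from the answer above or from any vendor guide), here is a read-only PowerShell audit that reports whether several of the lockdown settings listed above are actually in place on a Windows workstation: non-privileged banking user, Software Restriction Policy default level, AutoRun and USB mass-storage disabled, password-protected screen saver, and Windows Firewall on. It assumes an elevated PowerShell session and that `$BankingUser` (placeholder `bankuser`) is the account that signs in to do the banking; the registry paths are the standard Windows policy locations for these settings.

```powershell
# Added example: read-only audit of workstation lockdown settings. It changes nothing.
# Assumes an elevated session; $BankingUser is an assumed placeholder account name.
param([string]$BankingUser = 'bankuser')

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value missing is reported as "not configured"
}

# Members of the local Administrators group via the ADSI WinNT provider,
# which works from XP through current releases (Get-LocalGroupMember does not).
function Get-LocalAdmins {
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$saferPolicy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$desktop        = 'HKCU:\Control Panel\Desktop'   # per-user: see note below
$timeout        = Get-RegValue $desktop 'ScreenSaveTimeOut'
$firewall       = (New-Object -ComObject HNetCfg.FwMgr).LocalPolicy.CurrentProfile

$checks = @(
    @{ Name = "$BankingUser is not a member of local Administrators"
       Pass = -not ((Get-LocalAdmins) -contains $BankingUser) },
    @{ Name = 'Software Restriction Policy default level is Disallowed (0)'
       Pass = (Get-RegValue $saferPolicy 'DefaultLevel') -eq 0 },
    @{ Name = 'AutoRun disabled for every drive type (NoDriveTypeAutoRun = 0xFF)'
       Pass = (Get-RegValue $explorerPolicy 'NoDriveTypeAutoRun') -eq 0xFF },
    @{ Name = 'USB mass-storage driver disabled (USBSTOR Start = 4)'
       Pass = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start') -eq 4 },
    @{ Name = 'Screen saver requires a password to resume'
       Pass = (Get-RegValue $desktop 'ScreenSaverIsSecure') -eq '1' },
    @{ Name = 'Screen saver timeout is 10 minutes or less'
       Pass = ($null -ne $timeout) -and ([int]$timeout -le 600) },
    @{ Name = 'Windows Firewall is enabled on the current profile'
       Pass = [bool]$firewall.FirewallEnabled }
)

foreach ($check in $checks) {
    $status = if ($check.Pass) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $status, $check.Name
}
```

The two screen-saver values live under HKCU, so they reflect whichever account runs the script; to audit the banking user's settings, run those checks in that user's session or point them at that user's hive under HKEY_USERS.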
Check your bank's authentication mechanisms! Mine adds a pseudo-RSA token in the form of a "code card", and most transactions - aside from viewing balances and moving money between my own accounts - require me to input a randomly selected number from the 100 printed on that card. Each code can only be used once, and when they're all gone I get a new card. This satisfies the "something you know and something you have" requirement of dual-factor without the overhead of issuing all users with a real RSA token, and that's just for a personal account. If your bank won't give you a decent level of security beyond this for a business account, ditch it and find one that will!