jc135

Level 1
Hi,

I have always wondered why enterprises don't harden their PCs. The impression I get is that they do default installs of Windows 10 and install security things at the perimeter.

The most they do seems to be to take away admin accounts from users. Maybe it is a cost issue - several thousand $ to protect 1000 PCs seems cheaper than to install, say, VoodooShield and HitmanPro.Alert on those 1000 PCs.

Then also, they don't have enough admins to walk around to each PC.

But why can't they make golden drive images per department? Each department can have uniquely locked down configurations particular to the apps they use. Least privilege and minimal attack surface and all that jazz. Then segment the network into little pieces so attackers can't move laterally. That could be manageable, no? Then they could divvy up the tech support team so that members specialize in a few departmental images.
 

Zartarra

Level 2
The problem is in some cases the management. You need to get an approval. And it costs money (software license and/or manpower).

An example: we used Citrix XenDesktop Windows master images for 80% of the client devices. There was a good enterprise anti-virus product installed on it and Windows was controlled with a bunch of group policies, especially with AppLocker and software restriction policies. Fun times and a lot of work. When the migration to Windows 10 started, almost everything was dropped. Master images are still used but the policies are more open, no SRP or AppLocker. Comment from the management: it was too much work to harden and maintain a master image.
 

MacDefender

Level 5
Verified
It depends on the company. Some do take more precautions to lock things down or strip their users of local administrator rights.

One reason not to is simply the overhead of granting exceptions and the infosec implications of that. Oftentimes infosec/IT does not have the level of access that certain employees do on secret projects, and that ironically creates concerns if IT must get involved in the specifics of what employees are doing on their machines.

A lot of it does come down to laziness and cost cutting though. Every preventative measure has a time and money cost. We aren't always great at estimating the benefits vs tradeoffs.

Trying to lock more things down might also be counterproductive. When I worked at an unnamed military contractor, our machines were locked down to the point that we could not run the engineering software we needed (a microcontroller debugger that uses a kernel driver). As a result we ended up just buying a handful of a specific model of oscilloscope that ran Windows 2000 on it, as "lab equipment", and just reimaged those as debugging PCs.
 

shmu26

Level 84
Verified
Trusted
Content Creator
1. It is more difficult to harden enterprise systems because the IT admin usually manages it by means of scripts, so you can't disable the script interpreters or you cripple the management. And there are certain network things that enterprises need to be open.
2. Businesses have productivity as first priority, and if security gets in the way of doing what they wanna do, well...
 

jn221

Level 1
In the work I do, being in the Cyber Defense Department of a top leading cable communications company, we do harden our PCs, but we also have Kaspersky or ESET installed on every system. I can't speak for other companies and industries etc. It does take a lot of upkeep and maintenance.
 

TairikuOkami

Level 25
Verified
Content Creator
My company hardens it too much, my boss cannot even use USB on her computer. When she needs something I have to use one computer where USB works, because the IT admin forgot about it, and I have to send her documents via her email to her email and then send them back like that. :LOL:
 

Umbra

Level 26
Verified
1. It is more difficult to harden enterprise systems because the IT admin usually manages it by means of scripts, so you can't disable the script interpreters or you cripple the management. And there are certain network things that enterprises need to be open.
2. Businesses have productivity as first priority, and if security gets in the way of doing what they wanna do, well...
Exactly. In business you have to evaluate productivity vs security. Consequently productivity (because it is where you make money) is more important.
As @shmu26 rightly mentioned, 99% of admins will run scripts, they obviously can't go to each computer and manually do things, especially in businesses with more than 20 machines... it would take weeks of nightly work to do it.
Unfortunately modern and sophisticated malware targeting enterprises uses scripts as well... now you can guess the admin's dilemma...
Don't even think of using classic anti-exe... which admin in his right mind will allow the employees to answer prompts... Reason SRP/AppLocker are still the best corporate line of defense, and for free; then add a Windows Defender ATP subscription and you are more than good; BUT with one big inconvenience: the admin needs good skills and experience with them, and sadly many don't, or rather install some business AVs, easier to deploy, less work, and if it fails, you can put the blame on the vendor lol.

So yes you can harden computers in a corporate environment, most are, but not at the same level and carelessly deployed like on a home user system.
I remember visiting a colleague at his home; on his personal computer the hardening was extreme, imagine @TairikuOkami's setup coupled with heavy use of SRP/AppLocker like mine... I asked him why not do the same but adapted to his company, his answer: "you want me fired or what?".

Now you get it.
 
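The dilemma above (admins need their management scripts, malware uses scripts too) and shmu26's point that you can't just disable the interpreters is exactly what AppLocker's Script rule collection is for. As an added example, not code from the thread or from any poster, here is a minimal path-based AppLocker policy that keeps scripts from admin-controlled locations runnable, treats everything in user-writable locations as blocked, and is rolled out in AuditOnly mode first so a bad rule doesn't wreck every machine on day one. The paths C:\Scripts, the SYSVOL share on corp.example, and the two test files are assumptions for illustration.

```powershell
# Added example (not from the thread): AppLocker policy that allows scripts only
# from admin-controlled paths, deployed in AuditOnly before enforcement.
# Assumed: management scripts live in C:\Scripts (writable only by admins) and
# in the SYSVOL share of the placeholder domain corp.example.

function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Sid = 'S-1-1-0')  # S-1-1-0 = Everyone
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators keep full access
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule 'Program Files' '%PROGRAMFILES%\*')
$(New-PathRule 'Windows folder' '%WINDIR%\*')
$(New-PathRule 'Admins: everything' '*' $adminSid)
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-PathRule 'Windows folder scripts' '%WINDIR%\*')
$(New-PathRule 'Program Files scripts' '%PROGRAMFILES%\*')
$(New-PathRule 'Management scripts (local)' 'C:\Scripts\*')
$(New-PathRule 'Management scripts (SYSVOL)' '\\corp.example\SYSVOL\*')
$(New-PathRule 'Admins: all scripts' '*' $adminSid)
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: a deploy script from the admin path should be Allowed, a script dropped
# into a user profile should be Denied (assumed example files; they must exist).
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Scripts\deploy.ps1', 'C:\Users\alice\Downloads\invoice.js' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally in audit mode (-Merge keeps rules already present). In a domain
# you would import the same XML into a GPO instead of applying it per machine.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service AppIDSvc   # AppLocker is inert unless Application Identity runs

# Review what enforcement WOULD have blocked (8006 = script audit event) for a
# few weeks before changing EnforcementMode from "AuditOnly" to "Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MS Script'; Id = 8006 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
```

The audit log is the part that saves the admin: every legitimate script path that shows up as 8006 becomes a new allow rule before enforcement, so the management tooling keeps working while scripts launched from Downloads, Temp or a user profile do not.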

JHomes

Level 7
Verified
It's all about costs. If IT comes and says "spend $5K and we'll be protected" they're gonna say "well we'll see how it goes" then BAM slapped with $500K worth of damages. Then they all think "we should've listened to Bob".

Sad reality. No one wants to spend money, and by the time they see the value it's too late.
 

Umbra

Level 26
Verified
Also, we have to consider many corporate admins really have no clue about basic security, most are very skilled at networking but security... Some members here are more aware than some ITs I knew...
I remember this story when a company bought the corporate product I was doing Q&A for, the IT guy had no clue of the repercussions of his policy and ended up wrecking every single computer of the company lol... The company was paralyzed for the whole day...

So even me, I won't do on a company computer what I do on my personal one, even if I did intensive testing on a dummy machine. Some hardening just can't be applied to company systems.

Some people believe that home users' Default-Deny solutions would work as well on corporate machines; sadly they won't.
 

Dave Russo

Level 10
Verified
Also, we have to consider many corporate admins really have no clue about basic security, most are very skilled at networking but security... Some members here are more aware than some ITs I knew...
I remember this story when a company bought the corporate product I was doing Q&A for, the IT guy had no clue of the repercussions of his policy and ended up wrecking every single computer of the company lol... The company was paralyzed for the whole day...

So even me, I won't do on a company computer what I do on my personal one, even if I did intensive testing on a dummy machine. Some hardening just can't be applied to company systems.

Some people believe that home users' Default-Deny solutions would work as well on corporate machines; sadly they won't.
OK, but backup programs for corporations, is this also too expensive?
 

Umbra

Level 26
Verified
OK, but backup programs for corporations, is this also too expensive?
Everything destined to be sold to corporations is usually way more expensive even if the features are identical to the home user version.
Basically you pay more just because the license is for businesses. And since most CEOs have cost-saving interest first, no wonder hackers enjoy attacking corporations or organizations.
 

MacDefender

Level 5
Verified
Everything destined to be sold to corporations is usually way more expensive even if the features are identical to the home user version.
Basically you pay more just because the license is for businesses. And since most CEOs have cost-saving interest first, no wonder hackers enjoy attacking corporations or organizations.
Yep, CrashPlan Pro and Backblaze are not super cheap. Off-site backups also tend to elicit a lot of worries about either privacy compliance or simply a mistrust of the cloud, and on-premise backup is often just as vulnerable to ransomware attack.

I think one has to sympathize with business budget challenges -- IT is one of dozens of departments that wishes they can spend just a little more money on something.
 

Umbra

Level 26
Verified
I think one has to sympathize with business budget challenges -- IT is one of dozens of departments that wishes they can spend just a little more money on something.
Yes, I remember I had a job offer from an SMB; their previous IT resigned for supposedly too much work, he was working for several companies at once. When I went to the interview, they showed me their machines.
All were pirated WinXP/Windows 7 systems with pirated MS Office and other programs....
Obviously I didn't take the job (not saying the salary was cheap); it is enough work to secure legit systems, I didn't want to worry about potential backdoors/rootkits...
 

MacDefender

Level 5
Verified
Yes, I remember I had a job offer from an SMB; their previous IT resigned for supposedly too much work, he was working for several companies at once. When I went to the interview, they showed me their machines.
All were pirated WinXP/Windows 7 systems with pirated MS Office and other programs....
Obviously I didn't take the job (not saying the salary was cheap); it is enough work to secure legit systems, I didn't want to worry about potential backdoors/rootkits...
Yeah it's basically being set up for failure!

Reminds me of when I worked at a car supplier and they were forcing my team to use a $0.15 instead of a $0.20 chip for cruise control. The main difference was that the lower cost chip did not multiply correctly consistently, so when computing how far to press the accelerator we were told to run the same computation 20 times in a row and only apply the acceleration if all 20 results matched.

It's lose-lose: you can't do a successful job with the constraints set, and if you end up failing, it reflects poorly on the company and on you. And even a postmortem investigation might turn its sights on you and ask "hey, if you knew things were this messed up, why didn't you blow the whistle?"