One of the risks to small and medium businesses is losing your bank credentials to bad guys by use of a key logger or other malware as Bruce Schneier blogs about. A particular threat is real-time key loggers as described in the NY Times. The bottom line is that with commercial bank login information, bad guys can wire money out of your accounts and there may be no recourse. Commercial bank account logins are truly the keys to the kingdom.
I’ve decided to substantially increase the security on the machines where these bank credentials are used. My standard security recommendations are Windows XP SP3 with patches being applied automatically nightly. Virus protection is on (we generally use ESET). Users are Limited users; they can’t add software. Software restrictions prevent the user from accidentally or deliberately downloading software and running it out of their user directory. We use IE8 because of the ease of managing it in an Active Directory environment, but I recognize this as a potential weakness. Unfortunately, the most likely vector of a zero-day exploit is Flash or Acrobat, both of which we use.
Security is always a tradeoff of convenience versus safety, so answers and suggestions should give pros and cons. I’m going to answer with a few suggestions, so you can see where my thoughts are going.
You could set up another PC with Linux/BSD on it that is only used for accessing the bank web site. If you really wanted to get paranoid you could put it on its own dedicated Internet connection and not have anything else connected to it on the regular network. This gives you benefits similar to dual boot while still keeping the Windows PC available for other tasks. The downside is additional hardware/software to maintain. There's always the possibility that some nefarious employee could put an inline hardware USB keylogger between the keyboard and the computer regardless of what/how you secure the operating system and software.
As with all things a risk based approach is going to be best, and the degree to which you take this is going to be based on your budget, risk, time, and the potential damage of a breach. I certainly don't expect you to do everything here.
Here are some of the attack vectors:
Physical attacks
Types of attacks
This is the space where you are going to focus on controlling things related to physical access:
Software Attacks
Once you put a system on the network you have a world of fun to prevent you from losing control.
* I just set up a Specialized Security Limited Functionality Workstation and it seems to be doing all right.
Network Attacks
In addition to hardening the machine you should also have strong transport protections:
Things you can do at this level:
* SSL attacks are a dime a dozen these days; they are all still essentially MITM (as of this writing), so you should take steps to protect against MITM.
* And if you must use wireless, don't use anything less than WPA2-Enterprise.
Check your bank's authentication mechanisms! Mine adds a pseudo-RSA token in the form of a "code card", and most transactions - aside from viewing balances and moving money between my own accounts - require me to input a randomly selected number from the 100 printed on that card. Each code can only be used once, and when they're all gone I get a new card. This satisfies the "something you know and something you have" requirement of dual-factor without the overhead of issuing all users with a real RSA token, and that's just for a personal account. If your bank won't give you a decent level of security beyond this for a business account, ditch it and find one that will!
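The code-card scheme in the answer above, as an added worked example (not the bank's implementation and not the answerer's code). It models exactly what the answer describes: the server holds the 100 codes printed on the user's card, asks for the code at a randomly chosen position, and burns each code after one successful use. The names (issue_card, CodeCardVerifier), the 6-digit code length and the lockout threshold are assumptions made for the example.

```python
"""One-time "code card" second factor, modelled on the answer above.

Added example, not the bank's own implementation or the answerer's code.
The server holds the codes printed on the user's card, challenges for a
random position, and burns each code after one successful use. All names,
the code length and the lockout threshold are assumptions for the example.
"""
import hmac
import secrets

CARD_SIZE = 100      # codes printed on one card, as in the answer
CODE_LEN = 6         # digits per code (assumed)
MAX_FAILURES = 3     # lock the card after this many wrong answers (assumed)


def issue_card(size=CARD_SIZE, code_len=CODE_LEN):
    """Server side: generate the random codes for a fresh card.

    Uses secrets (not random) so codes are not predictable from earlier ones.
    """
    return [f"{secrets.randbelow(10 ** code_len):0{code_len}d}" for _ in range(size)]


class CodeCardVerifier:
    """Server-side state for one user's card."""

    def __init__(self, codes, max_failures=MAX_FAILURES):
        self._codes = list(codes)
        self._used = [False] * len(codes)
        self._pending = None          # index the user was last asked for
        self._failures = 0
        self._max_failures = max_failures

    def remaining(self):
        return self._used.count(False)

    def locked(self):
        return self._failures >= self._max_failures

    def challenge(self):
        """Pick a random unused position and return it 1-based, as printed."""
        if self.locked():
            raise RuntimeError("card locked after repeated failures")
        unused = [i for i, used in enumerate(self._used) if not used]
        if not unused:
            raise RuntimeError("card exhausted; issue a new one")
        self._pending = secrets.choice(unused)
        return self._pending + 1

    def verify(self, response):
        """Check the user's answer to the last challenge.

        Each challenge allows exactly one answer; a wrong answer forces a new
        challenge at a fresh random position, so a code captured by a
        keylogger is useless for a later login and cannot be replayed.
        """
        if self._pending is None or self.locked():
            return False
        idx, self._pending = self._pending, None
        if hmac.compare_digest(self._codes[idx], str(response).strip()):
            self._used[idx] = True      # burn: this code never works again
            self._failures = 0
            return True
        self._failures += 1
        return False


if __name__ == "__main__":
    card = issue_card()
    verifier = CodeCardVerifier(card)
    pos = verifier.challenge()
    print(f"enter code #{pos}: {card[pos - 1]}")   # the user reads this off the card
    print("login ok" if verifier.verify(card[pos - 1]) else "rejected")
    print(f"{verifier.remaining()} codes left")
```

The point the answer makes is the burn step: once a position has been used it is never asked for again, so a real-time keylogger that captures the typed code gets one transaction at most, and only if it races the legitimate submission. The lockout counter is there because a 100-entry card with short numeric codes is otherwise a small space to guess against.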
Stop surfing the net from that machine. Don't check email, don't go to websites outside of your LAN, etc. Do all of that on some other machine, then post what you need to do from the financial computer in a local wiki (or something). Don't use the financial machine as a file server, print server, etc etc etc.
Costs: a $500 Dell to surf from.
Benefits: your data is safer.
I would also invest in a firewall (hardware, not software) to put in front of the machine. Don't let anything in, and make policies out of the above, instead of trusting users to do the right thing.
Upgrade to Vista x64. Seriously. It's a lot harder to exploit reliably.
That doesn't stop malware that your users run (by going to websites, etc etc), but it stops network-based attacks that you won't have much detection of.
Depending on the number of transactions these people have to do you may opt for a diskless workstation for banking transactions ONLY. Diskless immediately implies booting from a read-only medium like a CD-ROM. Something like a stripped-down CD-ROM bootable Linux that has only the bare minimum of software (i.e. only a web browser) may be a valid option for this kind of work.
In addition to specific host protection techniques, look for defense in depth approaches to this. For instance, most web filtering software will block known bad sites. If one of your users hits one early on, that's not going to help, but once one is discovered, it makes it into the filtering lists fairly quickly. Along those same lines, look at external DNS solutions like OpenDNS which perform a similar function, but without the web filtering software/appliance requirement. On your firewall, perform egress filtering. Block the known ports for IRC, etc. No, this won't stop a piece of malware that uses a custom port, but many do not. Hopefully, your web filtering solution helps with those which do use something custom. Also, consider implementing IDS/IPS. If money is tight, there is always Snort.
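The egress filtering this answer recommends, run as an added example over firewall connection logs (this is not the answerer's code and not part of any firewall or IDS product). It applies two rules: the denylist the answer mentions (known IRC ports from any internal host) and, for the banking PC specifically, an allowlist that permits nothing but DNS to the local resolver and HTTPS to the bank, which is what catches the custom-port case the answer says a port denylist misses. The log line format, every address and all sample lines are constructed for this example.

```python
"""Egress audit for the banking workstation, added example.

Not from the answer above or from any firewall or IDS product. It runs the
egress policy the answer suggests over firewall connection-log lines:
block known IRC ports from any host, and allow the banking PC nothing but
DNS to the local resolver and HTTPS to the bank. The log format, the
addresses and the sample lines are all constructed for this example.
"""
import re
from collections import Counter

# Constructed policy: the only egress the banking PC should ever need.
BANK_PC = "10.0.0.5"
RESOLVER = "10.0.0.1"
BANK_HOSTS = {"198.51.100.7", "198.51.100.8"}     # the bank's web front ends
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}        # classic IRC C&C ports

# Constructed log format: "<ts> OUT src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one connection line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["dport"] = int(conn["dport"])
    return conn


def classify(conn):
    """Return None if the policy allows the connection, else a reason tag."""
    if conn["dport"] in IRC_PORTS:
        return "irc-port"                     # denylist: applies to every internal host
    if conn["src"] == BANK_PC:
        if conn["proto"] == "udp" and conn["dst"] == RESOLVER and conn["dport"] == 53:
            return None
        if conn["proto"] == "tcp" and conn["dst"] in BANK_HOSTS and conn["dport"] == 443:
            return None
        return "bank-pc-unexpected-egress"   # allowlist: catches custom ports too
    return None


def audit_egress(lines):
    """Run every parseable line through the policy; return the violations."""
    findings = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        reason = classify(conn)
        if reason is not None:
            findings.append((conn["ts"], conn["src"], conn["dst"], conn["dport"], reason))
    return findings


def summarize(findings):
    """Count findings per reason, for a quick daily report."""
    return Counter(f[4] for f in findings)


# Constructed sample log: two legitimate banking-PC flows, a beacon from the
# banking PC on a custom port, an IRC bot on another PC, an ordinary HTTP
# flow, an HTTPS flow from the banking PC to a non-bank host, and one
# garbled line.
SAMPLE_LOG = [
    "2009-10-01T09:00:01 OUT src=10.0.0.5 dst=10.0.0.1 proto=udp dport=53",
    "2009-10-01T09:00:02 OUT src=10.0.0.5 dst=198.51.100.7 proto=tcp dport=443",
    "2009-10-01T09:00:09 OUT src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=8080",
    "2009-10-01T09:00:15 OUT src=10.0.0.20 dst=203.0.113.50 proto=tcp dport=6667",
    "2009-10-01T09:00:20 OUT src=10.0.0.20 dst=203.0.113.60 proto=tcp dport=80",
    "2009-10-01T09:00:31 OUT src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LOG):
        print(*finding)
    print(summarize(audit_egress(SAMPLE_LOG)))
```

Note the difference between the two rules: the IRC port denylist is the cheap, general control the answer describes, while the per-host allowlist is what makes a dedicated banking machine worth having, because a flow to an unknown host is a finding even when it uses 443. In a real deployment the allowlist would be enforced in the firewall rules, and the audit above would be run on the firewall's logs to confirm that nothing else is getting out.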
Move to 64-bit Windows 7 since malware is very rarely targeting 64-bit code yet. Pros: fewer viruses; cons: we have to get new 64-bit hardware and deal with various incompatibilities. XP Mode may be needed.
Force the users to dual boot into some other OS (BSD?) when doing bank activity. Pros: very safe. Con: very inconvenient since they won’t have access to various Windows apps for figuring out who and how much to wire to.
Use disk encryption. Whatever you do in the OS, as long as you can boot a CD and access the filesystem outside of Windows you're not safe. WinVista/Win7 has encryption capability built-in, but there are heaps of WinXP-capable 3rd party solutions as well.
Look into NAP-type policies where the computer doesn't get internet access before it's patched to company standards (if you need them to have internet access, that is).
Look into Desktop Virtualization (both MS and VMware have solutions for this) to isolate the bank apps into their own, tightly managed environment.
Just my 5 cents...