In Parts 1 and 2 I discussed securing your network perimeter and server environment. But as I said in the beginning, IT security is like an onion. Let’s take a look at the 3rd layer of that onion… securing your end-user environment. Again, this is not meant to be a complete list, but instead a starting point to help you think through your own IT security strategy.
Require strong passwords and periodic changes. I recommend using a combination of uppercase, lowercase, numbers, and extended characters. To make it more secure, do not allow users to reuse old passwords, and require a password change every 30-90 days. It is also now common to disallow more than 2 sequential characters from the user’s first or last name, and to disallow sequential numbers.
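The policy above written as a checker, as an added example that is not from the original post. It assumes "extended characters" means ASCII punctuation, treats a run of three or more ascending or descending digits as "sequential numbers", and keeps password history as salted PBKDF2 hashes; the user name and passwords are constructed.

```python
import hashlib
import hmac
import os
import string

MIN_RUN = 3  # assumption: "more than 2 sequential characters" = a run of 3+

def hash_password(password, salt=None, iterations=200_000):
    """Return (salt, digest) so old passwords are never kept in plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def name_fragments(name, n=MIN_RUN):
    """Every n-character run of a name, lowercased."""
    name = name.lower()
    return {name[i:i + n] for i in range(len(name) - n + 1)}

def has_digit_run(password, n=MIN_RUN):
    """True if n or more digits ascend or descend by one (123, 987)."""
    for step in (1, -1):
        run = 1
        for prev, cur in zip(password, password[1:]):
            both = prev in string.digits and cur in string.digits
            if both and int(cur) - int(prev) == step:
                run += 1
                if run >= n:
                    return True
            else:
                run = 1
    return False

def policy_violations(password, first, last, history=()):
    """List the rules a candidate password breaks (empty list = accepted)."""
    classes = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
               "number": string.digits, "extended character": string.punctuation}
    problems = [f"missing {label}" for label, chars in classes.items()
                if not any(c in chars for c in password)]
    lowered = password.lower()
    if any(f in lowered for f in name_fragments(first) | name_fragments(last)):
        problems.append("contains part of user's name")
    if has_digit_run(password):
        problems.append("contains sequential numbers")
    # history holds (salt, digest) pairs; re-hash the candidate with each salt
    if any(hmac.compare_digest(hash_password(password, s)[1], d) for s, d in history):
        problems.append("reuses an old password")
    return problems

if __name__ == "__main__":  # constructed sample user and password
    print(policy_violations("johnny123", "Alice", "Johnson"))
```

The name check is case-insensitive, so "JOHnny" is rejected for a user named Johnson just as "johnny" is.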
Client access methods are often overlooked when thinking about IT security. How are users connecting to/accessing data? Are they using a secured connection? Can you be doing this better? If users are connecting to a Terminal Server, are you requiring a secured connection? Are email clients using secure ports and SSL for communication with the Exchange or POP/IMAP server? Are any users using FTP, and is it secure?
Drive encryption can encrypt part or all of a PC/laptop’s hard drive. If a system is lost or stolen, the data on that hard drive is still protected.
Email encryption is implemented at the server level, but used at the client level. Using technologies like Hosted Encryption for Microsoft Exchange, you can give users the ability to securely send sensitive information using the existing email system. This is fantastic for organizations that worry about certain compliance levels (such as HIPAA).
Enterprise anti-virus and anti-spyware protection will provide more than just protection. These offerings will also provide you with a central way to manage all of your clients. It is very common for anti-virus software to give a false positive and see valid software as a threat. By having a central management system, you have the ability to allow a file path or file name. These central management consoles are also helpful for managing quarantines and ensuring all clients are receiving updates properly. It probably goes without saying, but anti-virus and anti-malware software should be installed on every server and workstation, even if it is an Apple or Linux system.
Just about every computer in your network should be running a software firewall. Yes, this means PCs and servers should all have a software firewall enabled to help prevent unwanted access. This should be configured to allow only certain types of necessary communication. This can really help protect your systems if a threat makes it past your primary network firewall (for example, if a user connects an infected laptop to your network). Remember, IT security should always be in layers! If you have a large number of workstations in your environment, there are a number of ways to centrally manage the built-in Windows firewall. There are also good enterprise-class software firewalls which come with a central management console for easy administration and deployment.
Central administration of PCs in your organization can really help improve your IT security. Using tools like System Center Operations Manager, System Center Configuration Manager, and Windows Server Update Services, administrators can centrally control Windows Updates, roll out software, and monitor systems.
If you don’t have the infrastructure for central administration of client firewalls, antivirus, and Windows updates, then take a look at Windows Intune. This is a cloud service just released by Microsoft which allows you to create groups of Windows PCs, and set security policies for each group. You can also centrally manage virus/malware threats, updates to Windows, and the Windows firewall.
End-user security training is important to teach end-users that IT security is implemented not just by IT staff, but also by all computer users through constant diligence. Here are some questions which you should have prepared answers for.
- What types of information should not be sent by email?
- How do users know which emails may be infected before opening them?
- What should an end-user do when they think they might have an infection?
- Do users keep their passwords taped to the bottom of their keyboard or, worse yet, on a Post-it in plain sight?
Many customized attacks start with just a bit of information obtained from employees, which gives the attacker background on the company and its infrastructure. This training can teach users what information not to give out over the phone or by email.