IT Security is Like an Onion – IT Security Basics – Part 3: End-User Security

In Parts 1 and 2 I discussed securing your network perimeter and server environment. But as I said in the beginning, IT security is like an onion. Let’s take a look at the 3rd layer of that onion… securing your end-user environment. Again, this is not meant to be a complete list, but instead a starting point to help you think through your own IT security strategy.

Require Strong Passwords and periodic changes. I recommend using a combination of uppercase, lowercase, numbers, and extended characters. To make it more secure, do not allow users to reuse old passwords, and require a password change every 30-90 days. It is also now common to not allow more than 2 sequential characters from the user’s first or last name, and also not allow sequential numbers.
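The rules above can be enforced in code at password-change time. This is an added example, not code from the original post: the function names are hypothetical, "extended characters" is assumed to mean any non-alphanumeric character, and "sequential numbers" is assumed to mean an ascending or descending run of three digits.

```python
import hashlib
import hmac
import os

NAME_RUN = 3   # "more than 2 sequential characters" of a name = any 3-character run
DIGIT_RUN = 3  # assumption: runs such as 123 or 987 count as sequential numbers

def _hash(password, salt):
    # Slow salted hash, so the reuse history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password):
    """Return a (salt, digest) history entry for a password being set."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)

def has_digit_sequence(password, run=DIGIT_RUN):
    # Slide a window over the password; flag digit windows stepping by +1 or -1.
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        if window.isascii() and window.isdigit():
            steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
            if steps in ({1}, {-1}):
                return True
    return False

def check_password(password, first, last, history=()):
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    classes = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "extended character": any(not c.isalnum() for c in password),  # assumption
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    lowered = password.lower()
    for name in (first.lower(), last.lower()):
        if any(name[i:i + NAME_RUN] in lowered for i in range(len(name) - NAME_RUN + 1)):
            problems.append("contains part of the user's name")
            break
    if has_digit_sequence(password):
        problems.append("contains sequential numbers")
    if any(hmac.compare_digest(_hash(password, s), d) for s, d in history):
        problems.append("reuses an old password")
    return problems
```

Call `remember()` each time a password is accepted and pass the stored entries back as `history` on the next change.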

Client access methods are often overlooked when thinking about IT security. How are users connecting to/accessing data? Are they using a secured connection? Can you be doing this better? If users are connecting to a Terminal Server, are you requiring a secured connection? Are email clients using secure ports and SSL for communication with the Exchange or POP/IMAP server? Are any users using FTP, and is it secure?

Drive encryption can encrypt part or all of a PC/laptop’s hard drive. If a system is lost or stolen, the data on that hard drive is still protected.

Email encryption is implemented at the server level, but used at the client level. Using technologies like Hosted Encryption for Microsoft Exchange, you can give users the ability to securely send sensitive information using the existing email system. This is fantastic for organizations that worry about certain compliance levels (such as HIPAA).

Enterprise Anti-virus and Anti-spyware protection will provide more than just protection. These offerings will also provide you with a central way to manage all of your clients. It is very common for Antivirus software to give a false positive and see valid software as a threat. By having a central management system, you have the ability to allow a file path, or file name. These central management consoles are also helpful for managing quarantines and ensuring all clients are receiving updates properly. It probably goes without saying, but anti-virus and anti-malware software should be installed on every server and workstation even if it is an Apple or Linux system.

Just about every computer in your network should be running a software firewall. Yes, this means PCs and servers should all have a software firewall enabled to help prevent unwanted access. This should be configured to allow only certain types of necessary communication. This can really help protect your systems if a threat makes it past your primary network firewall (for example if a user connects an infected laptop into your network). Remember, IT security should always be in layers!! If you have a large number of workstations in your environment, there are a number of ways to centrally manage the built-in Windows firewall. There are also good enterprise class software firewalls which come with a central management console for easy administration and deployment.

Central administration of PCs in your organization can really help improve your IT security. Using tools like System Center Operations Manager, System Center Configuration Manager, and Windows Server Update Service, administrators can centrally control Windows Updates, roll out software, and monitor systems.
If you don’t have the infrastructure for central administration of client firewalls, antivirus, and Windows updates, then take a look at Windows Intune. This is a cloud service just released by Microsoft which allows you to create groups of Windows PCs, and set security policies for each group. You can also centrally manage virus/malware threats, updates to Windows, and the Windows firewall.

End-user security training is important to teach end-users that IT security is implemented not just by IT staff, but also by all computer users through constant diligence. Here are some questions which you should have prepared answers for.

  • What types of information should not be sent by email?
  • How do users know which emails may be infected before opening them?
  • What should an end-user do when they think they might have an infection?
  • Do users keep their passwords taped to the bottom of their keyboard or worse yet on a Post It in plain sight?

Many customized attacks happen with just a bit of information obtained from employees to give background information about the company and infrastructure. This training can teach users what information not to give over the phone or email.

About the author

Robert Borges

I have been in the IT industry since 1993 focusing mainly on networking. Though I got an early start as an amateur computer enthusiast, and wrote my first database app at age 12, I started my professional career working in the MIS department of one of the largest liquor distributors in the northeast. I started out there as a systems operator on the company’s two mainframe systems. From there I moved into PC support, and helped design and implement the company’s first client-server network… This was back in the days of Win NT 3.51. I also worked on my first migration to NT 4.0 back then.

From there I went on to work with Novell 3.x and 4.x along with Windows domains and active directory environments. Working my way up from technician, to specialist, to administrator, and eventually all the way up to Sr. Engineer. I spent many years working for consulting firms, 9 of which I owned and operated my own firm.
Over the years, I have worked with (at an expert level) various versions of: Windows client and server operating systems (including Windows 10 and Windows Server 2016); various virtualization technologies (Hyper-V, VMware, etc.); MS-SQL server 6.5- 2014 R2; Exchange 4-2016, and much more.

I am now vCIO at Spade Technology, Inc. focusing on Information Technology strategy including: cloud computing, IT Infrastructure & Architecture, IT Security, and Cloud Computing platforms & technologies (SaaS, PaaS, and IaaS).

Outside of my day job, I serve as president of the board of Boston User Groups, Inc., as well as IT-Pro User Group. In 2017/2018 Microsoft awarded me the Microsoft MVP (Most Valuable Professional) Award, with a focus of Microsoft Azure cloud, for my efforts in the IT community.

I am in a constant state of learning about new products, and new versions of products. Many of which we end up implementing in lab environments and sometimes for our clients. I have a very broad range of expertise and experience. It is my goal to share some of this experience on this blog to help enrich the IT community.

Permanent link to this article: https://www.robertborges.us/2012/04/it-security/it-security-is-like-an-onion-it-security-basics-part-3-end-user-security/
