Re: [ActiveDir] OT: Security Policy Thoughts

2006-06-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Nominations for sucky apps are always welcome at www.threatcode.com

Noah Eiger wrote:

Thanks all for the thoughts. I think that the thing I will need to
communicate to these folks is simply the tradeoffs and the risks. They
run many apps that force full admin rights on the workstations and
have concluded that this is an acceptable risk. We’ll see what they
say. In the end, I feel okay about it if they are fully cognizant of
the risks and then accept them. Maybe I’ll put something in about
double the hourly rate for cleanup ;-)

-- nme

P.S. Brian, could you elaborate on the inexpensive NAC products? I see
that IAS will be a RADIUS provider to 802.1x switches. Is there a
feature set within the IOS that can handle this (Catalyst 29xx and
35xx) or is it a separate device?


*From:* Brian Desmond [mailto:[EMAIL PROTECTED]
*Sent:* Thursday, June 08, 2006 9:05 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Security Policy Thoughts

They’re keeping me a little busy down at the fun factory, so I’m up
pretty late. Actually I just flew back in yesterday from a client so I
was handling backlog.

How is .1x cost prohibitive? Have you looked at the NAC products most
major VPN providers have to handle your fears about viruses and such?
Also realize you don’t need to open a lot of the ports representative
of that sort of stuff. Lock it down by job role.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Noah Eiger
*Sent:* Thursday, June 08, 2006 12:59 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Security Policy Thoughts

Thanks, Brian. Don’t you sleep? It’s late in Chicago ;-)

802.1x is the direction they are heading. Right now, it is
cost-prohibitive. So the question is less “can I control this access”
but “should I”? Is that over-reacting?

Again with the VPN. My thoughts were to push it with an MSI, so I see
/how/ to control its distribution. The question is /should/ I limit it
to just the domain computers? How big is the risk? If the risk from
home computers is virus and malware, how do I justify preventing folks
from running it on their home Macs?

Thanks.

-- nme

*From:* Brian Desmond [mailto:[EMAIL PROTECTED]
*Sent:* Wednesday, June 07, 2006 10:43 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Security Policy Thoughts

My suggestion is that you implement 802.1x port auth to implement
port based authentication. You can use this to implement guest vlans
with the policy routing you describe.

Isn’t the Cisco VPN an MSI? Use Group Policy or SMS if you have it.
You can do some NAC stuff with Cisco VPN as well as the personal
firewall built into it.

I don’t see how you plan to prohibit OS X at least – put it on the
guest vlan if you must, but, realize that the marketing, pr, etc
people may live in a Mac world.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Noah Eiger
*Sent:* Thursday, June 08, 2006 12:16 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Security Policy Thoughts

Hi:

I am facing some IT policy questions and wanted to get some
perspectives. In each of these areas, I am trying to determine how
restrictive I need to be. The client has four sites connected over
high-speed links. I have good backing from management but will
undoubtedly get resistance on some of these.

The client is small, under 200 employees with most in one office. Some
small field offices are not managed (i.e., have workgroup networks,
often with a small server, but no AD). There are no SOX requirements
and the data are not sensitive (e.g., no credit cards). Almost
entirely Windows XP; all DC’s run W2k3.

Any thoughts on these topics welcome.

_Connecting to the wired network_. They do not run any IDS or
machine-based authentication. Given that, written policy carries some
weight. I want to require all non-domain machines to connect only to a
“public” VLAN that goes only to the Internet. I would apply this even
to staff “personal” computers, those of contractors (including me),
and machines from those field offices that are not on the domain.

_VPN_. They run a Cisco VPN. I want to distribute the client only to
domain-based machines. Others want the client for their home
computers, etc.

_Other Operating Systems_. I don’t want to allow other OS’s on the
network, unless we manage them. But what is the threat posed by a
Linux or OS X box on the network?

As always, many thanks.

-- nme


RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-09 Thread Brian Desmond

NAC != .1x.

The 3560 will certainly do the port based auth, and I believe the
2950 will as well. I have the configs around. It's pretty well
explained in the config guide, though.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132
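Added example, not from this thread or from Cisco's config guide, of the kind of Catalyst configuration Brian refers to: 802.1x port authentication with IAS as the RADIUS server, where a machine that has no supplicant (a home laptop, a contractor box, a field-office workgroup PC) is dropped into an Internet-only guest VLAN instead of the domain VLAN. The RADIUS address, shared secret, VLAN numbers, subnets, resolver address and interface names are placeholders, and the syntax is the 12.2-era IOS `dot1x` form.

```cisco
! Added example (not from this thread or Cisco's documentation): 802.1x port
! authentication with a guest VLAN on a Catalyst 3560, 12.2-era IOS syntax.
! Addresses, the shared secret, VLAN IDs, subnets and interfaces are placeholders.
!
! --- Global: authenticate 802.1x supplicants against IAS over RADIUS ---
aaa new-model
aaa authentication dot1x default group radius
! "network" authorization lets the IAS remote access policy return a VLAN
! (Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes).
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME-SHARED-SECRET
dot1x system-auth-control
!
! VLAN 10 = domain workstations, VLAN 99 = the "public", Internet-only VLAN
vlan 10
 name DOMAIN
vlan 99
 name PUBLIC-GUEST
!
! --- Access ports: a port stays unauthorized until EAP succeeds. A host with
! no supplicant never answers the EAP-Request/Identity frames; after
! max-reauth-req retries the switch moves the port into the guest VLAN. ---
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x timeout quiet-period 10
 dot1x max-reauth-req 2
 dot1x guest-vlan 99
 spanning-tree portfast
!
! --- Make the guest VLAN really "Internet only": allow DHCP and DNS, block
! the internal address ranges, permit everything else. The SVI assumes the
! 3560 is routing (ip routing); on a Layer-2-only 2950 put the equivalent
! ACL on the router that carries VLAN 99. ---
ip access-list extended GUEST-INTERNET-ONLY
 permit udp any eq bootpc any eq bootps
 permit udp any host 198.51.100.53 eq domain
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan99
 ip address 10.99.0.1 255.255.255.0
 ip access-group GUEST-INTERNET-ONLY in
```

Roll this out on one port first and confirm with `show dot1x interface FastEthernet0/1` that a domain machine authorizes and a supplicant-less machine lands in VLAN 99 before touching the whole range.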
RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-09 Thread Noah Eiger

Thanks. I'll take a look.

-- nme

P.S. Susan, I will get my nominations in order!

RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-08 Thread Noah Eiger

Thanks, Brian. Don't you sleep? It's late in Chicago ;-)

802.1x is the direction they are heading. Right now, it is
cost-prohibitive. So the question is less “can I control this access”
but “should I”? Is that over-reacting?

Again with the VPN. My thoughts were to push it with an MSI, so I see
how to control its distribution. The question is should I limit it to
just the domain computers? How big is the risk? If the risk from home
computers is virus and malware, how do I justify preventing folks from
running it on their home Macs?

Thanks.

-- nme

Re: [ActiveDir] OT: Security Policy Thoughts

2006-06-08 Thread Al Mulnick

thoughts in-line

-ajm

On 6/8/06, Noah Eiger [EMAIL PROTECTED] wrote:

> Thanks, Brian. Don't you sleep? It's late in Chicago ;-)

Sleep? That's something he can catch up on later on in life ;)

> 802.1x is the direction they are heading. Right now, it is cost-prohibitive. So the question is less "can I control this access" but "should I"? Is that over-reacting?

Over-reacting? No, but you do need to balance it with business need. I know I'm preaching to the choir, but you did ask for an opinion (I happen to have one :) What's the risk? The risk is zero day exploits. Access to the network should be controlled in my opinion. If it's wireless, you cannot enforce connection at the physical level. On the other hand, it's not much different than if somebody came in with a laptop and a network cable and found an empty cubicle. For that reason, you may want to include a policy that restricts wireless and non-wireless clients as a general rule. Allow for exceptions as needed. There will be a few. Also, there is no real reason for a policy if you can't enforce it. Good to start there, and work towards it however.

> Again with the VPN. My thoughts were to push it with an MSI, so I see how to control its distribution. The question is should I limit it to just the domain computers? How big is the risk? If the risk from home computers is virus and malware, how do I justify preventing folks from running it on their home Macs?

VPN's are a difficult one. Many of the companies I've seen *want* their employees to have access from home machines. Why? Because then they don't have to spend money on a computer resource for them. This leads to a lot of sticky issues however. Data has a tendency to go to uncontrolled machines, uncontrolled/unauthorized software and malware has a tendency to start showing up because some guy's teenager decided to load IM and some music program which infected his machine and then everyone's machine on the corporate network resulting in 10 days downtime. (get the feeling I've seen it?) Some other issues that come to mind are that because they use their personal pc, they expect support if they run into an issue. Can you imagine what a mess that is and how much that support will cost?

Anyway, some thoughts to address it: what is it that the users need access to? Typically, about 90% of the access is to check email. Rarely is it for data entry unless their job is to work from home. Provide email access from a web browser and see if you still need vpn access. For those that need vpn access, provide them with a controlled asset, i.e. a laptop. I say a laptop because a laptop can make their life SO much easier and your support so much less. The user is already familiar with the laptop and any travel is also done via laptop. If not a laptop, then a company owned asset is still advised and you'll need to set proper expectations about usage, ownership of data, etc. Finally, many companies have set up multiple solutions - Citrix solutions that allow the users to remote in to a remote session and only utilize the apps that are published vs. full VPN connectivity. They'll also utilize the ability of health checks and fixes prior to allowing any host to connect to the network. This works for both wireless, and external clients, and can be extended to the internal clients if you so choose. Quarantine networks help to enforce a security software manifest policy such as: you'll be running the latest company approved version of anti-virus software, have at least these hotfixes, etc. Without that approval, you'll get the chance to get that software from publicly available networks, but not much else. Two factor authentication for VPN clients is also desirable to help with access controls. I'm sure there's more, but my thoughts are to clearly identify the requirements, prioritize them in order of importance, and then propose based on the budget/tolerance. I absolutely think having a policy is important to protect the company assets and not overburden the support structure.

> Thanks.
>
> -- nme


Re: [ActiveDir] OT: Security Policy Thoughts

2006-06-08 Thread Laura E. Hunter

The thing I'm not wild about with third-party clients (OSX etc.) is
that they often don't play well with security features like SMB
signing - if the Macs are hitting a Windows file server, most of the
Apple documentation will tell you to turn it off entirely.  Similar
things can also happen if you've got Windows clients needing to hit
Samba shares.

It's really just one of those basic tenets: complexity is the
arch-enemy of security, etc. etc.

- Laura

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-08 Thread Brian Desmond

They're keeping me a little busy down at the fun factory, so I'm up
pretty late. Actually I just flew back in yesterday from a client so I
was handling backlog.

How is .1x cost prohibitive? Have you looked at the NAC products most
major VPN providers have to handle your fears about viruses and such?
Also realize you don't need to open a lot of the ports representative
of that sort of stuff. Lock it down by job role.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-08 Thread Brian Desmond
You set it to request not require - never had an issue. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, June 08, 2006 8:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Security Policy Thoughts

The thing I'm not wild about with third-party clients (OSX etc.) is that
they often don't play well with security features like SMB signing - if the
Macs are hitting a Windows file server, most of the Apple documentation will
tell you to turn it off entirely.  Similar things can also happen if you've
got Windows clients needing to hit Samba shares.

It's really just one of those basic tenets: complexity is the arch-enemy of
security, etc. etc.

- Laura

-- 
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-08 Thread Noah Eiger

Thanks all for the thoughts. I think that the thing I will
need to communicate to these folks is simply the tradeoffs and the risks. They
run many apps that force full admin rights on the workstations and have
concluded that this is an acceptable risk. We'll see what they say. In
the end, I feel okay about it if they are fully cognizant of the risks and then
accept them. Maybe I'll put something in about double the hourly rate for
cleanup ;-)

-- nme

P.S. Brian, could you elaborate on the inexpensive NAC
products? I see that IAS will be a RADIUS provider to 802.1x switches. Is there
a feature set within the IOS that can handle this (Catalyst 29xx and 35xx) or
is it a separate device?

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 08, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

They're keeping me a little busy down at
the fun factory, so I'm up pretty late. Actually I just flew back in
yesterday from a client so I was handling backlog.

How is .1x cost prohibitive? Have you looked at
the NAC products most major VPN providers have to handle your fears about
viruses and such? Also realize you don't need to open a lot of the ports
representative of that sort of stuff. Lock it down by job role.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, June 08, 2006 12:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

Thanks, Brian. Don't you sleep? It's late in Chicago ;-)

802.1x is the direction they are heading.
Right now, it is cost-prohibitive. So the question is less "can I control
this access" but "should I?" Is that over-reacting?

Again with the VPN. My thoughts were to
push it with an MSI, so I see how
to control its distribution. The question is should
I limit it to just the domain computers? How big is the risk? If the risk from
home computers is virus and malware, how do I justify preventing folks from
running it on their home Macs?

Thanks.

-- nme


RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-07 Thread Brian Desmond

My suggestion is that you implement 802.1x port auth to implement
port based authentication. You can use this to implement guest vlans with the
policy routing you describe.

Isn't the Cisco VPN a MSI? Use Group Policy or SMS if you have
it. You can do some NAC stuff with Cisco VPN as well as the personal firewall
built into it.

I don't see how you plan to prohibit OS X at least - put it on
the guest vlan if you must, but, realize that the marketing, pr, etc people may
live in a Mac world.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, June 08, 2006 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Security Policy Thoughts

Hi:

I am facing some IT policy questions and wanted to get some
perspectives. In each of these areas, I am trying to determine how restrictive I
need to be. The client has four sites connected over high-speed links. I have
good backing from management but will undoubtedly get resistance on some of
these.

The client is small, under 200 employees with most in one
office. Some small field offices are not managed (i.e., have workgroup
networks, often with a small server, but no AD). There are no SOX requirements
and the data are not sensitive (e.g., no credit cards). Almost entirely Windows
XP; all DCs run W2k3.

Any thoughts on these topics welcome.

Connecting to the wired network. They do not run any
IDS or machine-based authentication. Given that, written policy carries some
weight. I want to require all non-domain machines to connect only to a public
VLAN that goes only to the Internet. I would apply this even to staff
personal computers, those of contractors (including me), and machines from
those field offices that are not on the domain.

VPN. They run a Cisco VPN. I want to distribute the
client only to domain-based machines. Others want the client for their home
computers, etc.

Other Operating Systems. I don't want to allow other
OS's on the network, unless we manage them. But what is the threat posed by a
Linux or OS X box on the network?

As always, many thanks.

-- nme

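Brian's suggestion above (802.1X port authentication with a guest VLAN for everything that cannot authenticate) and Noah's follow-up question about using IAS as the RADIUS server for Catalyst 29xx/35xx switches, put together as a switch configuration. This is an added, constructed example and not something posted in the thread; the IP address, VLAN numbers, port name and shared secret are placeholders, and the commands are the IOS 12.1/12.2-era `dot1x` syntax used on the Catalyst 2950/3550 family.

```cisco
! Constructed example (not from the thread): 802.1X port authentication
! with a guest VLAN on a Catalyst 2950/3550-class switch, using a Windows
! Server 2003 IAS box as the RADIUS server. Address, VLAN ids, port name
! and the shared secret are placeholders.
!
! Global: enable AAA, send 802.1X authentication to RADIUS, turn 802.1X on.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! IAS is the RADIUS server (the 802.1X switch is just a RADIUS client).
! The key must match the RADIUS client entry created for this switch in
! the IAS console; each switch gets its own entry and secret.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
!
vlan 10
 name Staff
vlan 50
 name Guest-Internet-Only
!
! A user-facing access port. A supplicant that authenticates gets VLAN 10.
! A machine that never answers EAPOL at all (no supplicant configured: a
! contractor laptop, a workgroup box from a field office, a Mac that has
! not been set up for 802.1X) is moved to the guest VLAN instead of being
! left with a dead port.
interface FastEthernet0/1
 description user-facing access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 dot1x port-control auto
 dot1x guest-vlan 50
```

Two points that decide whether this actually enforces the "domain machines only" rule Noah is after. First, the switch only decides VLAN membership; the guest VLAN is Internet-only because the router or firewall ACLs make it so, which is the "policy routing" part of Brian's reply and is not shown here. Second, the IAS remote access policy is what turns this into machine-based authentication: a policy whose conditions are NAS-Port-Type matches Ethernet and Windows-Groups matches the domain's Domain Computers group, with PEAP or EAP-TLS as the EAP type, means only a domain-joined XP box (using the built-in wired supplicant on the Authentication tab of the Local Area Connection properties) lands in the staff VLAN, and a personal PC that happens to know a user password does not. One caveat on the guest VLAN itself: it catches ports where no supplicant responds; a device that tries 802.1X and fails is not placed there by this setting, so test a deliberately mis-configured client and check the IAS event log before relying on it.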