Hi Chris,

That's quite a list of improvements. I am actually saving it as a
reference.

What about physical server security, backups, backup tape storage and
access? Don't know if these are even an issue, but I figured I'd drop them
in just in case.

Nikola Vujic
sn.com | web site evolution®
phone: 610.527.2955 x227
fax: 610.519.0442
http://www.sn.com



From: "Chris Berry" <compjma@hotmail.com>
To: [EMAIL PROTECTED]
cc:
Subject: Defense plan
Date: 09/18/2002 12:51 PM



    The company I work for had no security at all when I started here. I've
made a number of improvements, but I'm trying to come up with a defense in
depth security plan, and I thought I'd run it past you guys to see if I've
missed anything.  In no particular order, they are as follows:

1) MAC address filtering on Switches & Routers
2) Internet Firewall set to deny all except for allowed traffic (both ways)
3) Disable unused services/daemons
4) Remove unused software
5) Anti-Virus on all machines plus an email scanner
6) Restrict user permissions to the minimum needed to do their job.
7) Ensure all systems are patched and up to date.
8) Set up and monitor event logs
9) Install an IDS system to catch leaks before they become serious.
10) Run an external scan of the firewall with nmap to make sure the rule set
works the way it's supposed to.
11) Set chkrootkit to run with a cron job on Linux boxes.
12) Install a file verification system (like tripwire) on critical systems
and servers.
13) Employ spyware scanners.
14) Restrict protocols to as few as possible, preferably only tcp/ip.
15) Set modems to ignore incoming calls, and install ring-tone filters where
possible.
16) Ensure all remote use is via secure shell or VPN.
17) Disallow anonymous access.
18) Encrypt sensitive documents like lists of passwords, machine names, or
security info.
19) Disallow ActiveX.
20) Control allowed cookies.
21) Establish desktop firewalls.
22) Edit registry settings (Win) and config files (Linux) to ensure that you
have secure defaults.
23) Put exposed servers in true DMZ (two firewalls).
24) Set Linux boxes to use a shadow password file.

    I don't have the time to deal with a honeypot, and in an organization as
small as ours, I think it would just reduce our security.




Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates

"I have found the way, and the way is Perl."
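Items 2 and 10 of the list above describe a deny-all firewall verified by an external nmap scan. The script below is an added example, not code from the original message: it parses nmap's grepable (-oG) output and compares what is actually reachable with a per-host allow-list that mirrors the firewall rule set. The scan text, the addresses and the allow-list are all constructed for illustration. Besides listing ports that should not be open, it flags hosts whose unlisted ports came back "closed" rather than "filtered", because "closed" means something answered the probe with a RST instead of the firewall silently dropping it.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -sS -p 1-65535 -oG -` output (not a real scan).
# Addresses are from the 203.0.113.0/24 documentation range.
SAMPLE_SCAN = """\
# Nmap scan initiated Wed Sep 18 13:05:00 2002 as: nmap -sS -p 1-65535 -oG - 203.0.113.10-11
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65531)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (65533)
# Nmap done at Wed Sep 18 13:20:00 2002 -- 2 IP addresses (2 hosts up) scanned
"""

# Hypothetical allow-list mirroring the firewall rule set: host -> TCP ports
# that the "deny all except allowed" policy is supposed to expose.
ALLOWED = {
    "203.0.113.10": {25, 80, 443},   # mail + web
    "203.0.113.11": {80},            # web only
}

# One entry of the "Ports:" field looks like 22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {"open": set of open TCP ports, "ignored": state}}
    from nmap grepable (-oG) output."""
    hosts = defaultdict(lambda: {"open": set(), "ignored": None})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields are tab separated, each "Name: value"
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        entry = hosts[host]
        if "Ports" in fields:
            for port, state, proto in PORT_RE.findall(fields["Ports"]):
                if state == "open" and proto == "tcp":
                    entry["open"].add(int(port))
        if "Ignored State" in fields:
            # e.g. "filtered (65531)" -> "filtered"
            entry["ignored"] = fields["Ignored State"].split()[0]
    return dict(hosts)


def audit(scan, allowed):
    """Compare scan results with the allow-list.

    Returns a list of (host, finding, port) tuples; port is None for
    host-level findings."""
    findings = []
    for host, ports in allowed.items():
        seen = scan.get(host)
        if seen is None:
            findings.append((host, "not-seen", None))
            continue
        for p in sorted(seen["open"] - ports):
            findings.append((host, "unexpected-open", p))
        for p in sorted(ports - seen["open"]):
            findings.append((host, "expected-but-not-open", p))
        # "closed" means RSTs got through: the firewall rejects rather than drops
        if seen["ignored"] == "closed":
            findings.append((host, "rejects-instead-of-drops", None))
    for host in sorted(set(scan) - set(allowed)):
        findings.append((host, "unlisted-host", None))
    return findings


if __name__ == "__main__":
    for host, finding, port in audit(parse_grepable(SAMPLE_SCAN), ALLOWED):
        print(host, finding, "" if port is None else port)
```

In practice the script would read a fresh `nmap -oG` file from a box outside the firewall, and the allow-list would be kept next to the firewall configuration so the two are reviewed together; a non-empty findings list is the signal that the rule set and reality have drifted apart.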






