> From: "Andrew Rooke" <[EMAIL PROTECTED]>
>
> From my view this is a rather thorough security setup, however it
> would be high maintenance. I see the following as being the problem
> with your network; remember you would be dealing with users and not
> IT professionals.
>
> 6) Restrict user permissions to the minimum needed to do their job.
>
> Number 6 will cause you the most grief out of the above. Every time a
> user wants something installed you will have to do it; every time a
> user wants a different setting changed, it is you who will have to
> change it. This is many hours that you will be wasting.
> Build an SOE and you can rebuild their PC in 10 minutes if they install
> crap, just keep an eye on them, or give them power user and install
> only some things.
Well, it's true that this will increase workload somewhat, although not as much as you're thinking. One of the biggest things I've had to do in the past is put things back after the user messed it up; for me it's easier to just prevent them from doing that in the first place. I have a mixed win2k/mandrake8.2 network, so I make heavy use of a combination of Active Directory, Norton Ghost, and scripts to make global settings. In addition, a large portion of network dangers these days come from INSIDE the firewall, so I want to slow that down as much as possible. We mandate the software the users are allowed to have, so that's not much of a problem. About the only thing they can configure is their desktop settings/wallpaper.

> 21) Establish desktop firewalls.
>
> Number 21 is also strange to me unless you are giving your
> desktops internet ip addressing.

Well, the basic idea is to cut off all ports to every box that aren't in regular use. While the desktop firewalls will have some significant holes in them, as I'm going to configure them all the same way, it should at least prevent access to ports I know we'll never use. IRC, for example.

> If you are worried about Spyware and Trojans set your proxy server up
> correctly and keep your anti-virus software up to date.

I do that, but some stuff slips past anyways; can't keep users from clicking on things without reading them. *shrug* That's just the way it is, although I talk about it all the time at company meetings.

> 19) Disallow ActiveX.
> 20) Control allowed cookies.
>
> But 19 and 20 seem high maintenance to me, or just block them through
> the proxy server; however, either way they are going to be annoying,
> and in most cases your users will not be going to sites that have
> malicious code. Mind you, I can understand your desire for this.

Maybe your users are more puritanical than mine, hehe, have you checked your proxy logs lately? We're switching to Mozilla, so both of those are easy to set up and replicate across all boxes.
> 14) Restrict protocols to as few as possible, preferably only tcp/ip.
>
> What about your printing and file sharing ?? netbeui etc ?? if your
> network is not on internet ip addressing and is behind firewalls this
> should not be necessary unless bandwidth is an issue.

Well, obviously I'm going to have to leave SMB turned on, and until I can get SAMBA to work with the port 445 NetBEUI-over-TCP/IP thing, I'm stuck with NetBEUI on some servers, but I turn it off whenever possible to both reduce traffic and make break-ins less effective. Hard to do some things without NetBEUI. As an example though, I've almost finished eliminating IPX/SPX, which means one less set of security holes to worry about.

> My offsider here has just brought something up; he said to remember the
> following: "Don't restrict your users more than necessary or they will
> try to find ways around what you have implemented"

That's true, and I try not to; for everything else, beware the log files.

Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates

"I have found the way, and the way is Perl."
