At 5:04 PM -0400 6/10/03, Mada Dulate wrote:
hey all,

I've learned a lot from this list (thank you) but I've tried to lurk a bit, expected this issue to come up before I posted. Time's up.

Firewalls are certainly a good practice, hopefully getting better, but if I'm really concerned with security and as a responsible netizen looking to stem the spread of disease, don't I want to do the best I can to close up unused ports and services on every desktop in my network?

I admit I don't really know the implications of this from an administrator's point of view, and I don't know how to audit this, but the reading I've stumbled on is very directed at server strategy.

This is more to open a discussion than a personal request. All responses can be directed to the list.

Thanks!

Mada


Mada,


1) Pick the primary OS that your workstations use. Learn its scripting language very well. Being able to script things is going to be your best bet.

2) A good place to start is with a "standard" OS load on all workstations. It really doesn't matter what the OS is (Windows, Linux or Unix) so long as you come up with a standard which will apply to most of your users. Make sure that this includes the common applications (like Office or OpenOffice). Make sure that this also includes a client for some kind of patch management system.

3) Implement a patch management/software distribution system. (I highly recommend Marimba for this as it works really well with users that use laptops and/or VPN connections.)

4) Remove root/administrator rights from your end users. If they can't install it, it's not going to be a problem.

5) Have your company publish and make every employee sign an official network and equipment usage policy. Get management to help you enforce this. No downloaded software. No unlicensed software. No crackz or warez under any circumstances. No software from home. No MP3s. No porn surfing. Get an AUP for your network. Make sure that the policy states that failure to comply with the AUP will result in disciplinary action up to and including termination for cause. You may want to talk to HR about the wording.

6) Establish an audit policy. DO THE AUDITS. Send the reports to management. Your patch management system will probably help you with this. (Yet another reason to like Marimba.) With the move afoot to hold management liable for poor security decisions, I don't think you'll have much problem with this.

7) Once you have your official OS load, promote this to your user base as an "upgrade" and reload all the workstations you are responsible for. Now that you have control of the workstations again, you can proceed.

8) Run scanners - Nessus, NMAP, COPS, SATAN, SAINT, whatever you want - and find out what's running that shouldn't be and shut it down. Again, you are probably going to have to resort to policy on this. When you write the policy, make the policy really really draconian and make them submit a business case in order to obtain an exception. That way you never have to actually say "no" - you can say "well, if you want to do <really stupid thing x>, you will have to file a business case with the management council for approval."

--
Thanks,

Ms. Jimi Thompson, CISSP, Rev.

"Those who are too smart to engage in politics are punished by being governed by those who are dumber." --Plato
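One way to turn step 8 ("find out what's running that shouldn't be") into the audit report step 6 asks for, as an added example that is not from this thread: a Python script that parses nmap's grepable (-oG) output for a constructed sample of workstations and flags open ports outside an assumed per-workstation baseline. The baseline set, the host addresses and the scan lines are all constructed for illustration.

```python
import re

# Constructed sample of nmap grepable (-oG) output for three workstations.
# Not real scan results; the addresses and ports are made up.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -oG ws.gnmap 10.10.1.0/24
Host: 10.10.1.11 (ws-11)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.10.1.12 (ws-12)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 5800/open/tcp//vnc-http///, 5900/open/tcp//vnc///\tIgnored State: closed (996)
Host: 10.10.1.13 (ws-13)\tStatus: Down
# Nmap done
"""

# Assumed baseline: the only TCP ports the standard workstation load may expose.
BASELINE_TCP = {135, 139, 445}

# One grepable port entry looks like port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for hosts that were up."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Status: Down" in line:
            continue
        host = line.split()[1]
        hosts[host] = [(int(p), proto, svc) for p, proto, svc in PORT_RE.findall(line)]
    return hosts


def audit(text, baseline=BASELINE_TCP):
    """Return {host: [unexpected open ports]} for hosts deviating from the baseline."""
    findings = {}
    for host, ports in parse_gnmap(text).items():
        extra = [p for p in ports if not (p[1] == "tcp" and p[0] in baseline)]
        if extra:
            findings[host] = extra
    return findings


def report(findings):
    """Render findings as plain text suitable for the audit report to management."""
    if not findings:
        return "All scanned workstations match the baseline."
    lines = []
    for host, extra in sorted(findings.items()):
        svc = ", ".join(f"{port}/{proto} ({name or 'unknown'})" for port, proto, name in extra)
        lines.append(f"{host}: unexpected open ports: {svc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_GNMAP)))
```

Run against a real -oG file by replacing SAMPLE_GNMAP with its contents; anything reported is a candidate for shutting down or for the business-case exception process in step 8.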