Take Control of Your Security

Here are five things you can do right now, this minute, that will increase security on your networks.

We know what we need to do to secure our information systems; we just don’t do it. Oh, I know we don’t have all the answers. I know there’s always a way that someone can break into a system. But we do have most of the answers. We know how to prevent most attacks from succeeding. Yet instead of systematically hardening the operating system, instead of physically securing systems, instead of instilling a culture of security that includes everyone (yes, I mean everyone) in the business of security, we run around patching systems and screaming about the latest vulnerability that evil Microsoft has blessed us with. Then, when we lose data and have to notify the citizens of California that their credit card data was stolen, as that state’s breach-notification law now requires, we blame someone else.

Stop. Look. Listen!
Stop. Stop right now. You’re either blindly reacting, or you’re paralyzed into inaction. Stop reacting; stop sitting on the fence; start acting. Take control of information security. Note that I said information security: computers are one small part of it. You need a comprehensive plan that secures information wherever it resides, whether on the mainframe, on the Linux Web server, in Active Directory, on a PDA, in or available through smart phones, or in the hearts and minds of employees, contractors, partners and customers of your organization.

Here’s the simple idea to change your reactive model of information security to a more proactive one: “Hardened systems are secure systems.” By hardened, we mean locked down, secured and stripped of inessentials. By systems, we mean computers, networks and people. How do you do this? Write the policy. Engage management in the discussion. Dig out the reference works that tell you how to secure whatever it is you have to secure and get busy. If you have to, harden one computer at a time. Harden one concept at a time. Harden one user at a time.

Above all, mount your hardening, securing campaign in at least two directions: a) The big picture, and b) The intimate reality of your day-to-day work. Much of the cultural change needed won’t come swiftly or easily. It requires planning and commitment. It requires evangelists and disciples, leaders and doers, talkers and strong, silent types. Making security as easy and as pervasive as breathing won’t happen overnight. But you can effect significant changes in the security posture and actual security status of your networks right now by doing things under your control. Here are five things you can do right now—this minute—that will increase security on your networks.

1. Create a Stronger Password Policy
Organization-wide, this may be something you can’t do alone: changing the technical control at the domain level may not be possible right away. But you can, depending on your authority, demand stronger passwords and better password management from members of your own staff, from those with local accounts on servers and, if nothing else, from yourself.

There’s no reason you can’t impose policy-based restrictions on IT administrators or anyone else who requires special access to servers, including those who do backups or hold admin privileges on a server in order to administer a database or other server application. Think of the damage an attacker could do with one of those administrative passwords. At the very least, change yours, right now!
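To make step 1 concrete, here is an added example of how such a policy can be enforced with Windows tooling. It is not from the article or the book, which predate these cmdlets; it assumes a domain-joined workstation with the ActiveDirectory module installed. The domain name, the group name Tier0-Admins, the account jdoe and every threshold are illustrative assumptions; take the real values from your written policy. The final `net accounts` step covers the case the article also mentions: a server where the local account policy is the only thing you control.

```powershell
# Added example (not from the article): enforce a written password policy on Windows.
# Assumes a domain-joined host with the ActiveDirectory RSAT module. Domain name,
# group name, account name and thresholds are assumptions, not recommendations.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # assumed domain

# 1. Domain-wide baseline. Length and history do more work than complexity rules;
#    lockout slows online guessing against every account in the domain.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false

# 2. Stricter rules for the people with special access (the article's point). A
#    fine-grained password policy (PSO) overrides the domain default for its subjects;
#    when several PSOs apply, the lowest Precedence wins.
$pso = New-FineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 20 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru

# 'Tier0-Admins' is an assumed group for backup operators, DBAs and other server admins.
Add-FineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Domain Admins', 'Tier0-Admins'

# 3. Verify what actually applies to an account. A PSO you forgot to link changes nothing,
#    and the resultant policy is what the DC enforces, not what you think you set.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, MinPasswordLength, LockoutThreshold, PasswordHistoryCount

# 4. No domain authority, or a standalone server? The local account policy is still
#    yours. These mirror the domain baseline above (lockout switches are accepted by
#    net accounts even though its help text does not list them).
net accounts /minpwlen:14 /uniquepw:24 /maxpwage:365 /minpwage:1 /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# 5. "At the very least, change yours, right now." Changing your own password needs the
#    old one; only a password *reset* (-Reset) skips it, and that is an admin action.
Set-ADAccountPassword -Identity $env:USERNAME `
    -OldPassword (Read-Host -Prompt 'Current password' -AsSecureString) `
    -NewPassword (Read-Host -Prompt 'New password' -AsSecureString)
```

The check in step 3 is the part practitioners most often skip: a PSO applies only to the users and global security groups it is linked to, so confirm the resultant policy on a real administrative account rather than trusting the object you created.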

2. Lock Down Remote Administration
You may need to access a server remotely to administer it, but that doesn’t mean you should allow that access to others. Where possible, use IPsec or other protected communications. You can also use IPsec to block access to the ports your remote administration tools require, and then permit access to those ports only from designated administrative workstations. In many cases only a few accounts need any access at all to a specific computer over the network; lock the rest out. And just because the sheer number of managed computers may require remote administration, it doesn’t follow that every server must be managed that way. Require that computers with sensitive roles or data be administered from the console only, and enforce that by preventing administrative accounts from logging on to the computer across the network (on Windows, the “Deny access to this computer from the network” user right).
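The following is an added example of step 2 on a domain-joined Windows Server; it is not the article’s own material and uses the NetSecurity cmdlets, which did not exist when the article was written. The admin subnet, the port list and the file paths are assumptions. Run it elevated, at the console of the server being locked down, because the last step removes your ability to reach it over the network.

```powershell
# Added example (not from the article): restrict remote administration of a server to
# designated admin workstations, authenticated with IPsec, then make a sensitive server
# console-only. Assumes a domain member with the NetSecurity cmdlets; subnet and ports
# are assumptions.
$AdminNet   = '10.0.5.0/24'              # assumed: subnet of the hardened admin workstations
$AdminPorts = @('3389', '5985', '5986')  # RDP, WinRM over HTTP, WinRM over HTTPS

# 1. Retire the broad built-in allow rules for these services; they accept any source.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Require IPsec on the admin ports. On a domain member the default Phase 1 method is
#    computer Kerberos, so only machines with a valid computer account can negotiate at all.
New-NetIPsecRule -DisplayName 'Admin ports: require IPsec' `
    -Protocol TCP -LocalPort $AdminPorts -RemoteAddress $AdminNet `
    -InboundSecurity Require -OutboundSecurity Request -Profile Domain

# 3. Allow the admin ports inbound only from the admin subnet and only when the connection
#    is IPsec-authenticated. Everything else falls through to the profile's default Block.
New-NetFirewallRule -DisplayName 'Admin ports from admin workstations (IPsec)' `
    -Direction Inbound -Protocol TCP -LocalPort $AdminPorts -RemoteAddress $AdminNet `
    -Authentication Required -Action Allow -Profile Domain
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -LogBlocked True

# 4. Console-only servers: deny network and remote-interactive logon to administrators.
#    Deny rights beat allow rights, and Domain Admins sit in the local Administrators
#    group (S-1-5-32-544), so this covers them too. Applied with secedit from an INF.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-544
'@
$infPath = Join-Path $env:TEMP 'console-only.inf'   # assumed scratch paths
$dbPath  = Join-Path $env:TEMP 'console-only.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
```

Two caveats a practitioner would want. First, IPsec has two ends: the admin workstations need a matching connection security rule (Request in both directions is enough) or the server will drop their unauthenticated SYNs and initiate a negotiation nobody answers; deploying both halves through Group Policy keeps them in step. Second, the default Windows quick-mode proposals give you authentication and integrity, not necessarily encryption; RDP and WinRM carry their own, but for a protocol that does not, add a quick-mode crypto set that requires ESP encryption. And step 4 is deliberately a one-way door: apply it only where you have console or out-of-band access.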

3. Lock Down Administrative Workstations
Designate certain workstations as administrative workstations and harden them. How much? As hard as you can. Start by putting them in a secured area, then reinstall the operating system and apply the latest service pack and security patches, doing all of this off the network so the machine is never exposed half-built. Use IPsec or a personal firewall to control egress and ingress (what goes out and what comes in), and use software restriction policies to prevent the use of non-approved software. Use the workstations for administration only: no playing Solitaire, no e-mail.
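As an added example of the firewall half of step 3 (not from the article, which predates these cmdlets), here is the host firewall of a dedicated administrative workstation: inbound blocked, outbound default-deny, and only the management protocols allowed, each pinned to the program that legitimately uses it. Domain controller addresses, managed-server subnets and tool paths are assumptions; the software-restriction half (SRP or AppLocker) is not shown.

```powershell
# Added example (not from the article): egress and ingress control on an admin workstation.
# Assumes a domain-joined Windows client with the NetSecurity cmdlets; addresses and
# subnets are assumptions. Run elevated.
$DomainControllers = @('10.0.1.10', '10.0.1.11')         # assumed
$ManagedServers    = @('10.0.10.0/24', '10.0.11.0/24')   # assumed
$Sys32 = "$env:SystemRoot\System32"

# 1. Block in both directions unless a rule says otherwise, and log what is blocked: the
#    log is how you discover what the workstation was quietly trying to reach.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# 2. Only the directory traffic a domain member needs, and only to the domain controllers.
#    These are sent by system services (lsass, svchost), so they are not pinned to a program.
New-NetFirewallRule -DisplayName 'Admin WS: DNS to DCs (UDP)' -Direction Outbound `
    -RemoteAddress $DomainControllers -Protocol UDP -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName 'Admin WS: DNS to DCs (TCP)' -Direction Outbound `
    -RemoteAddress $DomainControllers -Protocol TCP -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName 'Admin WS: Kerberos/LDAP/SMB/RPC to DCs' -Direction Outbound `
    -RemoteAddress $DomainControllers -Protocol TCP `
    -RemotePort 88, 135, 389, 445, 636, 3268, 3269, 49152-65535 -Action Allow
New-NetFirewallRule -DisplayName 'Admin WS: Kerberos/NTP/LDAP to DCs (UDP)' -Direction Outbound `
    -RemoteAddress $DomainControllers -Protocol UDP -RemotePort 88, 123, 389 -Action Allow

# 3. Management protocols to the servers you administer, pinned to the administrative tool
#    so that a compromised browser or mail client cannot reuse the opening.
New-NetFirewallRule -DisplayName 'Admin WS: RDP via mstsc' -Direction Outbound `
    -Program "$Sys32\mstsc.exe" -RemoteAddress $ManagedServers `
    -Protocol TCP -RemotePort 3389 -Action Allow
New-NetFirewallRule -DisplayName 'Admin WS: WinRM via PowerShell' -Direction Outbound `
    -Program "$Sys32\WindowsPowerShell\v1.0\powershell.exe" -RemoteAddress $ManagedServers `
    -Protocol TCP -RemotePort 5985, 5986 -Action Allow

# 4. Negotiate IPsec with the managed servers so their inbound rules (which require it)
#    accept us. Request, not Require, on the client side avoids breaking DC traffic.
New-NetIPsecRule -DisplayName 'Admin WS: IPsec to managed servers' `
    -RemoteAddress $ManagedServers -Protocol TCP -RemotePort 3389, 5985, 5986 `
    -InboundSecurity Request -OutboundSecurity Request -Profile Domain

# 5. Nothing else leaves: no browser, no mail client, no Solitaire update check. When a
#    task fails, the blocked-packet log is the first place to look.
Get-NetFirewallProfile -Profile Domain | Select-Object Name, DefaultOutboundAction, LogFileName
```

Rules written this way live in the local policy store and can be undone by anyone with local admin rights on the box, which on an administrative workstation is the people you are trying to constrain; deploy the same rules through Group Policy (the cmdlets accept a `-PolicyStore` or `-GPOSession` target) so the local store cannot override them. Pair the firewall with software restriction policies or AppLocker (`New-AppLockerPolicy`, `Set-AppLockerPolicy`) so that only approved executables run at all.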

4. Physically Secure All Systems
Begin with your own. Ask yourself these questions: Do you use a cable lock for your laptop when moving around with it, even in your own building? When you travel, do you leave it unlocked in the hotel room? What data is on the hard drive? Remember that with most laptops, the hard drive can be removed even while the computer is cable locked. Data is what the attacker wants anyway.

What about your PDA? What’s on it that would be damaging if lost? If your computer is a desktop, who can physically access it? Can it be stolen? The hard drive removed? Don’t make it easy for thieves; why would an attacker bother crafting code to break into your systems when all he or she has to do is steal them? Why penetrate your network defenses when she can walk by and insert a CD-ROM with malicious code on it, or use her USB data-storing wristwatch to steal data?

Keep servers locked up. Remove CD-ROM and floppy drives from computers in public areas. Provide traveling laptop users with cable locks. Make sure those with access to the data center don’t let others in. Don’t prop open doors. Don’t allow tailgating, where someone follows an authorized person into the data center. Teach security guards to look for contraband. (Even camera phones should be considered unacceptable in many organizations.)


5. Learn To Shut Your Mouth
It’s not rude to refuse to talk about issues that might compromise security. It’s good practice. It’s one thing to share a security-hardening tip or to alert someone to a bad practice that can be corrected, and another thing to reveal your own systems’ security weaknesses by talking about them to others. I know you would never intentionally do this, but I see, on a daily basis, information that could be used to successfully attack other networks. You must become aware of what you’re telling people, and of what sensitive information you’re publishing on your Web servers where anyone can find it by Googling a few key words. Think of the security of your information systems as if you were protecting your family or your country. Don’t let a complaint, a need to impress people with your knowledge, or a request for help sent to a public list reveal more than it should.

Hardening networks isn’t a simple chore, nor is it one that can be done overnight. There are things you can do; I’ve given you some of them. There are many guides to securing systems. The key is to start right now. Remember: Hardened systems are secure systems.

This article is adapted from the upcoming book Hardening Windows Systems, by Roberta Bragg, part of a new information security series, the “Hardening Series” (Osborne McGraw-Hill).


Reader Comments:

Mon, Feb 16, 2004 Chris Colorado

Easy to understand basics and implement.

Mon, Feb 9, 2004 anon Anonymous

Interesting, but surely applicable primarily to Business? Also, why not use a good spell check, when presenting an article! (You had at least two errors in this one.)

Mon, Feb 9, 2004 Damon MI

Simple but good info one might not think to do, being overworked.
He’s right, you have to start somewhere… Administrators need help.
These companies need to start hiring again… Seriously

Mon, Feb 9, 2004 anonymous Arizona

Pretty basic stuff. Everyone, especially administrators, should already know this stuff. Still it could have escaped some of them! We do need more easy-to-read, how-to articles.

Mon, Feb 9, 2004 john slc utah

very good advice

Mon, Feb 9, 2004 Antoni Palma de Mallorca

very good

Sun, Feb 8, 2004 Jason California

weak, superficial, nothing new really.

Sat, Feb 7, 2004 Pietro BC

Old news, but still valid. It doesn't always need to be NEW!!! to be useful.

Sat, Feb 7, 2004 Anonymous Anonymous

very good

Fri, Feb 6, 2004 ALLAN C. MICHIGAN

Things to think about...!!

Fri, Feb 6, 2004 Wise Owl Anonymous

Common sense information

Fri, Feb 6, 2004 Anonymous Anonymous

same old...

Fri, Feb 6, 2004 Anonymous Anonymous

good summary

Fri, Feb 6, 2004 Anonymous Anonymous

It didn't address the PC user at home on a stand alone desktop or notebook. This is the unsuspecting person who is most likely to 'Forward' the garbage which ultimately spreads to the networks.

Fri, Feb 6, 2004 Anonymous Anonymous

confidential and extra-informative

Fri, Feb 6, 2004 tsode Anonymous

Welcome all information to protect.
It's good

Thu, Feb 5, 2004 Betty Ephrata, WA

good ideas

Thu, Feb 5, 2004 jakki nola

very informative!

Thu, Jan 22, 2004 Neo Anonymous

basic stuff that network Admins should know.

Wed, Jan 21, 2004 Brad Massachusetts

Only the beginning of the list of Standard Procedures. Some more: limit the number of persons with any privileges. Firewall, and monitor traffic that gets through the firewall.

Wed, Jan 21, 2004 Anonymous Anonymous

understandable and suggests good places to start computer security management

Wed, Jan 14, 2004 Kuba Anonymous

weak, amateur

Wed, Jan 14, 2004 Hung VN

good information for practising

Wed, Jan 14, 2004 Joey Sunshine State

Roberta is not only an infosec expert but also an accomplished writer: short, sweet, and to the point in both grammar and verbal usage.

Mon, Dec 29, 2003 Anonymous Anonymous

old blah

Tue, Dec 23, 2003 Anonymous Anonymous

Right on! This tells it like it is.

Tue, Dec 23, 2003 Anonymous Anonymous

detailed and easy to understand

Tue, Dec 23, 2003 Anonymous Anonymous

Found it to be very sensible and straightforward.
