Thursday, March 17, 2011

Why aren't you installing your Windows Updates?

This is an essay that I wrote for my IT Security class at DeVry.  I think this is one of the worst essays that I have written in a long time; however, it does tend to get the point across to people that you need to start updating your computers with Microsoft's security updates.


The basics of protecting your network
Did you hear about that new illness going around?  Evidently it is extremely contagious; it can cause you to divulge all types of personal information about your finances, transactions, passwords, and in some cases it can even kill you.  There is some good news though.  All you have to do is stop by the front desk on your way into work and they will give you a quick shot to make you completely immune to it.  The best part is that it’s free; all you have to do is say yes. 
Obviously I’m lying about the illness; however, wouldn’t it be great if it were that easy?  All we would have to do is inconvenience ourselves just a little bit and say “yes, I don’t want anything bad to happen to me” to prevent such a horrible thing from ever occurring.  Well, that is exactly what Microsoft and other operating system vendors do for us when they provide their patches and security updates.  They are providing a tool for us to protect our operating systems from known vulnerabilities.  By ensuring that we properly utilize the tools they provide and implement a security patching system that enforces the download and installation of these patches, we may even be able to stop a problem before it occurs.
Microsoft offers Windows Server Update Services (WSUS) to allow network administrators to download all of Microsoft’s latest updates and then choose when, or if, to install them on the machines on their network (Microsoft, 2011).  This utility can be used together with Microsoft’s group policies to ensure and enforce that all of the machines on the network are receiving the proper patches and updates in a timely manner.  By effectively planning and implementing proper procedures for this type of action, a network administrator can greatly increase the security posture of the network.  It provides a means for the administrator and security personnel to appropriately manage and monitor the security posture of all Microsoft Windows machines.
There are numerous ways to ensure that all of the machines on the network receive the proper patching.  We can purchase Commercial Off The Shelf (COTS) software, we could program our own scripts to run through the network, or we can just hope that the end users are doing the right thing and installing the updates themselves.  However, I would like to take a more structured approach to the situation.  I would like to first implement some basic policies to mandate what is acceptable on our network and what is not.  Then I would like to move on to exactly how we can enforce these new policies.  With only 1,500 end-users in our company, I can’t justify being too stringent or spending a ridiculous amount of money on fancy COTS software.
Some basic policies that I would like to start enforcing include: any machine that has been off of the network for more than 30 days must first come to the IT staff to be scanned and updated; all users must log off of their machines at the end of every day; a GPO will be created to ensure that all machines are set to automatically download and install critical updates and security patches during non-business hours; a WSUS server will be created on a virtual machine to house all of the Microsoft updates, so that the company can conserve network bandwidth; a scan will be run on the network every 90 days to identify any machines that are not receiving proper updates; any machine found that is not receiving automatic updates will be brought to the IT staff within 48 hours to be diagnosed and updated.
These initial policies will start us down a long and happy road of ensuring that we are providing our company and our end-users the safest operating environment that we can.  While this is not a total solution for all of our security problems and concerns, it will help to alleviate most of the common operating system threats that are out there today.  As with any good security architecture, we will also be coming back to these policies and procedures and updating them as time goes on and as new or better procedures are defined.
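One way the 90-day scan could check that the GPO and WSUS settings described above actually reached a machine is sketched below. This is an added example, not part of the original essay; the WSUS URL is a placeholder and the 08:00-18:00 business-hours window is an assumption, while the registry value names are the standard Windows Update policy values a GPO writes.

```powershell
# Added example: audits one machine against the essay's GPO/WSUS policy.
# Assumptions (not from the essay): business hours are 08:00-18:00 and
# 'wsus.example.internal' is a placeholder for the real WSUS server.
$ExpectedWsus  = 'http://wsus.example.internal:8530'
$BusinessHours = 8..17    # install hours treated as "during business"

function Get-PolicyValues([string]$Path) {
    # Read every value under a policy key into a hashtable (empty if the key is absent).
    $h = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { $item.PSObject.Properties | ForEach-Object { $h[$_.Name] = $_.Value } }
    $h
}

function Test-UpdatePolicy {
    param(
        [hashtable]$WU,   # values under ...\Policies\Microsoft\Windows\WindowsUpdate
        [hashtable]$AU    # values under ...\WindowsUpdate\AU
    )
    $findings = @()
    if ($AU.NoAutoUpdate -eq 1) { $findings += 'Automatic Updates disabled (NoAutoUpdate=1)' }
    # AUOptions 4 = download automatically and install on a schedule
    if ($AU.AUOptions -ne 4)    { $findings += "AUOptions is '$($AU.AUOptions)', expected 4" }
    if ($AU.UseWUServer -ne 1)  { $findings += 'Client is not pointed at WSUS (UseWUServer is not 1)' }
    if ($WU.WUServer -ne $ExpectedWsus) { $findings += "WUServer is '$($WU.WUServer)'" }
    $hour = $AU.ScheduledInstallTime
    if ($null -eq $hour -or $BusinessHours -contains $hour) {
        $findings += "Install hour '$hour' is unset or falls inside business hours"
    }
    $findings
}

# Constructed sample: a laptop where the GPO never applied (notify-only, no WSUS).
$sampleAU = @{ NoAutoUpdate = 0; AUOptions = 2 }
'Sample machine findings:'
@(Test-UpdatePolicy -WU @{} -AU $sampleAU)

# Live check of the local machine's applied policy.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$result = @(Test-UpdatePolicy -WU (Get-PolicyValues $base) -AU (Get-PolicyValues "$base\AU"))
'Local machine findings:'
if ($result.Count) { $result } else { 'Compliant with update policy' }
```

Any machine that returns findings would fall under the 48-hour rule and go to the IT staff to be diagnosed and updated.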


Bibliography

Microsoft. (2011). Windows Server Update Services. Retrieved from Windows Server: http://technet.microsoft.com/en-us/windowsserver/bb332157
