RE: Security / Best Practice

In article <2AF30C29-6071-43B0-8F8D-0434B5D7DF5B@xxxxxxxxxxxxx>,
stevefizz@xxxxxxxxxxxxxxxxxxxxxxxxx says...
> You remotely support and monitor 150 small business servers and 500 XP and
> Vista client computers.
> You have had problems recently with viruses and malware.
> Apart from the obvious things like passwords, firewall, antivirus and
> Windows updates, what else would you implement?

> You also have plenty of hardware available to try it out on.

80 clients with more than 100 servers, more than 500 desktop computers,
all over the country.

You need to start with security first, open exploit paths only for
BUSINESS needs.

So, general set of ideals:

1) Firewall blocks everything that is not 100% business necessary

2) Firewall filters HTTP, SMTP, POP3, FTP sessions and blocks file types
and malicious files.

3) Universal block list by IP Subnet, blocking source countries where
there is no business requirement - both directions.

4) Website Classification blocking - in almost all cases there is no
reason to allow Web based email or any other personal functions.

5) NO PERSONAL ANYTHING

6) Disable USB/CD/DVD support on all computers

7) No access to server unless critical need - create additional accounts
for Business Owner and Your support team, never log on as business owner,
always log on as your own account - tracking is critical.

8) All workstations - Automatic Updates, every day, auto-reboot on
Sunday (or your pick of time) by script from server

9) Servers - download, don't auto-install updates

10) NEVER browse the web from the server; MS, Symantec, HP (printer
sites) are OK, but you should download from a workstation.

11) Never log on to the network as a DOMAIN ADMIN account if you don't need
to be at that level; create a different account with LOCAL ADMIN rights
on workstations that you can use - do this during the workstation roll
out.

12) Never do anything to compromise security; the customer is not always
right. Tell them so if they ask you to compromise the network, and make them
sign a note stating they requested the change and you were against it.

13) Central Antivirus control - I find Symantec Corp for Workstations
and Servers or Symantec End-Point-Protection has been critical in never
having a single infected customer's network in our entire history.

14) Never give in to personal needs of employees, they are there to
work, not to check their personal email.

15) Check/Track all email in/out, look for red-flags, like the user that
sends 400 emails outbound per day, when their job has no requirement for
such activity. Same for inbound - GFI makes this easy to track and
report.

16) VPN - never set up a SITE-SITE or User VPN that allows ALL ports or
allows the entire network range; it takes more work to lock down VPNs,
but it will save your *** in most cases.

17) I've run out of time, if interested I could post 100 items and still
not cover it all.

18) Do not use Remote Desktop to manage servers remotely, use VNC or
UltraVNC through a VPN to the site, you can't always see everything in a
Remote Desktop session.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
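The mail-volume red flag in item 15 (a user sending hundreds of outbound messages a day when their role has no need for it, and the same check on inbound) is easy to script. The following is an added example, not code from the post or from GFI: it parses a constructed, assumed gateway log format (`<date> <time> in|out from=<addr> to=<addr> size=<bytes>`), counts per-user daily messages in each direction, and reports any user whose count exceeds an assumed per-role limit. The role table, limits and log lines are all constructed here for illustration.

```python
"""Flag users whose daily mail volume exceeds a per-role limit (added example)."""
from collections import defaultdict
import re

# Assumed log line format; not any real product's format.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<direction>in|out) "
    r"from=(?P<sender>\S+) to=(?P<rcpt>\S+)"
)

# Assumed per-role daily limits per direction; unknown roles use DEFAULT_LIMITS.
ROLE_LIMITS = {
    "sales":      {"out": 150, "in": 300},
    "accounting": {"out": 60,  "in": 200},
    "warehouse":  {"out": 20,  "in": 50},
}
DEFAULT_LIMITS = {"out": 40, "in": 100}

# Constructed directory: mailbox local part -> role.
USER_ROLES = {"alice": "sales", "bob": "accounting", "carol": "warehouse"}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def count_messages(lines):
    """Count messages per (date, internal user, direction).

    For outbound mail the user is the sender; for inbound mail it is the
    recipient. Unparseable lines are skipped.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec["sender"] if rec["direction"] == "out" else rec["rcpt"]
        counts[(rec["date"], user, rec["direction"])] += 1
    return dict(counts)


def role_for(user):
    """Look up the role for a mailbox address in the constructed directory."""
    return USER_ROLES.get(user.split("@", 1)[0].lower())


def flag_users(lines):
    """Return (date, user, direction, count, limit) tuples where count > limit."""
    flags = []
    for (date, user, direction), count in sorted(count_messages(lines).items()):
        limits = ROLE_LIMITS.get(role_for(user), DEFAULT_LIMITS)
        limit = limits[direction]
        if count > limit:
            flags.append((date, user, direction, count, limit))
    return flags


def constructed_log():
    """Build a sample day of log lines (constructed data, not a real capture)."""
    lines = []
    for i in range(30):   # alice (sales): 30 outbound, well under her limit
        lines.append(f"2009-03-02 08:{i:02d}:00 out from=alice@example.test "
                     f"to=cust{i}@example.test size=1200")
    for i in range(25):   # carol (warehouse): 25 outbound, over her limit of 20
        lines.append(f"2009-03-02 09:{i:02d}:00 out from=carol@example.test "
                     f"to=ext{i}@example.test size=900")
    for i in range(55):   # carol: 55 inbound, over her limit of 50
        lines.append(f"2009-03-02 11:{i:02d}:00 in from=vendor{i}@example.test "
                     f"to=carol@example.test size=3000")
    for i in range(5):    # bob (accounting): 5 inbound, fine
        lines.append(f"2009-03-02 10:{i:02d}:00 in from=vendor{i}@example.test "
                     f"to=bob@example.test size=3000")
    lines.append("this line is deliberately malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for date, user, direction, count, limit in flag_users(constructed_log()):
        print(f"{date} {user} {direction}: {count} messages (limit {limit})")
```

The per-role limits are the point: a flat threshold either misses a warehouse account that suddenly sends 25 messages or drowns you in alerts from sales. Run it against a day's export from your gateway, tune the limits per role, and review the flagged accounts rather than auto-blocking them.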