Operating systems like Windows Server 2003 provide powerful tools to protect data, including the Encrypting File System (EFS), file permissions, user accounts and passwords, and much more. As powerful as those tools are, though, they can't provide a completely secure environment by themselves. For example, Windows can ensure that only authorized users have access to a particular file, but Windows can't stop users from leaving hardcopies of the document lying on their desks. All the computer security in the world is useless if information that is protected on your computers can be compromised in other ways. Similarly, suppose you implement a complete security plan includes computer-based file protection and locked filing cabinets. Without a well-thought-out physical security plan, there might not be anything stopping someone from carrying away a computer or filing cabinet, which would completely defeat your security measures.
Any useful computer security plan has to provide a complete security solution: one that addresses both technological solutions and administration solutions to security threats. If you find that your company is unwilling or unable to implement a complete security plan, you probably don't need to spend a lot of time worrying about the computer-specific aspects of security. Again, you don't need to spend weeks locking down your servers against intruders if your company won't keep sensitive computers in a locked room where they can't be easily carried away by a physical intruder.
That said, security is not an all-or-nothing game. While locking your file cabinet may not be a complete security solution, it is one element of that solution. Locking the front door, arming the burglar alarm, and hiring a security guard may be other elements that contribute to an overall security solution for the data in that filing cabinet. The same works for data security. While IPSec, for example, may be a great security solution, it should never be considered the only data security mechanism in a whole solution. Other components such as Internet Connection Firewall (ICF), EFS, NTFS, or access control lists (ACLs) may be incorporated with IPSec to provide a complete security solution. Each is valuable by itself; together, they provide the desired level of protection.
All security described in this book can be broken down as a combination of two security approaches: technology-based and administration-based. The primary focus of this book is technology-based security, that is, the security controls that you can implement with Windows-based technologies. However, administration-based security is equally important in any security implementation. Moreover, some controls are entirely administration-based. Attention should always be paid to both approaches.
Technology-based . security mechanisms are the ones that you, as a Windows administrator, will implement and work with most closely. You probably bought this book to learn about them. These mechanisms include:
Generally, passwords should be at least eight characters long and contain uppercase letters, lowercase letters, symbols, and numbers. Symbols and numbers should appear in the middle of the password, ensuring that users can't make up easy-to-guess passwords like "DonJones1234." Although this password technically qualifies as a complex password, it's obviously a pretty simple and easily guessed one if used for a user named Don Jones. Generally, the longer and more complex a password, the harder it is to obtain by an attacker. Password considerations are detailed later in this chapter.
These permissions should comply with your written security policies. You should never rely on the default NTFS permissions as described in Chapter 4; instead, always apply specific permissions to your files to ensure that they're completely secure. While Windows Server 2003 does offer a more secure set of default NTFS permissions, it still includes the Everyone group with Read permissions by default, which is all most intruders will need to gain access to proprietary information.
Data contained on portable computers is especially at risk, since portable computers are so easy to steal. Encrypting data using Windows' Encrypting File System (EFS) or other encryption mechanisms helps ensure that data is useless even if physically stolen. Encryption (through other technologies) can also be used to protect data in transit across the network, as I'll explain in Chapter 8.
Passwords can be easy to guess, and users may write them down (despite policies to the contrary). Smart cards are more secure because they don't require users to remember anything but a short personal identification number (PIN). Also, users won't know that someone has stolen their password, if that happens; users are immediately aware that a smart card has been stolen, if it happens, and can immediately report it to an administrator. The administrator can then issue a new card and disable the old one, eliminating the security breach. Another benefit to the smart card is its hiding of private key data from attackers who do not have physical access to the card, which provides a huge boundary for an attacker to overcome. The benefits of smart cards are discussed in great detail in Chapter 10.
I'll discuss these techniques throughout this book, including software restrictions and code signing, and how you can administer them to provide the best security possible to your users. These techniques ensure that viruses and other unauthorized code aren't allowed to execute on your computers. Viruses are a favored way for attackers to gain confidential information, and preventing them from running is a great start to a more secure computing environment.
This is done to help prevent them from becoming security vulnerabilities. For example, versions of Windows prior to Windows Server 2003 often installed Internet Information Services (IIS) by default. IIS was used in several well-publicized instances to propagate viruses throughout large organizations, such as the well-known Code Red virus. Had administrators at the time been more security-conscious, they would have disabled IIS on computers where it wasn't being used, drastically reducing the number of potential entry points for these viruses.
Technology-based security provides powerful tools for protecting information. Unfortunately, too many companies rely solely on technology-based solutions and forget about the necessity of administrative security.
Administration-based security consists of carefully written security policies, day-to-day practices, and other concepts that aren't implemented by a computer or an operating system. Administration-based security mechanisms include:
I've already discussed some of the characteristics of a good security policy. In addition to previously mentioned components, a good security policy identifies role holders and responsibilities. It should tell employees what information they may access and outline penalties for employees who break or circumvent security policies. Everyone has a stake in corporate security, from the bottom-rung employee to the CEO. Each role must be clearly defined.
Policies should address security of information in all its forms: electronic and physical. The policies should also address the destruction of data (i.e., shredding versus recycling). This point is discussed throughout the book.
For example, your servers should be kept in locked data centers, and your doors should have some type of access control mechanism. I'll discuss physical security in more detail in Chapter 3.
You must ensure both procedurally and practically that employees log on with user accounts that have only the access required to complete the employees' job tasks. This is known as the principle of least access, which I'll discuss later in this chapter and throughout the rest of this book.
The only way to know that the data you carefully secured is still secure is to periodically check. Audits should be scheduled to verify the security defined by policy is still in force. Audits are discussed in Chapter 15.
You'd be surprised at the number of companies that spend hundreds of thousands of dollars a year to secure their computer-based data and then allow authorized employees to print that data and leave the hardcopies lying around on their desks for passers-by to read. Technology-enforced security is useless without administrative security; in fact, administrative security should be the driving force behind security in any company, and technology-based security should be used only to implement those administrative policies.
It's not up to you to enforce administrative security, unless you happen to be the president of your company as well as its network administrator. Administrative security has to come from the top down and be enforced by all levels of company management. Your company should have an education program, perhaps administered by human resources personnel, to educate users on their rights and responsibilities with regard to company security. Many companies are forming new information security departments to deal exclusively with the administrative side of security, user education, and auditing.