Many administrators spend their time securing Windows at just the network level or just the application level -- and never cross the line from one group to the other. Where does your domain lie and how do you keep Windows data secure even if the perimeter is compromised? We asked those questions of our ITKnowledge Exchange members. Here is one of the responses, or return to the main page for the complete list of letters to the editor.
Windows systems that just connect to jacks in the wall
Network Administrator (and entire IT staff)
University of Florida
If you have a chokepoint (limited connection to the Internet) then you have a perimeter to defend.
Here at the University of Florida, we have station wiring. The infrastructure owners are not part of my department and we are not part of theirs. All of my servers connect to jacks in the wall and all of my workstations connect to jacks in the wall, and I don't own or have control of the cables or Cisco switches behind the wall.
We use "network" to mean a domain/forest and its users and equipment. We use the term "infrastructure" for the cables, fibers, routers and switches that connect those networks. And I do talk to the infrastructure people on a regular basis. We work together to stop viruses and worms, but I don't make changes to switches and routers and they don't have rights to our domain/forest. It is only difficult when the cause of "network" problems is subject to debate.
For instance, our office in Jacksonville recently moved from one building to another, putting the office on a different subnet. This subnet has slower equipment (10 MB vs. 100 MB). Our talks have been quite heated about service level and access to specific sites.
The infrastructure owners run the DHCP servers and provide IP addresses. My servers have fixed addresses that they also provided. They added firewall filtering, which is limited to blocking peer-to-peer communications mainly. When you turn on a workstation and log into the domain, you get the Group Policy Object (GPO) and access to files and applications on the servers. If you log in as a local user on the machine and not to the domain, you don't get the servers, but you do get the Internet instead.
We use certificate-based connections for the database (SQL Server 2000 on Windows Server 2003). We have Windows XP with Service Pack 2 and McAfee 8.0i on all 55 workstations, firewall enabled. So I spend our money on system and data protection.
My biggest concern going forward is keeping AOL IM locked down. IM is a service that came in the back door and did not get tested before the movers and shakers said, 'We like it!' Every time there is an upgrade I have to reset our default preferences to eliminate the added bells and whistles. Since we are subject to HIPAA, this is no little matter and we are looking for a legally compliant records system for IM.
This was first published in May 2005