If you're a security administrator and you're new to the job, don't go overboard applying patches to server software...
-- especially if you haven't developed a strong security strategy or immersed yourself in the task of learning everything possible about your enterprise.
Assigning one person or a dedicated team to manage corporate security on the Windows platform is a new idea for many companies, even as Microsoft bombards them with security alerts. But as many IT administrators already know, a good security plan means more than patching server software: the people who run it spearhead a comprehensive security policy and then acquire the tools to carry that policy out, experts said.
"Anyone without a corporate security policy needs to work toward that first," said Roberta Bragg, an independent Windows security consultant and author. Bragg said that some companies may already have a plan, but IT executives have not always been made aware of it.
Security administrators should then check out best security practices on each new software platform or new product so that they get the best out of their products. Tim Mullen, chief information officer and chief software architect at AnchorIS, a Charleston, S.C., maker of financial services software, recommends that IT administrators become familiar with all enterprise e-mail, Web, FTP and remote access services.
Mullen said that he thinks the best security professionals think like hackers.
"They look for ways to break something or think about how they can breach a security measure, rather than follow a checklist," he said.
Because there is little formal training available, digging around on vendor Web sites is a great way to get ideas about how to start building a plan, said Mark Resh, chief information officer at SFI, the Norfolk, Va.-based distributor of commercial printing and business forms formerly known as Standard Forms Inc.
Only after reading up on best practices for an individual product are you in a position to take on the technical aspects of securing an individual server or network. In most cases the first targets will be the servers that face the Internet, e-mail servers included.
"Most of the security breaches in real life are actually caused by simple configuration issues," Mullen said. "The most efficient worms, Code Red and Nimda, require an improperly configured IIS [Internet Information Services] server."
For security administrators on Windows 2000, Chris Weber, a security consultant at Foundstone Inc., a Mission Viejo, Calif., consulting firm, said he advises learning how to design and apply Active Directory's Group Policy features. Group Policy helps manage and distribute security settings to client desktops.
Weber, who is author of "Windows XP Professional Security," a book to be published in October, stresses that managing client security is just as critical as server security because you are dealing with thousands -- not just hundreds -- of machines.
For administrators who have both Windows 2000 and XP on the client, it's worth noting that the security defaults in XP are different, particularly where restrictions on anonymous access are concerned. In Windows 2000, an anonymous user can by default retrieve information such as user names, groups and services, Weber said.
Windows XP supports the same access, but by default the information cannot be retrieved unless that access has been explicitly enabled on the user's PC, Weber said.
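The difference Weber describes is controlled by a handful of LSA registry values that the Group Policy "Network access: ..." security options write to each machine. The following PowerShell script is an added example, not code from the article or from any of the people quoted in it: it reads those values from one or more machines and reports which ones still allow the anonymous enumeration that Windows 2000 permitted by default. The registry path and value names are the documented ones; the host list and the use of PowerShell remoting (WinRM) for non-local hosts are assumptions made for this example.

```powershell
# Added example, not from the article: audit the LSA values behind the
# Group Policy "Network access: ..." security options that control what an
# anonymous (null-session) user may enumerate.
#
# Registry path and value names are the documented ones. The host list and
# the use of PowerShell remoting (WinRM) for non-local hosts are assumptions
# made for this example.

function Get-AnonymousAccessPolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $read = {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        # A missing value casts to 0, which is also its effective default
        # (Windows 2000 has no RestrictAnonymousSAM value at all).
        [pscustomobject]@{
            ComputerName              = $env:COMPUTERNAME
            RestrictAnonymous         = [int]($lsa.RestrictAnonymous)
            RestrictAnonymousSAM      = [int]($lsa.RestrictAnonymousSAM)
            EveryoneIncludesAnonymous = [int]($lsa.EveryoneIncludesAnonymous)
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) { & $read }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $read }
}

function Test-AnonymousAccessPolicy {
    param([Parameter(ValueFromPipeline)]$Policy)
    process {
        $findings = @()
        # SAM (user/group) enumeration is blocked by RestrictAnonymousSAM=1
        # (XP and later) or by RestrictAnonymous>=1 (Windows 2000 semantics).
        if ($Policy.RestrictAnonymousSAM -eq 0 -and $Policy.RestrictAnonymous -eq 0) {
            $findings += 'anonymous users can enumerate SAM accounts and groups'
        }
        # Share enumeration is only blocked by RestrictAnonymous>=1.
        if ($Policy.RestrictAnonymous -eq 0) {
            $findings += 'anonymous users can enumerate shares'
        }
        # Anonymous callers inherit Everyone-group permissions when this is 1.
        if ($Policy.EveryoneIncludesAnonymous -eq 1) {
            $findings += 'anonymous users receive Everyone-group permissions'
        }
        [pscustomobject]@{
            ComputerName = $Policy.ComputerName
            Compliant    = ($findings.Count -eq 0)
            Findings     = ($findings -join '; ')
        }
    }
}

# Constructed host list for illustration; replace with your own inventory,
# e.g. @('ws-001', 'ws-002', 'srv-web01'). Remote hosts need WinRM enabled.
$hosts = @($env:COMPUTERNAME)

foreach ($h in $hosts) {
    try {
        Get-AnonymousAccessPolicy -ComputerName $h | Test-AnonymousAccessPolicy
    } catch {
        Write-Warning "${h}: $($_.Exception.Message)"
    }
}
```

The three values map to settings under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options: RestrictAnonymousSAM is "Network access: Do not allow anonymous enumeration of SAM accounts", RestrictAnonymous is "Network access: Do not allow anonymous enumeration of SAM accounts and shares", and EveryoneIncludesAnonymous is "Network access: Let Everyone permissions apply to anonymous users". A Windows 2000 box at its defaults reports all three as 0 and fails every check; an XP box at its defaults has RestrictAnonymousSAM set to 1, so only the share-enumeration finding remains until RestrictAnonymous is raised, which is the kind of baseline worth pushing from a Group Policy object rather than fixing one machine at a time.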
The business of figuring out what information users should have access to comes back to the larger issue of having an overarching security policy in place. Baseline security policies provide a technical road map that every system coming online should follow.