Do filter attachments like crazy.
Whenever you are setting up mail filtering, you should always prohibit attachments that are executable. Examples are those that end with the following filename extensions: .com, .exe, .vbs, .wsh, .jsp and .jse. Some people will kick and scream about this. Let them.
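The extension check described above, as an added example that is not part of the original article. It goes slightly beyond the text by also catching mixed-case names, double extensions and trailing dots; the function names are hypothetical and the sample message is constructed.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension list taken from the article's text.
BLOCKED_EXTENSIONS = {".com", ".exe", ".vbs", ".wsh", ".jsp", ".jse"}


def normalized_extension(filename):
    """Return the lowercase final extension as Windows would interpret it."""
    # Drop any path component, then trailing dots and spaces, which Windows
    # strips when it resolves a file name ("a.exe." is treated as "a.exe").
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    # Only the last extension decides how the file is opened, so
    # "letter.txt.vbs" is a .vbs file, not a text file.
    return os.path.splitext(name)[1].lower()


def blocked_attachments(raw_message):
    """Return the filenames of attachments whose extension is blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # None for parts without a filename
        if filename and normalized_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample():
    """Constructed sample: one benign attachment and three disguised ones."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("report.pdf", "letter.txt.vbs", "Setup.EXE", "notes.com."):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```
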
Don't give up on educating e-mail users about security.
Your role as a security educator is ongoing. All e-mail users -- new, old, your bosses, everyone -- must be told again and again not to open e-mails from unknown users. Just one uneducated user can bring your network to its knees.
Of course, sometimes all your missionary work will fail: a user will get 50 copies of the same e-mail message and still open it. Then, you'll have to stand beside that user, pulling out your hair, and ask: "After you got 50 copies, didn't you suspect it might be a virus, even though the subject was: 'I LOVE YOU'?"
Don't put patches on the back burner.
You have to keep up with common security patches. There's just no way around it. There are ways to make it easier, however. For example, Microsoft has the Windows Update tools that will notify you when a critical update is available for your system. You can also check Microsoft's site for system updates.
Do check patches before using them.
I don't allow the update process to automatically install updates on my system. I prefer to be notified when one is available so I can review it. Remember, because patches are hastily created to fix immediate problems, they are not as well tested as service packs. If a patch doesn't apply to you, do not install it. Wait for the service pack.
Do take advantage of newsletters and alerts.
Subscribing to security newsletters is a good idea. Microsoft has a security newsletter and many companies -- such as ZDNet -- also offer excellent security flashes with information about the latest viruses and their cures. Don't just subscribe to these newsletters; read them. It's an easy way to find out what the latest problems are and how to combat them.
Do keep up with service packs, but don't always be hasty about using them.
Of course, you should install new service packs regularly. If you read your software vendors' security bulletins, you will often see that many patches or virus updates have been issued that would have prevented networks from being infected, had they been applied in a timely manner.
That said, you probably shouldn't take every service pack on faith. I always like to wait a bit when a new service pack comes up because I hate being on the bleeding, I mean leading, edge of technology. After someone else has discovered all of the bugs in the new service pack and the bugs have been fixed, then I'll try it. However, I try it only after I read all of the instructions on the service pack carefully to make sure it won't interfere with my network's current configuration.
Don't think you can ever take a break from security tasks.
The whole subject of virus prevention is, frankly, a major pain. There's so much an administrator has to cover. As diligent as you are, you know that whenever you open your network up, you are at risk. If an experienced hacker really wants to penetrate your network, the odds are very good that he will be able to do so.
At the very least, you have to have a disaster recovery plan, install virus checkers, and educate your users and administrators. If you feel like your network is vulnerable, you may want to consider hiring a security consultant to audit your company's security systems and assist in tightening your procedures.
About the author: Douglas Paddock, MCSE, MCT, MCSA, is a CIW security analyst who is also A+ and N+ certified. He teaches at Louisville Technical Institute in Louisville, Ky.