In this three-part series, Wes Noonan, author of "Hardening network infrastructures," will review steps you can take from both a Windows and network perspective
to protect your data regardless of what is occurring at the network perimeter. Click to return to part one or jump ahead to part three.
My last article introduced the de-perimeterization of the network -- the concept that the network perimeter is so porous today you can no longer rely on it for effective protection. So how is this important to your Windows systems? You now need to harden your Windows systems as if you didn't have a network perimeter at all.
You may be wondering why have network perimeters if you have to invest in hardening Windows systems anyway. As you will see in the next article, the perimeter is still a necessary security component. But the following steps can help you ensure data is protected even if the network perimeter has been compromised.
1. Implement a patch management system
There is one certainty in computing: As long as software is developed patches will need to be released to deal with software bugs and security issues. Unfortunately, it can be an almost insurmountable task to keep up with all the patches that you need for your environment, much less be able to apply those patches throughout your enterprise in a timely manner. This is evidenced in situations like Code Red, which leveraged a security hole that had been patched months prior to the exploit release. This issue will become an even higher priority as the time between the security bug discovery and the exploit is reduced. The most effective method of addressing the need to patch is to implement a patch management system that will allow you to quickly and reliably deploy software updates.
2. Implement virus protection
There is nothing I can say that hasn't already been said about virus protection. You need to run virus protection on all of your systems and you need to ensure that it is not only updated on a frequent and regular basis (at least weekly) but you need to be able to implement out-of-cycle updates to protect against the latest viruses and worms.
3. Implement host-based firewalls
A perimeter firewall is great at keeping things outside of your network, but it does no good securing traffic within your network. By implementing host-based firewalls, you reduce risk to systems in the event that malicious traffic is able to traverse your perimeter firewall or in the event that the malicious traffic is from an internal source.
4. Implement host-based intrusion detection and prevention
One of the biggest problems with network-based intrusion detection and prevention systems (IDS/IPS) is that they have to monitor entirely too much traffic to be useful. While this is not always the case, few companies have the time and resources to really go through the megabytes (and sometimes gigabytes) worth of events a network-based IDS/IPS may log. A more effective approach is to closely monitor just the resources you are trying to protect, and thereby reduce the amount of traffic that must be observed. For example, if you monitor at your firewall, IDS/IPS may see all sorts of traffic. If you monitor at the server, only traffic for the applications on that server are allowed.
5. Harden authentication
Make sure your systems have bulletproof authentication methods in place. If you are going to use passwords, ensure that they have minimum lengths and alphanumeric and special characters, and require users to change their passwords on a periodic basis. In addition, consider implementing two or three-factor authentication systems such as biometrics or security tokens like RSA SecureID. You also want to disable any unnecessary user accounts, and restrict access to services accounts and the administrator account on all systems.
6. Harden data access
Make sure your systems are configured using the NT file system, and that you have applied Discretionary Access Control Lists (DACLs) on all files. By default, many systems grant the Everyone group full access control. You should replace these broad permissions with more restrictive DACLs that grant specific groups access to the data, preventing all other users from having any access. In addition, consider whether a particular user or group of users requires read only or write only access, and configure the DACL as restrictive as possible. For a concise list of DACL recommendations see Chapter 10 of "Hardening Windows Systems" by Roberta Bragg.
7. Implement file system encryption
While DACLs are great at keeping folks out of data while the system is running, if the system can be booted using an alternate OS, data can still be easily obtained. To prevent this from occurring you need to implement some form of data encryption such as EFS in Windows. This way, even if the data is obtained, it will still need to be decrypted.
8. Implement security policies
You should implement group policy in your Windows systems to enforce the various aspects of your corporate security policy. For example, you can use group policy to control application access throughout your network or ensure user account restrictions are in place and enforced.
As I mentioned in the first article, the de-perimeterization of the network does not mean that we need to remove the network perimeter and expose our network directly to all external traffic and threats. It does however mean that we can no longer rely exclusively on the network perimeter to protect our systems and data. In addition to hardening our network perimeter, we need to remember what we are trying to protect -- the data. Then we can undertake hardening steps to protect data in the event that the network perimeter fails or is circumvented. These recommendations will go a long way toward improving the security posture of your Windows-based systems, hence minimizing the risk associated with the porous network perimeter. In the third article we will look at network-centric measures that you can take to further protect your data.
About the Author
Wesley J. Noonan has been working in the computer industry for over 12 years, specializing in Windows-based networks and network infrastructure security design and implementation. He is a senior network consultant for Collective Technologies, LLC (www.colltech.com). Wes recently authored the book "Hardening network infrastructures" for Osborne/McGraw-Hill and previously authored a chapter on network security and design for "The CISSP training guide" by QUE Publishing. He will be presenting a session at TechMentor (http://www.techmentorevents.com) on Friday, Oct. 1, 2004.
For More Information
Learn 10 steps NOT to take when securing your Windows perimeter.
View our collection of the Web's best resources about network infrastructure security.
This was first published in September 2004