If an administrator had to pick one main goal for managing the Windows Server environment, ensuring its security and resiliency would be at or near the top. While it's easy to say an IT security plan is a priority, it's quite another to make it happen.
How do you get to that level of information systems assurance that seems to evade so many? I'm not yet convinced that it's possible to reach such a level given the complexities of the average network combined with the nuances and barriers of running an effective information security program. However, you can take steps to make the information security program at least twice as good as it is today.
Without a clearly defined set of goals, you're just going through the motions waiting for that inevitable breach in your Windows Server environment. Unless and until you document specific objectives -- along with steps to take and deadlines to hold yourself accountable -- there is little chance for these intentions to become reality. The premise of goal setting has been around for centuries, but many people struggle with it. There are small, yet critical, steps to take to turn things around and get ahead of the curve and secure the Windows Server environment.
Make it plain
First, decide what you want to accomplish. Most people say they want a "secure" network, but what does that mean? To some, it may mean clean reports on all security assessments and audits. To others, it means having reasonable uptime or zero data loss. It's important to get as detailed as possible when setting your IT security goals. Some specific examples of security-related goals for the Windows Server 2012 and Windows Server 2016 systems might include:
- Domain-related policy and standards gaps, such as weak passwords, that you know are going to get your business into trouble one day.
- IIS/Web-related flaws such as SQL injection, cross-site scripting, and the widespread SSL/TLS-related vulnerabilities that cause problems for so many organizations.
- Hardening servers up to a certain standard such as the DISA STIGs or the Center for Internet Security Benchmarks.
- Integrating new features in Windows Server 2016 with existing security controls such as strong authentication via Microsoft Passport, the admin-limiting Just Enough Administration, and denial of service protections built into IIS version 10.
Detail the steps needed
After defining specific needs, write them out as completed tasks, such as "IT hardened the Windows servers to the Center for Internet Security's Windows Server 2012 Benchmark version 1.0.0."
The next step in this formula is to outline the specific steps to accomplish the goals in the IT security plan. Each specific goal will require several steps. To use the same example, it will require taking an inventory of existing systems, determining where the systems are vulnerable, and understanding the specific compliance, policy and contractual requirements for locking down Windows Server systems. Some steps must be followed in a particular order; for example, you can't document policies and standards without knowing where things stand and what the requirements are. You also have to prioritize, and get the proper people involved, such as your peers, subordinates and management.
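The inventory and "where are we vulnerable" steps above only become a measurable goal once they are written down as a repeatable check. The following PowerShell script is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module is installed, that the operator can run remote PowerShell against the servers, and that the 14-character minimum and the SMBv1 check are illustrative targets chosen for the example rather than figures quoted from a particular benchmark.

```powershell
# Added example (not from the original article): turn a hardening goal into a
# repeatable, documented check. Assumes the ActiveDirectory RSAT module and
# PowerShell remoting to each server. Threshold values are illustrative
# assumptions, not a quoted benchmark.
Import-Module ActiveDirectory

# Step 1: inventory the Windows Server systems joined to the domain.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' `
    -Properties OperatingSystem, LastLogonDate |
    Select-Object Name, OperatingSystem, LastLogonDate

# Step 2: compare the domain password policy against the written goal.
$policy = Get-ADDefaultDomainPasswordPolicy
$policyFindings = @()
if ($policy.MinPasswordLength -lt 14) { $policyFindings += "MinPasswordLength is $($policy.MinPasswordLength); goal is 14" }
if (-not $policy.ComplexityEnabled)   { $policyFindings += "Password complexity is disabled" }
if ($policy.LockoutThreshold -eq 0)   { $policyFindings += "Account lockout is disabled" }

# Step 3: check one server-level setting on each host (SMBv1 still enabled is a
# common benchmark finding). Unreachable hosts are recorded, not skipped silently.
$serverFindings = foreach ($s in $servers) {
    try {
        $smb1 = Invoke-Command -ComputerName $s.Name -ErrorAction Stop -ScriptBlock {
            Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
        }
        [pscustomobject]@{ Server = $s.Name; OS = $s.OperatingSystem; SMB1Enabled = $smb1; Reachable = $true }
    } catch {
        [pscustomobject]@{ Server = $s.Name; OS = $s.OperatingSystem; SMB1Enabled = $null; Reachable = $false }
    }
}

# Step 4: write a dated report so the goal has evidence behind it.
$report = Join-Path $env:TEMP ("hardening-check-{0:yyyy-MM-dd}.csv" -f (Get-Date))
$serverFindings | Export-Csv -Path $report -NoTypeInformation

Write-Host "Inventory: $($servers.Count) servers; per-server results written to $report"
Write-Host "Domain password policy findings:"
if ($policyFindings.Count -eq 0) { Write-Host "  none" } else { $policyFindings | ForEach-Object { Write-Host "  $_" } }
$serverFindings | Where-Object { $_.SMB1Enabled -eq $true } | ForEach-Object { Write-Host "SMBv1 enabled on $($_.Server)" }
$serverFindings | Where-Object { -not $_.Reachable }       | ForEach-Object { Write-Host "Could not reach $($_.Server)" }
```

Run it from an administrative PowerShell session on a domain-joined management host. The dated CSV is the artifact that lets you state the goal as a completed task with evidence, and re-running it on the weekly cadence described later shows whether the numbers are moving in the right direction.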
Put a date on goals
With any goal in the IT security plan, the most important thing is to set a deadline and hold yourself accountable. When do you want to have this task completed? Perhaps it's before the next security assessment or audit. Or maybe a big business deal might hinge on the completion of a goal. Whatever it is, know the specifics so you and your team can stay focused. Next, get started on the goals immediately and revisit them periodically and consistently -- ideally every day -- but no less than once per week.
Many businesses struggle with IT security goals because few people in an organization know how to follow through with the goal process. Achieving goals is as simple as determining what is needed and following through with completing them. Don't settle for New Year's resolutions; they don't work. Goals are different in that they require discipline -- day-to-day accountability on your part and others involved in the work.
Basketball coach Bobby Knight once said "The will to win is not nearly as important as the will to prepare to win." Practice relentless incrementalism -- do the small things that add up to big outcomes in the long term.