A Windows security checklist for IT managers


By Rebecca Herold, Contributor
11.05.2008

At a large IT conference recently, I had the chance to speak with some IT managers about the resources they use to help them secure their systems, networks and applications. I asked specifically about any checklists or quick reference sheets they use to help them to choose the best security products for their Windows systems. Most shook their heads and shrugged their shoulders, and one summed it up nicely by saying, "When you find one, send it my way."

IT managers already have plenty of things that keep them up at night. Add to that concerns about the effectiveness of their Windows security products. Not only do they worry about how to prevent security incidents and privacy breaches in vulnerable systems, but they must also comply with a growing number of legal, regulatory and contractual security requirements. Regulatory requirements touch virtually every part of the business, including the following activities:

  • Providing guest and anonymous access
  • Limiting vendor access for maintenance purposes
  • Controlling what users can do in the Windows environment
  • Segmenting the Windows system to better protect sensitive information
  • Documenting and auditing user activities and capabilities

What IT managers need is a high-level checklist they can use as a quick reference to confirm that a Windows security product they are considering addresses the full scope of security issues. The following is one version of that checklist. The areas are listed alphabetically, not by priority; every one of them needs to be evaluated:

  • Account management -- Can the security software be administered centrally through unique, non-shared administrator accounts whose actions are logged? Can you apply restrictions to its user accounts, such as automatically disabling an account after a defined period of non-use? Does it enforce strong passwords and lock out accounts after repeated failed logons?

  • Backup and archives -- Can the software's program files, configuration and the data it generates be backed up automatically on a schedule you set and can change as needed? Can a backup be restored to a known-good state, and has that restore been tested?

  • Certifications -- Has the security software been certified by an objective, independent party to work as advertised? For example, have its cryptographic modules been validated against the applicable FIPS 140 standard, has it been through a Common Criteria evaluation, or does it hold a CIS certification? Check which version and configuration the certificate covers; a certification applies only to the evaluated configuration, not to whatever the product does after the next upgrade.

  • Configuration settings -- Can you configure settings such as the logon screen or banner, the number of concurrent users, time-of-day limits and so on to suit your organization? You should be able to bring the configuration into line with your organization's security policies and standards rather than having to accept the vendor's defaults.

  • Data protection -- Does the security software protect the data it generates, such as logs, reports and scan results, with access controls and an option to encrypt that data strongly, both where it is stored and while it is transmitted?

  • Documentation -- Does the software come with thorough, comprehensive and easy-to-understand documentation that explains how to use it and describes the possible side effects of running it?

  • Identification and authentication -- Does the software identify and authenticate its end users, so that you can control who uses it and track when each individual used it?

  • Integration and compatibility -- Can you deploy the security software into your existing Windows environment without extensive changes to other applications, network settings, network interfaces and so on? A product that demands sweeping changes brings risk of its own: every change is another chance to break something or to open a gap that the product was bought to close.

  • Known issues -- Does the security software come with a summarized list of issues you may encounter after deploying it on your network? Such a list helps you pinpoint functional or operational problems caused by the software rather than by something else.

  • Licensing -- Does the license agreement allow you to use the security software everywhere you need it, not only on network endpoints but also on mobile computers, on employee-owned computers used for business and so on?

  • Logging and audit trails -- Can the security software log a wide range of actions and events related to the product itself, such as when it was used, who used it, what configuration changes were made and what security problems it discovered? Can those logs be forwarded to your central log collection, and are they protected from modification by the product's own users?

  • Point of contact -- Does the vendor give you a specific person or department you can reach by email, post or phone with questions, comments and suggestions? Does the vendor publish known problem reports and security advisories for the product?

  • Product role -- Does the vendor clearly state the primary purpose, function or use of the software? Be sure that the product you are buying to address a specific issue actually covers that issue, and not a set of other issues you are not really interested in.

  • Regulatory compliance -- Does the vendor provide clear, succinct documentation stating which regulations the software supports along with a description of specifically how it supports compliance? Common claims include HIPAA, GLBA, FISMA and Sarbanes-Oxley, but many vendors do not explain how their product actually helps you meet those requirements.

  • Rollback capability -- Can changes to the security software's configuration be rolled back? And, if so, does documentation exist that explains how to roll them back?

  • Software integrity -- Does the security software have controls that protect its own integrity, as well as privacy protections for the data it handles? Are its binaries and updates digitally signed, and does it detect tampering with its own files and configuration? Without integrity controls, the software could be altered in a way that makes it less effective, or not effective at all, at safeguarding your Windows environment.

  • Testing information -- Does the vendor list the platforms on which the security software was tested? Tests should have been run on every platform that exists in your network environment. Did the tests include security and privacy testing of the product itself?

  • Troubleshooting -- Can you turn the security software off for troubleshooting or for specific audit activities without affecting network operation? Is turning it off restricted to authorized administrators and logged, so that an attacker cannot do the same thing quietly?

  • Upgrade issues -- What are the requirements for upgrading the software? Are upgrades, including security patches for the product itself, included in your purchase and/or licensing agreement?
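Two of the items above, software integrity and testing information, can be checked in part before you sign anything, by inspecting what the product actually installs. The script below is an added example written for this page; it is not code from the article or from any vendor. It assumes a product installed under C:\Program Files\ExampleSecurityProduct, a vendor name of "Example Security Vendor" on its code-signing certificate, and a baseline file under ProgramData; all three are placeholders to replace for the product you are evaluating.

```powershell
# Added example (not from the article or any vendor): baseline and re-check the
# integrity of a security product's installed binaries.
# Assumptions: the product lives under $InstallPath, the vendor's signing
# certificate subject contains $ExpectedSignerPattern, and $BaselinePath is ours.
param(
    [string]$InstallPath           = 'C:\Program Files\ExampleSecurityProduct',      # assumed path
    [string]$BaselinePath          = "$env:ProgramData\ExampleSecurityProduct-baseline.csv",
    [string]$ExpectedSignerPattern = 'Example Security Vendor'                        # assumed vendor name
)

# Inventory every executable artifact with its hash and Authenticode status.
function Get-BinaryInventory {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.ps1' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$inventory = Get-BinaryInventory -Root $InstallPath

# 1. Every binary should carry a signature that validates AND names the vendor
#    you bought from. 'Valid' on its own only proves the chain ends at a root
#    this machine trusts, and a local administrator (or an installer) can add roots.
$badSig = $inventory | Where-Object {
    $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch [regex]::Escape($ExpectedSignerPattern)
}
if ($badSig) {
    Write-Warning 'Binaries that are unsigned, altered, or signed by an unexpected party:'
    $badSig | Format-Table Path, SigStatus, Signer -AutoSize
}

# 2. Compare hashes against the baseline taken right after a clean install.
#    A modified file shows up twice: its old hash marked '<=' and its new hash '=>'.
if (Test-Path -Path $BaselinePath) {
    $baseline = Import-Csv -Path $BaselinePath
    $changes  = Compare-Object -ReferenceObject $baseline -DifferenceObject $inventory -Property Path, SHA256
    if ($changes) {
        Write-Warning 'Files added, removed or modified since the baseline (<= baseline, => current):'
        $changes | Format-Table Path, SHA256, SideIndicator -AutoSize
    } else {
        Write-Output "All $($inventory.Count) binaries match the baseline."
    }
} else {
    # First run: record the baseline. Keep a copy off the host; anyone who can
    # alter the product's files can usually alter a baseline stored beside them.
    $inventory | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath ($($inventory.Count) files)."
}
```

Run it once immediately after a clean install to record the baseline, then again after each upgrade or whenever you suspect tampering. Expect some components, such as Microsoft runtime libraries the product redistributes, to be signed by a party other than the vendor; review the Signer column rather than treating every mismatch as an alarm. On older PowerShell versions, files that are signed only through a Windows catalog rather than with an embedded signature can report NotSigned, so confirm the PowerShell version before drawing conclusions from that status.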

And just because you are buying security software, don't assume that the software itself is secure. Ask the questions on this checklist to validate that it actually is.

Even if you already know the answers to every item on this checklist, chances are that the people working with and supporting your Windows environment do not. Give your IT staff the checklist to raise their awareness. Making the documentation available also makes them accountable for carrying out the activities that keep your Windows environment secure.

Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance and is the owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.

All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy