WINDOWS DESKTOP SECURITY TIPS

How to strike a balance between Windows security and business needs


Kevin Beaver, CISSP
01.27.2009


With all of the technological and compliance-related changes we've seen in IT since 2003, one would think the battle between security and convenience would be moot. But it seems that the more things change the more they stay the same!

Information security and locking down Windows systems is not an on-and-off switch process. If managing Windows was that simple, we'd all be unemployed. In reality, Windows security is an infinite gray area that depends on your organization's culture, politics and most importantly, management buy-in. The problem is that many Windows administrators have their priorities out of order and forget that their main responsibilities are to facilitate business and support the users.

A common attitude among IT pros is that Windows systems are "ours" and we're going to do whatever it takes to lock them down and protect users from themselves. It may sound like a noble idea, but it's not always done in the right spirit. A predictable side-effect, if not an outright goal, of Windows administrators controlling things at this level is to prevent unnecessary work and to cover their rears so they don't look bad if an attack were to occur. I'm not speculating here. Administrators are telling me this and I see it in their actions; I used to do it myself.

I've observed relatively stringent controls in many organizations, especially with regard to passwords and Internet usage. When I ask users how security gets in the way of their day-to-day tasks, the majority are very frank about how it hinders their work. Users say they are advised to change passwords every 30 to 45 days, are unable to connect and sync their smartphones, receive email attachments, use instant messaging and connect removable storage so they can back up their own laptop (which is typically their responsibility).

Based on what I see in the security assessments that I perform, most Windows shops have a lot more basic stuff to worry about than just locking everything down according to what the standards bodies' "best practices" declare. Even with strict controls in place that are keeping users from doing their work, I still come across big security vulnerabilities, such as the following:

  • Missing patches on workstations and servers (even when Automatic Updates and WSUS are being used) that can be exploited to gain full control of the system
  • No personal firewall software in use, which allows system enumeration, share perusal, etc.
  • Disabled anti-virus software
  • Systems (especially databases and network infrastructure devices) with default passwords or no passwords at all that can be completely controlled, reconfigured, shut down, etc.
  • Unencrypted laptop drives that facilitate the exposure of sensitive information stored on any given system
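As an added example (not from the article), here is a PowerShell check a desktop administrator could run on a Windows 8 / Server 2012 or later workstation to audit the host-local basics in the list above: pending updates, firewall profiles, anti-virus state and drive encryption. It assumes an elevated session and the NetSecurity, Defender and BitLocker modules; default passwords on databases and network devices are not a host-local check and are not covered.

```powershell
# Added example: audit the host-local basics from the list above.
# Assumes Windows 8 / Server 2012 or later, an elevated PowerShell session,
# and the NetSecurity, Defender and BitLocker modules (standard on client SKUs).

function Test-BaselineSecurity {
    $findings = @()

    # 1. Missing patches: ask the Windows Update Agent what is still not installed.
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
        foreach ($u in $pending.Updates) { $findings += "Missing update: $($u.Title)" }
    } catch { $findings += "Could not query Windows Update Agent: $($_.Exception.Message)" }

    # 2. Host firewall: every profile (Domain/Private/Public) should be enabled.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) { $findings += "Firewall disabled for profile: $($p.Name)" }
    }

    # 3. Anti-virus: Defender must be on, real-time, and have recent signatures.
    try {
        $mp = Get-MpComputerStatus
        if (-not $mp.AntivirusEnabled)          { $findings += "Antivirus engine disabled" }
        if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection disabled" }
        if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
            $findings += "Antivirus signatures older than 7 days"
        }
    } catch { $findings += "Could not query Windows Defender: $($_.Exception.Message)" }

    # 4. Drive encryption: every volume should report BitLocker protection On
    #    (removable media also appear here; review those lines separately).
    try {
        foreach ($v in Get-BitLockerVolume) {
            if ($v.ProtectionStatus -ne 'On') {
                $findings += "Unencrypted volume: $($v.MountPoint) ($($v.VolumeStatus))"
            }
        }
    } catch { $findings += "Could not query BitLocker: $($_.Exception.Message)" }

    return $findings
}

$results = Test-BaselineSecurity
if ($results.Count -eq 0) { "No baseline findings" } else { $results }
```

Run it from a scheduled task or logon script and collect the output centrally; an empty result is the goal, and each line that does appear maps directly to one of the findings above.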

There's an obvious disconnect: lots of user controls that really don't make much of a difference to security (especially if compensating controls such as passphrase enforcement, content filtering and data leakage prevention are in place), yet lots of security holes that are still waiting to be exploited. Do you see where I'm coming from?

Don't take this the wrong way. I'm a technical guy at heart and understand the pains of being a Windows administrator. I've been there, and if I've ever been in doubt about certain vulnerabilities, I typically err on the side of caution and lock things down. The big oversight is the fact that there's also a business component to IT and security -- something that cannot be overlooked. I'm not against strong security controls if they're done the right way. However, it pains me to see it done haphazardly in an all-or-nothing fashion without taking the business and users' needs into account. A balance of security, convenience and usability must be in place, but it requires taking a step back and looking at IT and security strategically. You have to ask yourself the following questions:

  • What is the business trying to accomplish?
  • What is there to lose?
  • What can be put in place to reasonably manage risk and facilitate usability?

If there's ever been a good reason to have a security committee, this is it. Get other key decision makers on board and let them provide input on just how tight Windows security needs to be. If anything comes out of this, the right people will be on board, informed decisions will be made at a high level and ultimately you won't be the bad guy when security ends up getting in the way of doing business in the future.

The solution is balance. Think reasonable security and, most importantly, think long-term.

ABOUT THE AUTHOR:   

[IMAGE]Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years of experience in the industry and specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com .