A wise man once told me, "There are three things people can do to significantly improve the security of their networks: choose strong password practices, install patches and educate users about security." Following that advice, here are five resolutions all enterprise administrators should consider making for 2010.
I will change my administrative passwords every six weeks.
It's not uncommon for password management policies to require users to change their passwords every 30, 60 or 90 days. This practice has significantly improved the overall security posture of user accounts; however, it ignores the crown jewels of the enterprise -- administrative accounts.
Administrators can bypass the password-change requirements for their own (or other) accounts by checking the box "password never expires." This is convenient because admins have usually set up accounts in multiple locations. Keeping passwords in sync across various locations is challenging if the password needs to be changed every few months. The same goes for service accounts -- who wants to keep changing the service account password on all endpoint systems every eight weeks?
Unfortunately, hackers know that administrators don't change their passwords, and they frequently target the admin and service accounts first. Auditors know this too -- security audits routinely find that administrative accounts have been using the same password for a year or longer.
Plan to change your administrative account passwords every six weeks. And make sure not to use the same password across multiple domains or security zones.
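A concrete way to act on this resolution is to audit the directory for privileged accounts whose passwords are flagged never to expire, or have not been set within the six-week window. The following Python is an added example, not code from the column or its author. It works on a constructed list of account records shaped like the Active Directory attributes `sAMAccountName`, `userAccountControl` and `pwdLastSet`; the `privileged` field and all sample values are assumptions, and in practice the records would come from an LDAP or PowerShell export.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag bit for "password never expires" (DONT_EXPIRE_PASSWD)
UF_DONT_EXPIRE_PASSWD = 0x10000
# The six-week rotation window this resolution asks for
MAX_ADMIN_PASSWORD_AGE = timedelta(weeks=6)

# Active Directory stores pwdLastSet as a FILETIME: 100-nanosecond ticks
# since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return ((when - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def audit_privileged_accounts(accounts, now):
    """Return (account, finding) pairs for privileged accounts that violate the policy.

    accounts: iterable of dicts with sAMAccountName, userAccountControl, pwdLastSet
              and a boolean 'privileged' (assumed to be derived from group membership).
    now:      aware UTC datetime the password ages are measured against.
    """
    findings = []
    for acct in accounts:
        if not acct["privileged"]:
            continue
        name = acct["sAMAccountName"]
        if acct["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
            findings.append((name, "password never expires"))
        if acct["pwdLastSet"] == 0:
            # 0 means the password was never set or must change at next logon;
            # there is no age to compute, so report it and move on.
            findings.append((name, "pwdLastSet is 0"))
            continue
        age = now - filetime_to_datetime(acct["pwdLastSet"])
        if age > MAX_ADMIN_PASSWORD_AGE:
            findings.append((name, f"password is {age.days} days old"))
    return findings


# Constructed sample data: a fixed 'now' and four accounts at different ages.
NOW = datetime(2010, 1, 4, tzinfo=timezone.utc)


def _sample_account(name, privileged, never_expires, days_since_set):
    uac = 0x200 | (UF_DONT_EXPIRE_PASSWD if never_expires else 0)  # 0x200 = NORMAL_ACCOUNT
    return {
        "sAMAccountName": name,
        "userAccountControl": uac,
        "privileged": privileged,
        "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=days_since_set)),
    }


SAMPLE_ACCOUNTS = [
    _sample_account("da_alice", True, False, 20),    # rotated recently: fine
    _sample_account("svc_backup", True, True, 400),  # service account, never expires, over a year old
    _sample_account("bob", False, True, 400),        # ordinary user: out of scope for this audit
    _sample_account("da_carol", True, False, 50),    # admin, past the six-week window
]


def sample_findings():
    return audit_privileged_accounts(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for account, finding in sample_findings():
        print(f"{account}: {finding}")
```

The point of the FILETIME conversion is that `pwdLastSet` is not a human-readable date; an audit that compares it as a raw number will silently pass everything. Running the check from a scheduled job and feeding the findings to the ticketing system turns the resolution into something that gets enforced rather than remembered.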
I will make an effort to keep all my systems patched.
Applying security patches to desktops and servers may be one of the single best ways to enhance the security of a network. Microsoft Update, Windows Update and Windows Server Update Services can help keep your operating system and applications up to date.
Don't forget, however, that security patches are available only to machines running the latest service pack and/or the previous service pack. Best practice is to first install the OS service pack, then all application service packs, and then all missing security patches.
Once you've taken care of the Microsoft patches, focus on assessing and deploying security patches for third-party applications such as Mozilla Firefox, Adobe Reader, Sun Java and Apple iTunes. Some of these applications have built-in auto-update functions, but others require users to opt into the update process -- something that they'll defer if given the chance.
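The third-party assessment step above comes down to comparing each installed version against a required minimum, and a common mistake is to compare the version strings lexically, which ranks "9.3.0" above "9.10". The following Python is an added example, not code from the column; the inventory, baseline and version numbers are constructed placeholders chosen to exercise the comparison, and in practice the inventory would come from an asset or software inventory tool.

```python
import re


def parse_version(text):
    """Split a version string into a tuple of integers so it compares numerically.

    ".", "_" and "-" are all treated as separators, so "1.6.0_17" becomes
    (1, 6, 0, 17).  Purely non-numeric fragments such as "beta" are dropped,
    which is good enough for release builds of the products named above.
    """
    return tuple(int(part) for part in re.split(r"[._-]", text) if part.isdigit())


def version_less_than(installed, required):
    """True when installed is older than required.

    Shorter tuples are zero-padded, so "3.5" and "3.5.0" compare equal.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_outdated(inventory, baseline):
    """Return sorted (host, app, installed, required) for every app below the baseline.

    inventory: {host: {app: installed_version}}
    baseline:  {app: minimum acceptable version}; apps absent from the baseline are ignored.
    """
    outdated = []
    for host, apps in inventory.items():
        for app, installed in apps.items():
            required = baseline.get(app)
            if required is not None and version_less_than(installed, required):
                outdated.append((host, app, installed, required))
    return sorted(outdated)


# Constructed sample data.  The version numbers are placeholders, not a
# statement of which releases were current at the time.
SAMPLE_INVENTORY = {
    "ws01": {"Firefox": "3.5.6", "Adobe Reader": "9.2.0", "Java": "1.6.0_17"},
    "ws02": {"Firefox": "3.0.15", "Adobe Reader": "9.3.0", "Java": "1.6.0_15"},
}
SAMPLE_BASELINE = {"Firefox": "3.5.6", "Adobe Reader": "9.3", "Java": "1.6.0_17"}


def sample_outdated():
    return find_outdated(SAMPLE_INVENTORY, SAMPLE_BASELINE)


if __name__ == "__main__":
    for host, app, installed, required in sample_outdated():
        print(f"{host}: {app} {installed} is below the required {required}")
```

Applications that rely on the user opting into updates are exactly the ones this report tends to light up, so the list of outdated hosts doubles as the list of machines where the update should be pushed rather than offered.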
I will find and eliminate administrative shortcuts that bypass the security of our network.
All administrators know where the skeletons are buried (and the auditors have no clue): service accounts that have too much access; the special VPN connection that bypasses the firewall; staging servers that are dual-homed to production servers instead of going through the security gateway; or the "test box" on the Internet that "doesn't really contain anything important" (but that hackers are using as a warez site).
Make an effort to track down your shortcuts and those of your predecessors and shut them down. Yes, it's painful, and yes, it'll take a little more effort to make your connection or route your data, but your network will be more secure.
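Of the shortcuts listed above, dual-homed staging servers are the easiest to detect mechanically once you know which subnets belong to which security zone: any host with interfaces in more than one zone, other than the sanctioned security gateway, deserves a look. The following Python is an added example, not code from the column. The zone map, host inventory and addresses are constructed (the DMZ uses RFC 5737 documentation ranges), and the approved-host set is an assumption standing in for your own change records.

```python
import ipaddress

# Constructed zone map: subnets and the security zone each belongs to.
ZONES = {
    "production": [ipaddress.ip_network("10.1.0.0/16")],
    "staging": [ipaddress.ip_network("10.2.0.0/16")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],  # RFC 5737 TEST-NET-1
}

# Hosts that are expected to span zones (the security gateway itself).
APPROVED_MULTI_HOMED = {"secgw01"}


def zone_of(address, zones=ZONES):
    """Name of the zone containing address, or 'unknown' for unmapped ranges."""
    ip = ipaddress.ip_address(address)
    for name, networks in zones.items():
        if any(ip in network for network in networks):
            return name
    return "unknown"


def find_dual_homed(hosts, zones=ZONES, approved=APPROVED_MULTI_HOMED):
    """Return {host: [zones]} for hosts whose interfaces touch more than one zone.

    hosts: {hostname: [interface addresses]}.  'unknown' counts as a zone of
    its own, so a box with a leg in an unmapped range is reported as well.
    Approved multi-homed hosts are skipped.
    """
    findings = {}
    for host, addresses in hosts.items():
        if host in approved:
            continue
        touched = sorted({zone_of(address, zones) for address in addresses})
        if len(touched) > 1:
            findings[host] = touched
    return findings


# Constructed inventory (in practice exported from DHCP, a CMDB or switch data).
SAMPLE_HOSTS = {
    "secgw01": ["10.1.0.1", "10.2.0.1", "192.0.2.1"],  # sanctioned gateway
    "stage-app01": ["10.2.10.5", "10.1.10.5"],         # staging box with a production leg
    "web01": ["192.0.2.20"],
    "db01": ["10.1.20.3", "10.1.20.4"],                # two NICs in the same zone: fine
    "lab-test": ["192.0.2.77", "203.0.113.9"],         # DMZ plus an unmapped range
}


def sample_dual_homed():
    return find_dual_homed(SAMPLE_HOSTS)


if __name__ == "__main__":
    for host, touched in sample_dual_homed().items():
        print(f"{host}: interfaces in {', '.join(touched)}")
```

Treating "unknown" as its own zone is deliberate: an address that matches none of your subnets is either a gap in the zone map or an unsanctioned connection, and both are worth a ticket.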
I will stay current on security issues by following security websites, forums and mailing lists.
Security doesn't sleep. New threats are found every day -- workarounds and solutions are published shortly thereafter. The only way to stay up to date is by visiting security websites and signing up for security newsletters. Some favorite sites include the following:
- Microsoft security advisories
- SANS ISC daily security happenings
- Kaspersky Lab ThreatPost commentary
- InfoSec News mailing list
- SecurityFocus portal
- Bugtraq mailing list
- Security articles and tips
Visit at least two of these sites each day, or sign up for two mailing lists.
I will share my security knowledge with at least one other person who isn't a security person.
Knowledge is limited unless it's shared. Share your security experiences with other admins who aren't focused on security. Discuss the benefits of passphrases (vs. passwords) with end users. Hold a brownbag lunch, and discuss social engineering threats and how to deal with them. Share your favorite security tools and websites with other administrators. By raising the security consciousness of your users and learning more about your environment, your network security will be strengthened.
About the author: Eric Schultze
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.