Information security and locking down Windows systems is not an on-and-off switch process. If managing Windows was that simple, we'd all be unemployed. In reality, Windows security is an infinite gray area that depends on your organization's culture, politics and most importantly, management buy-in. The problem is that many Windows administrators have their priorities out of order and forget that their main responsibilities are to facilitate business and support the users.
I've observed relatively stringent controls in many organizations, especially with regard to passwords and Internet usage. When I ask users how security gets in the way of their day-to-day tasks, the majority are very frank about how it hinders their work. Users say they are advised to change passwords every 30 to 45 days, are unable to connect and sync their smartphones, receive email attachments, use instant messaging and connect removable storage so they can back up their own laptop (which is typically their responsibility).
Based on what I see in the security assessments that I perform, most Windows shops have a lot more basic stuff to worry about than just locking everything down according to what the standards bodies' "best practices" declare. Even with strict controls in place that are keeping users from doing their work, I still come across big security vulnerabilities, such as the following:
- Missing patches on workstations and servers (even when Automatic Updates and WSUS are being used) that can be exploited to gain full control of the system
- No personal firewall software being used which allows system enumeration, share perusal, etc.
- Disabled anti-virus software
- Systems (especially databases and network infrastructure devices) with default passwords or no passwords at all that can be completely controlled, reconfigured, shutdown, etc.
- Unencrypted laptop drives that facilitate the exposure of sensitive information stored on any given system
There's an obvious disconnect: Lots of user controls that really don't make much of a difference with security (especially if compensating controls such as passphrase enforcement, content filtering and data leakage prevention are in place) yet lots of security holes that are still waiting to be exploited. Do you see where I'm coming from?
Don't take this the wrong way. I'm a technical guy at heart and understand the pains of being a Windows administrator. I've been there and if I've ever been in doubt about certain vulnerabilities, I typically err on the side of caution and lock things down. The big oversight is the fact there's also a business component to IT and security -- something that cannot be overlooked. I'm not against strong security controls if they're done the right way. However, it pains me to see it done haphazardly in an all or nothing fashion without taking the business and users' needs into account. A balance of security and convenience and usability must be in place, but it requires taking a step back and looking at IT and security strategically. You have to ask yourself the following questions:
- What is the business trying to accomplish?
- What is there to lose?
- What can be put in place to reasonably manage risk and facilitate usability?
If there's ever been a good reason to have a security committee, this is it. Get other key decision makers on board and let them provide input on just how tight Windows security needs to be. If anything comes out of this, the right people will be on board, informed decisions will be made at a high level and ultimately you won't be the bad guy when security ends up getting in the way of doing business in the future.
The solution is balance. Think reasonable security and, most importantly, think long-term.
|ABOUT THE AUTHOR:|
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years of experience in the industry and specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org .
This was first published in January 2009