Tip

Windows desktop security standards documentation best practices

Good documentation and good security goes hand-in-hand. So, if you're going to get your arms around your Windows environment and support the new wave of Windows and its associated applications, then taking the time to develop reasonable documentation is essential.

As I mentioned in "Desktop security preparation for a new wave of Windows apps," it all starts with an information risk assessment. You have to understand what your technical and operational weaknesses are, using a framework such as ISO/IEC 27002:2005, before you can develop any semblance of decent Windows security documentation. The Center for Internet Security's Windows Benchmarks and the DoD STIGs are also good resources for Windows security "best practices". It would be beneficial to familiarize yourself with those documents during this process.

Contrary to popular belief, a good Windows security foundation starts with well thought-out security standards. These are not policies yet but standards, and there is a difference. When I talk about standards, I am referring to the Windows and application designs and configurations you are going to "standardize" on. There are many potential areas for Windows security standards, but you need to focus on what counts based on the risks you uncover. Your initial concentration will likely be on the following:

 

  • Passwords
  • Local and/or group security policies
  • User provisioning and management via Active Directory or other third-party tool
  • Malware protection
  • Supported applications
  • Web browser configurations (including these essential IE 8 policies)
  • Disk encryption and key management
  • System hardening
  • OS and application patching
  • Smartphone/PDA synchronization
  • System backups
  • Security assessments
  • Hardware distribution and disposal

Your Windows security standards should be a standalone document. Rather than intermingling them with your actual policies, reference your standards in applicable policies. It's important to make your Windows security standards measurable. So, ask yourself the following four questions:

  1. Have standards been developed?
  2.  

  3. Are standards referenced in applicable policies?
  4.  

  5. Are standards reviewed on an annual basis?
  6.  

  7. Who is allowed to create or update the standards?

As a suggestion: A Web-based intranet or third-party tool for managing this documentation can be very helpful.

Don't fall into the trap of "documentation equals security". What appears to be good documentation in support of a solid Windows security management program often is not. The reality is that anyone can put pretty documentation in place to please the auditors and regulators, but that doesn't mean it'll work. I often see what appears to be detailed security standards, but in reality no one is paying attention to them. The people who put the standards documentation in place aren't practicing what they preach. To be successful, focus on making your documentation a well-rounded information security management program.

ABOUT THE AUTHOR:   
 
Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.
 


 

This was first published in June 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.