
How to strike a balance between Windows security and business needs

Stringent Windows security controls can get in the way of your users' day-to-day job responsibilities. Don't let this happen. Learn how to create and manage a balance between your Windows security controls and the needs of your company and its users.

With all of the technological and compliance-related changes we've seen in IT since 2003, one would think the battle between security and convenience would be moot. But it seems that the more things change the more they stay the same!

Information security and locking down Windows systems is not a matter of flipping a switch on or off. If managing Windows were that simple, we'd all be unemployed. In reality, Windows security is an endless gray area that depends on your organization's culture, politics and, most importantly, management buy-in. The problem is that many Windows administrators have their priorities out of order and forget that their main responsibilities are to facilitate business and support the users.


A common attitude among IT pros is that Windows systems are "ours" and we're going to do whatever it takes to lock them down and protect users from themselves. It may sound like a noble idea, but it's not always done in the right spirit. A predictable side-effect, if not an outright goal, of Windows administrators controlling things at this level is to prevent unnecessary work and to cover their rears so they don't look bad if an attack were to occur. I'm not speculating here. Administrators are telling me this and I see it in their actions; I used to do it myself.

I've observed relatively stringent controls in many organizations, especially with regard to passwords and Internet usage. When I ask users how security gets in the way of their day-to-day tasks, the majority are very frank about how it hinders their work. Users say they are advised to change passwords every 30 to 45 days, are unable to connect and sync their smartphones, receive email attachments, use instant messaging and connect removable storage so they can back up their own laptop (which is typically their responsibility).

Based on what I see in the security assessments that I perform, most Windows shops have a lot more basic stuff to worry about than just locking everything down according to what the standards bodies' "best practices" declare. Even with strict controls in place that are keeping users from doing their work, I still come across big security vulnerabilities, such as the following:

  • Missing patches on workstations and servers (even when Automatic Updates and WSUS are being used) that can be exploited to gain full control of the system
  • No personal firewall software in use, which allows system enumeration, share perusal, etc.
  • Disabled anti-virus software
  • Systems (especially databases and network infrastructure devices) with default passwords or no passwords at all that can be completely controlled, reconfigured, shut down, etc.
  • Unencrypted laptop drives that facilitate the exposure of sensitive information stored on any given system
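The five findings above are the kind of basics that get missed while user-facing controls are being tightened. As an added example (not from the article or its author), here is a read-only PowerShell baseline check for one Windows host that covers each of them. It assumes Windows 10/Server 2016 or later with the NetSecurity, Defender, BitLocker and LocalAccounts modules available, Microsoft Defender as the anti-virus product, and an elevated session; the 45-day and 7-day thresholds are assumptions you should set to your own policy.

```powershell
# Added example: quick baseline check mapped to the five finding categories.
# Assumes modern Windows with the NetSecurity, Defender, BitLocker and
# LocalAccounts modules; run elevated. Read-only: it only reports.
$findings = @()

# 1. Patching: flag a host whose newest hotfix is older than 45 days (assumed threshold).
#    Get-HotFix is a coarse signal only; it does not list every update type.
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
if (-not $lastPatch) {
    $findings += "Patching: no installed hotfixes reported"
} elseif ($lastPatch.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings += "Patching: newest hotfix $($lastPatch.HotFixID) dates from $($lastPatch.InstalledOn.ToShortDateString())"
}

# 2. Personal firewall: all three profiles (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall: $($p.Name) profile is disabled" }
}

# 3. Anti-virus: Defender on, real-time protection on, signatures not older than 7 days (assumed).
#    A third-party AV product will not show up here.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += "Anti-virus: Defender antivirus is disabled" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Anti-virus: real-time protection is off" }
if ($mp.AntivirusSignatureAge -gt 7)    { $findings += "Anti-virus: signatures are $($mp.AntivirusSignatureAge) days old" }

# 4. Blank passwords: the Windows-local slice of the default/no-password finding.
#    Databases and network devices need their own checks.
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    if (-not $u.PasswordRequired) { $findings += "Accounts: local user '$($u.Name)' does not require a password" }
}

# 5. Disk encryption: every BitLocker-capable volume should report protection On.
foreach ($v in Get-BitLockerVolume) {
    if ($v.ProtectionStatus -ne 'On') {
        $findings += "Encryption: volume $($v.MountPoint) protection is $($v.ProtectionStatus)"
    }
}

if ($findings.Count -eq 0) { "No findings from the basic checks." } else { $findings }
```

Running this across a fleet (for example via Invoke-Command) gives a quick picture of whether the fundamentals are covered before tightening controls that users feel every day.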

There's an obvious disconnect: lots of user controls that don't make much of a difference to security (especially if compensating controls such as passphrase enforcement, content filtering and data leakage prevention are in place) alongside lots of security holes that are still waiting to be exploited. Do you see where I'm coming from?

Don't take this the wrong way. I'm a technical guy at heart and understand the pains of being a Windows administrator. I've been there, and if I've ever been in doubt about certain vulnerabilities, I typically err on the side of caution and lock things down. The big oversight is that there's also a business component to IT and security -- something that cannot be overlooked. I'm not against strong security controls if they're done the right way. However, it pains me to see it done haphazardly, in an all-or-nothing fashion, without taking the business and users' needs into account. A balance of security, convenience and usability must be in place, but it requires taking a step back and looking at IT and security strategically. You have to ask yourself the following questions:

  • What is the business trying to accomplish?
  • What is there to lose?
  • What can be put in place to reasonably manage risk and facilitate usability?

If there's ever been a good reason to have a security committee, this is it. Get other key decision makers on board and let them provide input on just how tight Windows security needs to be. Whatever comes out of this, the right people will be on board, informed decisions will be made at a high level and ultimately you won't be the bad guy when security ends up getting in the way of doing business in the future.

The solution is balance. Think reasonable security and, most importantly, think long-term.

Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years of experience in the industry and specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at .
