1. Know your users

One of the best ways to secure your users is to know their jobs. Spend time learning what they do, what their interests are and what would make life easier for them. This will have a threefold effect on security:

   1. The better you know your users, the easier it will be to spot espionage.
   2. It will help you shape security policies around your business.
   3. When users realize you are trying to make their job easier, they will be more likely to communicate problems to you.
2. Secure user passwords

This is easier than most people think, especially on a Windows network, but it may take some trial and error. Different employees respond differently to password security: some users have no difficulty coming up with new passwords and memorizing them right away, while for others this is a real problem. Here are the Active Directory password policy settings I have found useful and convenient for users.

GPO -> Computer Configuration -> Windows Settings -> Security Settings -> Password Policy

   - Enforce password history: one year's worth, e.g. 12 for a 30-day policy or 4 for a 90-day policy.
   - Maximum password age: 90 is excellent. 30 can result in users writing down their passwords or simply incrementing them, which negates the extra security granted by the shorter period.
   - Minimum password length: 8. 7 is OK, but 8 increases the difficulty by an order of magnitude; 7 is also common, and users will most likely do the minimum.
   - Password must meet complexity requirements: Enabled (see the "Dictionary Attacks" reference below for details).
|
3. Force NTLM

Nothing is worse than a good ol' legacy attack. Consider making the following GPO change (note that this may prevent legacy Windows 95/98 machines or apps from connecting to the domain):

GPO -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

   - Network security: Do not store LAN Manager hash value on next password change: Enabled
   - Network security: LAN Manager authentication level: Send NTLMv2 response only\refuse LM

Thanks to Roeman for adding this step. (As a side note, this will break 98 and NT boxes, but if you have them on your network you have bigger problems. And please don't use reversible encryption.)
|
4. Set Lockout Policy

To reduce the impact of brute-force attacks you need to lock out an account when someone tries to brute-force it.

GPO -> Computer Configuration -> Windows Settings -> Security Settings -> Account Lockout Policy

Here is the combination I recommend:

   - Account lockout duration: 15 minutes
   - Account lockout threshold: 5 invalid logon attempts
   - Reset lockout counter after: 15 minutes

Reducing the threshold to 3 invalid logon attempts will further limit a malicious user's ability to sit at a computer guessing passwords. Many user passwords can be found within 10 feet of the user's desk, in the form of post-it notes and pictures of family members.
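The settings from steps 2 to 4 can be verified rather than trusted. The following is an added PowerShell audit script, not part of the original article; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and it reads the two LSA registry values that the Security Options settings in step 3 control.

```powershell
# Added audit script; not from the original article. Assumes the RSAT ActiveDirectory
# module and a domain-joined machine. Thresholds are the ones recommended in steps 2-4.
Import-Module ActiveDirectory

$failures = New-Object System.Collections.Generic.List[string]
function Test-Setting([string]$Name, [bool]$Ok, $Actual) {
    if ($Ok) { Write-Host "OK   $Name" } else { $failures.Add("FAIL $Name (actual: $Actual)") }
}

# Steps 2 and 4: the Default Domain Policy's password and lockout settings
$p = Get-ADDefaultDomainPasswordPolicy
$maxDays = $p.MaxPasswordAge.TotalDays
Test-Setting 'Max password age 1..90 days' ($maxDays -gt 0 -and $maxDays -le 90) $p.MaxPasswordAge
# "One year's worth" of history: history count x max age should cover 365 days
Test-Setting 'Password history covers a year' (($p.PasswordHistoryCount * $maxDays) -ge 365) $p.PasswordHistoryCount
Test-Setting 'Min password length >= 8' ($p.MinPasswordLength -ge 8) $p.MinPasswordLength
Test-Setting 'Complexity required' $p.ComplexityEnabled $p.ComplexityEnabled
Test-Setting 'Reversible encryption off' (-not $p.ReversibleEncryptionEnabled) $p.ReversibleEncryptionEnabled
Test-Setting 'Lockout threshold 1..5 attempts' ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 5) $p.LockoutThreshold
Test-Setting 'Lockout duration >= 15 min' ($p.LockoutDuration.TotalMinutes -ge 15) $p.LockoutDuration
Test-Setting 'Lockout window >= 15 min' ($p.LockoutObservationWindow.TotalMinutes -ge 15) $p.LockoutObservationWindow

# Step 3: LM hash storage and authentication level as they took effect on this machine.
# The GPO settings land in these LSA registry values; 4 = "Send NTLMv2 response only / refuse LM",
# 5 additionally refuses NTLM. A missing value reads as $null and fails the check.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Test-Setting 'NoLMHash = 1' ($lsa.NoLMHash -eq 1) $lsa.NoLMHash
Test-Setting 'LmCompatibilityLevel >= 4' ($lsa.LmCompatibilityLevel -ge 4) $lsa.LmCompatibilityLevel

if ($failures.Count -gt 0) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Fine-grained password policies (Server 2008 and later) can override the domain default for specific groups, so check those separately if you use them.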
|
5. Encrypt

Encrypt, encrypt, encrypt. Encryption is free, encryption is easy, encryption saves your hide. Users do not intend to leak data, but it happens. Encrypting a volume that can leave the network, e.g. a removable disk or a laptop, is easy. DO IT; it might just save your company. Many of the major data losses recently have been due to transporting unencrypted sensitive data. Follow these steps to secure user data:

   1. Create a policy stating that no sensitive user data is to leave the network without authorization and encryption. Work with your HR and legal departments on this.
   2. TrueCrypt all laptops.
   3. Disallow the use of unauthorized USB keys on your network. There are a number of programs, such as lock-it-down, that let you do this without severely reducing the functionality of the USB ports on the PCs.
|
6. Auto Lock PCs

You cannot count on a user to lock their computer every time they walk away or at night, but you CAN control the computer. To create a policy that locks a computer automatically, set the following:

GPO -> User Configuration -> Administrative Templates -> Display

   - Password protect the screen saver: Enabled
   - Screen Saver timeout: Enabled, 900 seconds
   - Screen Saver: Enabled
   - Screen Saver executable name: set by policy (see step 9)
|
7. VPN

VPNs are easy to create. If a user can easily access data from home, they are less likely to put it on unsafe media. Can't afford a VPN appliance? m0n0wall and smoothwall are free and have great VPNs. Use one in conjunction with a Terminal Server or a secure Windows box with RDP enabled. If you use a Terminal Server, I recommend disabling the clipboard for the remote user and disallowing mapped drives and local printers. Google how to do this for your server; it is simple. I would post it here, but there are many different Terminal environments. Those 3 options will keep data from leaking.
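For the Windows Terminal Server case, here is an added example of applying and verifying those three restrictions. It is not from the original article; it assumes a Windows Terminal Server (Remote Desktop Session Host), writes to the machine policy key where the matching Computer Configuration settings land, and must run elevated.

```powershell
# Added example, not from the original article. Assumes a Windows Terminal Server and an
# elevated session. These values are what the Terminal Services GPO settings write; on a
# domain-managed server, set the same three settings through GPO instead of by hand.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$settings = [ordered]@{
    fDisableClip = 1   # Do not allow clipboard redirection (remote user's clipboard)
    fDisableCdm  = 1   # Do not allow drive redirection (client mapped drives)
    fDisableCpm  = 1   # Do not allow client printer redirection (local printers)
}

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
}

# Verify: read the values back and report anything that did not stick
$actual = Get-ItemProperty -Path $key
$notApplied = @($settings.Keys | Where-Object { $actual.$_ -ne $settings[$_] })
if ($notApplied.Count -gt 0) {
    Write-Warning "Not applied: $($notApplied -join ', ')"
    exit 1
}
Write-Host 'Clipboard, drive and printer redirection disabled; takes effect for new sessions.'
```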
|
8. Outbound Port Blocking

   - Simple: block outbound ports 21 and 23, at least from the user subnet.
   - Moderate: block 110 and 25 as well, if your mail server is local.
   - Advanced: block everything but ports 80 and 443 if you can.

Blacklist outbound IPs to foreign areas; most of your users probably don't speak second languages anyway. If there is a foreign IP they need to get to, whitelist it. For instance, I block all subnets outside the US. Get a proxy that integrates into AD if you can afford it; this will keep malicious users from exporting data offsite. Know your router well. If you don't know your router, hire a third party to take care of it, but the above port blocking will help prevent your network from leaking data (unless your user is tech savvy and you don't have a proxy).
|
9. Security Holes in the SYSTEM account

Task Scheduler runs as SYSTEM, and it is easy to get administrative access this way. Disable it. You can also elevate your own privileges through the help files. This is an inherent flaw in XP; the fix is to upgrade to Vista or Windows 7. In step 6 we set the screen saver because it is a pretty massive security risk: you can run cmd as a screen saver and get root privileges.
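The following added check, not from the original article, reads the values step 6 sets and verifies the executable step 9 warns about. It assumes the User Configuration settings land under the HKCU Policies key (falling back to the user's own settings if no policy applies) and that a legitimate screen saver is a signed .scr file in System32.

```powershell
# Added check; not from the original article. Reads the step 6 policy values and verifies
# the screen saver executable is a real, signed .scr under System32 (the step 9 concern).
$policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$user   = 'HKCU:\Control Panel\Desktop'

function Get-SsValue([string]$Name) {
    # Policy wins over the user's own setting; values are REG_SZ strings
    foreach ($k in @($policy, $user)) {
        $v = (Get-ItemProperty -Path $k -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [string]$v }
    }
    return $null
}

$problems = @()
if ((Get-SsValue 'ScreenSaveActive')    -ne '1') { $problems += 'Screen saver is not enabled' }
if ((Get-SsValue 'ScreenSaverIsSecure') -ne '1') { $problems += 'Screen saver does not require a password' }
$timeout = [int](Get-SsValue 'ScreenSaveTimeOut')   # $null becomes 0 and fails the range check
if ($timeout -lt 1 -or $timeout -gt 900) { $problems += "Timeout is $timeout s, expected 1..900" }

$scr = Get-SsValue 'SCRNSAVE.EXE'
if (-not $scr) {
    $problems += 'No screen saver executable is pinned by policy'
} else {
    # A bare name such as scrnsave.scr is resolved relative to System32
    $path  = if ([IO.Path]::IsPathRooted($scr)) { $scr } else { Join-Path "$env:SystemRoot\System32" $scr }
    $sys32 = (Resolve-Path "$env:SystemRoot\System32").Path
    if (-not (Test-Path $path))                        { $problems += "$path does not exist" }
    elseif ([IO.Path]::GetExtension($path) -ne '.scr') { $problems += "$path is not a .scr file" }
    elseif (-not $path.StartsWith($sys32, 'OrdinalIgnoreCase')) { $problems += "$path lives outside System32" }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $problems += "$path is not validly signed ($($sig.Status))" }
        # A renamed binary keeps its original name in the version resource
        $orig = (Get-Item $path).VersionInfo.OriginalFilename
        if ($orig -and $orig -notmatch '\.scr$') { $problems += "$path was built as $orig, not as a screen saver" }
    }
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Screen saver policy OK: $scr after $timeout s, password required"
```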
|
10. Least Privilege

Finally, please follow this rule. It is a pain, but leaving users as local admins on their boxes allows them to install tools that can easily circumvent your network security. It will also cause their boxes to clutter. This same rule applies on your file server: manage the groups, and keep users out of folders unless they NEED to be in them. However, don't kill their ability to do their job; if they can't do what they need to, they will share passwords and find ways around it.