Maintaining updated security patches, anti-virus, anti-spyware, and anti-malware protection, firewall functionality, as well as enforcing other security policies on your Microsoft Windows networks is always a high priority. But unprotected client devices can slip into your Microsoft Windows network, especially if you have a lot of remote Windows XP or even Windows Vista clients. Microsoft Server and Domain Isolation technologies, including IPSec, IPv6, policy-driven Network Access Control (NAC) technologies for Longhorn Server and Windows Vista (including back-compatibility with Windows XP SP2) and Longhorn’s Network Access Protection (NAP) can keep devices that are not compliant with your security policies away from your network resources.
I had an interesting conversation with Microsoft’s Ian Hameroff, a senior product manager responsible for security and access products, and that conversation is available as a podcast at http://www.windowsitpro.com/podcast/. One big message that Ian stressed is that you need to establish security policies that these technologies can help you enforce. Ian also stressed the importance of upfront planning before you deploy these technologies.
The emphasis on established security policies made me wonder how widely systems administrators are already formalizing and enforcing security policies for Windows networks. Do you have and enforce formal, written security policies? Do you feel that those policies are fully thought-out and provide the protection you need? I might be off base here, but my sense is that many organizations don’t currently have the necessary security policies in place today that would allow them to use NAC and NAP effectively. For example, if you had server and domain isolation technology implemented today, would your network isolate a device that didn’t have the most recent virus definitions installed for your anti-virus solution?
If you do have formal security policies in place, how did you develop them? Ian pointed me to Microsoft’s guidance on security policies http://www.microsoft.com/security, and said one of his favorites is the Threats and Countermeasures guide, which you can find on the Microsoft security site.
I wrote about NAP in my Hey Microsoft column last August (see http://www.windowsitpro.com/Article/ArticleID/50386/50386.html). Some other recent articles are: “StillSecure Defines NAC” (http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/95219/WindowsSecurity_95219.html), “Server and Domain Isolation” (http://www.windowsitpro.com/Article/ArticleID/46826/46826.html) and “Server and Domain Isolation, Part 2” (http://www.windowsitpro.com/Article/ArticleID/47040/47040.html).
Here are some other Microsoft resources you can check out:
- White Paper and other Info on Secure Client: www.microsoft.com/secureclient
- Server and Domain Isolation: http://www.microsoft.com/sdisolation
- Secure Client Webcast: http://blogs.technet.com/ianhamer/archive/2007/01/16/seeing-client-security-in-three-dimensions-a-second-time.aspx
- Ian’s blog: https://blogs.technet.com/ianhamer/