Get the answers you need to 6 big security problems
Trying to keep your company's information secure is a lot of work and is unlikely to make you popular with users. Typically, the tighter you try to lock down a network, the more hassle the network is to administer as repetitive tasks become necessary for both end users and you. But there are ways to ease the pain—often by deploying automation technology. Let's look at six common security annoyances and practical, effective ways to overcome them.
Resetting passwords for users who forget them is the bane of every administrator. A META Group survey indicates that this thankless task alone costs companies with 10,000 users well over half a million dollars a year (http://www.microsoft.com/technet/security/guidance/ identitymanagement/idmanage/p2pass.mspx). But there are ways to reduce or even eliminate this problem. My favorite solution is to use electroshock therapy. With a few simple modifications to a keyboard's wiring and a device-driver hack, you can deliver 120 volts of behavior-changing juice to the nervous system of your users when they enter their passwords incorrectly. A couple of jolts and your problem is solved!
You can train users to remember passwords with less violent behavior-modification methods. The most effective password-memorization technique I've found is creating passwords by using the first letter of each word of a sentence that the user can remember. You'll need to use a sentence that has some proper nouns and numbers so that this technique produces a complex password with upper-case letters and nonletter characters. You can let users come up with their own sentences, but I've had better success assigning users passwords based on a sentence of my choosing. Assigning passwords this way carries the added benefit of the enjoyment you get by forcing users to mentally recite your brutally honest observations about their personality or appearance. Of course, if you have one of those irksome corporate security policies that says you shouldn't know everyone's password (like you can't just run a password cracker, right?), then you might have to look at other alternatives.
Enter the automated password reset tool. Let's think about it. Resetting a user's password is a pretty mundane, clerical process: Authenticate the person requesting the password reset, find his or her account, and reset its password. Why not automate this? A variety of self-service password reset solutions are already on the market to take this burden off your shoulders, and it's not hard to justify the cost when you consider the savings in IT staff time. Solutions on the market provide various methods for letting users reset their own passwords, from Web-based applications to telephone-based systems. Some of the players include Avatier Password Station and M-Tech Information Technology's P-Synch. Just do a Web search for "password reset self-service" and you're on your way.
Protecting Laptop Data
Protection of laptop data is receiving increasing scrutiny from legislators and the media. When an organization loses a laptop containing customers' personal information, the organization is in for some hefty unexpected costs associated with notifying each customer of the security breach as well as the more-difficult-to-quantify costs of bad press and loss of good will.
I've watched this problem and the technologies designed to address the risk of stolen or lost laptops for years. Many solutions have caused more problems in terms of stability or administration than they were worth. Other solutions slowed down systems or were too impractical because they depended on users to encrypt or decrypt files or manage encryption keys. I've used Windows Encrypting File System (EFS) for my clients, but drawbacks and instance, EFS doesn't support whole-volume encryption, so data can leak out from unencrypted folders.
Windows Vista's new BitLocker Drive Encryption feature for whole-volume encryption and its integration with the Trusted Platform Module (TPM) found in most business laptops today provides the best all-around solution for protecting data on laptops. In fact, I'd say BitLocker is the single biggest motivator for migrating your laptop fleet to Vista.
With BitLocker, you divide your hard drive into two volumes. One volume is very small (just a few megabytes) and initially left empty; you install Vista to the partition that occupies the rest of the drive. Then you enable BitLocker and wait for it to encrypt the entire large volume. BitLocker installs a bootstrap loader on the small volume, which is protected from tampering by the laptop's TPM. When the laptop is turned on, the TPM checks, through hashes stored in its tamper-resistant memory, whether the tiny bootstrap partition has been modified. If it hasn't, the TPM allows the bootstrapper to load. The bootstrapper retrieves the encryption key for the larger volume from the TPM and proceeds to boot Vista on the larger, encrypted volume. This description is a bit simplified, but the bottom line is that for the first time, we have laptop hardware, tamper-resistant key storage, and whole-volume encryption all integrated with the OS for the most transparent, best performing, and effective encryption solution I've seen to date. To learn more about BitLocker, see the Windows BitLocker Drive Encryption Step-by-Step Guide (http://www.microsoft.com/technet/windowsvista/library/c61f2a128ae6-4957-b031-97b4d762cf31.mspx).
Lovely Spam, Wonderful Spam
Spam is such a pain. Kind of the understatement of the decade, eh? We all hate it, and it's a security threat because we can all too easily open an attachment containing a virus.
If you aren't careful, though, your antispam solution can become an even bigger pain. No antispam solution is 100 percent accurate. You run two basic risks with an antispam solution: user dissatisfaction with low catch rates and user dissatisfaction with false positives, both of which lead to increased care and feeding of users by IT staff (i.e., support calls).
In my experience, an 80 percent catch rate for spam is pretty reasonable; users shouldn't expect much better unless they're willing to regularly hunt down good email messages that got caught by the spam filter. Many antispam solutions claim a much higher catch rate but don't mention their false positive statistics. Moreover, catch rates vary from organization to organization, and even user to user, because of the content and phrases peculiar to different industries and what each user considers to be spam. A marketing professional may have a view of spam very different from a technician who doesn't have much interaction outside the organization.
In my opinion, Sender Policy Framework (SPF) spam detection has the best potential to significantly reduce spam, but too few companies have taken the time to publish an SPF record for their DNS domain. An SPF record published in your domain's zone file formally declares the official SMTP servers for your domain so that other organizations can determine if email that purports to be from your domain really is. Don't delay: There are great setup wizards on the Internet that will help you build your own SPF record—for instance, http://www.openspf.org.
As seductive as the idea of a Bayesian-based, "self-learning" antispam solution is, I've had better luck with frequently updated signature-based spam-detection solutions. Like antivirus solutions, signature-based spam-detection solutions require the vendor to constantly monitor messages, quickly update their signature database, and just as quickly push the updated file to their customers. Microsoft Exchange Intelligent Message Filter (IMF) would be a much better solution if Microsoft updated it more frequently. I always see a dramatic drop in spam after I install an IMF update, but the amount of uncaught spam immediately begins to climb. Other signature-based spam solutions, such as St. Bernard Software's ePrism, are much more frequently updated. There are also a number of antispam services available that relieve you from installing and maintaining any software by routing your mail through the antispam service's servers first.
Perhaps the biggest risk in implementing an antispam solution is the potential increase in support calls from users trying to find email messages that were apparently eaten by the antispam solution. Any solution that requires you to get involved when a user needs to retrieve a false positive is more trouble than it's worth. My advice is to install only antispam solutions that make all email identified as spam easily accessible to the user—preferably without leaving the email client. As examples, you can configure both IMF and GFI Software's GFI MailEssentials to put all spam into the recipient's junk email folder. Even better, GFI MailEssentials lets you specify a different folder for each antispam method it supports, so you can determine which method (e.g., Bayesian, SPF, Realtime Blackhole List—RBL) is responsible for misclassifying a good email message by the folder in which it ends up.
Most organizations I run into are still using Wired Equivalent Privacy (WEP) standard or Wi-Fi Protected Access (WPA) pre-shared keys to secure their wireless LANs (WLANs). WEP isn't secure no matter how strong your shared key is due to vulnerabilities in the protocol and associated algorithms. WPA and WPA2 pre-shared keys are secure only if they are at least 22 characters long and drawn from a large character set. Long shared keys, though, are an annoying, time-sapping problem for IT staff and users because of all the management and security issues that arise. Users can't remember them, so you're constantly asked for the key, and frighteningly few users seem capable of typing more than a few characters correctly in sequence. Whenever a new computer is commissioned or a contractor comes in, you must get them access to the WLAN. And what happens if a pre-shared key is compromised?
The solution is elimination. Get rid of WPA with pre-shared keys (WPA-PSK). No, not WPA altogether—just the PSK part. Implement 802.1x in place of pre-shared key authentication. With 802.1x, you configure your Access Points (APs) to interface with Active Directory (AD) via Remote Authentication Dial-In User Service (RADIUS) to authenticate users and computers based on their AD credentials. You have to install Internet Authentication Services (IAS) on one of your Windows servers, such as a domain controller (DC); IAS is Windows' built-in RADIUS server. After installing IAS, you introduce the APs and IAS to each other with some simple configuration settings, and in no time your Windows wireless clients will begin authenticating to your WLAN by using either the computer's or the user's credentials.
By applying a few Group Policy settings, you can make the authentication process transparent to users of computers that belong to your domain. Outside users such as contractors and consultants that need access to your WLAN simply need to enter the user name and password of an AD account that you provide them. IAS allows you to limit access to WLAN and internal wired networks based on group membership, which allows you to restrict external consultants to Internet-only access, for instance. For detailed directions for implementing 802.1x on your WLAN, see the Windows IT Security article "Reaping the Benefits of WPA and PEAP," June 2006, InstantDoc ID 50105. By replacing WPAPSK with 802.1x, you leverage the user accounts you already manage in AD and eliminate the headaches of pre-shared keys.
Backup and recovery is very much a part of information security, even if it isn't the first thing you think of. There's nothing more annoying than being close to a new high score on your favorite computer game when an inconsiderate user calls up whining about a file he needs restored. While mourning your dead game avatar, you must rouse from the comfortable environs of your cubicle, find the appropriate tape, restore the file, inform the user, and repeat the process when he decides he really needed a version from a week earlier.
Stop the insanity! Get Microsoft System Center Data Protection Manager (DPM), and put users in control of their own restores—right from Windows Explorer. After you install a DPM server and the associated agent on your file server, DPM periodically takes snapshots of your server. It efficiently stores multiple versions of each file in its online Microsoft SQL Server database. After you push out a necessary hotfix explained in the Microsoft article "How to use the End User Recovery functionality of Data Protection Manager in Windows XP" (http://support.microsoft.com/kb/895536) to your Windows XP clients, users will be able to browse available backup versions of any file on the server directly from Windows Explorer. To facilitate offsite backups of your data, DPM lets you back up shadow copies of your file servers from the DPM database, giving you a disk-to-disk-to-tape backup scenario. To learn more about DPM, go to http://www.microsoft.com
Patch Tuesday is many administrators' least favorite day of the month. And zero-day vulnerabilities are rearing their ugly heads more frequently between Patch Tuesdays. I have three recommendations for making your patch-management effort less of a nightmare:
- Life is too short to push out patches manually. Implement Windows Server Update Services (WSUS) or another automated patch-management solution. WSUS is free, but many excellent ISV offerings go beyond WSUS's functionality, providing broader platform and application support and better manageability, including those from St. Bernard Software, PatchLink, BigFix, Shavlik Technologies, and ScriptLogic.
- Many administrators are reluctant to push out a patch without testing it, but testing is time-consuming and annoying. In addition, the user community usually identifies defective patches soon after their release. Organizations with a small IT staff might consider just sitting on patches a couple of days and monitoring for any advisories or revisions from Microsoft, then deploying them without testing.
- An especially annoying type of vulnerability is that for which no patch is available—zeroday vulnerabilities. Most zero-day exploits are related either to a specific file type (e.g., .doc, .xls, .ppt, .bmp, .png) or to a Microsoft Internet Explorer (IE) ActiveX object. More and more antivirus vendors quickly release signature updates for file-format exploits even though they aren't, strictly speaking, viruses. If you cover your file-borne vectors (principally email attachments and Web downloads) with multiple antivirus engines, you'll often be protected against these fileborne zero-day exploits well ahead of patch availability. The easiest way to address ActiveX-related vulnerabilities is to set the kill bit on the ActiveX control. I've created an administrative template that you can use with Group Policy to automatically set the kill bit for an ActiveX control on thousands of computers in a short time. The template and a video demonstrating how to set it up can be found at http://www.ultimatewindowssecurity.com/killbit.asp.
In the case of many security annoyances, the key is to automate or implement newer technologies, but often such projects are put off because of the initial setup involved or the purchase costs. However, failing to solve problems and automate tasks leads to a less and less productive IT department that moves in slower and slower motion, dragged down by outdated, manual procedures. The IT department that succeeds in climbing the steep, initial curve to eliminating IT headaches such as those in this article will reap the benefits in the long run. A few weekends at the office now can save you many evenings and weekends in the future.