When I walked into my IT dept for the first time, in 2002, the security infrastructure and policies were in a sorry state. The then-net admin had a hodgepodge of products installed (including trial software on various servers), no gateway security, no Microsoft Exchange security (the company featured a nice juicy open relay), outdated client security, and no way of controlling viruses and spam at the (nonexistent) gateway. In short, the joint was a mess: a walking target.
After the sudden departure of said admin, the department loosened up a bit, so I decided to take a crack at fixing our broken security. With the LAN and its users, devices, and borders in mind, I started working toward deploying a layered defense-in-depth strategy. I closed the relay (and subsequently worked like a fiend to get us off the Realtime Blackhole Lists, or RBLs) and secured Exchange with Sybari Software Antigen. I added a mail gateway server with antivirus protection (GFI MailSecurity) and spam filtering (GFI MailEssentials), a hardware firewall (Juniper Networks NetScreen-50), and a rebuilt Microsoft Internet Security and Acceleration (ISA) Server 2000 system.
I then moved out to the LAN, adding Service Pack 4 (SP4) to all 150 Windows 2000 desktop computers and 30-plus laptops and then removing all users from the local administrators security group. This upgrade paved the way for a Microsoft Software Update Services (SUS) server—followed by a Windows Server Update Services (WSUS) server—for automated patch management.
Back in the server room, we upgraded to Windows Server 2003, Exchange Server 2003, and ISA Server 2004 to further strengthen our infrastructure security. I’ve since added SP1 to Windows 2003 and SP2 to ISA Server 2004.
I reduced the membership in critical security groups such as Domain Admins, Enterprise Admins, and Schema Admins to the bare minimum, eliminating the Schema Admins membership entirely. We stripped the access to user email and home folders to a single, audited user account whose password is known by only three senior admins.
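The pruning of Domain Admins, Enterprise Admins, and Schema Admins described above is only as good as the last time someone looked. The following PowerShell script is an added example, not part of John Penrose's account or his environment: it enumerates those three groups with nested membership expanded, lists each member with its enabled state and last logon, and flags a non-empty Schema Admins group, since that group should stay empty except during a schema change. It assumes the RSAT ActiveDirectory module is installed and that it is run in the forest root domain, where Enterprise Admins and Schema Admins live.

```powershell
# Added example: audit the privileged AD groups named in the text.
# Assumes the RSAT ActiveDirectory module and read access to the forest root domain.
Import-Module ActiveDirectory

# Groups whose membership should be kept to the bare minimum (Schema Admins: empty)
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

function Get-PrivilegedGroupReport {
    param([string[]]$Groups = $privilegedGroups)

    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so a user tucked two groups deep still shows up
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate

        Write-Host ("{0}: {1} user(s), nested members included" -f $group, @($members).Count)

        foreach ($m in $members) {
            # Disabled or long-idle accounts in these groups are the first candidates for removal
            $flag = ''
            if (-not $m.Enabled) { $flag = ' [DISABLED]' }
            elseif ($m.LastLogonDate -and $m.LastLogonDate -lt (Get-Date).AddDays(-90)) { $flag = ' [STALE >90d]' }
            Write-Host ("    {0,-25} {1,-20} last logon: {2}{3}" -f $m.SamAccountName, $m.Name, $m.LastLogonDate, $flag)
        }

        if ($group -eq 'Schema Admins' -and @($members).Count -gt 0) {
            Write-Warning "Schema Admins is not empty; membership should be added only for the duration of a schema change."
        }
    }
}

Get-PrivilegedGroupReport
```

Run it from a scheduled task and diff the output against the previous run; a new name in any of these groups is something an admin should be able to explain.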
We updated our Norton AntiVirus server to 9.0 and deployed the updated client to all desktop and laptop computers.
Today I’m in the midst of deploying Windows XP SP2 to further add to our client-side security and have continuously tweaked the Group Policy infrastructure to strike the best balance between security (sorry, folks, it comes first) and usability. I also just finished rolling out new laptops featuring a fingerprint reader for user logon and a Trusted Platform Module (TPM) chip for low-level security.
I get gooseflesh when I look back at where we were five years ago and think about what a huge bull’s-eye we had on our hide. We’re not in absolutely perfect shape today (you never are), but I think we’re resilient enough to survive in today’s internetwork jungle and have a much smaller attack surface than we once had. I live by the Immutable Laws of Security, which are tacked up on my board, and remind myself that security comes first on my network, just like safety comes first in the plant environment that I work in.
I’m looking forward to Windows Vista, Longhorn Server, Exchange 2007, ISA Server 2006, and the Microsoft Forefront products as my next countermeasures in the ongoing struggle (yep, that’s how I feel about it some days) to keep the business, its users, and assets secure.
—John J. Penrose