Re: [fw-wiz] Security and Audit Policy

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 11/27/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] Antivirus vendor conspiracy theories"
    To: Servie Platon <servie_tech@yahoo.com>
    Date: Sat, 27 Nov 2004 08:09:45 -0500 (EST)
    On Sun, 7 Nov 2004, Servie Platon wrote:

    > 1. Enabled Firewall rules on the network and with
    > Win32 clients;

    Enabling firewall rules without a solid security policy and management
    buy-in of that policy is putting the cart before the horse. How do you
    know what rules to put on the firewall?

    > 2. Installed Anti Virus Software for the network and
    > enabled
    > automatic updates;
    > 3. Enforced User Permissions for most users; (dilemma)
    > 4. Disabled M$ Outlook and IE and replaced these with
    > Mozilla
    > Thunderbird and Firefox.

    Did the security policy discuss client issues?

    >
    > Problems:
    >
    > 1. I don't know how to keep track of their browsing
    > patterns,

    I generally like to force browsing through a proxy, and use the proxy logs
    to track behavior. I also like to block streaming audio, P2P and whatever
    else I can there, at the firewall and in the local internal caching
    nameserver (I don't like clients resolving directly in any circumstance.)

    > some users have intermediate to advanced browsing
    > skills which
    > they can conceal where they have visited such as maybe
    > porn
    > sites and the like. How do I prove my suspicion and
    > stop them

    Firewall logs? Usage policies? On-system logging?

    > from doing this? I am afraid that by doing so, our
    > network may
    > be trojaned or may have been infected with spyware or
    > may be a
    > zombie now?

    Easy enough to figure out, watch the traffic in and out of the network for
    Trojan activity. That's why firewall rules are important: lots of zombies
    use IRC out; few businesses have a case for IRC.

    > 2. I wanted to enforce strict user permissions, but my
    > dilemma
    > would be, bosses or managers take it against me or
    > anyone
    > restricting on what they could or not do on their
    > machine. To
    > make a concrete example, I could do an audit policy
    > for all
    > users with less rights to install programs and the
    > like but some
    > of them, listen to radio, download .exe files or
    > shareware
    > without my knowledge.

    This is why you must have a security policy, and management must buy-in to
    that policy. I've only so far seen one good business case for listening
    to the radio over the network (I still denied it.) Perhaps in this case,
    QoS is a better method of enforcing some of the policy.

    >
    > If I enforce these restrictive permissions, they get
    > back on me.
    > If I don't, I am afraid the network considerably
    > slows down
    > and I think, some machines may be compromised
    > already unless
    > the bandwidth is being used up by the users. How do I
    > catch them
    > accessing forbidden sites and how do I stop them from
    > doing such
    > and how do I make them with less capacity without them
    > getting
    > furious?

    For the first, monitoring is key: logs, sniffing, or whatever works. For
    the second, you need to make a business case for security and have buy-in.

    >
    > 3. Though I have set up and installed Mozilla
    > Thunderbird and
    > Firefox on each client PC, most of them still use M$
    > Outlook
    > and IE. How do I justify and convince them not to use
    > this
    > because of security loopholes and problems? Some are
    > so used to
    > Outlook and IE that they don't want change.

    This is often a religious issue, so the security policy should have a
    policy about client properties and what is or isn't acceptable.

    >
    > Any suggestions, on how to make it less of a burden to
    > administer this network of 12 clients would be
    > appreciated.

    Tiny organizations are the most difficult to get buy-in for, since they're
    generally less formal than large ones when it comes to policy and process.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
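The two monitoring techniques in Paul's reply (proxy logs to see who browsed where, and egress firewall logs to spot zombies talking IRC out) are simple enough to script. The block below is an added example, not code from the post or from the list; it assumes the proxy is Squid writing its native access.log format and that the firewall is iptables using the LOG target with an OUT-DROP/OUT-ACCEPT prefix on an egress ruleset. All log lines are constructed samples with RFC 5737 documentation addresses.

```python
"""Added example: mine proxy and firewall logs for the browsing and
zombie indicators discussed in the reply. Not from the original post."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample, Squid native access.log format (assumption: the proxy
# is Squid; the post does not name one). Fields: time elapsed client
# result/status bytes method URL ident hierarchy/peer content-type.
PROXY_LOG = """\
1101562185.123    450 192.168.1.23 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1101562190.456  12000 192.168.1.23 TCP_MISS/200 2048000 GET http://radio.example.net/stream.mp3 - DIRECT/203.0.113.10 audio/mpeg
1101562201.789    120 192.168.1.45 TCP_MISS/200 800 GET http://www.example.org/ - DIRECT/203.0.113.20 text/html
1101562210.012     90 192.168.1.23 TCP_DENIED/403 1200 GET http://tracker.example.net:6969/announce - NONE/- text/html
1101562222.345    300 192.168.1.45 TCP_MISS/200 40960 GET http://download.example.org/setup.exe - DIRECT/203.0.113.20 application/octet-stream
"""

# Constructed sample, iptables LOG-target lines from an egress ruleset
# (assumption: the OUT-DROP / OUT-ACCEPT prefixes are our own rule names).
FW_LOG = """\
Nov 27 08:09:45 fw kernel: OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4521 DF PROTO=TCP SPT=51234 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 27 08:09:46 fw kernel: OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4522 DF PROTO=TCP SPT=51235 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 27 08:10:02 fw kernel: OUT-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.45 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4530 DF PROTO=TCP SPT=51300 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 27 08:10:15 fw kernel: OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4540 DF PROTO=UDP SPT=6881 DPT=6881 LEN=40
"""

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+(?P<mime>\S+)"
)
IRC_PORTS = set(range(6660, 6670)) | {6697}  # classic IRC range plus IRC over TLS


def parse_proxy_log(text):
    """One dict per Squid access.log line, with the hostname pulled out of the URL."""
    events = []
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        events.append({
            "client": m.group("client"),
            "host": urlsplit(url).hostname or url,
            "status": int(m.group("result").split("/")[1]),
            "bytes": int(m.group("bytes")),
            "mime": m.group("mime"),
        })
    return events


def browsing_by_client(events):
    """Per-client count of hosts visited: the 'who went where' view from proxy logs."""
    by_client = defaultdict(Counter)
    for e in events:
        by_client[e["client"]][e["host"]] += 1
    return by_client


def flag_streaming(events, min_bytes=1_000_000):
    """Streaming audio/video by content type, or any single large transfer."""
    return [
        (e["client"], e["host"], e["mime"], e["bytes"])
        for e in events
        if e["mime"].startswith(("audio/", "video/")) or e["bytes"] >= min_bytes
    ]


def parse_fw_log(text):
    """Parse iptables LOG lines into dicts; the log prefix becomes 'action'."""
    events = []
    for line in text.splitlines():
        m = re.search(r"kernel:\s*(?P<prefix>\S*)\s*IN=", line)
        if not m:
            continue
        fields = dict(re.findall(r"(\w+)=(\S*)", line))
        events.append({
            "action": m.group("prefix"),
            "src": fields.get("SRC"),
            "dst": fields.get("DST"),
            "proto": fields.get("PROTO"),
            "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        })
    return events


def irc_suspects(fw_events):
    """Internal hosts trying to reach IRC ports, counted per source address."""
    return Counter(
        e["src"] for e in fw_events
        if e["proto"] == "TCP" and e["dpt"] in IRC_PORTS
    )


if __name__ == "__main__":
    proxy = parse_proxy_log(PROXY_LOG)
    for client, hosts in sorted(browsing_by_client(proxy).items()):
        print(client, dict(hosts))
    print("streaming:", flag_streaming(proxy))
    print("IRC suspects:", dict(irc_suspects(parse_fw_log(FW_LOG))))
```

The proxy view is only complete if browsers cannot bypass the proxy, which is the point of forcing browsing through it: direct outbound 80/443 from clients has to be dropped at the firewall, and those drops will then show up in the same firewall log the IRC check reads.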


