Re: Basic Windows Security Question

From: PC Sage Information Services (info_at_pcsage.biz)
Date: 03/31/05

    Date: Wed, 30 Mar 2005 18:05:23 -0500
    To: "Andrew McIntosh" <amcintosh@networkadvocates.com>
    
    

    On Mar 29, 2005, at 4:20 PM, Andrew McIntosh wrote:

    > Hello Everybody,
    >
    > I am curious to see the different suggestions for this scenario:
    >
    > Suppose you have a small company of less than 100 employees. One of the
    > employees likes to bring his work home on occasion. He does so using a
    > USB thumb drive. One day he catches a [virus, worm, Trojan, spyware,
    > anything you can think of] at home and it winds up on his thumb drive,
    > which he in turn brings to the company network.

    It is important to remember that ANY company, no matter how small,
    wisely invests in a security and auditing policy for their network, as
    well as the oft' overlooked disaster recovery plan (aka feces occurs).
    If employees and principals alike are not given clear guidelines for
    performing their work function, it opens the door to all manner of
    exposure for the company.

    If only one of the employees likes to bring his work home, it seems
    that this is the anomaly and not the rule of employees there. The
    easiest method is to author a business policy to prevent this type of
    removal of company documents. It's clear that these documents are small
    in that thumb drives are currently maxing in the 1GB range; it might be
    better to provide VPN access and have the employee log in from home to
    access his/her files.

    >
    > The company certainly should have anti-virus software in place, which
    > would fix that problem. But what if he unknowingly loads a key logging
    > program that could capture private customer information? What do you
    > suggest? Here is what I could think of so far:
    >

    If your users are given the appropriate permissions (aka NONE) this
    installation of outside software is easy to avoid.

    > Disable USB Port - That would solve the particular problem and create
    > other problems. For instance, substitute the thumb drive with a floppy
    > disk or CD. For obvious reasons you don't want to disable those as
    > well.

    Disable any hardware by profiles that doesn't fit into your
    organization's security policy.

    >
    > Restrict user permissions - That could potentially prevent a program
    > from installing itself, but it would also cause the user some grief if
    > they need to install programs themselves, or even do simple things like
    > changing personal settings.

    The largest threat to any company is NOT external hacking; it's
    internal misuse and abuse that is the largest threat to data security.
    These people have access to sensitive business documents. Among the
    most important security considerations is privilege. In a Windows
    environment, I estimate it would be foolhardy to give users any
    permissions that could potentially wreak havoc with your hard work. The
    best bet is to give them NOTHING and dial up as required. In Windows,
    it's important to run at a lower level of privilege to avoid all of the
    latent cruft it seems vulnerable to at higher privilege levels.
    In-service training of users to utilize the 'Run As' command in Windows
    is quick and usually painless (the thoughtful admin will create the
    'Run As' shortcuts ;) ) This will prevent a host of difficulties in
    your network.

    >
    > Security Policy - Haven't looked into this yet, but maybe there is a
    > way to prevent the use of thumb drives and other specific devices
    > through security policy.

    I'm hoping that you are hardening ALL Windows boxes before they go live
    with at least MBSA. Perhaps a bit of auditing would also help you track
    which users are ultimately responsible for the breach in policies you
    are about to work out with your corporate heads. :)

    >
    > What do you think?
    >
    > Thanks!
    >
    > ====================
    > amcintosh@ntad.com
    > ====================
    >
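
Added example, not part of the original message: a read-only PowerShell audit of two controls the reply recommends, removable-storage lockdown and least privilege. The USBSTOR registry value and the `$AllowedAdmins` allow list are assumptions not named in the thread, and `Get-LocalGroupMember` requires Windows PowerShell 5.1 or later.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# $AllowedAdmins is a hypothetical allow list; adjust it to your environment.
$AllowedAdmins = @('Administrator', 'Domain Admins')

function Get-UsbStorageState {
    # USBSTOR is the Windows USB mass-storage driver service.
    # Start = 3 means load on demand (enabled); Start = 4 means disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $svc = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotPresent' }
    switch ($svc.Start) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { "Other($($svc.Start))" }
    }
}

function Get-UnexpectedAdmin {
    param([string[]]$Allowed)
    # Lists members of the local Administrators group that are not on the
    # allow list. The group name is localized on non-English Windows.
    Get-LocalGroupMember -Name 'Administrators' | Where-Object {
        # Name is DOMAIN\account or COMPUTER\account; compare the account part.
        $account = ($_.Name -split '\\')[-1]
        $Allowed -notcontains $account
    } | Select-Object Name, ObjectClass, PrincipalSource
}

function Test-IsElevated {
    # True when the current session holds an administrator token, i.e. the
    # user is not running at the lower privilege level the reply recommends.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    UsbStorage       = Get-UsbStorageState
    SessionElevated  = Test-IsElevated
    UnexpectedAdmins = @(Get-UnexpectedAdmin -Allowed $AllowedAdmins)
}
```

Run it per workstation and compare the output against the written policy; any entry under `UnexpectedAdmins` is an account to review.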
