Security Documentation


Administrators often feel that documenting security settings and other configurations is important but worry that the documentation itself may weaken security mechanisms in the Windows Server 2003 environment. Nevertheless, documenting security mechanisms and their corresponding configurations is vital to administration, maintenance, and responding to any potential security compromise.

Like many other documents about the network environment, security documentation can be very useful to anyone, external or internal, who is trying to gain unauthorized access. Security documentation and other forms of documentation, including network diagrams, configurations, and more, should therefore be well guarded to minimize any security risk.

Some areas regarding security that should be documented include, but aren't limited to, the following:

  • Auditing policies including review

  • Service packs (SPs) and updates

  • Certificates and certification authorities (CAs)

  • Firewall and proxy configurations

  • Antivirus configurations

  • Access control policies including NTFS-related permissions

  • Encrypting File System (EFS)

  • Password policies (such as length, strength, and age)

  • GPO security-related policies

  • Registry security

  • Security breach identification procedures

  • Lockdown procedures

Change Control

Although the documentation of policies and procedures to protect the system from external security risks is of utmost importance, internal procedures and documents should also be established. Developing, documenting, and enforcing a change-control process helps protect the system from well-intentioned internal changes.

In environments with multiple administrators, it is very common to have the interests of one administrator affect those of another. For instance, an administrator might make a configuration change to limit volume size for a specific department. If this change is not documented, a second administrator might spend a significant amount of time trying to troubleshoot a user complaint from that department. Establishing a change control process that documents these types of changes eliminates confusion and wasted resources. The change control process should include an extensive testing process to reduce the risk of production problems.

Routine Reporting

A network environment may have many security mechanisms in place, but if the information obtained from them, such as logs and events, isn't reviewed, security is effectively weakened. Monitoring and management solutions (such as MOM) can help consolidate this information into a report that is generated on a periodic basis. This report can be invaluable for continuously evaluating the network's security.

The reports should be reviewed daily and should include many details for the administrators to analyze. MOM, for example, can be customized to report on only the events most pertinent to keeping the environment secure.

Management-Level Reporting

Management should be informed of any unauthorized access or attempts to compromise security. The technical details that an administrator appreciates are usually too detailed for management. Therefore, management-level reporting on security issues should contain only vital statistics and any risks that may be present. Business policy and budget-related decisions can then be made to strengthen the environment's security.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
