This chapter examined several aspects of security for an SBS installation. The physical security of the server computer should not be overlooked. Keeping the server away from common areas reduces the chance of accidental disconnection or damage. Providing adequate power and temperature protection helps maintain the integrity of data on the server.
Server data is protected with a combination of NTFS and share permissions. NTFS permissions are applied to files and folders and allow users to read, write, modify, and delete files. Individual permissions can be either allowed or denied, with the Deny permission having higher precedence than the Allow permission. All files and folders lower in the directory tree inherit permissions applied to a folder, unless explicitly removed and replaced with other permissions. NTFS special permissions allow for finer control of access to file resources. File ownership is used to calculate disk space used when disk quotas are enabled. The CREATOR OWNER group permissions apply only to the owner of a file. Files and folders on the server volumes can also be encrypted so that only the user and the Administrator can view the contents.
Share permissions determine the maximum level of access that a user can have to a shared directory on the server. Users and groups can be granted the ability to read files and folders, change files and folders, or have full control over the contents of the share. When share and NTFS permissions are applied in combination, the more restrictive of the permissions is applied.
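The combination rules summarized above (Deny outranks Allow, and the more restrictive of share and NTFS permissions wins) can be worked through in a small model. This is an added example, not code from the book; it simplifies access to a set of rights and ignores inheritance ordering, and the users, groups and ACLs are constructed for illustration.

```python
# Simplified model (an assumption of this example): access is a set of rights,
# Deny always beats Allow, and inheritance ordering is ignored.
READ, WRITE, DELETE, PERMS = "read", "write", "delete", "change_permissions"

SHARE_LEVELS = {
    "Read": {READ},
    "Change": {READ, WRITE, DELETE},
    "Full Control": {READ, WRITE, DELETE, PERMS},
}
NTFS_LEVELS = {
    "Read": {READ},
    "Write": {WRITE},
    "Modify": {READ, WRITE, DELETE},
    "Full Control": {READ, WRITE, DELETE, PERMS},
}

def granted(acl, token, levels):
    """Union of allowed rights minus union of denied rights for the token."""
    allow, deny = set(), set()
    for principal, kind, level in acl:
        if principal in token:
            (allow if kind == "allow" else deny).update(levels[level])
    return allow - deny

def effective_access(token, share_acl, ntfs_acl):
    """Over the network, the more restrictive of share and NTFS applies."""
    share = granted(share_acl, token, SHARE_LEVELS)
    ntfs = granted(ntfs_acl, token, NTFS_LEVELS)
    return share & ntfs

# Constructed sample data: hypothetical users, groups and ACLs.
SHARE_ACL = [("Everyone", "allow", "Change")]
NTFS_ACL = [
    ("Accounting", "allow", "Modify"),
    ("Domain Users", "allow", "Read"),
    ("Temps", "deny", "Write"),
    ("Administrators", "allow", "Full Control"),
]
alice = {"alice", "Everyone", "Domain Users", "Accounting"}
bob = {"bob", "Everyone", "Domain Users", "Accounting", "Temps"}
admin = {"admin", "Everyone", "Administrators"}

if __name__ == "__main__":
    for name, token in (("alice", alice), ("bob", bob), ("admin", admin)):
        print(name, sorted(effective_access(token, SHARE_ACL, NTFS_ACL)))
```

In this model the Deny entry on the Temps group removes write access from bob even though Accounting allows Modify, and the Change share level caps the administrator below Full Control when connecting through the share.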
Strong passwords provide another level of security for data on the server. Password policies can be put in place to ensure the continued security of passwords on the network. The password policy can control the minimum length, complexity, and age of passwords. The policy can be modified in two ways: by using the Change Password Policies Wizard or by modifying the Small Business Server Domain Password Policy group policy object directly. Unless the number of remembered passwords or the minimum password age values need to be modified, the wizard should be used to set password policy.
Best Practice Summary
Chapter 10. Workstation Security
Once upon a time, the network consultant worried most about the threat from the floppy drive. At one time all viruses and all attacks on the network, barring physical attacks, came from a worker at the office placing a disk in a drive and launching a file. At that time most viruses attached themselves to a Word file or perhaps even a boot sector. As long as the antivirus software was kept up-to-date on the workstation, you were relatively assured that you could stay one step ahead of the virus. Viruses spread through sneakernets, the slang description for a bunch of computers whose means of transporting files was having a floppy disk moved from one computer to another. Thus, as with a viral infection in humans, physical contact was key to transmitting the computer virus in most small networks.
But as technology connects us every moment of our lives, so too has the capability for viruses to be transmitted increased. When the networks that most of us rely on were first designed, there was no need to put protections for workstations inside the office. All we needed to protect networks was a well-designed, well-defended perimeter. But then two inventions changed the way we do computing forever, and changed the boundaries of our network.
The laptop and the Internet moved the boundaries of computer networks away from the ISA Server and Cisco PIX and into the homes of small businesses. They moved the threat window from the time it took to move infected files around via floppy disks to the present, where proof-of-concept exploit code is posted on the Web within 24 hours. You must think of workstation security as protecting someone from an epidemic. What is the best protection for an infectious disease? Ensuring that you are not exposed in the first place and obtaining inoculations when you realize you cannot remove all the risk of exposure. The computer world is no different. There are three tenets to risk management in a network:
This chapter assumes that you have completed the process of identifying those assets in the firm you need to protect. You have identified those databases and devices that contain the data you most need to protect due to regulation or other requirements. Typically, for most firms, this is a category of data called personal identity information (PII). In the healthcare industry, this data is electronic patient healthcare information (ePHI). Both PII and ePHI carry a risk of business impact because of the mandatory disclosure laws now on the books in many locations. Furthermore, one could argue that sitting down and making a reasonable determination of the risk factors in your network is both a good business practice to ensure that your security dollars are well spent and just good business, period. If your firm and your clientele depend on a source of data for your revenue above all other pieces of data on your network, this process will help you and your clients streamline that data and assign the proper protection.
Traditionally in risk management there is an equation that allows you to put a dollar value, a budget in place:
ARO × SLE = ALE
You first look at the annualized rate of occurrence (ARO) for these events. What historically has been the impact of viruses? Then you determine the single loss expectancy (SLE) for the risk, which is based on the costs to clean up from the risk. Multiply the two to get the annual loss expectancy (ALE), and use it to determine whether it's less expensive to "clean up from the mess" or to "prevent the mess" in the first place. That amount you calculate (the dollar amount to clean up the machines) should be less than the cost of the item needed to prevent the event from occurring in the first place. If it is not, there is no question that prevention is cheaper than cleaning up.
Although this chapter focuses on some key processes to ensure more protection of the workstations, you should always keep in mind this equation and the overall part that workstations play in the security of your network. Your best protective device may not be technology at all; it may in fact be an educated end user. Make sure that in your budget of security actions you also remember that education will go a long way toward the overall security of your network.
Network threat modeling is a relatively new concept but is key for a firm of any size. Understanding where your data is stored and flowing, and the appropriate amount of resources to apply to protecting that key data, is more an art than a science.