Believe it: not all Web sites are safe! HTML is a powerful display language that can send all kinds of executable code to the browser that the computer then runs locally. Local code can create very compelling and interactive browsing experiences, and it can wreak security havoc on a machine. Remember one of the ten immutable laws:
 "10 immutable laws of security" (http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx).
If a bad guy can get code to run on your computer, it isn't your computer anymore.
Good antivirus and anti-spyware programs can help to keep a lot of the bad code off your computer, if the programs know how to find them (meaning that your signature files are always up-to-date). But you can't stop there because new malware materializes all the time. This is one of the reasons that Windows XP Service Pack 2 (and Windows Server 2003 Service Pack 1) include a number of Internet Explorer-related security changes to stop much of the bad code from getting onto the computer or executing.
Try to avoid surfing the Internet from your servers as much as you can. The main purpose of a server is to respond to requests from clients for information. Don't use a server as a client. About the only time your SBS server should ever make connections to the Internet is when it needs to update patches for your WUS installation; earlier we already discussed the value of running WUS in your small business. If you do have any requirements for surfing from your servers, we encourage you to install Virtual PC on the server, create a Windows XP virtual image, and surf from that. Configure the image to discard all changes; when you finish surfing, just shut down the image, and anything some nefarious Web site drops on your computer (that is, on the image) simply gets discarded. We must, however, again strongly recommend that you not surf from your servers. Workstations are cheap; avoid creating situations where people have to surf from your servers.
 At the time of this writing, WUS was still in beta. SUS, the prior version, is still useful if WUS isn't yet out by the time you read this book. See "Updating a Windows Small Business Server 2003 Network using Software Update Services Server 1.0" (http://www.microsoft.com/downloads/details.aspx?familyid=5f1cc6f0-79b7-4a95-bcab-49bee6d5df13&displaylang=en). Look for a WUS version of the document when WUS becomes available.
Yes, even for small businesses, a basic acceptable use policy is important, for many of the same reasons we explained in Chapter 4, "Developing Security Policies." Policies help clear up confusion and provide guidance to help people make decisions. Good policies encourage compliance by helping people understand the value and don't get in the way of daily work.
Resist the urge to be heavy-handed in enumerating all of the things people aren't allowed to do. Work these days rarely happens within a defined eight-hour period: Blackberries and smartphones have extended work hours well into nearly the entire day, and you as the employer do benefit from this. It's only fair, then, to let people take care of a few personal needs during "normal" working hours because sometimes there's simply no other choice. What you need to explain in your policies (and monitor, too) is consequences for abuse.
Describe in your policy the behaviors that are and aren't acceptable; common sense should help you select the specifics. (Porn and peer-to-peer file sharing are the usual culprits.) Make it clear in your policy whether you monitor individual actions; most people assume a certain amount of privacy exists unless you explicitly state otherwise. Have each employee sign a copy of the policy.
 Visit the SANS Security Policy Project at http://www.sans.org/resources/policies for some pointers.