Preparation


Preparation involves eliminating unnecessary sources of risk before they can be attacked. You should take the following steps:

  • Invest time in planning and policies. If you want to be really diligent about security, outline how you plan to implement each of the strategies I describe in this chapter.

  • Structure your network to restrict unauthorized access. Do you really need to allow users to use their own modems to connect to the Internet? Do you want to permit access from the Internet directly into your network, indirectly via a Virtual Private Network (VPN), or not at all? Eliminating points of access reduces risk, but also convenience. You'll have to decide where to strike the balance.

    If you're concerned about unauthorized in-house access to your computers, be sure that every user account is set up with a good password, one with letters and numbers or punctuation. Unauthorized network access is less of a problem with Simple File Sharing, as all network users are treated the same, but you must ensure that an effective firewall is in place between your LAN and the Internet. I'll show you how to use the Windows firewall later in this chapter.

    To learn more about Simple File Sharing, see p. 1088.


  • Install only needed services. The less network software you have installed, the less you'll have to maintain through updates, and the fewer potential openings you'll offer to attackers.

    For example, don't install SMTP or Internet Information Services unless you really need them.

    The optional "Simple TCP Services" network service provides no useful function, only archaic services (echo, chargen, discard and the like) that make great denial-of-service attack targets. Don't install it.

  • Use software known to be secure and (relatively) bug free. Use Windows's Automatic Updates feature. Update your software promptly when fixes become available. Be very wary of shareware and free software, unless you can be sure of its pedigree and safety.

  • Properly configure your computers, file systems, software, and user accounts to maintain appropriate access control. We'll discuss this in detail later in the chapter.

  • Hide from the outside world as much information about your systems as possible. Don't give hackers any assistance by revealing user account or computer names, if you can help it. For example, if you set up your own Internet domain, put as little information into DNS as you can get away with. Don't install SNMP unless you need it, and be sure to block it at your Internet firewall.
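As an added example that is not from the book: a PowerShell script that audits a machine for the optional services named in the bullets above (Simple TCP/IP Services, IIS, SMTP, SNMP) and reports whether each is installed, running, and set to start automatically. The Windows service names are assumed from standard installs; it needs PowerShell 2.0 or later and an administrative session.

```powershell
# Added example, not from the book. Service names assumed from standard
# Windows installs: simptcp = Simple TCP/IP Services, W3SVC = IIS Web server,
# MSFTPSVC = IIS FTP server, SMTPSVC = SMTP service, SNMP = SNMP Service.
$Unwanted = @{
    'simptcp'  = 'Simple TCP/IP Services (echo, chargen, discard: DoS targets)'
    'W3SVC'    = 'IIS World Wide Web Publishing Service'
    'MSFTPSVC' = 'IIS FTP Publishing Service'
    'SMTPSVC'  = 'Simple Mail Transfer Protocol (SMTP)'
    'SNMP'     = 'SNMP Service (block at the Internet firewall if kept)'
}

function Get-UnwantedServiceReport {
    param([hashtable]$Watch = $Unwanted)
    $report = @()
    foreach ($name in $Watch.Keys) {
        # Win32_Service returns nothing at all when the service is not installed.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            $state = 'not installed'
            $risk  = 'ok'
        } else {
            $state = "installed: $($svc.State), start mode $($svc.StartMode)"
            # Installed but disabled is a smaller exposure than auto-start/running.
            if ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') {
                $risk = 'review (installed but disabled)'
            } else {
                $risk = 'REMOVE or disable unless documented need'
            }
        }
        $report += New-Object PSObject -Property @{
            Service     = $name
            State       = $state
            Action      = $risk
            Description = $Watch[$name]
        }
    }
    return $report
}

# Anything not reported "ok" is a service the chapter says to leave uninstalled.
Get-UnwantedServiceReport | Sort-Object Service |
    Format-Table Service, State, Action, Description -AutoSize
```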

TIP

The most important program to keep up-to-date is Windows XP itself. I suggest that you keep up-to-date on Windows XP bugs and fixes through the Automatic Updates feature and through independent watchdogs. Configure Windows to notify you of critical updates. Subscribe to the security bulletin mailing lists at www.microsoft.com/security, www.ntbugtraq.com, and www.sans.org.

If you use Internet Information Services to host a Web site, pay particular attention to announcements regarding Internet Explorer and IIS. Internet Explorer and IIS together account for the lion's share of Windows security problems.


Security is partly a technical issue and partly a matter of organizational policy. No matter how you've configured your computers and network, one user with a modem and a lack of responsibility can open a door into the best-protected network.

You should decide which security-related issues you want to leave to your users' discretion, and which you want to mandate as a matter of policy. On a Windows 200x domain network, the operating system enforces some of these points, but if you don't have a domain server, you might need to rely on communication and trust alone. The following are some issues to ponder:

  • Do you trust users to create and protect their own shared folders, or should this be done by management only?

  • Do you want to let users run a Web server, FTP server, or other network services, each of which provides benefits but also increases risk?

  • Are your users allowed to create simple alphabetic passwords without numbers or punctuation?

  • Are users allowed to send and receive personal email from the network?

  • Are users allowed to install software they obtain themselves?

  • Are users allowed to share access to their desktops with Remote Desktop, Remote Assistance, NetMeeting, Carbon Copy, PCAnywhere, or other remote-control software?

Make public your management and personnel policies regarding network security and appropriate use of computer resources.

If your own users don't respect the integrity of your network, you don't stand a chance against the outside world. A crucial part of any effective security strategy is making up the rules in advance and ensuring that everyone knows.



Special Edition Using Microsoft Windows XP Professional (3rd Edition)
ISBN: 0789732807
Year: 2003
Pages: 450
