Issue dated - 5th April 2004

-

Previous Issues
CURRENT ISSUE
INDIA NEWS
NEWS ANALYSIS
COLUMNS
TECH FORUM

THE C# COLUMN
BETWEEN THE BYTES
TECHNOLOGY
SPECIALS <NEW>
Symantec Report
Security Headquarters
JobsDB
MINDPRINTS
HMA BANKBIZ
EC SERVICES
ARCHIVES/SEARCH
IT APPOINTMENTS
Openings At Jobstreet.com
WRITE TO US
SUBSCRIBE/RENEW
CUSTOMER SERVICE
ADVERTISE
ABOUT US
 Network Sites
  IT People
  Network Magazine
  Business Traveller
  Exp. Hotelier & Caterer
  Exp. Travel & Tourism
  Exp. Pharma Pulse
  Exp. Healthcare Mgmt.
  Express Textile
 Group Sites
  ExpressIndia
  Indian Express
  Financial Express

 
Front Page > TechSpace > Story Print this Page|  Email this page

Tech Forum

Security Tips and Guidelines - IV

For the last few articles I have been highlighting many tips related to tightening the security of IT infrastructure. This is the last article in that series.

Of course, these are only tips, not a complete list of how to handle security. In fact, there is no complete list! We just keep playing a ‘catch up’ game with hackers and virus writers all the time. Life is like that.

Tip 14.Enforce discipline with Group Policies

It is important to realise that as many as half of the attacks that compromise IT security originate from within the organisation. This is often not looked at as a serious problem. In fact, we should be more worried about it than putting firewalls and anti-virus patches. Because, internal persons already bypass all these measures. They have access to many more areas of the organisation, physically as well as from an IT perspective.

Further, most internal users are not disciplined, and often not intentionally so—they have just not been made aware otherwise. They do not follow guidelines, they load any kind of software on their machines, they chat, they don’t change passwords often and so on. One of the most effective methods of improving internal security is to provide a tight control over the environment of user desktops.

Usually, internal users are pampered and their mistakes are taken lightly. The idea is to make everybody realise that the IT infrastructure within the organisation is for doing business—not for personal or unrelated work. Sometimes this is difficult to achieve with just circulars or guidelines pasted on notice boards.

The best way would be control the accessibility of technology for each user only on a need to know / use basis. This would be a difficult task in reality. It would mean going to each desktop and configuring it to show only what is required while disabling unnecessary stuff. This would also be almost impractical.

But there is a way. In fact it has been there for a long time. We probably never noticed/used it. It is called Group Policies. Windows 2003 and Windows XP would be the ideal combination from this perspective. However, earlier versions also provided adequate baseline Group Policy support.

What do Group Policies allow you to do?

Simple. It provides a method of controlling all desktop environments in a centralised manner. When the user logs on to the network, a set of policies are checked on the server and then applied locally. Using these policies it is possible to restrict all unnecessary access for users including ability to use floppy / CD drives, Explorer, DOS prompt, registry and so on. Further, the icons made available to the user can be minimised based upon the role of the person.

Auditing can also be enabled. File saving locations can be restricted to ensure that users store information on servers (which is more secure and safe) rather than on local hard disks.

All this and more can be achieved with a one-time planning and deployment of Group Policies. Think about it, try it and implement it.

Tip 15. Consider IEAK

This is a brilliant tool that has been available for at least five years. But very few companies even know about it, let alone use it.

Most of us have Web applications in the intranet. All these use various features like cookies, digital certificates, scripting, ActiveX controls and so on. If these features are disabled or wrongly configured, line-of-business applications could stop running. In addition, if security-related settings are changed by end users, it increases the chances of attacks.

How do we control the browser environment across the organisation without having to manually apply (and monitor) all these settings? The answer is Internet Explorer Administration Kit (IEAK).

This tool is freely downloadable. It allows you to create a custom setup of IE. Many ISPs have used it in the past for customising the logo as well as menus and icons of IE. However, it can also be used for standardising and tightening browser security across the organisation.

You first need to decide the appropriate configuration for IE. Then you create a custom setup. This setup then needs to be run on all machines in the organisation. This itself can be automated using various tools available, such as ‘Systems Management Server’.

Once this is done, end users cannot change the settings. In fact, you can even customise IE to remove the security or advanced tab from the Tools – Options dialog, if required!

IEAK can be downloaded from http://www.microsoft.com/windows/ieak/downloads/ieak6/ieak6sp1.asp

Tip 16. Use an inventory tool

The older the version of the OS and other applications, the higher is the risk of attack. Unapplied patches or service packs also increase these chances. Now, in a large organisation (anything above 20 computers is large enough!) it is practically almost impossible to keep track of each desktop and each software running on it along with the service pack / patch numbers and so on.

This is where an inventory tool is required. Which one you use is immaterial. But it is required. When you gather baseline inventory information, you can assess the right steps required to secure the desktops. Otherwise, we just end up doing ad-hoc, reactive patch management and only plug the holes if and when these are discovered.

Tip 17. Use a patch management automation tool

Patches are a way of life, and their number is only going to increase in future. In fact, currently only OS and antivirus vendors create the maximum updates. However, many other vendors will also start creating patches as time goes by. When the base infrastructure like OS, messaging and database is fairly secure, hackers are bound to look at deficiencies within popular packaged products like ERP, CRM, SFA and so on.

How do you automate patch management? You need a tool which will do the following in an automated manner:

  • Maintain a list of sites where updates are available
  • Periodically check if a new patch is available
  • Download it once
  • Replicate it automatically to specified machines within the network
  • Write a log
  • Repeat the process
  • Highlight errors, if any, during the process.

For OS patch management, there is a nice tool called Software Update Service on Windows 2000 and above. This handles only OS patches.

For a more general purpose and more functional tool, you will need Systems Management Server or other third-party tools. The tool is not important—what is important is to automate patch management. Because if you keep it manual, you will always end up with a wide gap between release of the patch and it being applied to all machines in the organisation. This gap is an invitation for hackers.

All the famous virus attacks were actually most damaging not because the virus writers were great. Most patches to block the spread of these were already available weeks before the attacks. These attacks still succeeded because people simply did not apply those patches in time!

The biggest vulnerability is not in the source code. It is in our mindset!

Tip 18. Use centralised My Documents

This is a brilliant and extremely useful feature of Windows 2003. It increases security as well as safety. (This feature was covered in detail in an earlier article —issue dated 6th October 2003 . Please refer to the online archive to view it.)

Individual desktops are obviously less protected, compared to central servers. Further, desktop machines are cheaper and thus more vulnerable to failure (of hard disks). Thus, business specific data stored on local hard disks of users is at substantial risk of data loss or hacking or pilferage.

What to do about it? Simple.

  • Make sure all users use My Documents.
  • If users are using other directories, first map these to My Documents.
  • This part has to be done manually.
  • Now, implement a Group Policy and prevent access to any other part of the local hard disk except My Documents. This forces users to store information in My Documents.
  • Now, use the folder redirection feature of Windows 2003 to redirect all the My Document folders of all users to a secure server. Separate folders are created for each user and the redirected folders can be seen only by the respective owners.
  • Now you can protect data centrally by providing the central server with all the latest patches, anti-virus, auditing, backup and access control tools.

Tip 19. Dangers of ‘Cut-Paste’

A simple thing like ‘cut-paste’ of data can create security holes.

Often we draw a graph in Excel and paste it in another document or mail. We feel that we are only pasting the graph. In reality, depending upon the destination product, you may actually have embedded the entire Excel sheet unknowingly! If the recipient of the document is smart enough, he can simply double-click and check out all the data behind the graph! Scary, is it not? But this is true.

The solution? It is simple.

While cut-pasting across applications, always use Paste Special. This provides a dialog which allows you to choose between available formats for pasting. Depending upon your needs you choose the right type. In the above example, you would choose ‘Image’ rather than ‘Excel worksheet’.

Try to look back and imagine how many e-mails you yourself may have sent like this.

The bottomline is that security measures do not just mean high-end firewalls and fingerprint scanners. Every aspect of IT usage needs to be improved.

Tip 20. Use EFS

You must have noticed that there is a substantial increase in laptop usage in last few years. As you must be aware, the incidence of laptop thefts is also growing day by day. But there is a darker side to these thefts. Laptops are not just being stolen for money. These are also being stolen for spying on confidential data.

The logic is simple. Laptops are still three times the cost of desktops. Therefore, everyone is not given laptops. Therefore, a person carrying a laptop is potentially a senior person. That means there is a higher likelihood of sensitive and confidential information on his machine.

Thus, stealing laptops is a very effective way of spying. How do you protect your laptop? There are many ways including special locks and so on. But that is not the issue.

How do you protect your data? Even after stealing? The solution is Encrypted File System (EFS). This should ideally be used even on desktops. Lots of corporate secrets have been unearthed from old hard disks of machines sold in scrap!

EFS implementation has also been covered in a previous article in TechForum (issue dated 22nd Sept 2003). However, in brief, it encrypts all the user files using a digital certificate created per user. If you steal the hard disk and somehow break the admin password and access the user data, you can open the files, but the contents will be encrypted. The only damage that is possible is deletion of files.

With a number of spyware programs also increasing, it is not required to steal your machine to look at the data. Backdoor type of programs can allow third parties to view your data while you are connected to the Internet!

So please use this option, at least for important computers.

Tip 21. The only way to be secure is to feel insecure!

I’ll sign off with this final tip, even though I could probably go on for another 20 articles and not finish the list of tips and guidelines. The core issue is that most of us are not as serious about security as we should be.

Because IT related attacks occur quietly, without any visible effects or bloodshed, we do not realise the magnitude of the threat and our vulnerability. Therefore, ensure that everyone in your organisation, including the top management understands the significance of security.

If you are insecure about it, you will take steps proactively – all the time. And that is your only chance to survive.

Think about it, we do so much work to establish a business, a career, a growth plan, a competition strategy. All this can be compromised because of something as stupid as not applying a patch in time, or not changing your password regularly, or not preventing someone from loading games on his machine.

Imagine, think and act. We are already late!

About the Author:Dr Nitin Paranjape is the Chairman and MD of Maestros (Mediline). He is a consultant with many organisations, covering appropriate technology utilisation, business application of relevant technology, application architecture and audit as well as knowledge transfer. He has authored more than 650 articles on various technology-related subjects. He can be contacted at nitin@mediline.co.in
<Back to top>


© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.
Please contact our Webmaster for any queries on this site.