Now that the NFL season is over we turn our eyes to Valentines Day when Yankees Pitchers and Catchers report for Spring training. It is the time of the baseball year when we go back to basics to shake the rust off the foundational aspects of the game.
With all the security issues swirling around I think it is also a good time to take a moment and think about the basics of security and patching for our Windows networks.
Study after study shows that the majority of bad things out there are dramatically mitigated/reduced by following a few simple guidelines:
- Make all your users limited users (i.e. no local administrators).
- Turn the Windows Firewall on for every server and workstation.
- Have proper, update to date anti-virus and anti-malware.
- Have a good web filter.
- Limit the use of the domain admin type IDs through delegation of specific tasks to lower level IDs.
- LImit the visibility into your network design by limited user IDs.
- Patch your workstations and servers for major Windows and security vulnerabilities.
While there is a lot of scary, "monster under the bed things" to keep us up at night, the majority of infections are known vulnerabilities with patches available and/or vulnerabilities that can't be fully exploited on a limited user workstation.
If you are still allowing users to be local admins, you must stop it immediately. Stop it right now. I had a school district recently widely use that model. They were afraid of removing the rights. They were backed into a corner with a virus outbreak and the rights had to be removed. We removed them via GPPE. NO ONE COMPLAINED. The world did not stop. They weren't really needed by properly written software.
In the same vein, I unilaterally turned on the Windows Firewall. One program. needed some firewall rules to keep running. We were able to do that centrally.
By simply leveraging the pre-existing anti-virus central console, we were able to make a punch list of infected machines to focus on while pushing new signatures and forcing scans on existing machines. As the number of current anti-virus signature machines went up, and the number of actively scanned machines increased, the virus outbreak began to drop from hundreds a day to a few here or there.
By putting Cisco Umbrella (even the free one) on top of web filtering suddenly malware was having a harder time communicating home or being downloaded.
I will continue this discussion in part two in two weeks. If you can't wait that long and you want to discuss your specific situation or require assistance, please give us a call.
Scott Quimby
You must be logged in to post a comment.