Weekly Tech Tidbits – Baby steps to better security

May 18th, 2018
We have been discussing a whole lot of security issues over this past year. Many of you are already moving forward to address many of our recommendations. However, some of you are paralyzed by the question of how to absorb the cost of the new security technologies that your district now absolutely requires to keep up with current standards. The challenges are daunting.

Summer is looming.  It is time to act.

We know that summer is when many of the major technology and configuration changes realistically happen in your district. I wanted to lay out some projects you can undertake, ranging from free to low cost, to keep you at least moving forward in constantly improving your security posture. These lists are by no means complete, and I know many of you have already done many of the items on them. I am happy to have a more precise discussion of your individual situation.

Free

  • Implement Microsoft Local Administrator Password Solution (LAPS).  This lets you automatically rotate the local administrator password on every computer in your domain, so each machine gets its own password instead of one shared across the district.
  • Implement Granular Password Policies.  This allows you to have different password complexity and change requirements for kindergarteners vs. payroll clerks.
  • Make sure local administrator rights are removed from every workstation they can be removed from.
  • Make sure the Windows firewall is turned on on all your workstations.
  • Audit the Administrators, Domain Admins, and Enterprise Admins memberships and remove all unnecessary domain admin rights.  Remember, Ford Motor Company has only 3 domain admins worldwide.  Do you need all that you see?
  • Change all domain admin passwords.  Remember, this needs to be done in a controlled manner where those IDs interact with services.  It is a great late-in-the-day summertime project.  Moving forward, use service accounts wherever possible for services.
  • Segment your network so that everything is not visible to everyone.  Remember your fortresses: servers, tech staff VLANs, and administrative staff VLANs (i.e. anything with money or personally identifiable information).
  • Make sure you have a handle on your anti-virus/anti-malware: centrally managed, current, and actively scanning the entire network.
  • Implement Windows Server Update Services (WSUS) to do Windows Updates.
  • Make sure the fortresses (administrative staff, tech staff, and servers) have the highest level of security patching.  Make sure those patch levels are consistent week to week.  Make sure that you can sustain those patch levels.
  • Implement the free version of Cisco Umbrella district-wide.
  • Turn on multi-factor authentication in Office 365 and Google Apps for all techs, teachers, and administrative staff.
  • Stop techs from signing on throughout the district as domain admins to do basic work.  Leverage delegation and local admin rights to do the work.
  • Stop techs RDPing into servers to do work, and leverage RSAT tools, a management server, and other tools like Microsoft Admin Center to do the legitimate work that needs to be done.
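The privileged-group audit and the domain admin password change above go hand in hand: you want to know who is in those groups, who has not used the account in months, whose password has not changed in a year, and which accounts are probably tied to a service before you start rotating. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module on a domain-joined machine, and the 90-day and 365-day thresholds are assumptions you should adjust.

```powershell
# Added example (not from the original post): enumerate the three groups named
# above, expand nested membership, and flag members worth a second look.
# Assumes the ActiveDirectory RSAT module; thresholds below are assumptions.
Import-Module ActiveDirectory

$groups      = 'Administrators', 'Domain Admins', 'Enterprise Admins'
$staleDays   = 90    # no logon in 90 days: does this account still need admin rights?
$oldPassDays = 365   # admin password older than a year: rotate it this summer
$now         = Get-Date

$report = foreach ($g in $groups) {
    # -Recursive expands nested groups so indirect members are not missed.
    # Enterprise Admins exists only in the forest root domain, so a failed
    # lookup is reported rather than silently skipped.
    try {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        $flags = New-Object System.Collections.Generic.List[string]
        $lastLogon = $null; $passSet = $null
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.DistinguishedName `
                 -Properties Enabled, LastLogonDate, PasswordLastSet, ServicePrincipalName
            $lastLogon = $u.LastLogonDate; $passSet = $u.PasswordLastSet
            if (-not $u.Enabled)       { $flags.Add('disabled') }
            if (-not $u.LastLogonDate) { $flags.Add('never logged on') }
            elseif ($u.LastLogonDate -lt $now.AddDays(-$staleDays)) { $flags.Add('stale') }
            if ($u.PasswordLastSet -lt $now.AddDays(-$oldPassDays)) { $flags.Add('old password') }
            # An SPN usually means a service runs as this account: rotate carefully.
            if ($u.ServicePrincipalName) { $flags.Add('has SPN - check services first') }
        } else {
            # Computers or foreign principals should rarely sit in these groups.
            $flags.Add("non-user principal ($($m.objectClass))")
        }
        [pscustomobject]@{
            Group       = $g
            Account     = $m.SamAccountName
            LastLogon   = $lastLogon
            PasswordSet = $passSet
            Flags       = $flags -join '; '
        }
    }
}

$report | Sort-Object Group, Account | Format-Table -AutoSize
# Keep a dated copy so next week's run can be compared against this one.
$report | Export-Csv -NoTypeInformation -Path ("priv-group-audit-{0:yyyy-MM-dd}.csv" -f $now)
```

Run it weekly over the summer; the goal is a shrinking list with empty Flags columns, and a saved CSV from each run shows whether anyone quietly crept back in.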

Limited cost

  • Use a product such as Ninite or Ninite Pro to almost effortlessly maintain the patches for applications such as Java, Flash, Adobe, Firefox, etc.  Be obsessive in maintaining the patch levels of the tech and administrative staff.
  • Start a pilot of Cisco AMP.  Put it on all the tech machines.  Put it on all the money machines.  Put it on all the student services machines.  Put it on the administrative machines.  Figure out how much of that you can afford and just start doing it.

There is a lot more I can say and suggest, but if you came to me and said you had substantially limited privileged access for users, limited server access, segmented your network better, become confident in your anti-virus, and built a rock-solid patching regimen for tech, administrative, and staff workstations that covers both application and OS security updates, I'd be a happy guy.  If you added that you had Cisco AMP playing centerfield for those same users, I would say you had an outstanding summer.

I am happy to talk about your individual situation and map out a plan that works for you.

Scott Quimby