Planning for Security
It is far easier to implement effective security measures to protect your SBS network if you plan for security before you actually start installing software. In the following sections, we’ll cover some of the most common attack vectors and the preliminary steps you can take in this planning stage to prepare your defenses:
Careless or disgruntled employees and former employees Internal users and former users are the biggest risk factors to data loss and data theft on most computer networks. Whether from laziness, disregard of security policies, or outright malice, the internal user is often the most dangerous on your network. To help reduce risks related to this, refer to the Ensuring Physical Security section of this chapter as well as to Chapter 8.
Internet hackers All computers and devices attached directly to the Internet are subject to random attacks by hackers. According to the Cooperative Association for Internet Data Analysis (CAIDA), during a random three-week time period in 2001 more than 12,000 DoS attacks occurred: 1200–2400 were against home computers and the rest were against businesses. If your organization has a high profile, it might also be subject to targeted attack by hackers who don’t like your organization or who are engaging in corporate espionage.
For more information about securing a network against Internet hackers, see the Securing Internet Firewalls section of this chapter.
Wireless hackers and theft of service Wireless access points are exposed to the general public looking for free Internet access and to mobile hackers. To reduce this risk, refer to the Securing Wireless Networks section in this chapter.
Viruses and worms Networks are subject to virus exposure from email attachments, infected documents, and worms such as CodeRed and Blaster that automatically attack vulnerable servers and clients. Refer to the Securing Client Computers section of this chapter for more information.
Ensuring Physical Security
Although security is not something that can be achieved in absolute terms, it should be a clearly defined goal. The most secure operating system and network in the world is defenseless against someone with physical access to a computer. Evaluate your physical environment to decide what additional security measures you should take, including the following:
Place servers in a locked server room. And control who has keys!
Use case locks on your servers, and don’t leave the keys in them.
Place network hubs, routers, and switches in a locked cable room or wiring closet.
Install case locks on client systems or publicly accessible systems.
Use laptop locks when using laptops in public.
Use BitLocker to encrypt the data on laptops that contain sensitive data.
Even a highly secure network can be quickly compromised by a poorly secured client computer—for example, a laptop running an older version of Windows with sensitive data stored on the hard drive. To maximize the security of client computers, use the following guidelines (refer to Chapter 8, and Chapter 14, for more security procedures):
Use a secure operating system Use Windows Vista or Windows 7 on all client computers, with a strong preference for Windows 7 on laptops.
Use NTFS, file permissions, BitLocker, and EFS Use NTFS for all hard drives, and apply appropriate file permissions so that only valid users can read sensitive data. Encrypt sensitive files on laptop computers using the Encrypting File System (EFS), and encrypt at least the system drive on laptops using BitLocker. (BitLocker is available only on Enterprise and Ultimate versions of Windows Vista and Windows 7.)
Keep clients updated Use the Automatic Updates feature of Windows to keep systems updated automatically. Ideally, use the Windows Software Update Service (WSUS), integrated into SBS 2011, to centrally control which updates are installed, as described in Chapter 15.
Enable password policies Password Policies is a feature of SBS 2011 that requires user passwords to meet certain complexity, length, and uniqueness requirements, ensuring that users choose passwords that aren’t trivial to crack.
Remembering passwords has become an increasingly difficult prospect, leading to the resurgence of the yellow-sticky-note method of recalling them. It’s important to discourage this practice, and encourage the use of distinctive but easy-to-remember passphrases. See the Under The Hood sidebar Beyond Passwords—Two-Factor Authentication for an alternative to annoyingly complex passwords.
Install antivirus software Antivirus software should be installed on the SBS 2011 computer as well as on all clients. The best way to do this is to purchase a small-business antivirus package that supports both clients and the server. There are good third-party solutions specifically designed for the SBS market from several vendors.
Install antispyware software Antispyware software should be installed on all client computers on the network and configured for real-time monitoring and daily full scans.
Keep web browsers secure Unpatched web browsers are a significant security issue. Always keep web browsers updated with the latest security updates.
Wireless networks using the 802.11b, 802.11a, 802.11g, and 802.11n standards are very convenient but can also introduce significant security vulnerabilities if not properly secured. To properly secure wireless networks, follow these recommendations:
Change the default password of all access points.
Change the default SSID. Pick a name that doesn’t reveal the identity or location of your network.
Enable 802.11i (WPA2) encryption on the access points.
If the access points don’t support WPA2-Enterprise, don’t use them on your internal network.
Disable the ability to administer access points from across the wireless network.
For more on configuring and protecting wireless networks, see Chapter 19.
Most external firewall devices are secure by default, but you can take some additional steps to maximize the security of a firewall:
Change the default password for the firewall device! We know this seems obvious, but unfortunately, it is all too often ignored.
Disable remote administration, or limit it to responding to a single IP address (that of your network consultant).
Disable the firewall from responding to Internet pings. OK, we admit this is controversial. It’s certainly a best practice, but it can also make troubleshooting a connectivity issue remotely a lot harder.
Enable Stateful Packet Inspection (SPI) and protection from specific attacks, such as the Ping of Death, Smurf, and IP Spoofing.
Leave all ports on the firewall closed except those needed by the SBS 2011 server.
Regularly check for open ports using trusted port-scanning sites. We use http://www.dslreports.com.
Require two-factor authentication for all access to the firewall.
Keep the firewall updated with the latest firmware versions, which are available for download from the manufacturer’s website.