You have many reasons to restrict access to certain parts of your network: network integrity, license compliance, your company download policy, and data security, to name a few. You must be sure that only those people who need access to a particular area have that access. But it's tough to maintain a balance between easy access to necessary tools and strict adherence to your company's policies and procedures for network security.
The key is a well-thought-out lockdown policy. This article will address some of the issues you should consider when writing this policy, some tips for getting user buy-in, and some tools that may help keep your network safe and secure.
Build your policies from the inside out
You must take into account a multitude of factors before settling on policies for system access. Some factors are quite obvious. For example, can workers in the accounting department see the accounts servers? Can the help desk hit the Microsoft Web site? Others are out of the ordinary. For example, can visually impaired users alter their screen settings?
The most important thing to achieve when building your network lockdown policy is buy-in. You need to make sure that you get the support of your user groups. If you try to steamroll your policy over the entire company, you will meet with opposition and the way will be hard and uncomfortable. On the other hand, if you involve user groups and management teams in the process of devising your policies, you'll be able to impose the scheme on the workforce without stirring up huge resentment from the people you strive to serve.
Once a policy has been built, you will inevitably discover that you've left something out or haven't foreseen a particular contingency. For that reason, it's important to review each piece of a policy after an initial "bedding in" period to formally address those situations.
More about getting user buy-in
If you'd like advice for achieving user buy-in, read "How to roll out an IT policy in your organization."
Rogue software installations
For legal and ethical reasons, you must ensure that you hold licenses for all software installed on your workstations. But how can you maintain this status if anybody can install software at will?
Most companies regard the installation of unapproved software as a breach of the discipline code and will take action against offenders. Yet we all know that people will, if given the chance, install their favorite piece of software on their workstation, and this will inevitably be an unauthorized copy of something they use at home. To comply with the law, you have to ensure that only authorized users can install software and that they are trained to follow a procedure before doing so.
If a user needs a particular piece of software to do his or her job properly, the user will need to apply to the network administrator to have it installed. The department should then verify that the product is licensed, that it will not clash with any of the installed programs, and that the company holds the license for it. It may be that the user's needs are already covered by another package that is already installed and licensed.
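The license check described above can be run against an inventory export. The following is an added example, not part of the original article; the license register, workstation names, and product names are constructed sample data, and it covers only the licensing checks, not software compatibility.

```python
from collections import defaultdict

# Constructed license register: product name -> seats the company holds.
LICENSES = {"office suite": 3, "pdf editor": 2, "cad viewer": 2}

# Constructed inventory export: (workstation, installed product) pairs.
INVENTORY = [
    ("ACCT-01", "Office Suite"), ("ACCT-02", "Office Suite"),
    ("ACCT-02", "PDF Editor"),   ("HELP-01", "Office Suite"),
    ("HELP-01", "PDF Editor"),   ("HELP-02", "office suite "),
    ("HELP-02", "MP3 Ripper"),
]

def installs_by_product(inventory):
    """Map normalized product name -> set of workstations it is installed on."""
    hosts = defaultdict(set)
    for host, product in inventory:
        # Normalize case/whitespace; a set counts each workstation once.
        hosts[product.strip().lower()].add(host)
    return dict(hosts)

def audit(inventory, licenses):
    """Return (unapproved, over_deployed) for the whole estate."""
    hosts = installs_by_product(inventory)
    # Software found on a workstation with no license on file.
    unapproved = {p: sorted(h) for p, h in hosts.items() if p not in licenses}
    # Licensed products installed on more workstations than seats held.
    over_deployed = {p: (len(hosts[p]), seats) for p, seats in licenses.items()
                     if len(hosts.get(p, ())) > seats}
    return unapproved, over_deployed

def review_request(host, product, inventory, licenses):
    """Decide a user's install request against the license register."""
    name = product.strip().lower()
    if name not in licenses:
        return "refuse: no license on file"
    used = installs_by_product(inventory).get(name, set())
    if host in used:
        return "no action: already installed"
    if len(used) >= licenses[name]:
        return "hold: all seats in use, buy a seat first"
    return "approve: spare seat available"

if __name__ == "__main__":
    print(audit(INVENTORY, LICENSES))
    print(review_request("ACCT-01", "CAD Viewer", INVENTORY, LICENSES))
```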
If you have sensitive information stored anywhere on your network, there's always the threat of data theft. Users can easily siphon data off onto USB memory sticks, CD burners, portable hard disks, or similar devices that can be attached temporarily to a workstation. By preempting all such connections and making the resource unavailable to normal user accounts, you can plug another loophole before it becomes a full-blown security issue.
Putting teeth in your policy
Once your policies are formalized in written form, you'll need to enforce the rules you've set forth. Myriad tools are available that will help you control your users' abilities. Here are a few approaches that can help you protect and regulate your network:
One of the fundamental security flaws of any PC system is the system BIOS. Here, you can change the boot order of the PC, so if you want to restrict access to the system, this is the place to start. If the boot order is left at the default, A, C, CD-ROM, anyone with a boot disk can gain access to edit any system file, format the disk, and install his or her own version of the OS.
The solution is to alter the boot order so that C is first. Then, to prevent this from being changed, set a BIOS password that you keep as securely as the Admin password. This will deter the casual fiddler, although it won't keep out anyone with any real knowledge of PC hardware.
While you're at it, you can disable the parallel ports and USB ports so that data devices can't be attached that way. Unless you have directly attached printers, these ports serve very little real function on a network PC—except if you are somebody intent on stealing data.
System policy editor
In Windows 95, NT4, 98, and Me, you can install System Policy Editor, which is on the Windows 98 SE disk in TOOLS\reskit\netadmin\poledit and on the Windows 95 CD-ROM in Admin\apptools\poledit.
To install this tool on your hard disk, use the Add/Remove Programs option from the Control Panel. Select the Windows Setup tab and click the Have Disk button.
XP and 2000 require the installation of the appropriate resource kit. You can then run System Policy Editor from the Program menu. You can decide which parts of the program you will allow the user to have access to. This is a powerful tool with a wide range of options.
Creating a standard image that you roll out to all workstations can be a great help. You can use it to restore default settings if a system fails or becomes corrupted as well as to ensure that all of your policy settings are installed uniformly across the entire network.
Several tools are available for creating standard network images. For example, check out Symantec's Ghost Corporate Edition 7.5. It includes the GhostCast Server, which provides three methods of image deployment: simultaneous deployment of one image to many computers, deployment to a single client, and selective deployment based on subnet grouping.
Floppy drive locks
Another way that small but vital pieces of data can be removed from your network is through the good old-fashioned floppy drive. A simple lock—like the one from Secure-It—can be fitted to prevent its use. You might even consider, in these days of bootable CDs and network distributed applications, whether you want to have floppy drives in the systems at all.
User account privileges
Any network administrator knows that it is important to grant only those privileges that the user needs in order to do his or her job. Making the system too liberal may mean that, at best, users can see things they should not see. At worst, it might leave a loophole for an aggressive attack.
Restricted network drive shares
When you set up a network drive share, do you leave it open or do you set a password control on it? If the information in the folder is to be used only by a restricted number of people, set a password and make sure that just those people have access to it. It's a quick and easy security measure to set up.
After you have established your profiles and system policies, the only people who should be able to make changes to your workstations are those who know the administrative, BIOS, or share passwords. This means that if you want to keep control over the administration you need to do two things.
First, you need to impress on all authorized staff members that they cannot share the password with anyone. They should also be warned about the small minority of people who will try to read a password as you type it in. It goes without saying that you should immediately change any password you suspect has been compromised.
Second, you should design an unguessable password. You'd be amazed at just how many system administrators will use something like "password" or "letmein." Make sure that the password you decide on consists of numbers and letters and remains known only to those who need to know.
Users are also likely to compose weak passwords. To teach your users how to design foolproof passwords, download TechRepublic's user password presentation.
Review your policies regularly
With all policies, you must be flexible. As people's jobs evolve, their network permission needs will change. You must ensure that there's a process available for them to request those rights and have them granted in a timely way. Those procedures need to be approved by management so that there are no problems when it comes to making changes. If you establish a network lockdown policy and are never asked to change anything, you will be, in the words of Rudyard Kipling, "A better man than I."