General discussion

Locked

Security fixes aren't enough

By discussion ·
In this weeks' Security Solutions column, Michael Mullins says security patches are useless without properly securing your system before it?s on the network. Should companies develop a standard security configuration guide to be used before deploying servers? What other security settings do you think should be configured before deployment?

This conversation is currently closed to new comments.

3 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Guide a mininum - But not enough

by Solarian In reply to Security fixes aren't eno ...

I do not understand, in this day and age, a company who does not have a "... standard security configuration guide...". It is a fail safe system for harried personnel and a bring up to date for new personnel.

With so many security patches, or any other type of patches, the time needed to install and make sure they don't worsen the situation can be overwhelming. Therefore, I would strongly advise the installation of intrusion-prevention tools.

These tools, if properly configured, can givethe needed time to check for the proper installations of the patches. At the same time, it will permit the deployement of any new servers, if said patching is not terminated.

Collapse -

Security fixes aren't enough - agree

by James Wise In reply to Security fixes aren't eno ...

It is my opinion that all uneccessary services should be disabled as stated by Michael Mullins. I also belive that it is important to have a security strategy in place ensuring that all W2K servers that are built and deployed comply with the basiscsas mentioned, are patched to current deployment date's latest patches and are continously kept up to date via services such as SUS. If a company does not have SUS services in place it should be designed and deployed as a matter of standard security practice. All current servers should be reviewed in the environment and all unecessary services disabled. A recent study suggests that Unix and Linux are now slightly more vulnurable to attack than W2k, because Microsoft's security campaign has actually brought about a very secure system if configured correctly by competent administrators. The tide is turning in Microsoft's favour when it comes to secure systems, in Windows 2003 server services have to be enabled, as they are already disabled bydefault to a large extent I believe.

Collapse -

Security of a system,

by eziots In reply to Security fixes aren't eno ...

Honestly, this article was a good baseline. I would also look into using a custom Security template to do the inital configuration of your server systems, so that you can have exact reproducable results.

The security template, can do everything you need, from Registry permissions, ACL's on Drives, Services, Registry, along with User rights, auditing, and local GPO configuration. It does all the heavy lifting, and it works out nice, because all you need to do is document the settings in the template once, and review the settings verus this template as your server progresses, or taken existing settings for a system, export them to a new template and then make needed changes, knowing you can re-lay down the template settings, or anty piece of the template if needed.

www.nsa.gov has excellent guides, along with M$ on the security configuration tool set, and how it can take care of most of your Security needs. That coupled with a good change management and patch management system, can ensure that your systems stay hack free, and properly secured.

Sincerely,
Ed Ziots
NT/Citrix Admin
eziots@lifespan.org

Back to IT Employment Forum
3 total posts (Page 1 of 1)  

Related Discussions

Related Forums