Overlooked Features of Windows Security - Key Area No. 5: Unmanaged and Noncompliant Clients
(Page 4 of 4 )
The last key area in Comsec and XTSeminar's paper is unmanaged and non-compliant clients, which was touched on earlier in this article. All computers that sit on the network should be fully managed by the IT department. The IT department can impose requirements for group policy lockdown, check that firewalls are enabled, use scripts to check that virus scanners are up to date, implement patch management, etc.
In reality, though, the network will contain a mixture of managed and unmanaged systems. Unmanaged systems can belong to contractors, consultants, developers or even an interloper.
The best way to protect valuable resources is through the use of IPSec, which we discussed earlier. There are two components to IPSec: authentication and encryption. Authentication can be used without encryption; it allows us to configure our systems so that they cannot communicate at the network level unless they have been authenticated. The authentication is between the two hosts and is not dependent on user authentication.
Depending on how IPSec rules are configured, if a system cannot authenticate, it will not be able to communicate with other hosts and will effectively be invisible on the network. Unless Windows security specifically denies its use, Craddock recommends allowing the use of ping without the need for authentication.
According to Craddock, security is a balance between keeping the bad guys out and not interfering with the way users build a company's assets. These key areas are intended to show companies how they can increase their security posture without burning through their precious budget on additional license fees and network appliances. It may not pull the economy out of the gutter, but these key areas are definitely worthy of consideration.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
