

Windows networking mistakes: The five most common


Jonathan Hassell
10.13.2005


Rather than take the common approach of dispensing advice and recommendations, let's change the story a bit. Let's talk about what not to do. What are some of the most common mistakes I see administrators making in their Windows networks?

Mistake one: Not enabling automatic updates on critical Internet-facing machines. This is really an unacceptable oversight, as the machines most vulnerable to exploitation are the ones easily accessible from outside your security perimeter. By enabling automatic updates, which patch these problems regularly, just on these machines, you'll cut your security response load immensely. (Note that it's OK to leave this off internally. You can keep your change management policies intact on the inside part of your network, where the risk of direct exploit is less, as long as you make plans to patch as soon as possible after you conclude testing on the updates.)
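One way to check this on the Internet-facing machines, as an added example that is not part of the original tip: it reads the values written by the "Configure Automatic Updates" Group Policy setting. The function name is hypothetical, the host list is yours to supply, and remote hosts are assumed to accept PowerShell remoting.

```powershell
# Added example: report whether policy leaves Automatic Updates able to install
# patches unattended on each named host. Get-AutoUpdatePolicy is a hypothetical name.
function Get-AutoUpdatePolicy {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on each host: read the policy values, if the policy key exists at all.
    $read = {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
        $au  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            NoAutoUpdate = $au.NoAutoUpdate   # 1 = Automatic Updates turned off
            AUOptions    = $au.AUOptions      # 4 = download and install on a schedule
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $r = & $read                  # local host: no remoting needed
            } else {
                $r = Invoke-Command -ComputerName $computer -ScriptBlock $read -ErrorAction Stop
            }
        } catch {
            Write-Warning "$computer could not be queried: $($_.Exception.Message)"
            continue
        }

        if ($r.NoAutoUpdate -eq 1) {
            $status = 'Disabled by policy'
        } elseif ($null -eq $r.AUOptions) {
            $status = 'No policy set; the local setting decides'
        } elseif ($r.AUOptions -eq 4) {
            $status = 'Automatic download and scheduled install'
        } else {
            $status = "Policy option $($r.AUOptions): does not force automatic install"
        }
        [pscustomobject]@{ Computer = $r.Computer; Status = $status }
    }
}

# Pass the names of your Internet-facing machines; with no argument it checks this host.
Get-AutoUpdatePolicy
```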

Mistake two: Favoring interoperability over security. So you have a network with the makeup of a mutt: a lot of Windows machines, and Windows on some servers, but also a few Macintosh clients and perhaps a room full of Unix or Linux infrastructure servers. And they all needed to work together painlessly, so you probably hacked a solution together involving stored passwords and plain-text communications and publicly readable directories. I've seen it before. And these are places that nefarious individuals go to glean all sorts of useful credentials and location information for use in their deviant efforts. The bottom line: Make sure when heterogeneous platforms are talking to each other that they still uphold the same level of integrity that's possible when homogeneous machines are communicating.

Mistake three: Leaving unneeded services on. It's great that all 150 machines on your factory floor have the Messenger service enabled, but it's probably not something that your workers are making legitimate use of. It also gives crackers a very confusing way to convince other computer users to do bad things on their behalf (these Messenger boxes can look a lot like error messages). Use the services guide I wrote for SearchWindowsSecurity.com to lock down these unneeded services.
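A sketch of how that lockdown can be audited and applied across a set of machines, as an added example that is not from the article or the services guide it mentions. The function names are hypothetical, "Messenger" is the only service name taken from the text, and remote hosts are assumed to accept CIM connections over WinRM.

```powershell
# Added example: find listed services that are running or can still start, then
# stop and disable them. Extend -ServiceName from your own baseline.
function Get-UnneededService {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$ServiceName  = @('Messenger')
    )
    foreach ($computer in $ComputerName) {
        # Query the local machine directly; only remote hosts need WinRM.
        $cim = @{ ClassName = 'Win32_Service'; ErrorAction = 'Stop' }
        if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer }
        try {
            $installed = @(Get-CimInstance @cim | Where-Object { $ServiceName -contains $_.Name })
        } catch {
            Write-Warning "$computer could not be queried: $($_.Exception.Message)"
            continue
        }
        # A service that is not installed is fine; report only those that can still start.
        $installed | Where-Object { $_.State -eq 'Running' -or $_.StartMode -ne 'Disabled' }
    }
}

function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][ciminstance]$Service)
    process {
        $target = '{0} on {1}' -f $Service.Name, $Service.SystemName
        if (-not $PSCmdlet.ShouldProcess($target, 'Stop and disable')) { return }
        if ($Service.State -eq 'Running') {
            $stop = Invoke-CimMethod -InputObject $Service -MethodName StopService
            if ($stop.ReturnValue -ne 0) {
                Write-Warning "${target}: StopService returned $($stop.ReturnValue)"
            }
        }
        $mode = Invoke-CimMethod -InputObject $Service -MethodName ChangeStartMode `
                                 -Arguments @{ StartMode = 'Disabled' }
        if ($mode.ReturnValue -ne 0) {
            Write-Warning "${target}: ChangeStartMode returned $($mode.ReturnValue)"
        }
    }
}

# Review the findings first, then rerun the second line without -WhatIf to apply.
Get-UnneededService | Select-Object SystemName, Name, State, StartMode
Get-UnneededService | Disable-UnneededService -WhatIf
```

Running with -WhatIf first fits the change-management point made under mistake one: the report shows what would change before anything does.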

Mistake four: Not hardening remote access points. There are weak points in every network, and they're invariably located at the windows into your network -- where machines and users from outside your security boundaries can come inside and use resources and make changes within. After all, in your house, it's a lot more likely someone will break into a door or window than cut through siding or brick and drywall. Make sure your VPN concentrators, remote access servers, dial-in modem banks and public authentication servers are all hardened and protected against external threats.

Mistake five: Deploying wireless Internet access without security. Wired networks have at least one advantage over wireless -- their contents aren't leaked to anyone who can listen. Your data and messages and the secure content they contain are at least constrained within the bounds of a wire, whereas transmitting the same packets over the air allows anyone to come in and sample the waves. And if you're in a city or another highly trafficked area, it's probably already happened. Deploy some sort of encryption and security measures, like not broadcasting your SSID and enabling WPA, to thwart the more casual data and access thieves.

These five are the most conspicuous issues I see on average. If you're able to make progress on fixing these five, you'll be several orders of magnitude more secure than you were before you began.

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP), and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His book RADIUS (O'Reilly & Associates) is a guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security.

