Holes in my security - advice needed

Discussion in 'Server Networking' started by SteveP, Apr 25, 2007.

  1. SteveP

    SteveP Guest

    The network is 2003 standard servers and one W2K server. All users are XP
    Pro. All users are joined to the domain.

    Except:
    One user bought a laptop with Vista Home on it. It is used at home by
    children and then brought into work and plugged into the network. It was
    also given the printer drivers. It cannot be joined to the network and I
    have no control over it. I do not know if it has up-to-date antivirus.

    One Mac desktop that was just brought in one day and plugged in.

    Company policy is XP Pro machines only and they must be joined to the domain.

    I need information to present to management on why having computers just
    plugged into the network is dangerous.
     
    SteveP, Apr 25, 2007
    #1

  2. I don't know what to say. It would be like trying to explain what the color blue
    looks like.
    If they don't understand why it is bad,...then how did the company policy get
    put in place that says, "Company policy is XP Pro machines only and they must be
    joined to the domain"? That would be the whole point of that policy,...if they
    aren't going to enforce that policy then get rid of it and let the LAN be a
    free-for-all, because your Policies have no "teeth",..they have no authority.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft, or
    anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Apr 25, 2007
    #2

  3. SteveP

    SteveP Guest

    It's difficult, if not impossible, to protect the company from itself. Yet,
    I will be blamed if there is an attack, infection or theft of corporate and
    client information. It worries me a lot.

    I can talk over their heads about man-in-the-middle attacks and viruses.

    Other IT people must have found ways to present the danger to their
    employer and enforce IT policy for the good of the company? Suggestions,
    please?
     
    SteveP, Apr 25, 2007
    #3
  4. Just tell them that people will bring in infected machines and spread it all over
    the LAN. You don't have to get any more complicated than that.
    There is no "mature" and affordable solution for preventing users from bringing
    laptops and plugging them in willy-nilly all over the place.

    There is a new standard (802.1x? I forget) where a machine is authorized by
    having the switch they connect to use a RADIUS server to authorize them before an
    address is given over DHCP. It requires very expensive switches with this
    ability,...it also requires a RADIUS Server. It pretty much mirrors to a
    certain extent what happens with some secured Wireless Systems before the user
    is allowed to operate over the Wireless Access Point.

    The other option is to stop using DHCP.

    The other option is to not have unused wall jacks left "live",...unplug them
    from the switches.

    In the end what you have is a social problem, a behavioral problem, and a [human]
    management problem,....*not* a technical problem. So you have to treat it that
    way. If management won't support your actions with simple enough explanations
    that they can understand,...then you have already lost the war and it is time to
    go work somewhere else rather than patiently wait for the inevitable "blame" and
    "firing" that will eventually occur to you.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft, or
    anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Apr 25, 2007
    #4
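
An added example, not part of the thread or any poster's code: a short audit that compares a DHCP lease export against the inventory of domain-joined machines and lists devices that were simply plugged in. The CSV column names and all sample rows are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample data (not from the thread). Column names are assumptions;
# adapt them to whatever your inventory and DHCP server actually export.
INVENTORY_CSV = """hostname,mac
ACCT-XP01,00-1A-2B-3C-4D-5E
ACCT-XP02,001a.2b3c.4d5f
"""
LEASES_CSV = """ip,mac,hostname
192.168.1.20,00:1a:2b:3c:4d:5e,ACCT-XP01
192.168.1.21,00:1A:2B:3C:4D:5F,ACCT-XP02
192.168.1.57,00:16:CB:AA:BB:CC,macdesktop
192.168.1.58,00-1B-77-11-22-33,HOME-VISTA
192.168.1.59,not-a-mac,
"""

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[-:.\s]", "", raw or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_inventory(text):
    """Map normalized MAC -> hostname for every valid inventory row."""
    rows = csv.DictReader(io.StringIO(text))
    return {m: r["hostname"] for r in rows if (m := normalize_mac(r["mac"]))}

def find_unmanaged(leases_text, inventory):
    """Return lease rows whose MAC is malformed or missing from the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(leases_text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            findings.append((row["ip"], row["mac"], "unparseable MAC"))
        elif mac not in inventory:
            findings.append((row["ip"], mac, row["hostname"] or "(no hostname)"))
    return findings

if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for ip, mac, note in find_unmanaged(LEASES_CSV, inventory):
        print(f"UNMANAGED {ip} {mac} {note}")
```

A MAC address is self-reported by the device, so this list is a detection aid for the audit, not an enforcement mechanism like the switch-port authentication described in the post above.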
  5. SteveP

    SteveP Guest

    Interesting.

    You are right. The network is good, I have a human management problem.

    It is just a matter of time before the network is attacked from within
    and/or infected. It's frustrating.

    I was hoping for a list of things that could occur and present it in a
    document to upper management.
    --
    Thanks, Steve


     
    SteveP, Apr 25, 2007
    #5
  6. It's difficult, if not impossible, to protect the company from itself.
    I would do an audit of the information on the network. Classify the
    information into categories ranging Information needed to be kept from the
    public (Social Security numbers, private business info that needs to be kept
    out of competitors hands, Info that if released to the public would damage
    the company's credibility and profitability) Information that needs to be
    kept from other departments (Wages, Social Security numbers, etc) and
    information that is created for the public (Info released on the website,
    etc.).

    This overall audit will allow you to know first *if* there is sensitive
    info on the network, where it is, how much there is, and who has access.

    Then you can go to the powers that be and show them how much data is on
    their network that is covered by HIPAA or Sarbanes Oxley. If they put some
    teeth in their policies, this overall audit will allow you to know where the
    data resides on your network that needs the most protection and you can
    target your efforts accordingly.

    If they still refuse to put some teeth in their own policy after that CYOA.
    Find another job or have them sign off on a letter that states you informed
    them of the possible security hole and the data that they store on their
    network. It's possible that their data can be intercepted and modified,
    deleted or copied, or just read to get an unfair advantage.

    hth
    DDS
     
    Danny Sanders, Apr 25, 2007
    #6
  7. SteveP

    SteveP Guest

    May I ask how to run the audit?

    2003 standard server SP2. I have a primary domain controller DC1.
     
    SteveP, Apr 25, 2007
    #7
  8. May I ask how to run the audit?

    Interviews of the department heads.

    Ask questions.

    What would be the ramifications to the company if this file/folder were
    somehow made available to the public?
    To another department?

    Answers should range from: nothing, it's already on the website or that was
    in the news last year, to "that would cost us a lot of business" or that
    would ruin us.

    If you don't get any "that would cost us a lot of business" or that would
    ruin us, maybe they don't need to worry all that much about security.

    If you do get some answers that indicate there would be a problem if some
    folders got to the public, make note and concentrate on explaining the
    ramifications of those folders getting out.

    hth
    DDS


     
    Danny Sanders, Apr 25, 2007
    #8
  9. SteveP

    SteveP Guest

    Got it.

    Thank you both for ideas with my problem.
     
    SteveP, Apr 25, 2007
    #9
  10. Yes, exactly. I thought of that a short while after I sent the last post.
    Sarbanes Oxley made a huge difference in how serious they took things around here
    where I am.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft, or
    anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Apr 25, 2007
    #10
  11. From my practical day-to-day experience here where I am,...the possibility of a
    hacker stealing data and having it used against us or just hurt us via the loss
    is pretty slim. The most common, most likely, most practical threat caused by
    users bringing in their personal laptops is the viruses and the damage caused by
    them which could trash the software side of the machines. It wouldn't hurt the
    hardware, the machines can always be reloaded, but the loss of data that might
    not be perfectly restored is where the first danger is. The second danger is
    the blame you/I would get for it happening,...even after trying in vain to warn
    people that it would happen.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft, or
    anyone else associated with me, including my cats.
     
    Phillip Windell, Apr 25, 2007
    #11
  12. SteveP

    SteveP Guest

    Since telling upper management about possible theft of data and infections
    didn't work, you may be on to a topic that will.

    I read up on Sarbanes-Oxley and it was almost something I could use. They
    would not like to pay a fine! But, we are a privately held corporation.

    Can you refer me to any more laws that might pertain to knowingly having
    security holes in a network that contains a lot of legal and financial data?
     
    SteveP, Apr 25, 2007
    #12
  13. SteveP

    Mike Lowery Guest

    CERT has a lot of good information and guidelines regarding computing security:
    http://www.cert.org/cert/

     
    Mike Lowery, Apr 25, 2007
    #13
  14. SteveP

    Jeremy Guest

    You need to put it in business terms and not technical terms. Steve Riley
    likes to start off a conversation with this question:

    What is your most important business asset (in IT terms) and what would it
    cost the company if it were unavailable.

    Unfortunately security is working well when nothing happens. The policy
    exists, so this is a good start, but you need to be able to argue for budget
    to enforce it if that is what they want. If the bosses take your cost
    benefit argument and decide it isn't worth their while to fix it then you
    need to get it in writing that you cannot be held accountable for an outage
    caused by a machine on the network that is beyond your ability to control.

    There are two technologies that could help you out if you manage to get
    their buy in. One is Domain Isolation via IPSec (search for Domain Isolation
    on the MS web site), or something like Network Admission Control (NAC) from
    Cisco.

    Microsoft will be bringing out their own version of NAC called Network
    Access Protection in Longhorn.

    Good Luck,
    Jeremy.
     
    Jeremy, Apr 26, 2007
    #14