Security Basics mailing list archives

Re: security advice


From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Mon, 26 Jan 2004 15:17:54 -0700

On Sun, Jan 25, 2004 at 11:40:22PM -0000, coder wrote:
> installed patches and updates
> changed passwords to "strong passwords"
> installed AV software on all clients & server

These are all good.  You might add a group policy to handle auto-updating
so your XP workstations stay current with their updates.

Figure out, write down, and get approved your server update plan.  One
schedule for regular updating, and a provision for "we gotta update
and reboot it right *now*".

Also configure your AV software to automatically update itself - some
companies like McAfee seem to issue updates once a week.  Others like
Sophos issue smaller updates as soon as they think there be dragons.
Figure out when your AV vendor updates stuff, and sync your update
schedule to it.  And sync your server more often than that.

I like once a week for workstations, daily for servers (or every hour
if you have the bandwidth and paranoia).  For all, update on reboot
to handle those machines that have been off for a while.

Disable services that are not in use.  Uninstall services and software
that is disabled.  You can't hack what isn't running, and you can't
forget to patch what isn't installed.  Nor can you misconfigure a
package that isn't installed.

> I am also planning on setting up the NAT thing in the server and
> installing a proxy then disabling all ports except the proxy's (is
> this a good idea?)

Honestly, all your services should be on your server, so I don't know
why you need a proxy.

For VPNs and NAT, do this on your firewall (which you didn't mention).
The same goes for your proxy software.  You might also consider some
form of intrusion detection software on the firewall - but don't
install it if you can't understand it.

Lastly, allow only the services you require through the firewall.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         Joyously Canadian               Computer Science
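Taking the last point of the reply above (allow only the services you require through the firewall), here is an added example that is not part of the original thread or of anything the poster ran: a small POSIX shell script that generates a default-deny iptables ruleset, in iptables-restore format, from a list of required services. Everything inbound is dropped unless it is a reply to traffic the server started or one of the listed services; management access (SSH) is further restricted to a single admin address. The service list (SMTP, HTTPS, an OpenVPN port), the admin workstation address 192.0.2.10 and the use of iptables are assumptions made for illustration; the post does not say what firewall was in use.

```shell
#!/bin/sh
# Generate a default-deny iptables ruleset for a small office firewall.
# Added example, not from the original post.  Hosts and ports below are
# assumptions chosen for illustration.

# Services that must be reachable from the outside, as proto:port.
# (Assumed: inbound mail, HTTPS, and an OpenVPN listener.)
REQUIRED_SERVICES="tcp:25 tcp:443 udp:1194"

# Only this (assumed) admin workstation may open SSH to the firewall.
ADMIN_HOST="192.0.2.10"

# gen_firewall_rules SERVICES ADMIN_HOST
# Prints an iptables-restore ruleset to stdout.  Returns 1 on a malformed
# service spec so a typo never silently produces an open firewall.
gen_firewall_rules() {
    services="$1"
    admin="$2"

    printf '%s\n' '*filter'
    # Default policies: nothing in, nothing forwarded, anything out.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    # Loopback and replies to connections we initiated are always fine.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no known connection are dropped early.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    # Management access: SSH, but only from the admin host.
    printf '%s\n' "-A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT"

    # One ACCEPT per required service; everything else hits the DROP policy.
    for svc in $services; do
        proto=${svc%%:*}
        port=${svc#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in service spec: $svc" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in service spec: $svc" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Log (rate limited) what is about to be dropped, so probes are visible.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

# Running the script prints the ruleset; review it, then apply with
#   iptables-restore < rules.v4
gen_firewall_rules "$REQUIRED_SERVICES" "$ADMIN_HOST"
```

Redirect the output to a file and load it with `iptables-restore`; because it is a complete table definition, loading it replaces the old filter rules atomically rather than appending to them. The INVALID-state drop and the rate-limited LOG line are the two pieces most often omitted in hand-written rulesets, and the spec validation is there because a mistyped port would otherwise be quietly skipped rather than flagged.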
