Security Basics mailing list archives

Re: security in small business networks


From: krymson () gmail com
Date: 11 Sep 2006 14:34:36 -0000

A few more things you can check/do on your servers and workstations from a security standpoint (I assume you have some 
time available to do this stuff):

- Check for rogue admin accounts on the workstations or servers. Or at least check for a way to quickly dump this info 
from your systems when you're on site, such as with Hyena or Dameware (MBSA/Nessus may even do this for you), or a 
multitude of other scripts with fewer extraneous bells and whistles.

- Change your firewall and router passwords, change server local admin passwords, etc. Make password rotation a regular 
thing (every month up to every 6 months or so). I know some people will cry out about how 6 months is too long, but 
most small companies don't need to be overzealous.

- Since you're likely not on site all the time, you might end up troubleshooting week-old issues. At least on your 
servers, turn on auditing and set your event logs to a larger size. This way you can go back farther. You can 
Google Windows 2003/2000 Event Logs for more info on how to do that and what settings you can use.

- Manage patching using WSUS. I bet you have everything set to automatically update, though, so this might not be much 
of a benefit, but is still useful to learn, especially if you have extra servers or some room on a current server at a 
client site.

- Run MBSA or Nessus (NeWT for Windows) against systems when you're on site, just to get a lay of the land on how your 
systems look. Research the results and learn more about things you might be able to do. First do MBSA, as Nessus is a 
bit noisier. You might even be able to nmap the network just to gain information and get used to using nmap.

- Fully document the firewall rules at each site so that you or someone else can quickly see what is allowed and needs 
to be protected, and what may have changed since last you were there. Continuously log changes you make over time.

- I'll always point first to documentation and information when it comes to systems and security. Document the 
inventory if that is something you are even partially responsible for. Document naming standards for workstations and 
systems, accounts, services on servers, warranty information if necessary, etc. Get in the habit of always having good 
information nearby if this isn't already done. Network diagrams with IP blocks and assignments are also amazingly useful.


Forensics is a bit touchier a subject. If a customer has an incident that is dangerous or critical enough to make 
you ask whether you should check into it or the FBI/Police should, chances are you should first start with the FBI/Police. But 
if you find other smaller incidents like internal virus or spyware infections and the like, you can hone some forensics 
skills if you'd like. Find a way that works for you to image the system(s) affected, and work with that image. Document 
everything, keep artifacts (printouts of processes, files, access times, or even actual virus files [carefully!]), and 
then make yourself a report of cause, effects, and cleanup afterward. This is a start and at least gets you in the 
mindset of what it all entails. By this time, you may find you enjoy this a lot and have found your own resources on 
the net for more information.
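As an added example (not part of krymson's post), here is a PowerShell script covering two of the checklist items above: dumping local Administrators membership from a set of machines and comparing it against an approved baseline to find rogue admin accounts, and enlarging the event logs and enabling auditing on servers so you can go back farther when troubleshooting. It assumes PowerShell 5.1 or later on the targets (the Get-LocalGroupMember cmdlet and auditpol postdate the Windows 2000/2003 era the post mentions), that WinRM is enabled so Invoke-Command can reach them, and that the computer names and the approved-admins list are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on the
# targets and WinRM reachability. Computer names and the baseline are placeholders.

$Computers = @('SRV-FILE01', 'SRV-DC01', 'WS-FRONTDESK')   # assumed host names

# Approved members of the local Administrators group. The machine-local prefix is
# normalised to LOCAL\ below so one baseline fits every host.
$ApprovedAdmins = @(
    'LOCAL\Administrator',
    'CONTOSO\Domain Admins',        # assumed domain name
    'CONTOSO\Workstation Admins'    # assumed group
)

function Get-RogueLocalAdmins {
    param(
        [string[]]$ComputerName,
        [string[]]$Approved
    )
    # Collect every member of Administrators on each host, then keep only the
    # ones that are not on the approved list.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                # "SRV-FILE01\Administrator" becomes "LOCAL\Administrator"
                Member   = $_.Name -replace "^$env:COMPUTERNAME\\", 'LOCAL\'
                Source   = $_.PrincipalSource    # Local, ActiveDirectory, MicrosoftAccount
                SID      = $_.SID.Value
            }
        }
    } | Where-Object { $Approved -notcontains $_.Member }
}

function Set-ServerAuditing {
    param(
        [string[]]$ComputerName,
        [int]$LogSizeMB = 256      # must be a multiple of 64 KB; 256 MB qualifies
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Enlarge the main logs and overwrite the oldest events rather than stop
        # logging when full, so a week-old issue is still in the log.
        foreach ($log in 'Security', 'System', 'Application') {
            Limit-EventLog -LogName $log `
                -MaximumSize ($using:LogSizeMB * 1MB) `
                -OverflowAction OverwriteAsNeeded
        }
        # Turn on the audit categories that matter most for a rogue-admin
        # investigation: logons and changes to accounts and groups.
        foreach ($sub in 'Logon', 'User Account Management', 'Security Group Management') {
            auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        }
        # Return the resulting log settings so the change can be verified.
        Get-EventLog -List |
            Where-Object { $_.Log -in 'Security', 'System', 'Application' } |
            Select-Object @{n = 'Computer'; e = { $env:COMPUTERNAME }},
                          Log, MaximumKilobytes, OverflowAction
    }
}

# Anything printed here is a member of Administrators that is not in the baseline.
Get-RogueLocalAdmins -ComputerName $Computers -Approved $ApprovedAdmins |
    Format-Table Computer, Member, Source, SID -AutoSize

# Apply the logging changes to the servers only and show the new settings.
Set-ServerAuditing -ComputerName ($Computers | Where-Object { $_ -like 'SRV-*' }) |
    Format-Table Computer, Log, MaximumKilobytes, OverflowAction -AutoSize
```

Two caveats worth knowing before running this at a client site. Get-LocalGroupMember can throw on hosts whose Administrators group contains an orphaned SID (a deleted domain account); on those, `net localgroup Administrators` still lists the members and can be used as a fallback. And the Security log size is also governed by Group Policy where one applies, so a domain-level setting will silently win over Limit-EventLog on the next policy refresh; make the change in the GPO instead in that case.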
