Are you slowly losing your mind trying to keep your Windows-based system secure? Or, perhaps you're being innovative in getting security on track? As we found recently, some IT managers are doing a combination of both: losing their minds while trying to innovate appropriate security measures.
If frequent Windows security dilemmas are familiar territory on your network, relax. You're not alone. In a recent searchWindowsManageability user poll, our users confessed their top security concerns, describing their real world and perfect world solutions. Here are five of the most popular headaches that compile our top 10 list.
Let us know if all, some or none of these problems plague you. What are your top security concerns? E-mail editor@searchWindowsManageability.com.
Inadequacies in the security features of Microsoft products
For Hal Smith, an Enterprise DBA at the Board of Public Utilities in Kansas City, Kan., it "depends on the day of the week" when the inadequacies in Microsoft products' security features will cause him the 30% of security problems he regularly encounters.
In a perfect world, Smith's solution would entail "biometrics, multi-factor authentication, role-based access and permissions, and behavior-based intrusion detection and amelioration." His current solution, however, consists of reading logs daily and doing defensive design and coding.
Another example of inadequate Microsoft security features occurred in one county government office. For three months, the office had been using Exchange for its e-mail server. The kicker is that more downtime occurred in those three months due to inadequate virus protection than it did during the five years Lotus Notes was used, an IT manager there said.
Perhaps Rob Burton, network support specialist at Washington, D.C.-based Levick Strategic Communications, summed it up best. If only Microsoft would release its products free of bugs, he said. In the so-called "perfect world," maybe they would.
Inadequate staffing and resources
"We don't even have a password policy!" said one IT manager. However, he can't even convince senior management at his company that a dedicated security group is needed.
That same IT manager, however, feels the security features in Windows 2000 are "excellent if implemented properly." But, how can he apply them with no support?
The best solution, the IT manager said, would be to implement an "Information Security Group" that defines system administrator roles for handling specific applications, policies and guidelines, risk/vulnerability assessments, incident handling/response, anti-virus protection and software licensing. With none of those dreams coming true, however, this manager is currently working with security liaisons to develop a security baseline and a self-assessment checklist.
"Top management does not feel putting money into appropriate security hardware, software and tech staff training is necessary," agreed John Lorimer, president of Lorimer Network Research. That is, until a disaster occurs, he said. Shortly after the disaster, "management goes back to the ostrich stance and starts ignoring requests from their IT staffs again. It is a vicious cycle," Lorimer concluded.
Lack of standardization in security products/tools/features
Jeffrey Cooper, an IT consultant from San Diego, Calif., finds researching the compatibility of different vendor's products a major issue. "Sometimes customers want to deploy a system with protocols that are not allowed to traverse their networks (i.e. dynamic UDP ports)," he said.
In a perfect world, vendors would make it easy to find what protocols they are using, what their bandwidth requirements are, and what assumptions they make about the network, Cooper said. With no surefire way to do that, Cooper currently digs through vendor and research-related Web sites to contact organizations that may know specific compatibility information.
Microsoft patches that don't patch
During Cooper's previous job as a systems administrator, he learned that big problems also reside with Microsoft's security patches. Reading security notices relevant to his company's NT network running SQL server and IIS configurations consumed much of his time.
Microsoft has tried to solve this problem by making computers check automatically for patch updates, Cooper said. But, "who wants their machine automatically going to Microsoft and downloading stuff?" Additionally, most Microsoft patches require Windows NT to be rebooted, he said. In the call center of a small network where Cooper works, requiring someone to stop working so patching could take place was not an effective use of time.
"Patches are a chore to keep up with and deploy," said Tony Conte, director of information and business systems at Racine, Wis.-based Horizon Retail Construction. In a perfect world, a single management console software application capable of monitoring the network both internally and externally for security vulnerabilities, patches, traffic and bottlenecks, and software updates would exist, he said.
Conte currently uses a command-line tool that assesses computers for their current security hot fix status. He spends "several hours each week running through patch/update/security tools to ensure the company keeps current and all holes are patched as they are found." He also keeps anti-virus software updated, scours security newsgroups and subscribes to the SANS newsletter.
Lastly, an IT manager for a different corporation complained of "Windows 'holes' forever needing to be patched." The NIMDA worm and the ILOVEYOU virus, for example, were catastrophic. He compared the damage to that of a hurricanes or flood. "Yet," he said, "Microsoft just blithely moves along ignoring the devastating effect of these security problems."
Problems with instant messengers
Instant messaging-caused security breaches have thwarted one business development executive from using Yahoo's Instant Messenger. Security personnel at his company don't want to open the network to any potential security breaches.
So, are these first five security headaches keeping you up at night? Please let us know. E-mail editor@searchWindowsManageability.com.
Our users' next five Windows security problems may not completely shock you. Their real world solutions, however, might intrigue you. Read part two of the top 10 security headaches to find out how your peers are taking charge of system security.
For more information:
This was first published in February 2002