SysAdmin Corner: 7 Network Security F-Ups Small Offices Make

F-up #6: Only defending the perimeter

Once I’m on, I’m in… to everything.

I can’t tell you how many times I’ve seen this, and it is far more dangerous and has far greater implications than anything written above in this article. It is also assuredly the least followed. Most sysadmins make the mistake that a network is a flock of sheep, needing protection from the wolves outside. Because of that, these sysadmins forget to do important things – like remember to lock the pasture gates so that the sheep don’t go eat your garden.

Network control is not just about protecting the inside users from the outside, it’s about protecting privileged information from non-privileged people. In every company, small and large, there are things that people need to do their jobs and things that people aren’t supposed to see or change.

The first of these steps is file permissions – whether it’s as simple as making your archives read-only or as important as padlocking the firm’s financial info to an individual user, user and group accounts should be used to protect data from the wrong hands. Follow that up with group policy that protects you from users (or people posing as users) changing or monkeying with settings in Control Panel or other sensitive administrative areas.

Network control is not just about protecting the inside users from the outside, it’s about protecting privileged information from non-privileged people.

Finally, consider your servers – every open port is a vulnerability, and every service is an exploit waiting to happen. One sysadmin friend even told me that on smaller networks especially, he firewalls every server individually. Even if you only have one, make sure that at least your software firewall is on and restrict or shut down the services and ports that not everyone needs.

The purpose of this protection is twofold – first, it keeps your data and settings from being tampered with by the wrong people inside your company. But second, it keeps a lucky script-kiddie from getting access to the goods if he or she just happens to trip over an exploit and stumble into your network. That rush of success turns to an overwhelming feeling of disappointment when that non-privileged account that was exploited just got a pass to nothing but some remedial documents like letterhead templates or a directory listing for files that can’t be accessed anyway.

F-up #7: Plugging the whole network into your Internet router

If you don’t need it on the ‘Net, don’t put it on the ‘Net.

Listen, it’s a weird, wired world out there. We all do so much business from our systems that we often forget what it’s like to not have the world at our fingertips. However, I also work in an office where financial data is everywhere – and to protect it, we don’t even hook our desktops to the Internet; instead, we use separate systems in each office for browsing, e-mail and research.

The truth is that not every user, and certainly far fewer servers, need online capacity. Internal networks can’t be breached when they don’t have an access point to breach from. Even when users need the Internet as an integral part of their day-to-day tasks (which are far fewer people than you’d think), many of these systems don’t need to share the same network with privileged data.

Sure, that all-in-one network that some supposed computer guru set up for you seems wonderful now, but do you need it?

If your information is sensitive enough, it may be time to consider cutting the cord to the outside world and letting your staff get their Internet fix through separate channels. Sure, that all-in-one network that some supposed computer guru set up for you seems wonderful now, but do you need it? Will you protect it? What would you do and who would you be liable to if it was breached?

If you can’t answer that last question, it probably doesn’t need to be connected to the Internet.

Final Thoughts

At the end of the day, even true tech geeks can become bogged down in the mires of information security – and there aren’t a lot of resources in between “Update your antivirus!” and complex pentesting whitepapers. My long-term goal in this series will be to bridge that gap a bit and arm you with the knowledge to defend your network. By learning some basic tools and understanding a bit of what is going on behind the scenes, you can help keep your home or business a lot more secure.

However, even the best security won’t hold when basic principles are missed. The seven points above are simple and effective methods that good admins follow, and bad ones ignore at their peril. Failing to do these steps is asking for trouble, no matter what else you try to do for your network.

Always remember though that information security is not as much about making something “hack-proof” (I assure you, there is no such thing) as making the risk and effort far greater than the reward for each task. A sysadmin’s goal is to balance the risk of exposure with the need for access. If the controls are too onerous, people will ignore them or bosses will demand they be removed.

If you’re ever in doubt as to whether you’re locking something down too tightly or not enough, go back to the big question: If this information was stolen, what would you do?

Discuss this article in our forums!

Have a comment you wish to make on this article? Recommendations? Criticism? Feel free to head over to our related thread and put your words to our virtual paper! There is no requirement to register in order to respond to these threads, but it sure doesn’t hurt!