31 Things Admins Should Do to Increase Their Web Security
System admins need to deal with several issues to keep the company network running smoothly; the primary one being that of ensuring web security is maintained in the best way possible.
For this reason, I have gathered a list of the 31 most important steps admins should consider to improve their web security strategy.
1. Patch your servers – unpatched machines leave you vulnerable to various types of exploits. Make sure that all the latest security and critical updates are in place, not just for your operating system, but especially for other software being used on servers. Service Packs should also be applied as soon as possible.
2. Disable browsing/browsers on the servers – servers should never be used for browsing.
3. Practice the principle of least privilege. Always give services, servers, and users the least privileges they require to run. Additional privileges are an added risk. Yes it’s comfortable to just give admin rights, to solve permission issues but – from a security perspective – it’s a very bad idea.
4. Never reuse passwords – especially for service accounts.
5. Use complex passphrases often, with uncommon punctuation marks and intentional spelling mistakes. Example: Th15probab11yastra(o)ngebuzzword##. Never use a dictionary word, or something such as qwerty12345 which someone looking over your shoulder can snoop. If you run out of ideas, check this out: http://www.onlinepasswordgenerator.com/password.php
6. Do not allow users to store passwords in their browsers – disable this as a GPO policy. Better an inconvenience than an exploit. IE8: http://technet.microsoft.com/en-us/library/cc985351.aspx, IE9: http://technet.microsoft.com/en-us/library/gg699401.aspx
7. Patch your end-point machines; this patching of end user machines is as high a priority as that of servers, if not higher. Since users are constantly browsing using these machines, they might be more prone to coming across exploits.
8. A critical component which must always be up-to-date is the web browser. Always make sure that the latest versions with the most recent updates are in place – most exploits target web browsers specifically.
9. Implement a policy where your users are only allowed to use secure web browsers – without showing any bias to any specific browser, we all know that some browsers are more secure than others.
10. Restrict downloads by file types – although you might want to allow your users to download audio and video files, if they have no reason to install software on their machine, restrict the possibility of downloading certain file types such as .exe, .msi, and other potentially malicious file types to only those who really need them.
11. Remove administrative access to users except to those who really need it – and you should have very few of those. Anybody who needs to install software should do this via their IT administrator.
12. Scan all downloads at the perimeter using multiple scanning engines – antivirus vendors have different strengths and weaknesses, and different response times to different types of threats. Multiple antivirus engines ensure you get the strengths of each product, with the weaknesses of any product being mitigated by the other products.
13. Have yet another (different) antivirus at each end point. One which focuses on being extremely fast to keep it non-intrusive.
14. Invest in a latest generation firewall – one which can perform Deep Packet Inspection. Exploits can easily appear via a port which you voluntarily left open (HTTP/HTTPS).
15. Monitor uploads and upstreams to strange geographic IPs, or large constant upstreams – these may indicate a botnet infection. You’ll need to run disinfection software to ensure that the end-point has not been compromised. It is likely that these infected computers are sending out hundreds of spam messages (risking your public IPs becoming blacklisted), or used to perform DDoS attacks.
16. Implement AppLocker – this allows you to only allow approved applications to execute. In this way you can ensure that malware has no chance to be installed or run, and no user can cheat and bypass your policies using portable applications. http://technet.microsoft.com/en-us/library/dd723686(WS.10).aspx
17. If you cannot implement AppLocker, you can still block portable applications and other unauthorized software – use software restriction policies (http://technet.microsoft.com/en-us/windows/aa940985.aspx)
18. On a similar note, deploy Windows 7 – it contains hundreds of additional security features over previous flavors of the operating system (http://www.microsoft.com/security/pc-security/windows7.aspx)
19. Always have a clean install restore point – just in case the worst happens. (http://windows.microsoft.com/en-GB/windows7/Create-a-restore-point)
20. Remember to always have regular backups of your data and important stuff. As an aside, also remember to back up your mobile contacts. It’s annoying to lose your phone; it’s catastrophic to actually lose a lifetime of contact numbers.
21. Put event logging and auditing in place – you really want to know as soon as possible that some critical event has occurred, like any attempted attack on your servers.
22. Block websites or prevent uploads to websites which allow you to send large files. For convenience purposes or just out of laziness, your employees might actually be leaking critical, confidential data. If you need to use these websites, only use approved ones which are known to be trustworthy so that at least you can maintain control. Use a common account and remove the files once they are no longer needed. Password-protect the files if possible.
23. Do not develop a habit of clicking random links on Facebook, Twitter, YouTube or anywhere else – be suspicious of all links, even those coming from people you trust. Educate as many people about this as possible. Malware authors also use simple tricks such as creating a fake domain such as: http://Microsoft.validlookingwebsite.biz or http://facebook.prettyname.info. Any short URLs actually create a problem with all sites looking nearly identical.
24. In general, don’t visit websites which you don’t know – if you have reason to do so, implement web reputation blocking – and therefore only visit websites with a good reputation as they expose minimal risk.
25. Don’t download and install software unless you have significant reason to trust the software – especially nothing coming from hacking/cracking websites. Hidden malware in these sites is the order of the day, and if you are trusting somebody who is making it easier to steal software, do you actually trust them to run software on your machine?
26. Ensure that your antivirus and web security engines can scan HTTPS encrypted websites, links and downloads. HTTPS websites are typically used by malware authors to disguise themselves from for scanning engines.
27. Block sites which are known to be malicious, or use a security engine which does this implicitly.
28. Block known phishing sites, or use a security engine which does this implicitly.
29. Test the waters – perform a dummy social engineering attack, send out an email which mimics a phishing or malware attack. Log those people who fall for the trap and educate them. Remember they’re probably very good at their job, but might not be as tech-savvy as you are.
30. Block or control Instant Messaging (IM) clients – these are often used by malware authors to propagate malicious content.
31. Educate constantly – you might be on top of your game, but not all browsing users are. Ensure they realize the risks they introduce the network to when performing certain actions, so they can take their own responsible actions.
Following these points will help any system admin ensure web security is top notch. Have any other points to add to the list? Leave a comment.