20 steps for securing your Information Technology, Microsoft Windows Business environment.

Technology alone will not solve the IT security problem.

Technology is an important part, but only a part of a comprehensive information security solution. Equally
important is the development of an information security policy for your company, an assessment of your
current situation, and training for all users and process owners.

Securing the internal network is as important as securing the external network (ex-employees,
contractors, temporary personnel, fired employees, Viruses …)

Also never think that Security incidents won’t happen in your organization, no matter how big or small you
are, because it does and once it hits it hits hard.

It is a must that the technical implementation is actually drafted from a policy not just on the ground only.

Security is part of an organization internal process never to be outsourced, Technical capabilities can be
found outside but the process should be owned by the organization only.

Below are some 20 steps to consider for securing your Information Technology, Microsoft Windows
Business environment:

One man do it all should not exist in your organization, small or big since it is a serious threat.
One man show was a phenomenon and is becoming more since the economy recession and this
may lead to the organizations depending on one single person to do the Security/IT
administration job and the High potential risk of losing him and its consequence on the job and
security aspect. (Retirement, Firing, Resignation or Sudden Death)

Lock down your workstations and Network

Don't Allow End Users and Administrators to Log On as Administrator
Create an alternative account non administrator for administrators, to do the daily work and when
admin privileges is needed use the RunAs Feature, the application will run in administrator
account privileges.

Disable Booting from CD, USB and everything else but the Primary Hard Disk, and put a
password on the Bios.
With that in place no change can be done, or any trials of booting from alternative.

Rename the Administrator and Other Highly Privileged accounts, first thing a virus tries is to get
admin privileges using the administrator account and trying passwords and if it is renamed with a
strong password then it is 100 % Safe

Defeat Password Crackers Enable password complexity in your environment no matter what.
And enabled password lockout (be careful Viruses e.g.: Conficker.C) Disable LM hashing. And
enable NTLM version 2 and run (LC 4 to test Cracking SAM)

Strengthen Windows Services.

Disable un-necessary service e.g. telephony or schedules.
Define the log on as a services accounts as a GPO.
Change Standard ports for Example SQL Server.

Work on NTFS permission for users files and important executable

And be careful on the registry it is an important part of security which you must secure, Firstly if it
is possible to stop remote registry access, and always deny non admin user to have write on it.

Run Firewall, antivirus, spyware on local Workstation and on networks for example internet/email
gateway (in case the antivirus on the Workstation is outdated or disabled) have different brands
make sure you antivirus can’t be disabled or killed.
Separate the external network from the internal, using DMZ; never Ever publish any service
directly to internet from the internal network.

Patch, Patch and Patch
Nothing more important as patching as an organization you need a patch management solution,
there is plenty in the market for Example Windows SUS which comes for free.
Others such as SMS, GFI, Shavlik.

Get a remote access solution, in case there is a need for it or in case a disaster hit and no
accessibility to the premises.

Get and Have an effective backup/Restore solution, Test Backups Frequently, and don’t forget to
integrate it to the policy.

Disable FTP access to the outside world.

Invest in your network:

Get network firewalls (from layer 1 to layers 7 today’s viruses are on all layers) for VPN/IPSec
Tunnels and segregation of network (VLANS)
Get web and email filters but an intrusion prevention system.
And not forgetting someone dedicated to look at the logs otherwise all the investment is thrown
away
Also encrypt tunnels or data if you have more than one branch, never send clear data and never
presume it is safe.

Lock, Log and protect the IT Server Room/Data Centre (theft, Fire, breaking, leakage)

Clustering Alone is not enough using Data replication where adequate also. Since Clustering only
protects application failure not data.

Do periodic external checks using Nesuss or any other product just to see if you are exposed to
the outside world.

Be careful of SNMP Components to change the password never leave them to defaults since a
virus/technical person can issue command to shut them down or unauthorized access to the
components can happen, which may lead to undesirable events.

Have all your employees acknowledge formally the IT/Security Policies and
procedures.

Wireless:
Be careful from wireless Networks if they are configured wrongly.
Always have them behind a firewall; always use high encryption and never use static
password connect them to a Radius server or any other password mechanism for
ultimate security.

About BCCManagement:

We’ve been in Business since 2006, we have participated in several related International Conferences
and seminars held in many countries including Canada, United Kingdom, and the United States.
Also, we published numerous Business Continuity studies and articles in renowned magazines and
international
websites, noting that BCCManagement had been actively involved in the development of standards
dealing with Business Continuity namely the Business Continuity Standard BS25999.
In 2009 BCCManagement has done a corporate partnership with Business Continuity Institute BCI to
bring its Client the state of the art Business Continuity practice.

http://www.bccmanagement.com info@bccmanagement.com
North America +1.800.961.7592 Fax: +1.613.248.5149 P.O.Box 42054- RPO ST Laurent,
Ottawa, Ontario K1k4L8, Canada
Middle East office +961.7061.9274 Fax: +961.923.2406 P.O.Box 116-5108, Beirut, Lebanon