January 19, 2005
A Different Look at Computer Security
If I were to ask you where your biggest computer security threat was for your organization, what would your answer be? Viruses? Spyware? Internet attacks? Spam? Weak passwords?
All of these items are valid security threats to your organization, but you may be surprised to know that even though you have protected yourself at your server and your connection to the internet, you are still vulnerable to each of these threats. Your biggest risk comes not from external attacks, but from within - at the internal desktop or laptop PC.
Many organizations spend a large portion of their IT budget to install protection at their internet gateways and servers. This is good practice and should not be modified. You should be running antivirus software on your servers, your internet gateways should be locked down to prevent external network attacks from getting to your servers behind your firewall, and so on. But what many organizations overlook is the weakest link that exists inside the organization.
The unprotected desktop PC is as much of a threat to security as an attack from the outside. Users bring software from home and run it on their work PCs. They download programs from the internet. They open e-mail attachments from their external mail providers. Any one person doing just one of these examples can cause an IT nightmare or, even worse, bring down the entire network.
So how do you protect your organization from the inside?
First, you need an organizational policy that dictates what is acceptable use for the computers in the organization. You need to make it clear to the users in the organization what they can and cannot do with the computers. Without such a policy in place, it could be very difficult for you to implement technology solutions that prevent your users from doing things that you consider a risk. For example, if you decide that you are going to block access to external mail sites, such as Yahoo or Hotmail, to help protect against viruses and spyware and you do not have a policy that states that organizational computers cannot be used to read personal mail, your users could at the very least complain about the actions taken to block e-mail access.
Next, your antivirus solution must protect at the desktop level as well as the server level. You need an antivirus product that runs on the desktop/laptop computers and scans files on the local hard drives. This software should be able to get updates installed automatically without user intervention. Without this, any program brought in on floppy disk or CD or downloaded from the internet could potentially infect the computer it's run on and others in the organization as well.
You also need to be running some sort of firewall at the desktop level. Over the last few years, several viruses have spread not by running an infected program on a computer but by transferring between computers on the network through security flaws in some of the network services running on the desktop. With a firewall in place, users are notified when a network program attempts to access their computer and they are presented with an option to allow or deny access. When presented with such an option, most users will refuse access to the program unless they know what it is and are expecting it. These users are also good about letting their IT counterpart know when something unexpected happens. But if your server and internet firewall are blocking external attacks, you don't really need to worry about a firewall at the desktop, right? Wrong. Again, if one user on the network downloads a program that is actually one of these network-aware viruses, your entire organization could be infected within a matter of minutes if not seconds. Enabling the built-in firewall in Windows XP SP2 is the best way to guard against this. If you are running Windows XP and have not yet installed SP2 or have not enabled the firewall in SP2, do so now. If you are not yet running Windows XP, there are third-party firewall solutions that will offer similar protection from this type of attack.
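As an added example (not part of the original post), the following batch script shows how an administrator can verify from a command prompt whether the Windows XP SP2 built-in firewall is on, and turn it on if it is not. It assumes Windows XP SP2 or later, where the `netsh firewall` context exists, and the log file path `C:\fwcheck.log` is a placeholder.

```batch
@echo off
rem Added example, not from the original post: check the Windows XP SP2
rem built-in firewall and enable it if it is off.
rem Assumes an administrative command prompt on Windows XP SP2 or later.
setlocal

echo === Current firewall state on %COMPUTERNAME% ===
rem "show state" reports the profile currently in use; one of its lines
rem reads "Operational mode = Enable" (or "= Disable").
netsh firewall show state

rem Look for the "Operational mode" line and check whether it says Enable.
rem "find" sets errorlevel 1 when the text is not found.
netsh firewall show state | find /i "Operational mode" | find /i "Enable" >nul
if errorlevel 1 (
    echo Firewall is DISABLED - enabling it now.
    rem mode=ENABLE turns the firewall on. exceptions=ENABLE keeps the
    rem configured exception list active, so approved programs such as file
    rem sharing keep working and users still see allow/deny prompts for the rest.
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE
) else (
    echo Firewall is already enabled.
)

rem Leave a one-line record so the IT counterpart can see the check ran
rem (placeholder log path).
echo %DATE% %TIME% %COMPUTERNAME% firewall check done >> C:\fwcheck.log
endlocal
```

Run it from a logon script or by hand on each XP SP2 machine. On a domain, the same result is better enforced centrally through the Windows Firewall settings in Group Policy, so a user cannot simply switch the firewall off again; the script is still useful as a spot check that the policy actually took effect.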
What about spyware? This is becoming the largest thorn in the side of organizations around the globe, and yet a large number of organizations are either ignoring the problem or just unaware of its magnitude. The situation is very similar to when computer viruses first began to become a real issue in the industry back in the late 1980s. Most people, including me, thought it was a hoax or just hype. But I quickly learned how bad the situation was and have been preaching antivirus education ever since. I'm seeing history repeat itself with spyware now. Since the computer world is aware of and used to protecting itself against viruses now, I don't believe that adopting practices to protect against spyware will present the same challenge, but we're still not quite there yet. The situation may be helped by the release of the Anti-spyware product from Microsoft. Even though it's a beta product and still has quite a bit of development to be done, the tool has some nice features and does work. If you are running PCs in your organization, you need to download this tool and at least take a look at it.
Finally, and most controversial, is to remove Admin rights from your users for the local machines. Windows XP offers three security levels for users on the computer: Administrator, Power User, and User. The User level is the most restrictive - users can only run programs that are already installed on the system and make very minimal changes to the computer environment. Power Users can do more customizations on the system, such as install some programs (those that do not need to add any components to the OS directories, for example), create file and printer shares, and change aspects of their user environment, but still cannot remove programs that are already installed or make changes to key system configurations, such as networking. This type of restriction is the best way to keep users from installing programs that you don't want on the systems, and to keep some spyware and malware apps from getting installed. Again, an acceptable use policy in place will protect you from users who complain that they can't do what they want on their computers.
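Before removing admin rights you need to know who has them. The following batch script is an added example (not from the original post) that lists the members of the local Administrators group on a Windows XP machine and flags any account that is not on an approved list. The approved names (`Administrator`, `EXAMPLEDOM\Domain Admins`, `ITSupport`) are placeholders; entries must be written exactly as `net localgroup` displays them, including any domain prefix.

```batch
@echo off
rem Added example, not from the original post: audit the local Administrators
rem group and flag members that are not on an approved list.
rem Assumes Windows XP; the approved list below is a placeholder.
setlocal enabledelayedexpansion

rem Placeholder list of accounts allowed to keep local admin rights.
rem Names containing spaces must be quoted; write them as "net localgroup" shows them.
set APPROVED=Administrator "EXAMPLEDOM\Domain Admins" ITSupport

echo === Members of local Administrators on %COMPUTERNAME% ===
rem "net localgroup Administrators" prints a header block (alias, comment,
rem "Members", a dashed line) before the member names, then a footer line.
rem skip=6 drops the header; the loop stops when it reaches the footer.
for /f "skip=6 tokens=*" %%M in ('net localgroup Administrators') do (
    set "MEMBER=%%M"
    if "!MEMBER:~0,21!"=="The command completed" goto done
    set FLAG=UNEXPECTED
    for %%A in (%APPROVED%) do (
        rem %%~A strips the surrounding quotes so both sides compare alike
        if /i "!MEMBER!"=="%%~A" set FLAG=approved
    )
    echo   !MEMBER!   [!FLAG!]
)
:done
endlocal
```

The script only reports; it changes nothing. Once you have confirmed that a flagged account should lose its rights, it can be moved out of the group with `net localgroup Administrators <account> /delete` and, if it needs more than a plain User, added to Power Users with `net localgroup "Power Users" <account> /add`. Running the report again afterwards confirms the change took effect.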
Without protecting the desktops as much as you can, you are not protecting your organization as well as you can. Antivirus and antispam tools on the server are necessary. Installing a firewall between your network and the internet is necessary. But these items alone are not sufficient to protect your entire network. Unless you protect the desktop as well, your IT organization will be chasing down more problems than they need to.
Posted by Q at January 19, 2005 08:45 AM