Small businesses tend to focus on threats from outside. While threats from the outside are very real and demand your attention, threats from inside (both intentional and accidental) also need proper attention to prevent your critical data from getting out into the wild.
Practice Least Privilege Access
There are two basic ways to structure security. The first is an “open access” structure, which assumes everyone has rights to everything and counts on you restricting access for those who DON’T need it. The second, and better, is a “closed access” structure, which assumes no one has access to anything, so you have to grant access to resources.
Obviously, the second (“closed access”) is going to take more time to implement properly AND more time to manage effectively, but it is well worth the time and effort.
Just FYI: most network operating systems (including Windows Server) come out of the box with the “open access” method. Here is the risk.
If you create a directory (e.g. “Files”) and share it out with rights for everyone, then create a sub-directory (e.g. “Administration”), the access that you granted to everyone in the parent “Files” directory flows downhill into the sub-directory as well, unless you explicitly block it.
This small issue is what gets lots of companies in trouble: they organize files and folders without understanding the security implications.
Set Very Restrictive Permissions
On The Folder Level Via Group Membership
Data on a Windows network should be stored on an NTFS partition and access controlled via a domain controller, preferably via group membership.
Appropriate permissions on folders are a must. Remember to give users the lowest level of permissions possible to do their jobs. This granting of permissions should be done via group membership.
For example: create a group called “HR” and a directory called “HR”, grant the HR group the proper rights to the HR directory, then add the proper people to the HR group. This allows you to easily add or remove people’s access as you add/remove people or as people change roles.
Remember that rights granted to a folder ‘flow down’ to files and folders in that directory. This can be overridden by changing the inheritance settings, but it is best to organize folders logically so that you don’t have to exclude inheritance.
Avoid setting permissions on individual files because this gets hard to manage and even harder to figure out who has access to what.
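The HR example above, written out as an added PowerShell sketch (not part of the original article). The path `D:\Files\HR` and the domain group `CONTOSO\HR` are assumed names; the script blocks inheritance from the parent share, grants access by group only, and then lists any item underneath that carries its own explicit entries.

```powershell
# Added example. Assumed names: D:\Files\HR and the domain group CONTOSO\HR.
# Run in an elevated PowerShell session on the file server.
$path  = 'D:\Files\HR'
$group = 'CONTOSO\HR'

New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl = Get-Acl -LiteralPath $path

# "Closed access": stop permissions flowing down from D:\Files.
#   $true  = protect this folder from inheritance
#   $false = do not keep copies of the entries it was inheriting
$acl.SetAccessRuleProtection($true, $false)

# Grants made here should flow down to subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Access is granted to groups only, never to individual user accounts.
$grants = @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = $group;                   Rights = 'Modify' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Identity, $g.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $path -AclObject $acl

# Review: list every file or subfolder that has explicit (non-inherited)
# entries. Ideally this prints nothing, because all access comes from the
# group grant on the HR folder itself.
Get-ChildItem -LiteralPath $path -Recurse -Force | ForEach-Object {
    $item = $_
    (Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $item.FullName } },
                      IdentityReference, FileSystemRights
}
```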
Audit File Access
Auditing who is accessing what is a critical piece of the data protection puzzle. Your ability to see who accessed what and when is critical when security questions arise.
There are lots of good file auditing packages out there, and Windows Server includes the ability built in, called ‘object access auditing.’
The key here is to only audit the important stuff, which makes the information you gather more pertinent. For example, maybe you have a folder called “Public” which everyone has access to and which is used as a general file share for non-sensitive information. No need to audit file access here; it just clogs your audit logs.
A better example would be to audit access to important customer documents.
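An added PowerShell sketch of targeted object access auditing (not part of the original article), assuming a current Windows Server release, an English-language system, and a sensitive folder at the assumed path `D:\Files\Customers`. It enables the audit policy, places an audit entry on that one folder only, and reads back the resulting access events.

```powershell
# Added example. Assumed path: D:\Files\Customers. Run elevated.
$path = 'D:\Files\Customers'

# 1. Enable the "File System" subcategory of object access auditing.
#    (Subcategory names are localized; this is the English name.)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) to the sensitive folder only, so that
#    general shares such as "Public" do not fill the Security log.
$acl = Get-Acl -LiteralPath $path -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None, $flags)
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $path -AclObject $acl

# 3. Report who touched what in the last 24 hours.
#    Event ID 4663 = "An attempt was made to access an object".
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Turn the event's named data fields into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Keep only events for objects under the audited folder.
    if ($data['ObjectName'] -like "$path*") {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object = $data['ObjectName']
            Access = $data['AccessMask']
        }
    }
}
```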
Control Wireless Access
Lock access points down tight! I don’t care if you have visitors and want it to be easy for them to access your network. Problem with this arrangement is that it is now easy for ANYONE to access your network.
Using WEP and disabling SSID broadcasts are easily overcome with tools widely available on the Internet.
The best way: use Extended Authentication and hook your access points into your Windows Server infrastructure so that the server has to authenticate people who want to log into the access point. The LinkSys WAP54G will do this.
The benefit here is that you can allow your users to access the access point via their network login and password and create logins for visitors that you can easily enable and disable as needed to allow and deny access to the wireless networks.
Centrally Control Remote Access
With so many companies providing and even encouraging remote workers, you can’t overlook the dangers of someone grabbing data without ever setting foot on site.
The best way to have some level of control on this is to centrally administer remote access. Many companies I have spoken with use individual PCAnywhere accounts to allow remote access. This is a disaster in the making because it does not give the business owner any control over the remote access.
Ideally you are using Small Business Server, which supports Remote Web Workplace and allows you to centrally grant and deny rights for users to remote in to their PCs.
Certainly, there are a ton of other ways your data can walk off. Users can print off reports, email sensitive data to their personal accounts, or someone can simply pick up documents from your trash bin. Put some thought into these issues; don’t panic, but make some progress towards nailing down the 5 items above and you will have a huge head start on protecting your data.
Good Networking!
Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct
Things to Think About…
- Understand where your risks are. Taking the time to understand HOW data can walk off is the first step to locking it down.
- Don’t accept any excuses with data security. The data that your company has created is its lifeblood; protect it as such!
- Prepare for the future. Most employers think that they don’t need to worry about a disgruntled employee walking off with data (or giving it to a competitor) because, at the moment, everything is A.O.K. Don’t assume things won’t change.






