Industry Standard Security Best Practices

Network security is a must in any network, but when it comes to a business network, there are a number of industry standard security best practices that ensure you have control over your network.

Businesses in certain industries secure. Many different companies require different security standards; one organization for instance is the PCI (Payment Card Industry). The payment card industry has very a strict network security standard.

The below practices are fairly strict and will offer you a great deal of control and protection against data theft and network intrusion.

Modem

We will start from the outside edge of your connection of your network and work our way in from your modem on into client workstations.

The modem is probably the simplest device on the network – you can’t really secure it (beyond performing regular updates), but some ISP’s feature a built in firewall in the modem. This can be turned on or off to work in conjunction with your company’s firewall.

Firewall

The next item to take a look at is your router/firewall. Generally you would have a router that offers several ports you can connect to via a direct Ethernet connection as well as WiFi access.

This firewall will add another layer of protection for when your network connects to the Internet. When configured properly, you would block all unauthorized network connections. As far as protecting the WiFi goes you are best to enable MAC filtering.

Each piece of network hardware has a unique identifying numerical code, called a MAC address. Filtering by MAC lets you set up WiFi so that only devices you explicitly define are allowed to connect to your network.

Once you have MAC filtering in place, you can also encrypt network traffic and use a long secure password. Since the clients on the network will not need to type this password in all the time, it is best to make a complex password containing both capital and lower case letters, numbers, and symbols.

Another option to further increase security when it comes to WiFi connections is to set the access point to not broadcast it’s SSID. This will make it look to the normal person as if there is no wireless connection available.

Server

There are a lot of features that can be enabled at the server to further improve network security. The first item to review is the group policy. Group policy is part of the server operating systems that allows you to centrally manage what your client workstations have access to and how.

Group policies can be created to allow or deny access to various locations on your users’ desktops. You can get as granular as defining a group policy that sets standards on user passwords.

By default, Windows Server 2008’s password policy requires users to have passwords with a minimum of 6 characters and meet certain complexity requirements.

While these settings are the defaults, generally 8-10 characters is recommended as well as mixing upper and lower case letters, numbers, and special symbols. An example of a complex password might be @fF1n!ty (Affinity). This password would meet all complexity requirements and is fairly easy to remember. Passwords should also be forced to reset every so many days. A good time period is roughly 30 days.

One other possible option is to have firewall software installed on the server itself to regulate traffic in and out of the server.

The nice thing about having a firewall on the server itself is that you have the ability to log failed connections to the server itself as well as what that connections is and where it was coming from.

This feature alone gives you a lot more control over the network. For example if you noticed in the firewall logs on the server that a connection you didn’t want getting through was making it to the server you can go back and edit policies on the router/firewall to attempt to further lock down your network from that point as well as blocking it at the server.

One final quick thought on server security is physical security.

Generally it is a good practice to have the server physically locked in a room that only specific people have access to. If you really wanted more control as well you can have the server locked using a system that logs who comes in and out of a room via a digital keypad and their own passwords.

When it comes to your workstations, employees should only be logging into the workstation via their domain login and not using the local admin login.

This will allow you to centrally control via group policy what they can access like stated above. You can also configure roaming profiles so that if someone was to steal a physical workstation they would not have access to any company information as it would all be stored on the server and not that workstation – which is another great reason to have your server locked up.

Employee logins to workstations should also have account lockout policies in place so that if a user attempts to login too many times with an incorrect password, the server would lock them out on that workstation for a time period set by the administrator. One other item you could have in place for various employees is specific time periods their credentials will allow them to log into the systems.

One final step in network security is having good antivirus software installed on your workstations and your server. A compromised machine can be giving your passwords and information away to hackers making it possible for them to waltz right into your network undetected.

You are best protected by having as many of the above security steps configured and working properly on your network.

Determine what your network needs, evaluate the practice after it has been in place for a month and make the proper adjustments to ensure your network is safe. You should also preform regular security audits.

If you would like to see how secure or unsecure your network is give us a call and we can perform a network security audit for you and let you know where you stand!

Featured Article Written By:
Frank Wright