Updated: November 14, 2005
Network Security: The Checklist
1. Conduct an assessment and risk analysis
Before you start an endeavor that can potentially affect the way your network resources are accessed, it’s important to fully understand what assets you have on your network and the way these assets are reached.
• Start by conducting an inventory of your network to catalog the applications, devices, and types of users. Using the asset management capabilities of Systems Management Server, or SMS, can help you gain a big picture view of the important services your network provides.
• Understand the applications in use and their communications paths—inside and outside the network. This includes mapping which TCP/IP ports are being used by each application, why they’re being used, and what normal communications traffic looks like. This will help you decide how to implement the appropriate access controls to safeguard sensitive data.
• Define what “health” means. For example, what does it mean to be compliant with corporate IT policies for antivirus, patch levels, firewall configuration, and credentials? Microsoft offers a number of resources on TechNet to help develop a compliance strategy. Refer to the "Security Risk Management Guide" for details on best practices in this area. You can find this guide in the TechNet Security Center.
• Develop organizational security and access policies. Again, tools like the “Security Risk Management Guide” on the TechNet Security Center offer insights into developing this important plan.
• You may also want to complete the free online Microsoft Security Assessment Tool to help you evaluate your organization’s security practices and to identify areas for improvement.
Links to both of these tools are available at the Microsoft Events and Webcasts Web site.
2. Protect your organization’s critical network applications
Once you’ve developed your security and access policies, implement solutions to protect your critical applications and the servers where they reside.
• If you haven’t already, deploy Active Directory directory services. Active Directory can provide you with the means to manage and to administer your Microsoft Windows user accounts, security policies, and enterprise resources, such as computers, printers, data, and applications. For more guidance about how to deploy or expand your use of Active Directory, see Chapter 4 on Directory Services in the Microsoft Identity and Access Management Series. The link is available at the Microsoft Events and Webcasts Web site.
• Implement Microsoft Internet Security and Acceleration Server 2004 (ISA Server) to add application layer filtering across your e-mail, Web portals, and other networked applications. ISA Server offers deep content inspection and application-specific network access controls to prevent malicious attacks against Microsoft Exchange, SharePoint, or other Web-based applications. This can help mitigate malicious traffic that may be tunneling across HTTP (port 80) as a means to evade traditional firewall access controls. You can find more information about how to deploy ISA Server at the Microsoft Internet Security and Acceleration Server Web site.
• Consider deploying Microsoft Sybari security products to help protect e-mail and collaboration servers from viruses, worms, spam, and inappropriate content. With a layered, multiple-scan engine approach, these products help stop the latest threats before they affect your business or your users. Tight integration with Exchange, SharePoint, and Live Communications Server ensures strong protection and centralized control without taxing server or network infrastructure performance.
• To help reduce the risk of unauthorized exposure of sensitive data or files as they travel outside the company and reside on mobile computers, consider implementing Windows Rights Management Services (RMS). RMS protects the confidentiality and integrity of Microsoft Office documents. RMS is designed to provide policy definition and enforcement for documents that will be distributed to others. The value of RMS lies in the combination of both policy and encryption technology, which lives with the document wherever it travels.
3. Implement client protection solutions
Since client computers may be connecting to your networked resources from outside the corporate network, it is important to follow desktop security best practices. Those practices are as follows:
• Enable a desktop firewall. Consider using the Windows XP SP2 desktop firewall.
• Install and maintain antivirus and anti-spyware protection.
• Ensure automatic updating is enabled. Make sure you have a solution such as Microsoft Windows Server Update Services (WSUS) or Systems Management Server (SMS) in place to distribute updates to all the computers in your environment.
• Consider deploying Windows XP Service Pack 2. This is particularly important for your mobile laptops and remote computers.
4. Protect the extended enterprise network
Even though more ubiquitous connectivity can yield numerous business benefits—like productivity gains and operational cost savings—it has the potential to introduce new risks to the organization’s networked infrastructure. It’s important to mitigate the potential risk introduced by remote or mobile users as well as by non-managed computers, such as when contractors or vendors connect to your network.
• To address this you can use Server and Domain Isolation based on Active Directory and Windows IPsec to dynamically segment your Windows environment into more secure and isolated logical networks. This practice helps protect your managed computers from malicious attacks. As part of an overall defense-in-depth security strategy, server and domain isolation offers customers the flexibility to logically isolate an entire managed domain or to create more secure virtual networks of specific servers, sensitive data, and clients. Communications between computers are authenticated and restricted to authorized hosts and their respective users based on their credentials. This process helps mitigate the risk of costly network attacks and unauthorized access to trusted networked resources. Optionally, highly sensitive network traffic can be encrypted to help prevent unauthorized monitoring. For more information about server and domain isolation, visit the Microsoft Windows Server 2003 Web site.
• Implement remote procedure call (RPC) over HTTP to reduce the need for virtual private networks (VPN). You can configure user accounts in Microsoft Office Outlook 2003 to connect to Microsoft Exchange Server 2003 over the Internet without using VPN connections. Connecting to an Exchange account by using RPC over HTTP allows Outlook users to access their Exchange Server accounts from the Internet when they are traveling or working outside their organization's firewall.
• Implement the Network Access Quarantine Control (VPN Quarantine) features supported by both ISA Server 2004 and Windows Server 2003 to validate that the computers that are making connections are in compliance with corporate health policies.
• Implement 802.1X for wireless protection. The 802.1X standard defines port-based network access control to provide authenticated network access. It offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. For example, 802.1X combined with Active Directory and Microsoft PKI for Windows Server 2003 can allow organizations to use certificates as an authentication means. Refer to the wireless security guidance available at the TechNet Security Center for best practices about securing wireless communications.
5. Prepare for future innovations
Network Access Protection, or NAP, for Windows Vista and Windows Server “Longhorn” is a policy enforcement platform. NAP allows administrators to create solutions to validate client health before network connectivity, restrict computers that do not comply, and then enforce the required updates or access to required resources on an ongoing basis. The validation and enforcement features of NAP can be integrated with software from other vendors or with custom programs. You can find more information about NAP and a complete list of vendors at the Microsoft Events and Webcasts Web site.
If you’re interested, consider beta testing Windows Server “Longhorn” when it’s available.
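The "health" definition from step 1 and the quarantine decision described for VPN Quarantine and NAP come down to a policy check run against what a client reports about itself. The following is an added example, not Microsoft's code or any NAP API: a hypothetical health policy (firewall on, antivirus running with recent signatures, automatic updating on, required updates installed) evaluated against constructed client states, returning either full access or a quarantine decision with the reasons the client must remediate. The update identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical health policy modelled on the checklist's "health" definition.
@dataclass(frozen=True)
class HealthPolicy:
    required_updates: frozenset
    max_signature_age_days: int = 7
    require_firewall: bool = True

# What a client reports about itself at connection time (constructed fields).
@dataclass(frozen=True)
class ClientState:
    name: str
    firewall_enabled: bool
    antivirus_running: bool
    signature_date: date
    installed_updates: frozenset
    auto_update_enabled: bool

def evaluate_health(client, policy, today):
    """Return (decision, reasons). 'allow' grants full network access;
    'quarantine' restricts the client to remediation resources and lists
    every policy item it failed, so nothing is hidden behind the first failure."""
    reasons = []
    if policy.require_firewall and not client.firewall_enabled:
        reasons.append("desktop firewall disabled")
    if not client.antivirus_running:
        reasons.append("antivirus not running")
    elif (today - client.signature_date).days > policy.max_signature_age_days:
        reasons.append(f"antivirus signatures older than {policy.max_signature_age_days} days")
    if not client.auto_update_enabled:
        reasons.append("automatic updating disabled")
    missing = sorted(policy.required_updates - client.installed_updates)
    if missing:
        reasons.append("missing updates: " + ", ".join(missing))
    return ("allow" if not reasons else "quarantine", reasons)

# Constructed sample data: placeholder update ids, made-up client names.
POLICY = HealthPolicy(required_updates=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))
TODAY = date(2005, 11, 14)
CLIENTS = [
    ClientState("laptop-01", True, True, date(2005, 11, 12),
                frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}), True),
    ClientState("laptop-02", False, True, date(2005, 10, 1),
                frozenset({"KB-EXAMPLE-1"}), True),
]

def triage(clients=CLIENTS, policy=POLICY, today=TODAY):
    """Map each client name to its (decision, reasons) pair."""
    return {c.name: evaluate_health(c, policy, today) for c in clients}
```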
6. Monitor and refine policies as business needs evolve
It is important to monitor network traffic and computer systems to identify possible security breaches, such as intrusions or attacks from outside the organization. For additional information, check out the Security Monitoring and Attack Detection Planning Guide on the TechNet Security Center. It is also important to update your security policies and procedures as your business evolves. For example, after an acquisition or an organizational change, review your identity and access management practices.
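The port inventory from step 1 only pays off in step 6 if it is kept as a baseline and compared against what servers actually expose. The following is an added example, not from the original article: it parses constructed output in the shape of `netstat -ano` on Windows XP/2003, keeps only sockets that accept inbound traffic, and flags any listener that is missing from the approved (protocol, port, process) baseline or is owned by a different image than expected. The process names, PIDs and addresses are made up, and the PID-to-image mapping stands in for what `tasklist` would report.

```python
import re

# Constructed sample in the layout of 'netstat -ano'; all values are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1020
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2544
  TCP    10.0.0.5:1042          10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    720
"""

# Hypothetical PID -> image name, as 'tasklist' would show it (constructed).
PROCESS_NAMES = {1604: "webproxy.exe", 912: "svchost.exe", 4: "System",
                 1020: "svchost.exe", 2544: "update.exe", 720: "lsass.exe"}

# Approved baseline recorded during the inventory step: (proto, port) -> image.
BASELINE = {("TCP", 80): "inetinfo.exe", ("TCP", 135): "svchost.exe",
            ("TCP", 445): "System", ("TCP", 3389): "svchost.exe",
            ("UDP", 500): "lsass.exe"}

# proto, local addr, local port, foreign addr, optional state, pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_listeners(text):
    """Return {(proto, port): pid} for sockets that accept inbound traffic:
    TCP sockets in LISTENING state and every bound UDP socket."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, _local, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound/established connections are not exposure
        listeners[(proto, int(port))] = int(pid)
    return listeners

def find_deviations(listeners, baseline, names):
    """Flag listeners absent from the baseline or owned by an unexpected image."""
    findings = []
    for key, pid in sorted(listeners.items()):
        image, expected = names.get(pid, "unknown"), baseline.get(key)
        if expected is None:
            findings.append((key, image, "not in baseline"))
        elif expected != image:
            findings.append((key, image, f"expected {expected}"))
    return findings

def report(text=NETSTAT_SAMPLE, baseline=BASELINE, names=PROCESS_NAMES):
    return find_deviations(parse_listeners(text), baseline, names)
```

Each finding is a triage item, not a verdict: an unexpected listener may be a new approved service that the baseline has not caught up with, which is exactly the policy refresh this step calls for.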
For more information about the steps that are listed in this article, visit the Microsoft Events and Webcasts Web site.