8 best practices for proactive security
Prepare for security risks and threats before they cause problems.
At a time when business conditions can change overnight and data security threats can emerge without warning, the best way to guard against risk is to plan for it before it materializes. These tips from Keith Mayer, chief technology officer at BrightPlanIT, a Microsoft Gold Certified Partner in Buffalo, New York, who specializes in security best practices for midsize companies, may help you avoid problems so that you don't have to react fast after they occur.
| • | Create security zones
When all your computers talk to each other via your servers, they can easily pass viruses and malware across your entire network. If you have more than two servers, limit the number of PCs each one supports so that security problems can't travel through them from one desktop to the next, Mayer says. You can do this with the IPsec Domain Isolation feature, which is supported on Microsoft Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. |
| • | Standardize settings
Create standard network usage rules that let your employees perform only the operations they need to do their jobs, Mayer advises. Limit or block their ability to install software, change settings, or otherwise customize their computers in ways that might expose them to infection or corruption. |
| • | Put sentries at the gates
Make your employees think twice before they click: Set Internet Explorer 7 to Protected Mode on all your PCs. Available only to users running Windows Vista, Protected Mode warns them when Web sites or e-mail messages are trying to execute or upload programs. They have to agree to the action before it continues. |
| • | Maintain your update schedule
"Missing regular security patch updates is a leading cause of security vulnerabilities at the desktop level, but it's so easy to avoid," Mayer says. Microsoft provides a free program, Microsoft Server Update Services (WSUS), that automatically downloads security patches for your IT team to review and install companywide. |
| • | Protect data on the road
Encrypt laptop hard drives with Windows BitLocker Drive Encryption, included in Windows Vista Enterprise and Windows Vista Ultimate. If they're stolen, the information they contain will be harder to access. |
| • | See who's knocking, then lock the door
Built-in security auditing in Windows Server 2008 can help your IT staff spot repeated suspicious attempts to connect to your network. IT can then change passwords and disable logins to thwart further attempts. |
| • | Centralize security reporting
Windows Server 2008 can store security audit reports from your entire network on a single server for quick retrieval and review. It can also create automated e-mail alerts triggered by specified security events—for example, whenever a specific account has three consecutive failed logins. |
| • | Manage your network as a unit
"Rather than see your network as a collection of workstations and servers that need individual management, treat it as a single entity that needs to change quickly as conditions change," Mayer says. A desktop and server platform, such as the Microsoft System Center family of products, lets you push configuration changes and new software components to your entire network at once. That way, even if you can't predict the next threat, you're ready to face it if it happens. |
 | Fawn Fitter is a freelance writer in San Francisco who specializes in business and technology. She contributes regularly to the Microsoft Midsize Business Center. |
