In a large network with many computers handling private information, do you perform routine tasks (daily, weekly, monthly, quarterly, yearly) to ensure your computers and network are safe and secure, as well as up to date and performing well?
The network I work with has 170 endpoints among 7 buildings across 4 campuses. All of the workstations are currently individually managed (no AD or other domain controller yet [in the works; the previous IT guy didn’t know it was a good idea]) and I need to put together a list of tasks to do every so often to ensure we are secure.
How you setup your network is as important as tasks, and will define tasks. For example:
- Firewall at each location (then keep them up to date and configured properly). You could do antimalware and other IPS functions at this level.
- Separate Private and Guest networks. We have three: Church Owned (only computers and equipment that the church owns), Mobile (Staff BYOD/Personal devices), and Guest. The Mobile and Guest networks do not have open access into the Church Owned network. Do not give out the password to Church Owned wireless. Ruckus can do Dynamic PSK so that each device has a unique password and can be revoked centrally.
- Email spam filtering and email archive. This can block malicious files and emails, as well as archive for compliance reasons.
- Web filter (not only protects against inappropriate sites, but blocks known malicious sites as well).
- Antivirus on computers. Ensure they are up-to-date.
- WSUS for Windows to ensure security patches are being done.
- Keep browsers and apps up-to-date to ensure known vulnerabilities are patched.
- Train the staff on locking their computers as they leave their computer, as well as the basics of not opening or responding to anything they were not specifically expecting.
As you ensure your network is built with security in mind, keeping things up-to-date with upgrades, patches, etc., will become your regular tasks. Don’t forget patching at all levels, from firewalls to switches to computers and servers, etc. And definitely Active Directory for centralized management.
I’m sure I’m missing a few things that others will recommend. Hope this helps.
- Configure AD for minimum password requirements and password expiration.
- Enforce passwords across all devices (computers, tablets, smartphones).
- MAC filtering at LAN and WLAN.
- Local admin vs non-local admin.
These are a few more that I thought of. I’m on the go.
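Since the workstations are still individually managed, the checklist above (antivirus up to date, patches applied, local admin vs non-admin, password policy) has to be verified per machine for now. The script below is an added example, not code from this thread or from any product mentioned in it: a per-workstation audit you can run from an elevated Windows PowerShell 5.1 session on each PC and collect centrally. The report share `\\FILESERVER\audit`, the allowed admin account `ITAdmin`, and the thresholds in the `param` block are placeholder assumptions; step 2 assumes Windows Defender is the antivirus.

```powershell
# Added example (not from the original thread): per-workstation security audit
# for standalone (non-AD) Windows 10/11 machines. Run elevated on each workstation.
# ASSUMPTIONS: \\FILESERVER\audit and the 'ITAdmin' account are placeholders;
# Defender is the AV (replace step 2 for a third-party product).
param(
    [string]$ReportPath         = "\\FILESERVER\audit\$env:COMPUTERNAME.csv",
    [string[]]$AllowedAdmins    = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\ITAdmin"),
    [int]$MaxSignatureAgeDays   = 3,
    [int]$MaxPatchAgeDays       = 45,
    [int]$MinPasswordLength     = 12,
    [int]$MaxPasswordAgeDays    = 90
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Computer = $env:COMPUTERNAME; Check = $Check; Status = $Status; Detail = $Detail
    })
}

# 1. Local admin vs non-local admin: flag anyone in Administrators not on the allow list.
$admins     = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$unexpected = $admins | Where-Object { $AllowedAdmins -notcontains $_ }
if ($unexpected) { Add-Finding 'LocalAdmins' 'FAIL' ("Unexpected members: " + ($unexpected -join ', ')) }
else             { Add-Finding 'LocalAdmins' 'OK'   ($admins -join ', ') }

# 2. Antivirus is running and its signatures are current (Defender cmdlets).
try {
    $mp     = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
    if ($mp.RealTimeProtectionEnabled -and $sigAge -le $MaxSignatureAgeDays) {
        Add-Finding 'Antivirus' 'OK' "Real-time protection on; signatures $sigAge day(s) old"
    } else {
        Add-Finding 'Antivirus' 'FAIL' "RealTime=$($mp.RealTimeProtectionEnabled); signatures $sigAge day(s) old"
    }
} catch {
    Add-Finding 'Antivirus' 'UNKNOWN' "Defender status unavailable: $($_.Exception.Message)"
}

# 3. Security patches: age of the most recently installed update (what WSUS will enforce later).
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $patchAge = ((Get-Date) - $lastFix.InstalledOn).Days
    $status   = if ($patchAge -le $MaxPatchAgeDays) { 'OK' } else { 'FAIL' }
    Add-Finding 'Patches' $status "Last update $($lastFix.HotFixID) installed $patchAge day(s) ago"
} else {
    Add-Finding 'Patches' 'FAIL' 'No installed updates reported'
}

# 4. Local password policy, parsed from 'net accounts' (the same settings AD will push later).
$acct   = (net accounts) -join "`n"
$minLen = if ($acct -match 'Minimum password length:\s+(\d+)')        { [int]$Matches[1] } else { 0 }
$maxAge = if ($acct -match 'Maximum password age \(days\):\s+(\S+)')  { $Matches[1] }      else { 'Unlimited' }
$pwOk   = ($minLen -ge $MinPasswordLength) -and ($maxAge -ne 'Unlimited') -and ([int]$maxAge -le $MaxPasswordAgeDays)
Add-Finding 'PasswordPolicy' $(if ($pwOk) { 'OK' } else { 'FAIL' }) "MinLength=$minLen; MaxAge=$maxAge"

# Report: table on the console now, CSV on the share for the periodic review.
$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path $ReportPath
```

Scheduling this as a weekly task on each PC and reviewing the CSVs in one place gives you the "routine task" the original question asks for; once AD is in place, the same checks move to Group Policy and the script becomes a verification step rather than the control itself.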
Cisco’s list is excellent. He caught on the second time around the same ones I thought were missing. Nowadays the products you choose and the way you configure them give a lot of options for identifying security or functional problems and breaches and supplying alerts to you; use them!
I would add that it is always best practice to have the machines lock after a period of inactivity (yes, I know users will complain about having to re-enter credentials, but the security is worth it and they get used to it quickly). I know in a church environment we like to think that no one would misuse a computer, but we all have access to sensitive information and leaving a computer unlocked just invites someone to say “Hmm, wonder what’s on there?”
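On standalone workstations the inactivity lock can be enforced machine-wide rather than left to each user's screen-saver settings. The script below is an added example, not from this thread: it writes the `InactivityTimeoutSecs` value that the local security option "Interactive logon: Machine inactivity limit" uses, so the session locks after the timeout no matter what the user has configured. The 10-minute default is a placeholder assumption; run it from an elevated prompt.

```powershell
# Added example (not from the original post): enforce a machine-wide inactivity
# lock on a non-domain workstation by setting the same registry value the local
# security option "Interactive logon: Machine inactivity limit" writes.
# ASSUMPTION: the 600-second default is a placeholder; choose what staff will accept.
param([int]$TimeoutSeconds = 600)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'InactivityTimeoutSecs'

function Get-InactivityLock {
    # Returns the enforced timeout in seconds, or 0 when no machine-wide lock is set.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$valueName } else { return 0 }
}

function Set-InactivityLock([int]$Seconds) {
    # Windows accepts 0..599940 seconds; 0 disables the lock.
    if ($Seconds -lt 0 -or $Seconds -gt 599940) {
        throw "Timeout must be between 0 and 599940 seconds"
    }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $valueName -Value $Seconds `
                     -PropertyType DWord -Force | Out-Null
}

$before = Get-InactivityLock
Set-InactivityLock -Seconds $TimeoutSeconds
$after  = Get-InactivityLock
"{0}: machine inactivity lock was {1}s, now {2}s" -f $env:COMPUTERNAME, $before, $after
```

Because the value lives under the machine policy key, a user cannot undo it from Control Panel, and the same `Get-InactivityLock` check can be folded into whatever periodic audit you run on each PC.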