Windows 2000 Security Policies & Practices: How to build your plan
Mandy Andress, CISSP, President, ArcSec Technologies
What will be covered today
Understanding information assets
Capturing core values and security needs
Performing risk assessment
Formulating security policy
Implementing Windows security policy
What are Information Assets?
Documents, data or information of value
Primary components
• Customer information, history, preferences, etc.
• Product or service description, content, components, etc.
• Process & procedure descriptions (“how you run the business”)
Anything you don’t want to share, give away or disclose freely to everyone = asset in need of protection
Recognizing Risk
“Possibility of harm or loss”
Probability of experiencing loss resulting from a threat event
Risk assessment = associating value or cost with a specific loss
THE PURPOSE OF SECURITY IS TO MANAGE RISK!
Risk Assessment Lingo
Threat Agent: who or what can cause the loss event (attacker, insider, malware, outage)
Exposure Factor (EF): fraction of the asset’s value lost in one event
Single Loss Exposure Value (SLE) = asset value × EF, the cost of one event
Probability of Loss: expected number of events per year, the annualized rate of occurrence (ARO)
Annualized Loss Expectancy (ALE) = SLE × ARO, the expected loss per year
Managing Risk
Removing risk
Mitigating risk
Transferring risk
Performing Risk Assessment – Part 1
What can go wrong?
If it happened, how bad would it be?
How often might it happen?
How sure are the answers to the preceding questions?
What to do to remove, mitigate or transfer risk?
How much will it cost?
How efficient is it?
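The terms on the “Risk Assessment Lingo” slide and the Part 1 questions above fit together as a short calculation. The following Python example is added for this deck (it is not a tool from the original page) and walks one constructed asset through the questions: what it costs when the threat event happens, how often it might happen under an optimistic and a pessimistic estimate, and whether each remove / mitigate / transfer option is worth its price. Every asset value, exposure factor, rate and control cost is made up for the example.

```python
"""Quantitative risk assessment: the formulas behind the "Risk Assessment
Lingo" terms, walked through the "Part 1" questions for one asset.

Added illustration for this deck, not a tool from the original page.  Every
asset value, exposure factor, rate and control cost below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str               # the loss event, caused by some threat agent
    exposure_factor: float  # fraction of asset value lost in ONE event (0..1)
    aro_low: float          # annualized rate of occurrence, optimistic estimate
    aro_high: float         # pessimistic estimate; the spread is "how sure are we"


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str           # "remove", "mitigate" or "transfer"
    annual_cost: float      # what it costs per year to run this control
    ef_after: float         # exposure factor once the control is in place
    aro_scale: float        # factor applied to the ARO once it is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor: the cost of one loss event."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from this threat."""
    return sle * aro


def ale_range(asset_value: float, threat: Threat) -> tuple:
    """ALE under the optimistic and pessimistic ARO estimates
    ("how often might it happen?" and "how sure are we?")."""
    sle = single_loss_expectancy(asset_value, threat.exposure_factor)
    return (annualized_loss_expectancy(sle, threat.aro_low),
            annualized_loss_expectancy(sle, threat.aro_high))


def evaluate_control(asset_value: float, threat: Threat, control: Control) -> dict:
    """Cost/benefit of one control, using the pessimistic ARO so the decision
    is conservative.  net_benefit = risk reduction - control cost; efficiency
    is risk reduction per unit of cost (return on the security investment)."""
    ale_before = ale_range(asset_value, threat)[1]
    sle_after = single_loss_expectancy(asset_value, control.ef_after)
    ale_after = annualized_loss_expectancy(sle_after, threat.aro_high * control.aro_scale)
    reduction = ale_before - ale_after
    return {
        "control": control.name,
        "strategy": control.strategy,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": reduction - control.annual_cost,
        "efficiency": reduction / control.annual_cost if control.annual_cost else float("inf"),
    }


def choose_control(asset_value: float, threat: Threat, controls: List[Control]) -> Optional[dict]:
    """Pick the control with the largest positive net benefit; None means no
    listed control pays for itself and the decision needs revisiting."""
    results = [evaluate_control(asset_value, threat, c) for c in controls]
    best = max(results, key=lambda r: r["net_benefit"]) if results else None
    return best if best and best["net_benefit"] > 0 else None


# --- constructed example data (not real figures) ---------------------------
CUSTOMER_DB_VALUE = 500_000.0            # value placed on the customer database
DB_THEFT = Threat("customer database copied by an external attacker",
                  exposure_factor=0.6, aro_low=0.1, aro_high=0.5)
OPTIONS = [
    Control("encrypt the database and enforce least-privilege access", "mitigate",
            annual_cost=40_000, ef_after=0.15, aro_scale=0.5),
    Control("cyber-insurance covering breach costs", "transfer",
            annual_cost=25_000, ef_after=0.2, aro_scale=1.0),
    Control("stop storing the customer data", "remove",
            annual_cost=200_000, ef_after=0.0, aro_scale=0.0),
]

if __name__ == "__main__":
    low, high = ale_range(CUSTOMER_DB_VALUE, DB_THEFT)
    print(f"ALE for '{DB_THEFT.name}': {low:,.0f} to {high:,.0f} per year")
    for r in (evaluate_control(CUSTOMER_DB_VALUE, DB_THEFT, c) for c in OPTIONS):
        print(f"  {r['strategy']:<9} net benefit {r['net_benefit']:>10,.0f}  "
              f"efficiency {r['efficiency']:.2f}x  {r['control']}")
    best = choose_control(CUSTOMER_DB_VALUE, DB_THEFT, OPTIONS)
    print("Decision:", best["control"] if best else "no listed control pays for itself")
```

The pessimistic ARO is used for the decision on purpose: when the answer to “how sure are we?” is “not very”, the spread between the two ALE figures is the first thing to narrow, and a control that only pays off under the optimistic estimate is not a safe choice.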
Performing Risk Assessment – Part 2
Inventory, definition, requirements
Vulnerability and threat assessment
Evaluation of Controls
Analysis, Decision, and Documentation
Communication
Monitoring
Insurance
Understanding Security Policy
Not technology specific
Three primary functions
• Reduce or eliminate legal liability to employees & 3rd parties
• Protect confidential or proprietary information from theft, misuse, unauthorized disclosure, loss or modification
• Prevent waste of company computing resources
Internal policy (inward focus) is key to proper formulation!
Security Policy Lifecycle
Policy development
Policy enforcement
Policy monitoring, review, and maintenance
Developing Security Policy
Identifying key business resources & policies
Defining organizational roles
Determining capabilities/functionality matrix for each role
Important standards
• ISO 17799 (formerly known as BS 7799)
• RFC 2196 (Site Security Handbook) and RFC 2504 (Users’ Security Handbook)
Avoiding Policy Pitfalls
Always consider organization culture when creating information security policies
Develop realistic policies explicitly endorsed by management
Never underestimate the importance of teaching policy awareness
Develop policies, compliance monitoring procedures, and define consequences for noncompliance in tandem
[Slide diagram; only the label “Root Domain” is legible]
Key Security Policy Components
Numerous documents make up a security policy, including:
• Acceptable Use Policy
• User Account Policy
• Remote Access Policy
• Information Protection Policy
• Firewall Management Policy
• Special Access Policy
• Network Connection Policy
• Business Partner Policy
• Customer Policy
• Service Provider Policy
Procedures Implement Policy
Step-by-step technical discussions of how policy will be implemented
Important Procedures
• Configuration Management
• Backup and Off-site Storage
• Incident Response
• Business Continuity and Disaster Recovery
Sample Security Policies & Info
SANS Security Policy Project
CMU OCTAVE Framework
Murdoch Univ “Information Technology Security Policy” report
UC Davis Security Policies
NIH IT Security Policy & related documents
Security Policies Made Easy
ISO 17799
Windows Security Policy
No direct mapping from security policy to implementation
Requires strong working knowledge of both sides (policy & OS)
Applies through numerous controls, consoles, & utilities
Windows 2000 Group Policy
GPO: Active Directory construct, collection of policies
• Address user and computer configuration
• Address security settings defined in security templates
Provides controls over many aspects of security
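Security templates are plain INF text files, and the Security Configuration and Analysis snap-in (or secedit /analyze from the command line) compares a machine’s current settings against one before the template is imported into a GPO. The following Python example is added here to show what that comparison does; it is not Microsoft code and not from the original deck. It parses two constructed templates, a hardened baseline and a snapshot of an unconfigured machine, and reports each setting that falls short. The section and key names and the [Registry Values] lines follow the real template layout; the values are chosen for the example and are not a copy of any shipped template.

```python
"""Offline model of the Security Configuration and Analysis check (what
secedit /analyze does on a machine): compare current settings with a security
template and report each mismatch.  Added illustration, not Microsoft code.
Both templates are constructed; section/key names follow the real .inf layout.
"""

# Constructed hardened baseline (values chosen for this example).
BASELINE_INF = r"""
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

# Constructed snapshot of an unconfigured machine: no password rules, no
# lockout, almost no auditing, anonymous enumeration and unsigned SMB allowed.
CURRENT_INF = r"""
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 0
AuditPolicyChange = 1
AuditPrivilegeUse = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""


def parse_template(text):
    """Parse INF-style text into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)   # registry paths contain no '='
            sections[current][key.strip()] = value.strip()
    return sections


def _num(v): return int(v.strip().strip('"'))

# Whether "current meets baseline" depends on the setting: a longer password
# minimum is fine, a larger lockout threshold is not, and 0 for a lockout
# count or maximum age means the control is switched off entirely.
def _at_least(cur, base): return _num(cur) >= _num(base)
def _enabled_and_at_most(cur, base): return 0 < _num(cur) <= _num(base)
def _exact(cur, base): return cur.strip('"') == base.strip('"')
def _audit_superset(cur, base): return _num(cur) & _num(base) == _num(base)  # 1=success 2=failure 3=both

SYSTEM_ACCESS_RULES = {
    "MinimumPasswordLength": _at_least, "PasswordHistorySize": _at_least,
    "MaximumPasswordAge": _enabled_and_at_most, "LockoutBadCount": _enabled_and_at_most,
}


def rule_for(section, key):
    if section == "System Access":
        return SYSTEM_ACCESS_RULES.get(key, _exact)
    if section == "Event Audit":
        return _audit_superset
    return _exact        # Registry Values: "type,value" must match exactly


def analyze(baseline_text, current_text,
            sections=("System Access", "Event Audit", "Registry Values")):
    """One (section, key, baseline, current, status) finding per baseline setting."""
    baseline, current = parse_template(baseline_text), parse_template(current_text)
    findings = []
    for section in sections:
        for key, want in baseline.get(section, {}).items():
            have = current.get(section, {}).get(key)
            if have is None:
                status = "not configured"
            else:
                status = "ok" if rule_for(section, key)(have, want) else "mismatch"
            findings.append((section, key, want, have, status))
    return findings


def mismatches(findings):
    return [f for f in findings if f[4] != "ok"]


if __name__ == "__main__":
    found = analyze(BASELINE_INF, CURRENT_INF)
    for section, key, want, have, status in found:
        print(f"{status:<15}{section:<16}{key.rsplit(chr(92), 1)[-1]:<26}baseline={want:<5}current={have}")
    print(f"\n{len(mismatches(found))} of {len(found)} baseline settings are not met")
```

On a real Windows 2000 machine the same comparison is secedit /analyze /db analysis.sdb /cfg baseline.inf /log analysis.log, and secedit /configure with the same template applies the fix locally; importing the template into a GPO’s Security Settings applies it to every computer in the domain or OU the GPO is linked to. The per-setting rules are the part worth getting right: a template that demands “exactly 8” characters would wrongly flag a site that already requires 10.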
Key Group Policy Topics & Tools
Group Policy tools
GPO components (what can be modified using Group Policy)
Using Security Configuration & Analysis tools with Group Policy editors
Default Group Policy Objects (GPOs) and their consoles
• Local Security Policy (the local GPO), Domain Controller Security Policy (Default Domain Controllers Policy), Domain Security Policy (Default Domain Policy)
Group Policy inheritance (how Group Policy applies)
Group Policy with Windows NT &/or Windows 9x systems
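The “Group Policy inheritance” item above is where most production surprises come from: the Local GPO applies first, then GPOs linked to the Site, Domain and OUs (LSDOU) in turn, each later one overwriting the earlier, unless a domain or OU has Block Policy Inheritance set or a link has No Override set. The following Python model is an added example, not code from the original deck or from Microsoft; the domain layout, GPO names and setting names are constructed. It works out the order in which the GPOs apply to a target and which GPO ends up supplying each setting.

```python
"""How Group Policy applies in Windows 2000: the Local GPO first, then GPOs
linked to the Site, Domain and OUs (LSDOU), each later one overwriting the
earlier; "Block Policy Inheritance" on a domain or OU and "No Override" on a
link change that.  Added illustration of those rules, not Microsoft code;
the containers, GPO names and settings below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Link:
    gpo: str
    settings: Dict[str, object]   # setting -> value this GPO configures
    no_override: bool = False     # "No Override" set on this link


@dataclass
class Container:
    name: str
    kind: str                     # "local", "site", "domain" or "ou"
    links: List[Link] = field(default_factory=list)  # in application order, later wins
    block_inheritance: bool = False


def application_order(path: List[Container]) -> List[Tuple[Container, Link]]:
    """path runs from the Local GPO container down to the target's own OU.
    Returns (container, link) pairs in the order the GPOs are applied."""
    normal: List[Tuple[Container, Link]] = []
    enforced: List[Tuple[Container, Link]] = []
    for container in path:
        if container.block_inheritance:
            # Drops GPOs inherited from higher sites/domains/OUs, but not
            # No Override links (collected separately) or the Local GPO,
            # which is not inherited through Active Directory.
            normal = [(c, l) for c, l in normal if c.kind == "local"]
        for link in container.links:
            (enforced if link.no_override else normal).append((container, link))
    # No Override links apply after everything else; among them the one linked
    # highest in the hierarchy applies last and therefore wins.
    return normal + list(reversed(enforced))


def resultant_settings(path: List[Container]):
    """Resultant set of policy: final value of each setting and which GPO set it."""
    result, source = {}, {}
    for container, link in application_order(path):
        for name, value in link.settings.items():
            result[name] = value
            source[name] = f"{link.gpo} ({container.name})"
    return result, source


# Constructed forest: a workstation in corp.example / Engineering / Lab.
LOCAL = Container("this computer", "local",
                  [Link("Local GPO", {"ScreenSaverTimeout": 0, "LmCompatibilityLevel": 0})])
SITE = Container("HQ", "site", [Link("Site-Standard", {"ScreenSaverTimeout": 900})])
DOMAIN = Container("corp.example", "domain", [
    Link("Default Domain Policy", {"ScreenSaverTimeout": 600, "LmCompatibilityLevel": 2}),
    Link("Corp-Security-Baseline", {"LmCompatibilityLevel": 3}, no_override=True),
])
ENGINEERING = Container("Engineering", "ou",
                        [Link("Eng-Desktop", {"ScreenSaverTimeout": 1800, "LmCompatibilityLevel": 1})],
                        block_inheritance=True)
LAB = Container("Lab", "ou",
                [Link("Lab-Settings", {"ScreenSaverTimeout": 3600, "LmCompatibilityLevel": 0},
                      no_override=True)])
PATH = [LOCAL, SITE, DOMAIN, ENGINEERING, LAB]

if __name__ == "__main__":
    print("Applied in this order:")
    for container, link in application_order(PATH):
        flag = " [No Override]" if link.no_override else ""
        print(f"  {link.gpo} from {container.name}{flag}")
    values, origins = resultant_settings(PATH)
    for name in values:
        print(f"{name} = {values[name]}  (from {origins[name]})")
```

In the constructed layout the Engineering OU blocks the Site and Default Domain Policy settings, yet the domain-level Corp-Security-Baseline still wins LmCompatibilityLevel because No Override cannot be blocked and beats the Lab OU’s own No Override link. That is the behaviour to confirm in the test environment before a production rollout.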
Proper Implementation Strategy
Start with non-production test environment
Introduce changes slowly & in a controlled manner
Best use of Group Policy occurs within AD environments
Proceed carefully with production deployment
Be ready to roll back as needed
Key Microsoft Resources
Microsoft Security Site
Introduction to Microsoft Windows 2000 Group Policy
White Paper: Windows 2000 Group Policy
Step-by-Step Guide to Understanding the Group Policy Feature Set
Windows 2000 Resource Kit: Group Policy
Search on “Group Policy” and view the Best Bets results!