Sunday, April 26, 2009

A couple application highlights in Vista

Of the new applications in Vista, there are a couple of stand-outs.

First is Internet Explorer 7. The most significant leap in IE technology is implemented in Protected Mode and Mandatory Integrity Control (MIC). MIC is a security feature of Vista that carries the concept of least privilege over to applications and processes. When IE7 is run in Protected Mode, it is assigned the Integrity Access Level of “Low.” This protects the system and the registry from writes by malware you may have stumbled upon while surfing the 'net.

This is a quantum leap in internet security from the practice of logging on as an Administrator and running your processes with that status.

The other application that I really enjoy is Windows Meeting Space. This is a great tool for collaboration, and you don’t have to break the budget to implement this in your workplace, since it’s included in Windows. Not only is it great for remote participation where you can’t physically get together, but it’s also great for when everyone is around the same conference table. In this scenario, you can all share documents, suggest changes, etc. It’s much better than having the meeting, emailing the file out to the participants afterward, and having a slew of revisions come back to you. You almost need another meeting to discuss everyone’s revisions. With Meeting Space this is avoidable. That should increase productivity.

Monday, April 20, 2009

Firewall and Security

In today’s world, firewalls and data center security are as necessary as locks on doors and windows. The SANS Institute’s Internet Storm Center reports that, without some device or software to handle security between your computer and the internet, the computer will be under the control of a malicious coder in less than 20 minutes. That was in 2004. You can be sure it’s at least that fast today.

Microsoft’s Windows Firewall has undergone extensive improvement since its implementation in Windows XP. The new version that comes with Windows Vista is infinitely more configurable. In addition to the rather nebulous “on” or “off” settings which you had in XP, you can now configure specific rules for programs, ports, or protocols and apply them to different network profiles.

Perhaps even more significant is the addition of outbound traffic controls in the Microsoft Windows Firewall. This is a giant leap forward for this utility and makes it a worthy security option for the home user, especially in view of its partnering with Windows Defender.

In addition to the Microsoft Windows Firewall, for residential scale networking I like to be very familiar with and employ the hardware firewall included in many home networking routers and wireless access points. The two most common of these are the Linksys and D-Link products for home networking. These products often have a web-based configuration utility that allows you to set up specific port behavior and program exceptions, much like a more expensive product, in a way that is accessible to the home user.

Just as “least privilege” is the best practice for user objects, your network should be set up for least access. That is to say that you should only open the ports you absolutely need. An open port in your firewall is like an open window in a locked house. What? You say “but I require a password for remote desktop port 3389.” Ok, so that’s like a screen in the open window in a locked house. Every opening in the firewall is an additional venue for the malicious coder to get control of your computer and your personal information, so it’s best to keep them all closed. If you are a gamer or employ some other application that requires port forwarding or otherwise opened ports, consider closing them immediately after your session.

Once you have the firewall where you think you want it, it is important to test it to be sure. “Testing Proves Testing Works,” as they say. Security Metrics is one of several online sources for security testing. The Free Port Scan and Firewall Test page of their web site will determine your public IP Address and use that to scan your computer for open ports or possible vulnerabilities. It’s basically a self-inflicted port scan from the internet. This way you will know for sure what is open on your network. A tool like this should be used every time a change is made to the firewall configuration on any network.
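
The "least access" advice above, as an added PowerShell example (not from the original post): it opens a port only for the length of a session, scoped to the Private profile and the local subnet, then removes the rule and lists what is still listening. The function and rule names are made up for this example; it assumes an elevated prompt on Vista or later with PowerShell 2.0 or newer.

```powershell
# Added example; run from an elevated prompt. Function and rule names are illustrative.
function Invoke-WithTemporaryPort {
    param(
        [int]$Port = 3389,                 # RDP, the port mentioned in the post
        [string]$Protocol = 'TCP',
        [scriptblock]$Session = { Read-Host 'Port open; press Enter to close it' | Out-Null }
    )
    $rule = "Temp-$Protocol-$Port"
    # Scope the opening: Private profile only, local subnet only
    netsh advfirewall firewall add rule "name=$rule" dir=in action=allow `
        "protocol=$Protocol" "localport=$Port" profile=private remoteip=localsubnet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not add rule $rule" }
    try {
        & $Session
    }
    finally {
        # Runs even if the session block throws, so the port never stays open
        netsh advfirewall firewall delete rule "name=$rule" | Out-Null
    }
}

# Local view of listening sockets, to compare against an external port scan
function Get-ListeningPort {
    netstat -an | Select-String 'LISTENING|UDP' |
        ForEach-Object { ($_.Line.Trim() -split '\s+')[1] } |
        Sort-Object -Unique
}

# Baseline: block unsolicited inbound traffic on every profile, allow outbound
netsh advfirewall set allprofiles firewallpolicy 'blockinbound,allowoutbound'

Invoke-WithTemporaryPort -Port 3389

# After the session the temporary rule should be gone (expect no output)
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Temp-'
Get-ListeningPort
```

A port that shows up in `Get-ListeningPort` but not in the external scan is being held back by the firewall; one that shows up in both is reachable from the internet.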

Wednesday, April 8, 2009

Vista is Good. It's Time to Admit It.

Vista came out a while ago now. When it first came out, there were issues, and they were primarily related to drivers. Drivers are the responsibility of the hardware vendors, not the operating system programmers. Secondary issues came into play with legacy custom software applications.

Well, here we are in 2009. Vista service pack one has been out for some time now, and service pack two is about to be released. Hardware makers have gotten up to speed with the driver model. Users have had time to understand and implement "Compatibility Mode." Today, Windows Vista is a stable, widely compatible, excellent operating system. It's time to stop repeating the same thing we heard three years ago.

Join me. Drink the Kool-Aid.

I read comments on IT specific discussions on the Internet where people say things like "When XP stops working, I'm going to Mac!" That's irrational and silly. Sure, we're creatures of habit, we don't like change, but that sentiment is oxymoronic. I can't think of much bigger change than going from Windows to its largest commercial competitor. It's kind of funny when you think about it.

The bottom line is this: Don't be afraid to embrace progress. Maybe not right away, but it's been a while now, and things improve and move forward. Vista is great. Windows 7 is fantastic.

Wednesday, April 1, 2009

NTFS Permissions

Here is a piece detailing my methodology in dealing with users and network file space. I use NTFS permissions, which is a file security schema implemented in the NTFS file system from Microsoft.

Some of the key rules of NTFS permissions: There are six standard permissions for folders, five for files. These standard permissions control general aspects of file security. There are also 14 special permissions which allow a much more detailed control of access and security. Every permission can be explicitly allowed or denied, or it can be inherited from a parent object. Deny can also be implied by the absence of explicit or inherited allow permissions. Permissions are assigned via the presence of objects in an Access Control List (ACL), but permissions belong to the object to which they are assigned, not to the user or group in the ACL.

I use Shares, NTFS Permissions, and User Groups in concert to provide users ever-expanding rings of file access. I begin with the premise that users need, at a minimum, the following areas of file storage: First, they need a private space to keep their work that is in progress, confidential, or other things that are generally not to be shared with others. Second, users who work together need a file space that helps them to work together. Third, users who work together across departmental boundaries also need a shared space to help them get things done.

To accomplish my three levels of access, I create the following folder structure: In my data volume (which is created separate from my operating system volume) I will create a folder called “user data” or some similarly descriptive name that gives me a clue as to the content of that folder. This folder becomes the root of the user share structure. Next, inside the root folder I create a folder called Users. Inside Users I create a folder for every employee's user name. These folders inside Users are the private folders for the employees, also known as “Home Directory” or “Home Drive” and often assigned the drive letter H: (for “Home”). Usually they are shared as jdoe$. The trailing dollar sign makes it a hidden share, so that people poking around the file system will not see the folder if they are coming across the network and don't have access to a folder higher up in the tree. That completes the personal folder.

Next, back up in User Data, I'll create a folder called “Departments.” In that folder I'll create sub-folders like “Finance,” “Marketing,” “Development,” “Human Resources,” and so on. This will give the users in the same department a place to store files that they are sharing with departmental co-workers. I give the department's users full control inside their department shares so that they can create new folder structures inside that are helpful for them.

Next, returning again to User Data, I create a folder called “Public.” The public folder is available to all, and all users have full control. It is akin to the wild west of file systems, but it serves a valuable purpose in allowing users from different departments who may be working together on a project a collaborative space. Additionally, I can create sub folders in Public and block inheritance. This allows me to create, for example, a folder called “HR Info” in which the HR users have full control and all others have read only. HR can then deposit files like the employee handbook or benefits information in that folder and all users can read it. This saves me from having to create too many folders that get mapped as drives.

All employees are trained in the structure of the folder tree and the rights that they and others have throughout. It is made clear to them who can see what, where, and they are also assured that there is no such thing as “privacy” on corporate file servers or computers. We give you a “private” space, but it's always available to the system administrator at the command of the appropriate management staff. It may be called private, but nothing should be in there that would be against any company policy, civil law, or reasonable moral standard.

Once my folders are in place, I go on to create groups for every department. I place the appropriate users in each of the departmental groups, and then I set the NTFS permissions on the Department sub folders by group. The rights to Public are assigned to the “Everyone” group, and rights to the user folders are assigned per user.

At this point you may be saying to yourself “That's a lot of people with full control!” I agree, it is, and the concern over files being inadvertently or maliciously deleted is a legitimate one. For this reason I have implemented other file-security solutions so that I may recover any file in moments. It's the best of both worlds.

There are special circumstances that will occur. For example, let's say a share is desired for the department heads only. I would create a “Department Heads” folder in the Departments sub folder. I would then create a group and give access rights to that group, then finally add the heads to that group.

The way I provide access to the various shares is through a Visual Basic login script. The script uses variables to make it simple. When a user logs on, the script runs and finds the user name and all groups that the user belongs to. With this information it maps network drives on the workstation. H: is the private share, I: is the department share, J: is public, and special folders follow if the user is a member of other groups.

Here is a little graphic to illustrate the folder structure. Hopefully it comes through ok.


D:
|--->User Data - (not shared, no permissions)
|
|------->Users - (not shared, no permissions)
|        |-------->jdoe$ - (hidden share, permissions only for Jane Doe)
|        |-------->tjones$ - (hidden share, permissions only for Tom Jones)
|
|------->Departments - (not shared, no permissions)
|        |-------->Finance - (shared, permissions for the Finance group)
|        |-------->Marketing - (shared, permissions for the Marketing group)
|
|------->Public - (shared, permissions for the Everyone group)
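
The folder tree, shares and group permissions described in this post, as an added PowerShell example (not the author's own script). The domain name CORP, department groups named after their folders, the Modify level on home folders and the Administrators/SYSTEM entries on every folder are assumptions made for the example.

```powershell
# Added example; run elevated on the file server. CORP and the group names are assumed.
$Root   = 'D:\User Data'
$Domain = 'CORP'                      # hypothetical domain name
$Users  = 'jdoe', 'tjones'            # sample accounts from the diagram
$Depts  = 'Finance', 'Marketing'      # each assumed to have a same-named group
$Admins = 'BUILTIN\Administrators:(OI)(CI)F', 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

function Set-ExclusiveAcl([string]$Path, [string[]]$Grants = @()) {
    # Create the folder, block inheritance (/inheritance:r drops inherited ACEs),
    # then replace explicit ACEs so only admins, SYSTEM and the listed grants remain.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    icacls $Path /inheritance:r /grant:r ($Admins + $Grants) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function New-ShareFor([string]$Name, [string]$Path, [string]$Account) {
    # Set the share ACL explicitly rather than relying on the default.
    net share ('{0}={1}' -f $Name, $Path) "/GRANT:$Account,FULL" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $Name" }
}

# Containers: not shared, no user permissions
Set-ExclusiveAcl $Root
foreach ($c in 'Users', 'Departments') { Set-ExclusiveAcl (Join-Path $Root $c) }

foreach ($u in $Users) {              # private home folders, hidden shares (jdoe$)
    $p = Join-Path $Root "Users\$u"
    Set-ExclusiveAcl $p "${Domain}\${u}:(OI)(CI)M"   # level not stated in the post; Modify assumed
    New-ShareFor "$u`$" $p "$Domain\$u"
}
foreach ($d in $Depts) {              # department group gets full control, per the post
    $p = Join-Path $Root "Departments\$d"
    Set-ExclusiveAcl $p "${Domain}\${d}:(OI)(CI)F"
    New-ShareFor $d $p "$Domain\$d"
}

$pub = Join-Path $Root 'Public'
Set-ExclusiveAcl $pub 'Everyone:(OI)(CI)F'
New-ShareFor 'Public' $pub 'Everyone'

# HR Info: inheritance blocked, HR full control, everyone else read-only
Set-ExclusiveAcl (Join-Path $pub 'HR Info') "$Domain\Human Resources:(OI)(CI)F", 'Everyone:(OI)(CI)RX'

# Review the result: on a freshly built tree no ACE should carry the inherited (I) flag
Get-ChildItem $Root -Recurse | Where-Object { $_.PSIsContainer } |
    ForEach-Object { icacls $_.FullName }
```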