
Page 1: Windows 2000 Security Policies & Practices: How to build your plan Mandy Andress, CISSP President ArcSec Technologies

Windows 2000 Security Policies & Practices: How to build your plan

Mandy Andress, CISSP, President, ArcSec Technologies

Page 2

What will be covered today

Understanding information assets

Capturing core values and security needs

Performing risk assessment

Formulating security policy

Implementing Windows security policy

Page 3

What are Information Assets?

Documents, data or information of value

Primary components:

• Customer information, history, preferences, etc.

• Product or service description, content, components, etc.

• Process & procedure descriptions (“how you run the business”)

Anything you don’t want to share, give away or disclose freely to everyone = asset in need of protection

Page 4

Recognizing Risk

“Possibility of harm or loss”

Probability of experiencing loss resulting from a threat event

Risk assessment = associating value or cost with specific loss

PURPOSE OF SECURITY IS TO MANAGE RISK!!

Page 5

Risk Assessment Lingo

Threat Agent

Exposure Factor

Single Loss Exposure Value

Probability of Loss

Annualized Loss Expectancy

Page 6

Managing Risk

Removing risk

Mitigating risk

Transferring risk

Page 7

Performing Risk Assessment – Part 1

What can go wrong?

If it happened, how bad would it be?

How often might it happen?

How sure are answers to preceding questions?

What to do to remove, mitigate or transfer risk?

How much will it cost?

How efficient is it?
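An added worked example (not from the talk) that puts numbers to the Risk Assessment Lingo terms and answers the Part 1 questions for one scenario: Single Loss Exposure Value is asset value times exposure factor, Annualized Loss Expectancy is that scaled by the annual probability of loss, and a control is worth deploying when the ALE it removes exceeds its annual cost. The asset, threat agent, values and costs are constructed.

```python
# Added example (not from the slides): the quantitative side of the talk's
# risk assessment vocabulary, applied to the Part 1 questions. All asset
# values, exposure factors, probabilities and costs are constructed inputs.
from dataclasses import dataclass


@dataclass
class Scenario:
    asset: str                   # information asset at risk
    threat_agent: str            # who or what would cause the loss
    asset_value: float           # business value of the asset in dollars
    exposure_factor: float       # fraction of the asset lost per event, 0..1
    probability_of_loss: float   # expected loss events per year

    def sle(self) -> float:
        """Single Loss Exposure Value: "if it happened, how bad would it be?"."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE weighted by "how often might it happen?"."""
        return self.sle() * self.probability_of_loss


def control_benefit(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a control that turns `before` into `after`
    ("how much will it cost?" and "how efficient is it?"). Positive means the
    control removes more expected loss per year than it costs."""
    return before.ale() - after.ale() - annual_cost


def recommend(before: Scenario, after: Scenario, annual_cost: float) -> str:
    """Mitigate when the control pays for itself; otherwise the risk is a
    candidate for transfer (insurance) or acceptance."""
    return "mitigate" if control_benefit(before, after, annual_cost) > 0 else "transfer or accept"


# Constructed scenario: customer database exposed to insider misuse, no controls.
UNCONTROLLED = Scenario("customer database", "disgruntled insider",
                        asset_value=500_000, exposure_factor=0.5, probability_of_loss=0.5)
# Same asset and threat agent after adding access logging and least-privilege
# roles: each incident exposes less data and incidents are rarer.
CONTROLLED = Scenario("customer database", "disgruntled insider",
                      asset_value=500_000, exposure_factor=0.125, probability_of_loss=0.25)
CONTROL_COST = 30_000  # constructed annual cost of the control

if __name__ == "__main__":
    print(f"ALE before control: {UNCONTROLLED.ale():,.0f}")
    print(f"ALE after control:  {CONTROLLED.ale():,.0f}")
    print(f"Net annual benefit: {control_benefit(UNCONTROLLED, CONTROLLED, CONTROL_COST):,.0f}")
    print("Recommendation:", recommend(UNCONTROLLED, CONTROLLED, CONTROL_COST))
```

The "how sure are the answers" question is left to the reader: the model only computes expected values, so uncertain inputs should be run as ranges rather than single figures.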

Page 8

Performing Risk Assessment – Part 2

Inventory, definition, requirements

Vulnerability and threat assessment

Evaluation of Controls

Analysis, Decision, and Documentation

Communication

Monitoring

Insurance

Page 9

Understanding Security Policy

Not technology specific

Three primary functions:

• Reduce or eliminate legal liability to employees & 3rd parties

• Protect confidential or proprietary information from theft, misuse, unauthorized disclosure, loss or modification

• Prevent waste of company computing resources

Internal policy (inward focus) is key to proper formulation!

Page 10

Security Policy Lifecycle

Policy development

Policy enforcement

Policy monitoring, review, and maintenance

Page 11

Developing Security Policy

Identifying key business resources & policies

Defining organizational roles

Determining capabilities/functionality matrix for each role

Important standards:

• ISO 17799 (formerly known as BS 7799)

• RFCs 2196 and 2504

Page 12

Avoiding Policy Pitfalls

Always consider organization culture when creating information security policies

Develop realistic policies explicitly endorsed by management

Never underestimate the importance of teaching policy awareness

Develop policies, compliance monitoring procedures, and define consequences for noncompliance in tandem


Page 13

Key Security Policy Components

Numerous documents make up a security policy, including:

• Acceptable Use Policy

• User Account Policy

• Remote Access Policy

• Information Protection Policy

• Firewall Mgmt Policy

• Special Access Policy

• Netwk Connection Policy

• Business Partner Policy

• Customer Policy

• Service Provider Policy

Page 14

Procedures Implement Policy

Step-by-step technical discussions of how policy will be implemented

Important Procedures:

• Configuration Management

• Backup and Off-site Storage

• Incident Response

• Business Continuity and Disaster Recovery

Page 15

Sample Security Policies & Info

SANS Security Policy Project

CMU Octave Framework

Murdoch Univ “Information Technology Security Policy” report

UC Davis Security Policies

NIH IT Security Policy & related documents

Security Policies Made Easy

ISO 17799

Page 16

Windows Security Policy

No direct mapping from security policy to implementation

Requires strong working knowledge of both sides (policy & OS)

Applies through numerous controls, consoles, & utilities

Page 17

Windows 2000 Group Policy

GPO: Active Directory construct, collection of policies

• Address user and computer configuration

• Address security settings defined in security templates

Provides controls over many aspects of security

Page 18

Key Group Policy Topics & Tools

Group Policy tools

GPO components (what can be modified using Group Policy)

Using Security Configuration & Analysis tools with Group Policy editors

Default Group Policy Objects (GPOs):

• Local Security Policy, DC Security Policy, Domain Security Policy

Group Policy inheritance (how Group Policy applies)

Group Policy with Windows NT &/or Windows 9x systems
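An added example, not from the talk or from Microsoft's tooling, of the step Security Configuration & Analysis performs when a security template is compared against a policy: it reads a constructed template in the .inf layout Windows 2000 templates use ([System Access] and [Event Audit] sections with their real setting names) and reports each setting that falls short of an assumed written User Account Policy, including settings the template never configures.

```python
# Added example (not from the slides): a policy-versus-template check in the
# spirit of the Security Configuration & Analysis snap-in. Template text is
# constructed; setting names are those of Windows 2000 .inf security templates
# and the required values stand in for an organisation's own written policy.
import configparser
from typing import Dict, List, Tuple

SAMPLE_TEMPLATE = """
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
MaximumPasswordAge = 42
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
"""

# Assumed requirements of the User Account Policy, keyed by template section
# and setting. Audit values: 0 none, 1 success, 2 failure, 3 success+failure.
POLICY_BASELINE = {
    ("System Access", "MinimumPasswordLength"): ("min", 8),
    ("System Access", "PasswordComplexity"): ("eq", 1),
    ("System Access", "PasswordHistorySize"): ("min", 12),
    ("System Access", "MaximumPasswordAge"): ("max", 90),
    ("System Access", "LockoutBadCount"): ("range", (3, 10)),
    ("Event Audit", "AuditLogonEvents"): ("eq", 3),
}

def parse_template(text: str) -> Dict[str, Dict[str, int]]:
    """Read the integer-valued settings of an .inf security template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the CamelCase setting names as written
    cp.read_string(text)
    return {s: {k: int(v) for k, v in cp[s].items() if v.strip().isdigit()}
            for s in cp.sections()}

def analyze(template: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, str]]:
    """Return (section, setting, problem) for every deviation from policy."""
    findings = []
    for (section, key), (rule, want) in POLICY_BASELINE.items():
        got = template.get(section, {}).get(key)
        if got is None:  # policy mandates it but the template leaves it unset
            findings.append((section, key, "not configured in template"))
        elif rule == "eq" and got != want or rule == "min" and got < want \
                or rule == "max" and got > want \
                or rule == "range" and not want[0] <= got <= want[1]:
            findings.append((section, key, f"is {got}, policy requires {rule} {want}"))
    return findings
```

Calling analyze(parse_template(SAMPLE_TEMPLATE)) lists five deviations; only MaximumPasswordAge meets the baseline.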

Page 19

Proper Implementation Strategy

Start with non-production test environment

Introduce changes slowly & in a controlled manner

Best use of Group Policy occurs within AD environments

Proceed carefully with production deployment

Be ready to roll back as needed

Page 20

Key Microsoft Resources

Microsoft Security Site

Introduction to Microsoft Windows 2000 Group Policy

White Paper: Windows 2000 Group Policy

Step-by-Step Guide to Understanding the Group Policy Feature Set

Windows 2000 Resource Kit: Group Policy

Search on “Group Policy” and view the Best Bets results!