By Chris Angelini

Depending on your experiences working with small businesses, you may or may not be surprised at some of the things that go on in offices supposedly serviced by the largest, most prestigious VARs in my area. Routers sometimes run at their default configurations, for example, including live wireless engines streaking naked without encryption. Or how about client machines connected to a network without any sort of antivirus software? Naturally, the servers go about their business protected, but I've seen workstations with several bugs, including a record-holding 1,700+ spyware- and virus-related maladies.

Fortunately, there are a few basic guidelines that resellers and consultants can use to help safeguard client data—all of them easy to understand and explain to customers reluctant to spend money on technology. Keep a handful in your pocket. When it comes time to show your stuff, buckling down on security is one of the most compelling ways to win customer affection.

Keep Client Systems Well-Protected

Even when working on workstations attached to a large network, it's sometimes easiest to pretend that each system exists on its own in the wild. That way, even if an employee brings an infected floppy disk to work or visits a Web site tainted by malicious code, the client system is able to cope on its own.

According to Microsoft's small business security recommendations—and my own experiences concur—there are a handful of preventative measures you can take in the quest to keep workstations secure. The obvious first step is to deploy antivirus software across the network and not just on a server. Most enterprise-oriented packages actually include client licenses with a limited number of seats. Make it a best practice to invest in such a solution, acquire the necessary number of licenses, and deploy to the server and workstations in one fell swoop. Make sure the software is scanning for new virus definitions hourly and pushing those updates to client machines.
And if you're running a version of SBS, take extra care to grab an antivirus suite capable of protecting Exchange Server, too.

In addition, it's important to keep servers and workstations equipped with the most up-to-date code. Microsoft is constantly patching Windows XP and Server 2003—backup and security apps get their fair share of fixes, as well. Unfortunately, hitting the Windows Update Web site is not sufficient for keeping your apps patched. Even components in the SBS 2003 package—ISA Server, Exchange, and SQL Server—are unprotected by Windows Update. So use a patch management utility to keep programs up to date company-wide. (Take note: SBS 2003 R2 introduces built-in, network-wide patch and update management.)

Show discretion, though, before deploying every single update. On more than one occasion, a Microsoft patch has broken compatibility with a customer's line-of-business applications, forcing costly downtime. The procedure I now practice compromises between software security and compatibility. I run a small SBS 2003 network in my office with hand-selected apps from the Action Pack along with whatever specialized programs my customers can supply free of charge. As patches emerge, I install them and allow customers to log in and "fool around," so to speak. Once we're jointly satisfied with the results, the recipient's machine is backed up, relevant services are stopped, and the patch is rolled out. If there's a problem, restoring the system is easy enough, but with just a little prudence, nearly all problems can be sidestepped.

Even with viruses mitigated and security holes plugged, unaddressed exploits still allow unwanted guests to peruse insufficiently protected networks. Therefore, safeguarding client machines is as much about the walls you build around them as it is the fortifications erected within. Under no circumstances should a small business network operate without some sort of firewall standing guard.
On an SBS 2003 Premium server, ISA 2004 delivers protection—if it's configured correctly and in between the wild side and the networked clients. (In other words, you have an inbound NIC and an outbound controller, too.) But even in those situations, I like to install a hardware firewall in front of the server, which forwards hand-picked ports corresponding to email traffic, FTP access, and so on. Naturally, the more holes you open up, the less secure things become, so be selective and only open the ports needed by your client's apps.

The Wireless Factor

Increasingly, customers ask for a wireless router when it comes time to roll out updated hardware. Most often, someone in management picks up a new laptop with wireless technology built in and wants access at work. And while there's no problem putting a wireless router at the head of a small business network, it's doubly important to understand the security implications of broadcasting information beyond the office's walls.

Perhaps the single most common configuration I run across is a SOHO wireless router with a server and several workstations parked behind. Though not necessarily vulnerable, a preferred setup would be a hardware router placed out in front of a server with two Ethernet controllers, trailed by a switch and an access point. That way, you're giving hard-wired clients an extra layer of security through a server-based software firewall and managing wireless network traffic back behind the same barrier.

When it comes to addressing wireless security, you can't go wrong by assuming the worst. Your customer shied away from wireless thinking it was too risky? I'll bet that an employee once had a wireless access point set up for convenience. Most security breaches go unnoticed, sadly enough, so it might be a good idea to invest in intrusion detection software, just to be safe.

Formulate policies governing the use of wireless networking, as well.
Your customer doesn't want employees connecting with personal PDAs or laptops, for example. Or specify that the 128-bit security key will be changed on each workstation once a month during your maintenance call. The idea is to draft a guide that ensures optimal security at all times.

Moreover, don't be afraid to use aggressive wireless networking settings. Customers complain constantly that their security keys take an impossibly long time to enter. My response: "If it's tedious for you to enter once in a while when a notebook loses its connection, just imagine how hard it'd be for an intruder to crack." I also like to turn off SSID broadcasting, which means anyone scanning for wireless networks will skip right over your customer's WLAN. Yes, you'll get occasional calls about a new laptop not seeing the wireless network. Just enter the SSID and key manually—eventually they'll remember the drill.

And for goodness sake, change the default user name and password on any wireless product you deploy. Each manufacturer's standard settings are published for the world to see on the Internet, yet seemingly one of every two routers I touch is unprotected. Security settings do no good, after all, if intruders are able to define their own.

Practice Software Security

It's all well and good to help keep outsiders from breaking in using malware, viruses, and keystroke loggers. However, there also exists a point where it makes sense to protect sensitive information from threats. And while most resellers pay considerable mind to hackers, it's much less common to see solid policies in place to prevent internal security gaffes.

For example, I recently received a referral call from an organization of seven experiencing some network performance problems. In the process of investigating the Windows Server 2003 network, I discovered that each user was set up as an administrator, supposedly to make sure everyone had full access to the server. Big mistake, though. Practicing a "lowest privilege" policy is much safer, granting access to only the most basic apps and abilities, then adding permissions as necessary.

The simplest way to go about defining permissions in SBS 2003 is through the Add User wizard, populated with its own set of templates. As you start working more intimately with individual security settings, you'll want to start looking at group policies. Using custom policies, it's possible to prevent users from running certain applications, such as msconfig.exe, for instance.

As a side note, it's also advisable to make sure each user is set up with a strong password. I constantly hear complaints about how hard it is to remember passwords with different cases and with at least eight characters—not to mention passwords that change every three months. However, it's pretty scary when even organizations properly set up from an IT perspective have restricted users sharing administrator passwords for easier access to network resources.

Microsoft recommends going a step further and encrypting sensitive data using its EFS (Encrypting File System), available to machines with NTFS-formatted hard drives. I haven't yet taken any of my customers that far.
However, if compliance is a concern for those businesses particularly sensitive to privacy, implementing the EFS is a fairly straightforward process outlined on Microsoft's small business support site (visit www.microsoft.com/smallbusiness, search for EFS, and click on the first hit).

Finally, guarantee that backups are in order. For most VARs, this one's a no-brainer. Most backup apps initially generate full saves and follow with incremental stores. One issue I've seen crop up, though, is the compromising of backup integrity once a save point is called into use. Another example: It isn't uncommon for my solution of choice, EMC's Retrospect, to cough up both warnings and errors as it encounters open files it can't save or read-only files it considers non-accessible. But on occasion it reports legitimate problems that may actually affect the status of a restore procedure. One job of a backup is to instill confidence during crises, so if you're seeing occasional execution errors during backups, verify that your backups actually restore properly on a test machine every so often, both for your own edification and the customer's.

One Server to Rule Them All

Small Business Server 2003 is attractive to SMBs for many reasons, one of which is its centralized control over network resources and an administrator-friendly interface. But whether you're using SBS 2003 or not, the concept of managing client systems from one "command center" is sound. From a managerial perspective, security settings are far less likely to be compromised when they're established on a single machine, enforced globally, and protected by a password known by one person—you.

Logistically, centralized control gives the VAR a front row seat to the entire network. Should the server encounter problems with backup, a remote diagnosis is easy enough. Similarly, software rollouts to workstations are a piece of cake from the server console of a centrally managed network.
And when you don't have to leave your desk, the small business customer saves money.

Train Socially

If you're providing technology services, it's probably because you have the know-how and your customers either don't have the time to juggle IT or nobody on staff is as proficient. That makes you the expert. It also means thinking with more than your right brain. Hackers are an inventive bunch, and they don't necessarily limit themselves to week-old pizza, Mountain Dew, and geeky denial-of-service attacks. Some of them are smooth operators willing to work other angles. I have a customer who fell victim to a social hack, unfortunately. So take a step beyond the services most VARs provide and talk to SMBs about the perils of social network security.

My customer was tricked by a simple phone call: "Hello, this is so-and-so. I'm working on your network, which seems to be having some problems. I was told to call and get your system's login information to help troubleshoot remotely." In an attempt at being helpful, a huge security hole was opened. Had the staff known to run any request for information past a certain point of contact, no user name or password would have ever been divulged.

The same tricks work over email, too. Microsoft Exchange effectively blocks attachments with fishy extensions, but it has a tougher time weeding out shady messages. "Phishing" emails appear to come from legitimate organizations—a bank, credit card company, or some other service provider—and petition for personal information. Should employees use the same login credentials for their network and that other institution, you're looking at another possible security breach.

Protecting against more free-form hack attempts is difficult business since crooks that use those techniques appeal to ignorance and emotions. Keep SMBs briefed on the latest threats, though, and take time to let employees know not to give out password information over the phone or email.

Holding Down the Fort

There's no way around it—taking charge of SMB security is tiresome work, and malicious users are always a step ahead of the good guys. But by plugging the most gaping holes, you can at least cover the basics, which is more than many solution providers actually manage. A solid combination of technical smarts, social savvy, and value-added implementation should keep your customers running safe and sound.
Copyright © 2007 RAM Magazine. All rights reserved.
Do not duplicate or redistribute in any form.