How Do You Keep Your Nonprofit's Computers Secure?

Latest post 08-02-2006 6:31 AM by joeforan. 11 replies.

How Do You Keep Your Nonprofit's Computers Secure?

04-27-2006 3:42 PM

What firewalls and antivirus, anti-spam, and anti-spyware applications does your organization use to protect your computers? How would you rate them, and what would you like to improve upon?

In TechSoup's article Secure Computing: The Key Ingredients, we'll give you a detailed overview of the software you can use to protect your network, along with special considerations to ensure that the solution you choose works for your organization.

Did we leave out anything? Want to join the discussion? Add your input here.

RE: How Do You Keep Your Nonprofit's Computers Secure?

05-01-2006 12:59 PM

I would add diligently applying critical updates, service packs, and patches to your operating system and other software. Windows users should turn on the Automatic Updates feature or they can go to http://update.microsoft.com to get their updates for Windows and Office. Mac OS users should use the built-in Software Update utility.

Increasingly, other software also has the "check for updates" feature. Use these to stay healthy and secure as well.

RE: How Do You Keep Your Nonprofit's Computers Secure?

05-01-2006 3:13 PM

The San Francisco Chronicle has an interesting article on how Macs are becoming more vulnerable to attacks. It cites a just-released SANS Institute report on the top trends in Internet security:

  • Mac's OS/X operating system is no longer the "bulletproof alternative" to Windows.
  • There has been a "substantial decline" in vulnerabilities in Windows Services.
  • Internet Explorer continues to be vulnerable to attacks.
  • Firefox and Mozilla browsers also are vulnerable.
  • There has been a surge in profit-motivated attacks.

    (Source: SANS Institute, sfgate.com)


    RE: How Do You Keep Your Nonprofit's Computers Secure?

    05-03-2006 11:00 AM

    Getting all users to sign on with a restricted UserID for activities such as checking email and browsing the internet is an essential.

    RE: How Do You Keep Your Nonprofit's Computers Secure?

    05-05-2006 8:40 PM

    +1 vote to the post above...

    The use of restricted permission accounts for Email and web surfing should be a "given" in today's world of exploits for all major operating systems.

    This is the easiest, the most effective, and the most fundamental of all computer security measures.

    Don

    RE: How Do You Keep Your Nonprofit's Computers Secure?

    05-19-2006 9:51 AM

    I second (or third) the restricted accounts for everyday use, as Don and LAMurakai suggest.

    I would also add using alternatives to Internet Explorer and Outlook (for email).

    Educating staff on good data security practices can be very important, depending on the setting. They might need to know what are strong passwords, who they can share which data with, what are some current phishing scams, how to back up their data, etc. There may need to be some employee policies in place, just so people know that, e.g., their spreadsheets and email and whatnot don't belong to them.

    I would also add keeping abreast of developing security threats, through bulletins, newsletters, etc.

    Karl

    RE: How Do You Keep Your Nonprofit's Computers Secure?

    05-26-2006 12:52 PM

    Here is an interesting article that recommends that advanced users or organizations with full time IT people should NOT use Automatic Updates for Windows.

    http://windowssecrets.com/paid/1071451039/

    That is theoretically a subscriber-only page, but it is viewable by all (so don't spread it too too widely.)

    Here's a quotation:

    "• Advanced users (including companies with full-time IT staff) should never use Automatic Updates. Professionals should first test Microsoft patches — and every other company's patches — on isolated machines. Read the free and paid versions of the Windows Secrets Newsletter that are published 2 days after Patch Tuesday with warnings of problems. Then use patch-management techniques to carefully install the needed upgrades to end users.

    • Novice users, who can't or won't read up on reported patch problems before updating their machines, should leave Automatic Updates turned on. Beginners have a greater risk of catching a virus than they do of encountering a serious patch incompatibility."

    It goes on to discuss a variety of arguments, both supportive of the above and not.

    BTW, Windows Secrets is terrific, and subscriptions are free.


    RE: How Do You Keep Your Nonprofit's Computers Secure?

    05-30-2006 7:02 AM

    We use Windows Update Services here to do our Windows updates. I have to pre-approve all updates before they get dispersed to the client computers on our network. This works great for us as I do not have to go PC to PC to install critical updates. I test any patches before mass deployment.

    RE: How Do You Keep Your Nonprofit's Computers Secure?

    06-08-2006 7:16 AM

    I'm the sole IT person at our Agency (6 different sites, 150 users, 3 servers). I direct, manage and support all aspects of technology so anything I can do to keep maintenance and emergencies to a minimum is important.

    Here's my recipe for success:

    We have a mix of Win98 and WinXP desktop systems. All users who log into WinXP are 'limited accounts'. This prevents 90% of all troubles.

    All email coming and going gets scanned and filtered by Mailscanner, SpamAssassin, and ClamAV:
    http://www.mailscanner.info
    http://www.clamav.net
    http://spamassassin.apache.org
    That combo stops 99.9% of all viruses and most spam.

    All desktops, Win98 and WinXP, have Norton AV Corporate Edition installed. This will catch anything that our email scanner misses or viruses that come in on floppy disks and other removable media.

    When it comes to Windows Updates, I just say "NO", for two reasons:

    1) Windows updates need to be validated and tested before I let them onto our systems. Too often the Windows updates open up new security risks. So I wait for a good batch to come along.

    2) The updates consume our limited bandwidth. Our file server shares files to remote sites over a 384k line. That same server will pass out Windows updates when I ask it to. But for the sake of business efficiency I haven't done it yet.

    Using the combined efforts listed above I can proudly say that we've been virus free for nearly four years. Not a single infection since I've been running the "show". Spam is a consistent problem but it's manageable. No Windows systems have been compromised because of a missing security patch. I attribute that to the strict use of "limited account" access.

    Jason Morrill
    IT Manager
    Child & Family Agency

    RE: How Do You Keep Your Nonprofit's Computers Secure?

    06-15-2006 2:30 PM

    A short summary of our security recipe...

    1) Anti-Social-Engineering. AKA, training the staff to recognize scams and phishes.
    2) All new application development must tie into our LDAP directory via SSL for authentication. This makes the last two points, below, possible beyond simple file and web access.
    3) Firewalls. Constantly updated and monitored.
    4) Anti-Virus. We use a tier-two vendor, since McAfee and Symantec seem to be the favored targets for disabling routines in worms and viruses. Maintained on the desktops and servers for file protection, and on an SMTP-intercept box.
    5) Anti-Spyware. We use multiple vendors, including ad-aware, Windows Defender, etc. We run them resident and do regularly scheduled scans on all desktops, and even on the servers.
    6) Anti-Spam. Desktop anti-spam and on the SMTP intercept box.
    7) NDAs. All contractors working on our data must sign NDAs, and must be acknowledged by IT, signed in under a company ID (NO generic accounts!).
    8) WSUS. Simple to set up, simple to administer, and ends the headaches of bad patches.
    9) Network Access Control - we're working on this... we like Harvard's Packetfence so far, but are not in production with it yet.
    10) Content monitoring - who looked at what, and when.
    11) File audit tracking - who opened what, and when.
    12) No vendor lock-in. We're not a Microsoft shop, we're not a Linux shop. We're not a BSD shop. Etc. Etc.
    13) DR/BC - we have a two-hour SLA for returning downed servers to online state from backup. We can keep the same two-hour SLA even if we have to relocate to another building. We use virtualization in the server space not only to cut costs, but keep backups simple and easy to restore to.

    HIPAA... how I hate thee, yet how I love thee.

    RE: How Do You Keep Your Nonprofit's Computers Secure?

    08-01-2006 11:29 AM

    Use Windows Server Update Services. It can update all computers joined to a domain via scheduling. It can make exceptions too. My WSUS updates 50 workstations and 9 servers ranging from Windows 98, 2000, XP, Vista, Server 2003, etc. Beats remoting into servers or going to each workstation.
    Block ActiveX by default and only allow it for trusted sites. Lusers don't know any better.
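    The "test on a few machines first, then approve for everyone" WSUS routine that the posts above describe can be scripted. The following is an added example, not code from any poster; it uses the UpdateServices PowerShell module that ships with WSUS on Windows Server 2012 and later, and assumes two computer target groups named "Pilot" and "All Computers" already exist in the WSUS console (adjust the names to your own groups).

```powershell
# Added example: two-stage WSUS approval. Assumes the UpdateServices module
# and target groups named 'Pilot' and 'All Computers' (names are assumptions).
Import-Module UpdateServices

$pilotGroup = 'Pilot'           # a few representative test machines
$prodGroup  = 'All Computers'   # built-in group containing every client
$classes    = @('Critical', 'Security')

# Stage 1: newly synced critical/security updates are approved for the pilot group only.
$pending = $classes | ForEach-Object {
    Get-WsusUpdate -Classification $_ -Approval Unapproved -Status FailedOrNeeded
}
foreach ($u in $pending) {
    Write-Host "Pilot approval: $($u.Update.Title)"
    Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $pilotGroup
}

# Stage 2 (run some days later, after you have looked at the pilot machines):
# promote an update to all computers only if every pilot machine reports it
# installed; anything failed, still pending, or unknown is held back.
$wsus     = Get-WsusServer
$pilot    = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $pilotGroup }
$pilotIds = $pilot.GetComputerTargets() | ForEach-Object { $_.Id }

$candidates = $classes | ForEach-Object {
    Get-WsusUpdate -Classification $_ -Approval Approved -Status Any
}
foreach ($u in $candidates) {
    # Per-computer install state for this update, narrowed to the pilot machines.
    $states = $u.Update.GetUpdateInstallationInfoPerComputerTarget() |
              Where-Object { $pilotIds -contains $_.ComputerTargetId } |
              ForEach-Object { $_.UpdateInstallationState.ToString() }
    $bad = $states | Where-Object { $_ -in 'Failed', 'NotInstalled', 'Downloaded', 'Unknown' }

    if (($states -contains 'Installed') -and -not $bad) {
        Write-Host "Promoting to production: $($u.Update.Title)"
        # Re-approving an update already approved for this group is harmless.
        Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $prodGroup
    } else {
        Write-Warning "Holding back '$($u.Update.Title)': pilot states = $($states -join ', ')"
    }
}
```

    Stage 1 is meant to run after each Patch Tuesday sync and Stage 2 after the pilot machines have had a few days to install and be checked; both stages can be scheduled tasks on the WSUS server.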

    RE: How Do You Keep Your Nonprofit's Computers Secure?

    08-02-2006 6:31 AM

    Quick update to my last post and the comment on Network Access Control - we've finally been able to get Packetfence to work! As my brother would say - WOOT!!!

    It's in testing mode now, and I hope to put it in monitor mode by the end of the month, then into intercept mode by the middle of September.

    We did it thanks to a very helpful howto on the packetfence site. http://www.packetfence.org/wiki/index.php?title=CentOS_4_HOWTO