11/7/04

Tightening XP Security

I taught at NASA Ames recently. Someone in the class, Jack, asked for resources
for tightening XP security. There are probably hundreds or thousands, but the ones
that came to mind were written by my friend Dave Piscitello of
Core Competence.
These are the ones to which I referred:
  • How to Harden Your Microsoft Web Server
  • Stepping Up to Windows XP: What to Expect at Your Firewall
  • Take the “Sting” Out of XP Performance Issues
  • Securing XP Desktops: Account and Auditing Policies
  • Securing XP Desktops: Controlling Local Use and Network Access
If you like them, tell Dave he should create a “collection” page, like my
Secure E-mail Collection.

11/5/04

Producing Your Network Security Policy

My editor at WatchGuard Technologies, Scott Pinzon, said in part, “‘Producing Your Corporate Security Policy’ has drawn a phenomenal response. In its first few days, it has generated a 95% click-through rate … the highest rate in the shortest number of days [the marketing rep] has ever seen.”

Here is the executive summary: Network security experts agree that well-run corporations need a written security policy. The policy sets appropriate expectations regarding the use and administration of corporate IT assets. However, the conventional wisdom holds that composing and maintaining these documents bogs down in a morass of bureaucratic inefficiency and pointless wrangling, which never ends and produces nothing useful.

This paper lays out a common-sense approach to writing corporate security policies that makes them easier to draft, maintain, and enforce. Our “question and answer” approach requires no outside consultants. Instead, you can use your in-house knowledge and resources to yield a brief, usable, and — most importantly — understandable policy document, in a reasonable amount of time. To help you generate such a policy, this paper clears away some misconceptions about the purpose of network security; details the process of writing the policy; then explains how to keep refining the drafted policy.
Find the complete 15-page paper at www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf.

It is aimed at small- to medium-sized enterprises. And I just realized, it says, “requires no outside consultants.” Steve Fallin, my collaborator, must have snuck that by me.