Trying to keep your company's information secure is a lot of work and is unlikely to make you popular with users. Typically, the tighter you try to lock down a network, the more hassle it is to administer, because repetitive tasks become necessary for both you and your end users. But there are ways to ease the pain—often by deploying automation technology. Let's look at six common security annoyances and practical, effective ways to overcome them.
Password Resets
Resetting passwords for users who forget them is the bane of every administrator. A META Group survey indicates that this thankless task alone costs companies with 10,000 users well over half a million dollars a year (http://www.microsoft.com/technet/security/guidance/identitymanagement/idmanage/p2pass.mspx). But there are ways to reduce or even eliminate this problem. My favorite solution is to use electroshock therapy. With a few simple modifications to a keyboard's wiring and a device-driver hack, you can deliver 120 volts of behavior-changing juice to the nervous system of your users when they enter their passwords incorrectly. A couple of jolts and your problem is solved!
You can train users to remember passwords with less violent behavior-modification methods. The most effective password-memorization technique I've found is creating passwords by using the first letter of each word of a sentence that the user can remember. You'll need to use a sentence that has some proper nouns and numbers so that this technique produces a complex password with upper-case letters and nonletter characters. You can let users come up with their own sentences, but I've had better success assigning users passwords based on a sentence of my choosing. Assigning passwords this way carries the added benefit of the enjoyment you get by forcing users to mentally recite your brutally honest observations about their personality or appearance. Of course, if you have one of those irksome corporate security policies that says you shouldn't know everyone's password (like you can't just run a password cracker, right?), then you might have to look at other alternatives.
Enter the automated password reset tool. Let's think about it. Resetting a user's password is a pretty mundane, clerical process: Authenticate the person requesting the password reset, find his or her account, and reset its password. Why not automate this? A variety of self-service password reset solutions are already on the market to take this burden off your shoulders, and it's not hard to justify the cost when you consider the savings in IT staff time. Solutions on the market provide various methods for letting users reset their own passwords, from Web-based applications to telephone-based systems. Some of the players include Avatier Password Station and M-Tech Information Technology's P-Synch. Just do a Web search for "password reset self-service" and you're on your way.
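The three clerical steps just described (authenticate the requester, find the account, reset the password) map directly onto code. Below is an added, constructed Python sketch of a self-service reset service; it is not the code of any product named above. Identity is checked against salted hashes of enrolled challenge answers, unknown and locked accounts get the same response so the form cannot be used to enumerate users, repeated failures lock the reset path, and every decision is written to an audit list. The in-memory directory, questions and limits are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILURES = 3          # assumed lockout threshold for the reset path
PBKDF2_ROUNDS = 50_000    # assumed work factor for the example


def _pbkdf2(data: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # answers are normalised so "Rover" and " rover " enrol and verify the same
    return _pbkdf2(answer.strip().lower().encode(), salt)


@dataclass
class Account:
    username: str
    answer_hashes: dict           # question -> (salt, hash)
    password_hash: tuple = ()     # (salt, hash) once a password has been set
    failures: int = 0
    locked: bool = False


def enroll(username: str, answers: dict) -> Account:
    """Store challenge answers as salted PBKDF2 hashes, never in clear text."""
    hashes = {}
    for question, answer in answers.items():
        salt = secrets.token_bytes(16)
        hashes[question] = (salt, _hash_answer(answer, salt))
    return Account(username, hashes)


def _answers_match(account: Account, answers: dict) -> bool:
    """Every enrolled question must be answered, and every answer must verify."""
    if set(answers) != set(account.answer_hashes):
        return False
    for question, given in answers.items():
        salt, stored = account.answer_hashes[question]
        if not hmac.compare_digest(stored, _hash_answer(given, salt)):
            return False
    return True


class ResetService:
    def __init__(self, directory: dict):
        self.directory = directory   # username -> Account (stands in for the directory service)
        self.audit = []              # (username, outcome) records

    def reset_password(self, username: str, answers: dict, new_password: str) -> bool:
        account = self.directory.get(username)
        if account is None or account.locked:
            # identical outcome for unknown and locked accounts: no user enumeration
            self.audit.append((username, "denied"))
            return False
        if not _answers_match(account, answers):
            account.failures += 1
            account.locked = account.failures >= MAX_FAILURES
            self.audit.append((username, "locked" if account.locked else "failed"))
            return False
        salt = secrets.token_bytes(16)
        account.password_hash = (salt, _pbkdf2(new_password.encode(), salt))
        account.failures = 0
        self.audit.append((username, "reset"))
        return True


if __name__ == "__main__":
    # constructed enrolment for one user
    directory = {"jsmith": enroll("jsmith", {"first pet": "Rover", "birth city": "Austin"})}
    service = ResetService(directory)
    print(service.reset_password("jsmith", {"first pet": "rover", "birth city": "Austin"}, "N3w-P@ss"))
    print(service.audit)
```

A production deployment would add a second factor (a one-time code sent to a registered phone or mailbox, as the telephone-based products mentioned above do), rate limiting per source address, and forwarding of the audit records to the security log rather than keeping them in memory.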
Protecting Laptop Data
Protection of laptop data is receiving increasing scrutiny from legislators and the media. When an organization loses a laptop containing customers' personal information, the organization is in for some hefty unexpected costs associated with notifying each customer of the security breach as well as the more-difficult-to-quantify costs of bad press and loss of good will.
I've watched this problem and the technologies designed to address the risk of stolen or lost laptops for years. Many solutions have caused more problems in terms of stability or administration than they were worth. Other solutions slowed down systems or were too impractical because they depended on users to encrypt or decrypt files or manage encryption keys. I've used Windows Encrypting File System (EFS) for my clients, but it has drawbacks. For instance, EFS doesn't support whole-volume encryption, so data can leak out from unencrypted folders.
Windows Vista's new BitLocker Drive Encryption feature for whole-volume encryption and its integration with the Trusted Platform Module (TPM) found in most business laptops today provide the best all-around solution for protecting data on laptops. In fact, I'd say BitLocker is the single biggest motivator for migrating your laptop fleet to Vista.
With BitLocker, you divide your hard drive into two volumes. One volume is very small (just a few megabytes) and initially left empty; you install Vista to the partition that occupies the rest of the drive. Then you enable BitLocker and wait for it to encrypt the entire large volume. BitLocker installs a bootstrap loader on the small volume, which is protected from tampering by the laptop's TPM. When the laptop is turned on, the TPM checks, through hashes stored in its tamper-resistant memory, whether the tiny bootstrap partition has been modified. If it hasn't, the TPM allows the bootstrapper to load. The bootstrapper retrieves the encryption key for the larger volume from the TPM and proceeds to boot Vista on the larger, encrypted volume. This description is a bit simplified, but the bottom line is that for the first time, we have laptop hardware, tamper-resistant key storage, and whole-volume encryption all integrated with the OS for the most transparent, best-performing, and effective encryption solution I've seen to date. To learn more about BitLocker, see the Windows BitLocker Drive Encryption Step-by-Step Guide (http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx).
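To make the boot-time check concrete, here is an added Python model of the mechanism the paragraph describes; it is a teaching simulation written for this page, not BitLocker's or any TPM's code. Each boot component is hashed in order into a simulated Platform Configuration Register, the volume key is sealed to the register value the genuine boot chain produces, and the key is released only when a boot reproduces that value; a single changed bit in the bootstrap loader, or the same components measured in a different order, yields a different register value and no key. The firmware and loader bytes, the key and the single-register layout are constructed for the example.

```python
import hashlib
import hmac
import secrets


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as TPMs do it: new = H(old || measurement), so order matters."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot_chain(components: list) -> bytes:
    """Hash each boot component in order into a register that starts at all zeros."""
    pcr = bytes(32)
    for blob in components:
        pcr = extend(pcr, hashlib.sha256(blob).digest())
    return pcr


class SimulatedTpm:
    """Holds secrets sealed to register values and releases one only on an exact match."""

    def __init__(self):
        self._sealed = {}   # expected PCR value -> key

    def seal(self, expected_pcr: bytes, key: bytes) -> None:
        self._sealed[expected_pcr] = key

    def unseal(self, current_pcr: bytes):
        for expected, key in self._sealed.items():
            if hmac.compare_digest(expected, current_pcr):
                return key
        return None   # register does not match: the key stays inside the TPM


def boot(tpm: SimulatedTpm, components: list):
    """Model of power-on: measure the boot chain, then ask the TPM for the volume key."""
    return tpm.unseal(measure_boot_chain(components))


# constructed stand-ins for the firmware and the small boot partition's loader
FIRMWARE = b"firmware v1: constructed sample bytes"
BOOTLOADER = b"bitlocker bootstrap loader: constructed sample bytes"
VOLUME_KEY = secrets.token_bytes(32)


def provision(tpm: SimulatedTpm) -> None:
    """Enable-time step: seal the volume key to the measurement of the genuine boot chain."""
    tpm.seal(measure_boot_chain([FIRMWARE, BOOTLOADER]), VOLUME_KEY)


def tampered(blob: bytes) -> bytes:
    """Flip one bit of a boot component to model a modified boot partition."""
    return bytes([blob[0] ^ 0x01]) + blob[1:]


if __name__ == "__main__":
    tpm = SimulatedTpm()
    provision(tpm)
    print("genuine boot releases key:", boot(tpm, [FIRMWARE, BOOTLOADER]) == VOLUME_KEY)
    print("tampered loader releases key:", boot(tpm, [FIRMWARE, tampered(BOOTLOADER)]) is not None)
```

The model also shows why a firmware or boot-loader update on a BitLocker machine needs the recovery key or a suspend-and-resume of protection: the new measurement no longer matches the sealed value until the key is resealed.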
Lovely Spam, Wonderful Spam
Spam is such a pain. Kind of the understatement of the decade, eh? We all hate it, and it's a security threat because we can all too easily open an attachment containing a virus.
If you aren't careful, though, your antispam solution can become an even bigger pain. No antispam solution is 100 percent accurate. You run two basic risks with an antispam solution: user dissatisfaction with low catch rates and user dissatisfaction with false positives, both of which lead to increased care and feeding of users by IT staff (i.e., support calls).
In my experience, an 80 percent catch rate for spam is pretty reasonable; users shouldn't expect much better unless they're willing to regularly hunt down good email messages that got caught by the spam filter. Many antispam solutions claim a much higher catch rate but don't mention their false positive statistics. Moreover, catch rates vary from organization to organization, and even user to user, because of the content and phrases peculiar to different industries and what each user considers to be spam. A marketing professional may have a view of spam very different from that of a technician who doesn't have much interaction outside the organization.
In my opinion, Sender Policy Framework (SPF) spam detection has the best potential to significantly reduce spam, but too few companies have taken the time to publish an SPF record for their DNS domain. An SPF record published in your domain's zone file formally declares the official SMTP servers for your domain so that other organizations can determine if email that purports to be from your domain really is. Don't delay: There are great setup wizards on the Internet that will help you build your own SPF record—for instance, http://www.openspf.org.
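As an added, constructed illustration of what an SPF record declares and how a receiving mail server evaluates it (example code written for this page, not the openspf.org wizard or any mail product), the Python below composes a record from a list of permitted sender networks and then evaluates the ip4, ip6, a, mx, include and all mechanisms against a small in-memory stand-in for DNS. The domains, addresses and records are made up for the example; a real evaluator would query DNS and handle the remaining mechanisms, modifiers and lookup limits of the SPF specification.

```python
import ipaddress

# constructed stand-in for DNS: domain -> record type -> values
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:bulkmail.example.net -all"],
    },
    "bulkmail.example.net": {
        "TXT": ["v=spf1 a mx -all"],
        "A": ["198.51.100.5"],
        "MX": ["mx1.example.net"],
    },
    "mx1.example.net": {"A": ["198.51.100.20"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def build_spf_record(networks, includes=(), policy="-"):
    """Compose the TXT record an organisation would publish for its own domain."""
    terms = ["v=spf1"]
    terms += [f"ip4:{net}" for net in networks]
    terms += [f"include:{domain}" for domain in includes]
    terms.append(f"{policy}all")        # "-all": anything else is a forgery
    return " ".join(terms)


def lookup(domain, rtype):
    return DNS.get(domain, {}).get(rtype, [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate a sending address against a domain's SPF record (subset of the SPF mechanisms)."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                    # nothing published: the receiver learns nothing
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # an address of the other IP version is simply not contained
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            matched = str(addr) in lookup(argument or domain, "A")
        elif mechanism == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(argument or domain, "MX"))
        elif mechanism == "include":
            matched = check_host(ip, argument, depth + 1) == "pass"
        else:
            return "permerror"           # mechanism not handled by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no term matched and no explicit "all"


if __name__ == "__main__":
    print(build_spf_record(["192.0.2.0/24"], ["bulkmail.example.net"]))
    for sender in ("192.0.2.77", "198.51.100.20", "203.0.113.9"):
        print(sender, "->", check_host(sender, "example.com"))
```

The third sender in the demonstration falls through to `-all` and is rejected as a forgery of example.com, which is exactly the signal the paragraph says other organizations gain only when you publish a record.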