Microsoft’s 10 Immutable Laws of Security Administration
Law #1: Nobody believes anything bad can happen to them, until it does
· “Why would someone want to cause harm to our network?”
· “We do not have anything of value…”
Law #2: Security only works if the secure way also happens to be the easy way
· If you are too strict, you will likely face an uprising
1. Make sure security policy is reasonable.
2. Make security processes have value to the user.
3. If strict security is necessary, make sure users understand the need.
Law #3: If you don't keep up with security fixes, your network won't be yours for long
· Software contains bugs; bugs lead to security flaws, and a large number of people are looking for them
· Security mailing lists like NTBugTraq, BugTraq and Win2kSecAdvice
Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
· No good patching a system that has a weak admin password or has the Guest account enabled
· Harden the system before you introduce it to the wild
Law #5: Eternal vigilance is the price of security
· Still susceptible to brute-force attacks, DoS, etc.
· Event log is your friend
o Set up procedures for regularly checking logs
Law #6: There really is someone out there trying to guess your passwords
· An attacker needs only one password to gain access and learn valuable network information
· Most people pick lousy passwords, write them down
· Consider two-factor authentication methods – biometrics, smart cards
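Law #5 and Law #6 together describe one concrete procedure: review logon failures on a schedule and treat a burst of failures against a single account from a single source, especially one followed by a success, as a password-guessing attempt. The script below is an added example, not part of these notes or of Microsoft's material. It runs over constructed log lines in a made-up one-event-per-line format (timestamp, outcome, account, source); the record format, the threshold of five failures and the five-minute window are all assumptions, and an exported event log would be fed to the same logic once its fields were mapped.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Format assumed for the example:
#   <ISO timestamp> <LOGON_FAILURE|LOGON_SUCCESS> account=<name> src=<host>
# The first block is a burst of bad passwords for "administrator" followed by a success;
# the second is a user mistyping a password twice, over an hour apart.
SAMPLE_LOG = """\
2003-05-12T08:00:01 LOGON_FAILURE account=administrator src=10.0.0.50
2003-05-12T08:00:03 LOGON_FAILURE account=administrator src=10.0.0.50
2003-05-12T08:00:04 LOGON_FAILURE account=administrator src=10.0.0.50
2003-05-12T08:00:06 LOGON_FAILURE account=administrator src=10.0.0.50
2003-05-12T08:00:07 LOGON_FAILURE account=administrator src=10.0.0.50
2003-05-12T08:00:09 LOGON_SUCCESS account=administrator src=10.0.0.50
2003-05-12T08:15:00 LOGON_FAILURE account=jsmith src=10.0.0.21
2003-05-12T09:30:00 LOGON_FAILURE account=jsmith src=10.0.0.21
2003-05-12T09:30:05 LOGON_SUCCESS account=jsmith src=10.0.0.21
"""

# Assumed tuning values: how many failures inside the window count as guessing.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one constructed log record into a dict of its fields."""
    timestamp, outcome, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "time": datetime.fromisoformat(timestamp),
        "outcome": outcome,
        "account": fields["account"],
        "src": fields["src"],
    }


def detect_guessing(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per (account, source) that reaches `threshold` failures
    inside `window`. A success arriving within `window` of the last failure is
    recorded on the alert, because a burst of failures followed by a success is
    the case that needs investigation first."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda ev: ev["time"])

    recent_failures = defaultdict(list)  # (account, src) -> failure times still inside the window
    open_alerts = {}                      # (account, src) -> alert dict still being updated
    alerts = []

    for ev in events:
        key = (ev["account"], ev["src"])
        if ev["outcome"] == "LOGON_FAILURE":
            cutoff = ev["time"] - window
            times = [t for t in recent_failures[key] if t >= cutoff]
            times.append(ev["time"])
            recent_failures[key] = times
            if key in open_alerts:
                # Already alerted: keep counting so the report shows the full burst.
                open_alerts[key]["failures"] += 1
                open_alerts[key]["last"] = ev["time"]
            elif len(times) >= threshold:
                alert = {
                    "account": ev["account"],
                    "src": ev["src"],
                    "failures": len(times),
                    "first": times[0],
                    "last": ev["time"],
                    "success_after": False,
                }
                open_alerts[key] = alert
                alerts.append(alert)
        elif ev["outcome"] == "LOGON_SUCCESS":
            alert = open_alerts.get(key)
            if alert is not None and ev["time"] - alert["last"] <= window:
                alert["success_after"] = True
            # A success ends the episode either way; start counting afresh.
            open_alerts.pop(key, None)
            recent_failures.pop(key, None)

    return alerts


def format_report(alerts):
    """Render alerts as lines suitable for a scheduled log-review procedure."""
    lines = []
    for a in alerts:
        flag = "FOLLOWED BY SUCCESS - investigate first" if a["success_after"] else "no success seen"
        lines.append(
            f"{a['account']} from {a['src']}: {a['failures']} failures "
            f"{a['first'].isoformat()} .. {a['last'].isoformat()} ({flag})"
        )
    return lines


if __name__ == "__main__":
    for line in format_report(detect_guessing(SAMPLE_LOG)):
        print(line)
```

With the constructed sample the administrator burst is reported and jsmith's two widely spaced mistakes are not; lowering the threshold or widening the window (both parameters of `detect_guessing`) shows how quickly a looser tuning turns ordinary typos into noise, which is why the review procedure, not just the script, is what Law #5 asks for.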
Law #7: The most secure network is a well-administered one
· Most exploits take advantage of misconfiguration
· Documentation and policies are key
Law #8: The difficulty of defending a network is directly proportional to its complexity
· Look at trust relationships in the network
· Know all access points into your network
· Adopt the principle of “few and well controlled”
Law #9: Security isn't about risk avoidance; it's about risk management
· There will be times when business imperatives conflict with security
· Your network will be compromised; it is all about how you deal with it
Law #10: Technology is not a panacea
· Technology itself is not a guarantee of security