the ultimate network security checklist

Follow GFI:

HOME ABOUT US TRIALS BLOGROLL VIDEO TOP POSTS CONTACT

The Ultimate Network SecurityChecklistChristina Goggi on February 24, 2012

Working on your network security? Check.

Want to make sure you have all yourbases covered? Check.

Need some help getting started? Check.

How about a simple list you can follow,broken down by category, which includessome tips and tricks for getting the jobdone?

Here it is The Ultimate Network SecurityChecklist: a document that provides youwith the areas of information security youshould focus on, along with specificsettings or recommended practices thatwill help you to secure your environment against threats from within and without.

Using this checklist as a starting point and working with the rest of your IT team, yourmanagement, human resources, and your legal counsel, you will be able to create theultimate network security checklist for your specific environment. Thats an importantdistinction; business requirements, regulatory and contractual obligations, local laws, andother factors will all have an influence on your companys specific network securitychecklist, so dont think all your work is done. Youll need to tweak this to suit your ownenvironment, but rest assured the heavy lifting is done!

Well break this list down into broad categories for your ease of reference. Some of thebreakdowns may seem arbitrary, but you have to draw lines and break paragraphs at somepoint, and this is where we drew ours.

1. PoliciesThe best laid plans of mice and men oft go awry,and nowhere can this happen more quickly thanwhere you try to implement network securitywithout a plan, in the form of policies. Policiesneed to be created, socialized, approved bymanagement, and made official to hold anyweight in the environment, and should be used asthe ultimate reference when making securitydecisions. As an example, we all know that sharingpasswords is bad, but until we can point to thecompany policy that says it is bad, we cannot holdour users to account should they share a passwordwith another. Heres a short list of the policiesevery company with more than two employeesshould have to help secure their network:

1. Acceptable Use Policy

2. Internet Access Policy

3. Email and Communications Policy

4. Network Security Policy

The Ultimate Network Security Checklist http://www.gfi.com/blog/the-ultimate-network-security-checklist/

1 of 13 11/20/2012 5:38 PM

Recent PostsGFI Labs Email Roundup for the Week

Rolex Spam Rolls Out in Time for Black Friday

test post

VIPRE Business Premium Launches with aUnique Feature

Tech Zone13 IT Projects to Include in Your Plans for 2013

New Phishing Campaign Targets LinkedInUsers with Fake Reminders

Spyware: The Next Generation

Unsolicited Phone Call Scams - Part Two

Recent CommentsScammers Target Chikka Users

Introducing VIPRE Internet Security 2013



TalkTechToMe - Copyright 2012 GFI Software | Privacy Policy | Copyright | Blog Terms of Use | Contact

GFI Fixes It

More articles

GFI MailArchiver 2011: A KeyTool in Your VAR Toolbox

GFI World

IT Dojo

MSP Insights

SMB Zone

Tech Zone


2 of 13 11/20/2012 5:38 PM

Chistian Oliver February 24, 20123:39 pm

Wow this list is mind blowing!!!!!

Xerxes Cumming February 25, 20129:11 am

For me, making sure workstations are in good shape (secured, updatedand physically in excellent condition) should be the top-most concernrather than the server itself. I also would like to add that vulnerabilityscan and patch management should go hand in hand. You should not do orapply only one. Ive been a white hacker for several years now and thesetwo network security methodologies are a must for both the server andthe workstations. Organizations and enterprises with more than 50employees and a hundred computer units should have these two in place.

Adam Loveland February 25, 20121:31 pm

Quite an exhaustive list, but thats the kind of thorough attention todetail that is necessary when reviewing network security. One hole in anyone of these spots can effectively bring most of the others down. You maynot need this much consideration for a smaller business, but if you havean intention to grow it is ALWAYS a better idea to have the infrastructurein place first and grow to fit it.

Roger Willson February 27, 20129:15 am

A great list! It is really a concise representation of all the points thatneed to be secured. I think this list can be used as a basis for security forcompanies of all sizes. For a small company it can be used verbatim,while for a large one there might need to be some additions but all in all,awesome work, thank you!

Thomas Macadams February 28, 20122:51 am

Backup backup backup. If theres one GREAT thing I learned way back incollege that is to backup all network programs and systems. When allbackups are in place, network security and protection will be a breeze.And with Cloud Computing on the steady rise, automatic backups of yourworkstations and server will be both practical and easier to do. If you area competent network administrator or an IT manager, backup / restoreshould be one of the top in your checklist.

Remco February 28, 20128:39 pm

A great list indeed! What i really would like to see is a tool or an excelsheet as an example of documenting these information, because i keepstrugling wich data is important and how to save them efficient. Anysuggestions?

Christina Goggi March 5, 201211:13 am

Thanks Remco! Everyone has their own method; the mostcommon approach is probably keeping a cheat sheet (which is justa concise list of the items you think apply to you). Then update itgradually things that become second nature can be removed andnew things you encounter should get added.

Kevin Fraseir February 29, 20126:33 am

STAY AWAY FROM TORRENT-BASED WEBSITES. As an experienced seniornetwork administrator for more than eight years, Ive encountered someof the toughest network security risks there is. Name it and I know themdown to their source codes. From these threats, the toughest for me aretorrent-based infections and attacks.

Its a bad idea to download files (mp3s, videos, games, etc) from websitesthat host torrents. Some downloaded torrent have extra and unnecessaryfiles attached to them. These files can be used to infect your computersand spread viruses. Be extra careful about downloading pirated DVDscreener movies especially if it contains subtitles (usually it has a .srt fileextension). Subtitle files are sometimes encoded with malicious codes.


3 of 13 11/20/2012 5:38 PM

Gill Langston March 13, 201211:06 pm

Torrents are bad news for so many reasons.. besides the fact thata user in a corporate environment can infect the entire networkjust because they wanted to download a song or movie, theycould leave the company legally liable for copyright infringement.Especially when the torrent client is sharing files to others. Thatmeans the company network is now hosting pirated content.

Stephen July 20, 201212:27 pm

Kevin, I understood that a .srt file is just text. Please could youexplain how this can be a threat? Thanks.

Crunchy July 26, 20123:14 pm

Its a text file, it could contain code that executes when it isopen. If youre familiar with coding you could just edit the .srtfile to see if there is anything crazy on it

5. Remote Access Policy

6. BYOD Policy

7. Encryption Policy

8. Privacy Policy

A great resource for policy starter files and templates is the SANS Institute athttp://www.sans.org.

2. Provisioning ServersWhen asked why he robbed banks,American criminal Willie Suttonanswered because thats where themoney is. If you could ask a hackerwhy s/he breaks into servers wouldprobably reply with a similar answerbecause thats where the data is.In todays society, data is a fungiblecommodity that is easy to sell ortrade, and your servers are wheremost of your companys mostvaluable data resides. Here aresome tips for securing those serversagainst all enemies both foreignand domestic. Create a serverdeployment checklist, and make sure all of the following are on the list, and that eachserver you deploy complies 100% before it goes into production.

Server list

Maintain a server list that details all the servers on your network SharePoint is a greatplace for this. At a minimum it should include all the name, purpose, ip.addr, date ofservice, service tag (if physical), rack location or default host, operating system, andresponsible person. Well talk about some other things that can be stored on this server listdown below, but dont try to put too much data onto this list; its most effective if it can beused without side to side scrolling. Any additional documentation can be linked to orattached. We want this server list to be a quick reference that is easy to update andmaintain, so that you do.

Responsible party

Each server must have a responsible party; the person or team who knows what the server isfor, and is responsible for ensuring it is kept up-to-date, and can investigate any anomaliesassociated with that server.

Naming convention

Naming conventions may seem like a strange thing to tie to security, but being able to


4 of 13 11/20/2012 5:38 PM

quickly identify a server is critical when you spot some strange traffic, and if an incident isin progress, every second saved counts.

Network Configuration

Ensure that all network configurations are done properly, including static ip.addrassignments, DNS servers, WINS servers, whether or not to register a particular interface,binding order, and disabling services on DMZ, OOB management, or backup networks.

IPAM

All servers should be assigned static IP addresses, and that data needs to be maintained inyour IP Address Management tool (even if thats just an Excel spreadsheet). When strangetraffic is detected, its vital to have an up-to-date and authoritative reference for eachip.addr on your network.

Patching

Every server deployed needs to be fully patched as soon as the operating system is installed,and added to your patch management application immediately.

Antivirus

All servers need to run antivirus software and report to the central management console.Scanned exceptions need to be documented in the server list so that if an outbreak issuspected, those directories can be manually checked.

Host intrusion prevention/firewall

If you use host intrusion prevention, you need to ensure that it is configured according toyour standards, and reports up to the management console. Software firewalls need to beconfigured to permit the required traffic for your network, including remote access, loggingand monitoring, and other services.

Remote access

Pick one remote access solution, and stick with it. I recommend the built-in terminalservices for Windows clients, and SSH for everything else, but you may prefer to remote yourWindows boxes with PCAnywhere, RAdmin, or any one of the other remote accessapplications for management. Whichever one you choose, choose one and make it thestandard.

UPS and power saving

Make sure all servers are connected to a UPS, and if you dont use a generator, that theyhave the agent needed to gracefully shut down before the batteries are depleted. While youdont want servers to hibernate, consider spinning down disks during periods of low activity(like after hours) to save electricity.

Domain joined

Unless theres a really good reason not to, such as application issues or because its in theDMZ, all Windows servers should be domain joined, and all non-Windows servers should useLDAP to authenticate users against Active Directory. You get centralized management and asingle user account store for all your users.

Administrator account renamed and password set

Rename the local administrator account, and make sure you set (and document) a strongpassword. Its not a foolproof approach, but nothing in security is. Were layering thingshere.

Local group memberships set and permissions assigned

Make any appropriate assignments using domain groups when possible, and set permissionsusing domain groups too. Only resort to local groups when there is no other choice and avoidlocal accounts.

Correct OU with appropriate policies

Different servers have different requirements, and Active Directory Group Policies are justthe thing to administer those settings. Create as many OUs as you need to accommodate thedifferent servers, and set as much as possible using a GPO instead of the local securitypolicy.

Confirm its reporting to management consoles


5 of 13 11/20/2012 5:38 PM

No matter what you use to administer and monitor your servers, make sure they all report in(or can be polled by) before putting a server into production. Never let this be one of thethings you forget to get back to.

Unnecessary services disabled

If a server doesnt need to run a particular service, disable it. Youll save memory and CPU,and its one less way bad guys will have to get it.

SNMP configured

If you are going to use SNMP, make sure you configure your community strings, and restrictmanagement access to your known systems.

Agents installed

Backup agents, logging agents, management agents; whatever software you use to manageyour network, make sure all appropriate agents are installed before the server is consideredcomplete.

Backups

If its worth building, its worth backing up; no production data should ever get onto a serveruntil it is being backed up.

Restores

And no backup should be trusted until you confirm it can be restored.

Vulnerability scan

If you really think the server is ready to go, and everything else on the list has been checkedoff, theres one more thing to do scan it. Run a full vulnerability scan against each serverbefore it goes production to make sure nothing has been missed, and then ensure it is addedto your regularly scheduled scans.

Signed into production

Someone other than the person who built the server should spot check it to be sure its goodto go, before its signed into production. By signing it, that user is saying they confirmedthe server meets your companys security requirements and is ready for whatever the worldcan throw at it. That person is also the second pair of eyes, so you are much less likely tofind that something got missed.

3. Deploying workstationsMaking sure that the workstations aresecure is just as important as withyour servers. In some cases its evenmore so, since your servers benefitfrom the physical security of yourdatacenter, while workstations arefrequently laptops sitting on tabletops in coffee shops while your usersgrab another latte. Dont overlookthe importance of making sure yourworkstations are as secure aspossible.

Workstation list

Keep a list of all workstations, justlike the server list, that includes who the workstation was issued to and when its lease is upor its reached the end of its depreciation schedule. Dont forget those service tags!

Assigned user

Track where your workstations are by making sure that each users issued hardware is keptup-to-date.

Naming convention

Its very helpful when looking at logs if a workstation is named for the user who has it. Thatmakes it much easier to track down when something looks strange in the logs.



6 of 13 11/20/2012 5:38 PM

Youll probably assign IP addresses using DHCP, but you will want to make sure your scopesare correct, and use a GPO to assign any internal DNS zones that should be searched whenresolving flat names.

Patching

Since your users are logged on and running programs on your workstations, and accessing theInternet, they are at much higher risk than servers, so patching is even more important.Make sure all workstations are fully up-to-date before they are deployed, update yourmaster image frequently, and ensure that all workstations are being updated by your patchmanagement system.

Antivirus

Heres how to handle workstation antivirus: 100% coverage of all workstations; workstationscheck a central server for updates at least every six hours, and can download them from thevendor when they cannot reach your central server. All workstations report status to thecentral server, and you can push updates when needed Easy.

Host intrusion prevention/firewall

Consider using a host intrusion prevention or personal firewall product to provide moredefense for your workstations, especially when they are laptops that frequently connectoutside the corporate network. Make sure that the configuration does not interfere withyour management tasks, like pushing antivirus updates, checking logs, auditing software,etc.

Remote access

Like servers, pick one remote access method and stick to it, banning all others. The moreways to get into a workstation, the more ways an attacker can attempt to exploit themachine. The built-in Remote Desktop service that comes with Windows is my preference,but if you prefer another, disable RDP. Ensure that only authorized users can access theworkstation remotely, and that they must use their unique credential, instead of somecommon admin/password combination.

Power saving

Consider deploying power saving settings through GPO to help extend the life of yourhardware, and save on the utility bill. Make sure that you have Wake-On-LAN compatiblenetwork cards so you can deploy patches after hours if necessary.

Domain joined

All workstations should be domain joined so you can centrally administer them with uniquecredentials.

Administrator account renamed and password set

Rename the local administrator account and set a strong password on that account that isunique per machine. Trust me, one of these days you will have no choice but to give sometravelling user the local admin account, and if that is the same across all machines, you willthen have to reset them all. Use a script to create random passwords, and store themsecurely where they can be retrieved in an emergency. It seems like a lot of work up front,but it will save you time and effort down the road.

Local group memberships set and permissions assigned

Set appropriate memberships in either local administrators or power users for eachworkstation.

Correct OU with appropriate policies

Organize your workstations in Organizational Units and manage them with Group Policy asmuch as possible to ensure consistent management and configuration.

Confirm its reporting to management consoles

Validate that each workstation reports to your antivirus, patch management and any otherconsoles before you turn it over to the user, and then audit frequently to ensure allworkstations report in.

Backups/ Restores

You probably wont perform regular full backups of your workstations, but consider folderredirection or Internet based backups to protect critical user data.


7 of 13 11/20/2012 5:38 PM

Local encryption

There is no excuse for letting any laptop or portable drive out of the physical confines of theoffice without encryption in place to protect confidential data. Whether you use Bitlocker,TrueCrypt, or hardware encryption, make is mandatory that all drives are encrypted.

Vulnerability scan

Perform regular vulnerability scans of a random sample of your workstations to help ensureyour workstations are up to date.

4. Network equipmentYour network infrastructure is easyto overlook, but also critical tosecure and maintain. Well startwith some recommendations for allnetwork equipment, and then look atsome platform specificrecommendations.

Network hardware list

Maintain a network hardware listthat is similar to your server list,and includes device name and type,location, serial number, service tag,and responsible party.


Have a standard configuration for each type of device to help maintain consistency and easemanagement.

IPAM

Assign static IP addresses to all management interfaces, add A records to DNS, and trackeverything in an IP Address Management (IPAM) solution.

Patching

Network hardware runs an operating system too, we just call it firmware. Keep up-to-dateon patches and security updates for your hardware.

Remote access

Use the most secure remote access method your platform offers. For most, that should beSSH version 2. Disable telnet and SSH 1, and make sure you set strong passwords on both theremote and local (serial or console) connections.

Unique credentials

Use TACACS+ or other remote management solution so that authorized users authenticatewith unique credentials.

SNMP configured

If you are going to use SNMP, change the default community strings and set authorizedmanagement stations. If you arent, turn it off.

Backups/Restores

Make sure you take regular backups of your configurations whenever you make a change,and that you confirm you can restore them.

Vulnerability scan

Include all your network gear in your regular vulnerability scans to catch any holes that cropup over time.

Switches

VLANs


8 of 13 11/20/2012 5:38 PM

Use VLANs to segregate traffic types, like workstations, servers, out of band management,backups, etc.

Promiscuous devices and hubs

Set port restrictions so that users cannot run promiscuous mode devices or connect hubs orunmanaged switches without prior authorization.

Disabled ports

Ports that are not assigned to specific devices should be disabled, or set to a default guestnetwork that cannot access the internal network. This prevents outside devices being ableto jack in to your internal network from empty offices or unused cubicles.

Firewalls

Explicit permits, implicit denies

Deny All should be the default posture on all access lists inbound and outbound.

Logging and alerts

Log all violations and investigate alerts promptly.

Routers

Routing protocols

Use only secure routing protocols that use authentication, and only accept updates fromknown peers on your borders.

5. Vulnerability scanning

Weekly external scans scheduled

Configure your vulnerability scanningapplication to scan all of your externaladdress space weekly.

Diffs compared weekly

Validate any differences from one weekto the next against your change controlprocedures to make sure no one hasenabled an unapproved service orconnected a rogue host.

Internal scans scheduled monthly

Perform monthly internal scans to helpensure that no rogue or unmanageddevices are on the network, and thateverything is up to date on patches.

6. Backups

Tape rotation established

Make sure you have a tape rotation established thattracks the location, purpose, and age of all tapes.Never repurpose tapes that were used to backuphighly sensitive data for less secure purposes.

Old tapes destroyed

When a tape has reached its end of life, destroy itto ensure no data can be recovered from it.

Secure offsite storage

If you are going to store tapes offsite, use areputable courier service that offers secure storage.


9 of 13 11/20/2012 5:38 PM

Encryption

Even reputable courier services have lost tapes; ensure that any tape transported offsite,whether through a service or by an employee, is encrypted to protect data againstaccidental loss.

Restores confirmed regularly

Backups are worthless if they cannot be restored. Verify your backups at least once a monthby performing test restores to ensure your data is safe.

Restricted access to tapes, backup operators groups

Backup tapes contain all data, and the backup operators can bypass file level security inWindows so they can actually back up all data. Secure the physical access to tapes, andrestrict membership in the backup operators group just like you do to the domain admingroup.

7. Remote Access

Only approved users and methods

Set up and maintain an approved methodfor remote access, and grant permissions toany user who should be able to connectremotely, and then ensure your companypolicy prohibits other methods.

Two factor authentication

Consider using a two factor authentication like tokens, smart cards, certificates, orSMS solutions to further secure remoteaccess.

No split tunneling

Protect your travelling users who may be on insecure wireless networks by tunneling all theirtraffic through the VPN instead of enabling split tunneling.

Internal name resolution

If you are going to do split tunneling, enforce internal name resolution only to furtherprotect users when on insecure networks.

Account lockouts

Set strong account lockout policies and investigate any accounts that are locked out toensure attackers cannot use your remote access method as a way to break into yournetwork.

Regular review of audit logs

Perform regular reviews of your remote access audit logs and spot check with users if yousee any unusual patters, like logons in the middle of the night, or during the day when theuser is already in the office.

8. WirelessIn addition to the items in the networkequipment list above, you want to ensurethe following for your wireless networking.

SSID

Use an SSID that cannot be easilyassociated with your company, andsuppress the broadcast of that SSID. Botharent particularly effective againstsomeone who is seriously interested in yourwireless network, but it does keep you offthe radar of the casual war driver.

Authentication

Use 802.1x for authentication to your wireless network so only approved devices can


10 of 13 11/20/2012 5:38 PM

connect.

Encryption

Use the strongest encryption type you can, preferable WPA2 Enterprise. Never use WEP. Ifyou have barcode readers or other legacy devices that can only use WEP, set up a dedicatedSSID for only those devices, and use a firewall so they can only connect to the centralsoftware over the required port, and nothing else on your internal network.

Guest Network

Use your wireless network to establish a guest network for visiting customers, vendors, etc.Do not permit connectivity from the guest network to the internal network, but allow forauthorized users to use the guest network to connect to the Internet, and from there to VPNback into the internal network, if necessary.

BYOD

Create a Bring Your Own Device policy now, even if that policy is just to prohibit usersfrom bringing their personal laptops, tablets, etc. into the office or connecting over theVPN.

9. Email

Inbound and outboundfiltering

Deploy an email filteringsolution that can filter bothinbound and outbound messagesto protect your users and yourcustomers.

Directory Harvestprevention

Ensure that your edge deviceswill reject directory harvestattempts.

Antivirus/Antispam/Antiphishing

Deploy mail filtering software that protects users from the full range of email threats,including malware, phishing and spam.

10. Internet AccessProvide your users with secure Internet access byimplementing an Internet monitoring solution.

Filter lists

Use filter lists that support your companysacceptable use policy.

Malware scanning

Scan all content for malware, whether that isfile downloads, streaming media, or simplyscripts contained in web pages.

Bandwidth restrictions

Protect your business-critical applications by deploying bandwidth restrictions, so usersaccess to the Internet doesnt adversely impact company functions like email, or thecorporate website.

Port blocking

Block outbound traffic that could be used to go around the Internet monitoring solution sousers are tempted to violate policy.

11. File sharesHeres where most of the good stuff sits, so making sure your secure your file shares isextremely important.


11 of 13 11/20/2012 5:38 PM

Remove the Everyone and Authenticated Users groups

The default permissions areusually a little too permissive.Remove the Everyone groupfrom legacy shares, and theAuthenticated Users group fromnewer shares, and set morerestrictive permissions, even ifthat is only to domain users.This will save you a ton of timeshould you ever have to set upa share with another entity.

Least privilege

Always assign permissions usingthe concept of leastprivilege. Need access should translate to read only and full control should only everbe granted to admins.

Groups

Never assign permissions to individual users; only use domain groups. Its more scalable,easier to audit, and can carry over to new users or expanding departments much more easilythan individual user permissions.

Avoid Deny Access

If you have a file system that tempts you to use Deny Access to fix a problem you areprobably doing something wrong. Reconsider your directory structure and the higher levelpermissions, and move that special case file or directory somewhere else to avoid usingDeny Access.

12. Log correlationIf you have more servers than you can count without taking off your shoes, you have toomany to manually check each ones logs manually. Use a logging solution that gathers up thelogs from all your servers so you can easily parse the logs for interesting events, andcorrelate logs when investigating events.

13. TimeUse a central form of timemanagement within yourorganization for all systemsincluding workstations, servers,and network gear. NTP cankeep all systems in sync, andwill make correlating logs mucheasier since the timestamps willall agree.

Use this checklist to helpjumpstart your own informationsecurity practices, and youll bewell on your way to maintaininga safe and securenetwork. Know of any other tipsthat should be included in the security checklist? Leave a comment and let us know.

Like our surveys and infographics? Subscribe to our RSS feed or email feed (on the right handside) now, and be the first to get them!

ShareShare 38


12 of 13 11/20/2012 5:38 PM

All

TalkTechToMe

TalkTechToMe TV

GFI Labs

Facebook Public ProfileLogin to see this content

Your email:

Enter email address...

Subscribe Unsubscribe


13 of 13 11/20/2012 5:38 PM

the ultimate network security checklist

Documents

network securitywithout

asthe ultimate reference

specific environment

internet access policy3

short list

simple list

talktechtome copyright

thecompany policy