The systematic exploitation of computer security vulnerabilities has evolved into a refined discipline: any vulnerabilities that exist will be diligently and methodically revealed and exploited. That’s why we take a pragmatic and methodical approach, using in-house expertise together with custom, freely available third-party, and native Microsoft tools to achieve radical attack-surface reduction across all of our production infrastructure.

Application of computer security policy must address three key areas.

Host Based Security

Widely available publications such as the “Analysis of Remote Active Operating Systems Fingerprinting Tools” give an in-depth discussion of tools and techniques that may be used in the assessment phase of an attack to determine operating-system-specific vulnerabilities.

Infrastructure based on Microsoft technologies can be properly secured, but doing so requires an understanding of the processes and technologies involved in the design and maintenance of a secure environment.

The Trustworthy Computing Initiative (TCI) outlines the new Microsoft focus on availability, security, and privacy. The SD3 Security Framework included in the TCI aims to ensure that steps have been taken to protect the confidentiality, integrity, and availability of data and systems at every phase of the software development process—from design through delivery, to maintenance. By undertaking to provide Security in Deployment, Microsoft have made available native tools and utilities such as the Baseline Security Analyzer (MBSA) and the Security Configuration Wizard (SCW), as well as detailed guidelines and best practices for securing not only their Windows Server operating system, but also many business-critical applications like Exchange Server.

Through technologies such as Public Key Infrastructure (PKI), internal Certificate Authorities and Secure Sockets Layer (SSL) encryption, as well as the application of computer security configuration policies incorporating customised security templates, it is possible to minimize the attack surface presented by a Microsoft Exchange server, or any other application server.

Network Based Security

A firewall is the first line of defense in securing your internal organisation from the public Internet. There are multiple firewall technologies available, from basic packet filtering to full application-aware stateful filtering and stateful inspection. In most situations, the best solution is a combination of technologies where multiple layers provide defense in depth. If you wish to use an existing firewall, or supplement it with a nested firewall architecture, Cheddon Limited can recommend firewall configuration or deploy a complete firewall and VPN solution.

Content Security

Firewalls manage who can access the internal network from the Internet, and who can access the Internet from the internal network. Many firewalls do not have the ability to understand the content moving through them, and a large number of threats pass undetected. A packet filtering firewall open for SMTP traffic (port 25) would pass all files attached to SMTP mail regardless of their content. In order to address all aspects of content security, a comprehensive content security policy should address the following three additional areas:

URL Filtering and Access Control. Most sites on the public Internet are accessed using their “Uniform Resource Locator”. URLs can also provide access to folders or directories, and even to files within sites. URL filters rely on customisable listings of URLs to check which sites, and even which parts of sites, should be accessible to which users.

Virus Protection. Anti-virus tools can provide protection from viruses downloaded from the Web or attached to e-mail messages. A comprehensive virus protection solution should be three-tiered. It should have components installed on the Internet Gateway, the e-mail server, and the operating system level, including the user desktop.

Content Scanning. Content scanning products check inbound and outbound traffic for confidential data, excessive file sizes, prohibited content and more. They can search for customisable lists of keywords, for Unsolicited Commercial E-mail (UCE) or SPAM, for combinations of words and phrases, profanities, forbidden file types, and malicious code.
