Vampireofdarkness

asked on

Internet Security Policies

So today I come into work (I work on the phones doing tech support, as well as administration and route planning for engineers for a very, very small salary - I work for love mainly) and get told that I am to research, teach myself and then create a robust Internet Security Policy to be installed on all servers we install (into schools, so it has to be good). Now, the problem is, before today I had never even thought about them, let alone tried to make one.

Where do I start? What do I need (notepad editor + lots of hair to pull out?)? How do I test it?

If anyone can point me in the right direction, I'd be grateful. I've tried Google and it throws up essays broken down into essays broken down into essays that could take me an entire week to read, let alone understand - which isn't practical as they want it yesterday (at least that's how it seems).

Thanks
ASKER CERTIFIED SOLUTION
sr1xxon

This solution is only available to members.
Vampireofdarkness

ASKER

Ok.. that makes sense I guess.

So if I get it wrong, there could be legal implications? I also have to work to be compliant to BASLE II (I'm in UK/Europe) which I've never heard of?

Oh, there is no compliance department, and no legal representative. I don't know why they pay some guy thousands more than me to do networks, and more than I earn in a year to send another on a networking course to get me to write this. /sigh

I'll take a read of those sites and get back to you. I have a feeling I'm just going to have to throw in the towel and tell them to do it themselves.
sr1xxon

If you're not trading, you might not need to be BASLE compliant.
If it's a school, I don't know what jurisdiction that would come under.
I'd look at the following:
Acceptable Usage Policy - relevant for both students and staff
Internet Access Policy - as above
Server hardening policy - relevant to IT dept
DEFO a remote access policy - if you allow it.

If you are looking at the physical (technical) hardening of servers, that's also to be considered and documented.
Again, several leads which might help you out.
Below is good for a general baseline, but way short on detail:
http://searchwindowssecurity.techtarget.com/featuredTopic/0,290042,sid45_gci1069557,00.html

It would be rude to leave out Microsoft's take on same:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/03osinstl.mspx

SOLUTION
This solution is only available to members.
Points double and will be split evenly.

I decided to just throw in the towel and give up. A few days of reading and still not having much of an idea where to start is more than enough for me. The main problem was trying to find/produce one that was relevant to 7 year old children and IT illiterate school teachers, as opposed to big corporations (like all the examples and literature I found).

By "install with the servers" I meant implement - lay down the policy at the same time as the installation, or prior to.

Thanks for your time
No worries Vampire. I've been there before.

The MS windows stuff is pretty easy to implement though if that's what yr running.
Here's a quick and dirty example of how it's done. You can do this on yr own XP machine to test and just modify whatever details you want to change. No need for written policies etc...just apply the policy on a server and it will be enforced.

http://www.shavlik.com/Whitepapers/Customizing%20Microsoft%20Security%20Templates.pdf

It's up to you whether you want to muck around any more though.

:)
Your school principal should be able to get the sort of information you are looking for from your local teacher's association / union - if it is in fact a policy doc you are after.
If it is simply locking down servers, go ahead and use any of the suggestions above - the server hardening process isn't difficult at all.

best of luck.
Just to clarify:

"You can do this on yr own XP machine to test and just modify whatever details you want to change. No need for written policies etc...just apply the policy on a server and it will be enforced."

I mean you can test it through XP, but any actual real changes should be done on the appropriate OS - don't recommend applying an XP template to a server.

Probably obvious.....but thought I'd mention it if you do decide to check it out.

Have fun.
I don't actually attend or work at the school. I work for an IT for schools company, so the policy would have needed to not be school-specific. I think it was more so our network guy can sit back and relax knowing that whatever problems happen at a school, he can just say "that's against policy, not our problem" and/or pass it on to me.