Solved

Best Security for Small New Windows Server 2003 Network

Posted on 2007-07-25
Last Modified: 2013-12-04
I just set up a new network with 10 clients and a DC running Windows Server 2003 Standard x64 edition.  The clients/server are connected via a router (Linksys WRV54G) and a 16 port Linksys gigabit switch (SR2016).  I have disabled the firewall on all the clients.  I have a wireless component to the network as well with wireless security (WEP).  I have a cable modem with a dynamic IP address.  What is the best way to secure this type of network?
Question by:paganchi
11 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 19570503
Depending on how much money you want to spend and if it's for the server side and/or client side. Considering you have a router that has a built-in firewall, you might want to look into getting another firewall layer. SonicWall works great and is very secure. If you are implementing an anti-virus, which I definitely think you should, I would personally use Nod32 AV.

You can check out them both at the following sites.

Nod32 - http://www.eset.com/ 
SonicWall - http://www.sonicwall.com/us/

Hope this helps
0
 
LVL 4

Expert Comment

by:kinetik20
ID: 19570717
I agree with Spec01, SonicWall products are great, particularly the TZ series. Depending on your budget I would opt for the TZ-170 with wireless, but the TZ-150 is a great choice as well. As far as security is concerned, make sure you're only opening the ports you need from within the Linksys firewall. Make sure you have enabled a password policy from within the SBS! Ensure you're assigning users only the permissions they need! The biggest security threat that your network has is its users. Make sure they are properly informed about password protection and basic social engineering tactics. In addition to that, a strong network anti-virus is worth its digital weight in gold. If you could tell us a bit more about what your network will be serving, I can better assist you with securing it, i.e. (serving email? web?)
0
 

Author Comment

by:paganchi
ID: 19570832
The network is in a physician's office and its main function will be to maintain electronic medical records.  It will contain all the information for patients and make the data accessible to multiple workstations and a few tablet PCs (wireless).  We also share internet access.

Is there a particular antivirus software that you would recommend?

Thanks for the info.

0

 
LVL 4

Accepted Solution

by:
kinetik20 earned 500 total points
ID: 19570898
Well, if it's a medical office you have a lot more to look at than just network security. HIPAA requirements come into play and I would suggest you start here: http://www.hhs.gov/ocr/hipaa . That being said, I would highly suggest investing in a strong 2-way firewall such as the TZ-170 from SonicWall; this one should work nicely: http://www.cdw.com/shop/products/default.aspx?EDC=550716 You also want to make sure that you deploy multiple layers of security for the wireless computers. Implement WPA security for access and make sure to use a MAC address filter to only allow the proper stations to connect to the wireless network. I would also disable SSID broadcast to help with the wireless threat.

As far as anti-virus, I particularly like Grisoft's AVG Internet Security SBS edition, found here: http://www1.grisoft.com/doc/products-avg-internet-security-sbs-edition/us/crp/3
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 19572032
Alright, first change WEP to WPA 2 or disable the wireless part altogether. WEP is today broken within 60 seconds, so not really HIPAA compliant. (1)

Instead of the router you might be interested in the Safe@Office 500 Wired UTM Appliance from Checkpoint (2):

    *  Industrial Strength Firewall - Market Leading stateful inspection firewall and intrusion protection - the same proven technology that protects 98% of the Fortune 500.

    * Gateway Antivirus - Stop Viruses, worms and phishing outbreaks before they reach your network.

    * Remote Access VPN - Securely connect your remote locations and employees for maximum productivity with FREE VPN client software.

    * Web Filtering - Limit access to inappropriate Internet content.

    * Web-based Management - Wizard-driven user interface with preset security rules that let you focus on running your business.

    * Automatic Updates - Regular automatic software and antivirus definition updates keep your network protected from the latest threats.

---
I also see no reason to disable the windows firewall, this can be very useful when a laptop is plugged into the Internet outside of the office...


Regarding malware, Spec01 mentioned already nod32, you might be also interested in superantispyware (3):

Detect and Remove Spyware, Adware, Malware, Trojans, Dialers, Worms, KeyLoggers, HiJackers, Parasites, Rootkits and many other types of threats.


and / or the new prevx 2 (4):

# Prevx 2.0 safeguards your PC population from theft and attack by Spyware, Rootkits, Trojans, Viruses, Bots, Adware and all other forms of malware and crimeware.

# Malware virtualisation - Prevx 2.0 is the only product that can detect unique new malware by getting into the guts of a file and understanding what it's going to do before it does it.

# Constant surveillance - Prevx 2.0 is looking at the behavior of every new file on the internet through our community and crawler tools, making sure you never receive nasty surprises.


---
Then you should run Microsoft Baseline Security Analyzer (5) on all computers to check for possible weaknesses.




Tolomir


(1) http://eprint.iacr.org/2007/120.pdf
(2) http://www.zonealarm.com/store/content/company/products/smb/smb_all.jsp?dc=12bms
(3) http://www.superantispyware.com/
(4) http://www.prevx.com/smbproducts.asp
(5) http://www.microsoft.com/technet/security/tools/mbsahome.mspx
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 19572577
I'm sorry if this sounds rude, but I tend to disagree with all of the advice. The securing of a network starts from the server and the clients, not with a firewall. If HIPAA requirements come into effect, as they seem to do here, you have quite a lot more than a firewall and antivirus to implement. I'm glad Tolomir at least mentions MBSA, which although very rudimentary and lightweight, at least tries to tackle the main issues.

I would start by locking down the server and clients according to the following guides:
Windows Server 2003 Security Guide (http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en)
Windows XP Security Guide (http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx)
Threats And Countermeasures Guide (http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx).
Use best practices such as principle of least privilege (http://en.wikipedia.org/wiki/Principle_of_least_privilege), and make sure the sensitive data can only be accessed by the users that really need access to it.

After implementing necessary security configuration on the network nodes, go over the HIPAA requirements and make sure you have filled all the requirements. You should also verify your security settings, with MBSA as Tolomir suggested or preferably Nessus (http://www.nessus.org) or better yet by a third party auditor.

After all of this you can start considering the choice of a firewall product, antivirus, antispyware, IDS/IPS systems, patch management, securing the wireless network etc. For these there are already some good answers here, you can also find great articles about most of the issues at the SANS Reading Room (http://www.sans.org/reading_room/).
0
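An added example, not part of CoccoBill's comment or the thread: one way to check the least-privilege point above is to review the ACL on the folder holding the records for grants to catch-all groups. The sketch parses `icacls` output; the path `D:\EMR`, the `CLINIC` domain and the group names are constructed assumptions.

```python
import re

# Constructed sample of `icacls D:\EMR` output; the path, domain and group
# names are assumptions for illustration, not values from the thread.
SAMPLE_ICACLS = r"""D:\EMR BUILTIN\Administrators:(OI)(CI)(F)
       NT AUTHORITY\SYSTEM:(OI)(CI)(F)
       CLINIC\Physicians:(OI)(CI)(M)
       CLINIC\FrontDesk:(OI)(CI)(RX)
       Everyone:(OI)(CI)(M)
       BUILTIN\Users:(OI)(CI)(RX)
       CLINIC\Domain Users:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that cover (nearly) every account, so an allow entry for them
# defeats "only the users that really need access".
BROAD = {"everyone", "authenticated users", "users", "domain users",
         "anonymous logon"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")
INHERIT_FLAGS = ("OI", "CI", "IO", "NP", "I")

def parse_aces(icacls_text, path):
    """Yield (principal, [flags]) for each ACE line of one icacls listing."""
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.startswith(path):          # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            yield m.group("who"), re.findall(r"\(([^)]*)\)", m.group("flags"))

def broad_grants(icacls_text, path):
    """Return [(principal, rights)] where a catch-all group is allowed access."""
    findings = []
    for who, flags in parse_aces(icacls_text, path):
        name = who.split("\\")[-1].lower()  # drop the DOMAIN\ or BUILTIN\ prefix
        if name in BROAD and "DENY" not in flags:
            rights = [f for f in flags if f not in INHERIT_FLAGS]
            findings.append((who, ",".join(rights)))
    return findings

if __name__ == "__main__":
    for who, rights in broad_grants(SAMPLE_ICACLS, r"D:\EMR"):
        print(f"broad grant on D:\\EMR: {who} -> {rights}")
```
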
 
LVL 1

Assisted Solution

by:servitinfo
servitinfo earned 500 total points
ID: 19580741
CoccoBill, in essence you are right. However, there is a good rule of thumb, or best practice.

In today's world you definitely need a good UTM/firewall to protect the network/users/server from all kinds of (blended) threats. You don't want to put in place all kinds of measures just to comply with HIPAA requirements, you really want to effectively secure your network.  Hence, a UTM firewall is a necessity.

CheckPoint may be a good choice. I would like to add that a Fortigate 50B would certainly be a very good alternative.  (I get the idea that Tolomir is a CheckPoint rep).
It does everything the CheckPoint does and maybe (certainly) more.

0
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 500 total points
ID: 19581017
The purpose of a firewall is to add _extra_ security, not to act as the sole defense. With a correctly hardened/configured environment a firewall is practically unnecessary. If there's a service open on the firewall, it is in theory exploitable. With a correctly configured system the attack surface is exactly the same with or without a firewall. I would argue that properly implementing the principle of least privilege alone adds more security than any firewall. Locking down the nodes does not only serve the purpose of filling HIPAA requirements (which indeed should be fulfilled in this case), they do far more for improving the security of the network than any appliance, software or technology alone would. A firewall is of course beneficial and strongly recommended, but you implement that after the whole network is properly secured. A firewall can always be misconfigured, have vulnerabilities or be otherwise bypassed. The best practise point of view is defense-in-depth, multiple layers of security, none of which if breached alone would allow access to the protected information.

Sure, this is costly and hard to implement, but so is losing the patient data; you have to choose security controls that are in line with the value of the data. I'm not an expert in HIPAA, but a firewall+antivirus alone will get you nowhere regarding its requirements.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 19581315
To be precise, I'm a long-time zonealarm user. Not my fault they were bought by checkpoint.
@ Company we use Juniper netscreen firewalls.
Also cool devices, but I guess too expensive for a couple of users...

Though, why not take a look:
http://www.juniper.net/products_and_services/firewall_slash_ipsec_vpn/ssg_5_slash_ssg_20/

Tolomir
0
 

Author Comment

by:paganchi
ID: 19588556
Thanks for the excellent information.  Can you recommend (or is there) a specific document detailing the HIPAA requirements for electronic medical records and networked environments?
0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 500 total points
ID: 19588568
I think you can start here:

http://en.wikipedia.org/wiki/HIPAA

0
