
HIPAA Windows XP lockdown policy through Windows 2003

I am currently involved in a large production project that involves about 300 computers in a medical environment where I need to strictly follow HIPAA regulations. I am currently running Windows 2003 Server Enterprise and I need a good group policy, or to find one, that will lock down the computers according to HIPAA regulations.

Any assistance would be greatly appreciated.
Asked by: medtech1978
1 Solution
 
Jason Watkins (IT Project Leader) commented:
I would go with what these folks advise: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems/microsoft_windows.shtml

They do not play around when it comes to security. It would be great to know exactly what the HIPAA standards expect from your efforts.
 
samsixty commented:
Isn't it HIPAA (The Health Insurance Portability and Accountability Act) ?

I think it would be well worth getting some endpoint protection software for this. Symantec Endpoint Protection is what we use to lock machines down, and it gives much greater control, monitoring and reporting than using group policies.

Other software will help you achieve the same, but I have not used them personally; I have heard good things about McAfee ePO and Sophos Endpoint Security and Control.

To be honest I doubt group policy on 2003/XP machines will be up to the job.
 
Jason Watkins (IT Project Leader) commented:
A/V software on Windows XP is a given at this point. Any IT admin/manager who does not put A/V software on his/her Windows machines should be relieved of their duties. Group policy is incredibly effective in implementing a secure computing environment. For example, IPSec for clients and servers, which is done through GPO.
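As an added illustration of the IPsec point above (this is example code, not something posted in the thread): the policy below, built with the netsh ipsec context that ships with Windows XP SP2 and Windows Server 2003, permits a workstation to talk only to a short list of clinical servers and blocks everything else. The same policy can be created by hand in the GPO editor under IP Security Policies on Active Directory; the netsh form is easier to review, diff and re-run. The policy name, server addresses and rule names are assumptions for the example.

```powershell
# Added example, not code from the thread. Builds and assigns a local IPsec policy that
# blocks all traffic except to a list of servers. Addresses and names are assumptions.
# Run elevated on a test workstation. In a domain, put the finished policy in a GPO:
# a local IPsec policy is ignored as soon as a domain IPsec policy is assigned.

$Policy  = 'Clinical Workstation Lockdown'
$Servers = '10.10.0.10', '10.10.0.11'   # assumed: domain controllers / EHR servers

# Policy container, created unassigned so a half-built policy is never live
& netsh ipsec static add policy name="$Policy" description="Block all traffic except to clinical servers" assign=no

# Filter actions referenced by the rules below
& netsh ipsec static add filteraction name="Lockdown-Block"  action=block
& netsh ipsec static add filteraction name="Lockdown-Permit" action=permit

# Catch-all filter: this host to anywhere, both directions (mirrored)
& netsh ipsec static add filterlist name="Lockdown-All"
& netsh ipsec static add filter filterlist="Lockdown-All" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

# One filter per server. IPsec applies the most specific matching filter, so these
# permit filters win over the catch-all block even though both live in the same policy.
& netsh ipsec static add filterlist name="Lockdown-Servers"
foreach ($ip in $Servers) {
    & netsh ipsec static add filter filterlist="Lockdown-Servers" srcaddr=Me "dstaddr=$ip" protocol=ANY mirrored=yes
}

# Rules tie a filter list to a filter action inside the policy
& netsh ipsec static add rule name="Block everything" policy="$Policy" filterlist="Lockdown-All"     filteraction="Lockdown-Block"
& netsh ipsec static add rule name="Permit servers"   policy="$Policy" filterlist="Lockdown-Servers" filteraction="Lockdown-Permit"

# Assign last, once every rule is in place
& netsh ipsec static set policy name="$Policy" assign=y
```

Two things to check before rolling this out to 300 machines: the catch-all block also covers DNS, DHCP renewals and Kerberos, so the permit list has to include the domain controllers and the DNS/DHCP servers or the workstation will drop off the domain; and the result should be pushed to one pilot OU first and confirmed with `netsh ipsec static show all` on a client before the policy goes any wider.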
 
samsixty commented:
Not sure if the AV point was aimed at what I suggested or just thrown in, but endpoint protection software is not only AV; we use it to control which removable storage devices can be used, and where, and to log the use of them. (This cannot be done via group policy in a 2003 domain.)

It controls which software is installed and allowed to run on which machines, again logging the running of the software (including parts of the OS). (This can be done using group policy, but it is a PITA to set up and manage.)

It has location-based firewall rules, which are very handy for laptops. (This cannot be done via group policy in a 2003 domain.)

It also has host-based IDS, and fantastic reporting and compliance monitoring.

HIPAA obviously requires you to ensure accountability for data, which means controlling which removable media can be used on specific machines and logging the use of it. I do not know of a way you can achieve this using group policy.

Group policy is fantastic for certain things but I do not believe that you will achieve what you want to accomplish with GPOs.
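On the "can be done using group policy" point for controlling which software is allowed to run, here is an added example (not code from the thread) of what a default-deny Software Restriction Policy actually looks like. It writes the same registry values that the SRP node of a GPO, or the local security policy, writes on the client, so the script is useful both for prototyping the policy on one machine and for checking what a GPO really delivered after gpupdate. The log file path, the rule descriptions and the list of user-writable directories are assumptions for the example.

```powershell
# Added example, not code from the thread. Builds a default-deny Software Restriction
# Policy by writing the registry values the SRP node of a GPO (or the local security
# policy) writes on the client. Run elevated on a test XP/2003 machine; log off and on
# to apply. The log path, descriptions and the writable-directory list are assumptions.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels double as subkey names: 0 = Disallowed, 262144 (0x40000) = Unrestricted
$Disallowed   = 0
$Unrestricted = 262144

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory=$true)][int]    $Level,
        [Parameter(Mandatory=$true)][string] $Path,
        [string] $Description = ''
    )
    # A path rule is a key <level>\Paths\{GUID} holding ItemData (the path) and SaferFlags (0)
    $id      = [guid]::NewGuid().ToString('B').ToUpper()
    $ruleKey = Join-Path $Safer "$Level\Paths\$id"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -PropertyType String       -Value $Description -Force | Out-Null
    $ruleKey
}

New-Item -Path $Safer -Force | Out-Null
# DefaultLevel 0: anything not matched by an Unrestricted rule is refused
New-ItemProperty -Path $Safer -Name DefaultLevel       -PropertyType DWord -Value $Disallowed -Force | Out-Null
# TransparentEnabled 2: enforce for DLLs too; 1 exempts libraries and is much easier to bypass
New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 2 -Force | Out-Null
# PolicyScope 0: applies to all users; 1 would exempt local Administrators
New-ItemProperty -Path $Safer -Name PolicyScope        -PropertyType DWord -Value 0 -Force | Out-Null
# Advanced logging: one line per decision, which is the audit trail a reviewer will ask for
New-ItemProperty -Path $Safer -Name LogFileName -PropertyType String -Value "$env:SystemRoot\Security\Logs\SRP.log" -Force | Out-Null

# The two Unrestricted rules SRP creates by default, in the registry-path syntax it uses
Add-SaferPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows directory'
Add-SaferPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' 'Program Files'

# Caveat: some directories under the Windows directory are writable by standard users, so the
# Unrestricted rule above would let a user run anything copied there. A more specific path rule
# beats a less specific one, so Disallowed rules on those directories close the hole. This list
# is a starting point; confirm it on your own image with: accesschk -w -s -u Users %SystemRoot%
$UserWritable = '%SystemRoot%\Temp',
                '%SystemRoot%\Tasks',
                '%SystemRoot%\Debug\WIA',
                '%SystemRoot%\Registration\CRMLog',
                '%SystemRoot%\System32\spool\drivers\color'
foreach ($dir in $UserWritable) {
    Add-SaferPathRule $Disallowed $dir 'User-writable directory under the Windows directory'
}
```

To test it, log on as a standard user, copy notepad.exe into %SystemRoot%\Temp and try to run the copy: it is refused with the software restriction policy message, the Application log gets an event from source Software Restriction Policies (ID 865 for the default level, 866 for a path rule), and the same decision appears as a line in the log file set above. That log is the evidence the HIPAA accountability requirement asks for, and it is also the first place to look when a legitimate clinical application stops launching after the policy goes out.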
