LAN Best security practices

We have a single building location with a firewall, web filter and email filter (as SMTP gateway), an Exchange email server and a Citrix server for remote users via Citrix Secure Gateway. Domain password policy is set to 90 days for most users and we outsource the web hosting.
We are now reviewing our security policies and I am looking for best-practice advice.
1. How to increase security for key users who have no password expiration without creating a problem for them of remembering a new password each time (some password management tools).
2. How to beef up security for Exchange when using Exchange anywhere and iPhones, laptops etc.
3. How to beef up perimeter security.
I have 10+ years of experience and am only looking for expert advice.
Thank you.

Gary Dewrell, Senior Network Administrator, Commented:
Good morning leop1212.  These are the types of questions where, if you ask 10 different people, you will get 12 different answers, but I will gladly share my opinions.

1. First I never allow users to have no expiration date on their passwords. You can easily implement self service password reset for those users who have difficulty remembering passwords.  Coming soon you will see new login methodologies built into the OS. Microsoft demonstrated facial recognition login at Ignite this year. Pretty cool.  If interested here is an article.

2. You should already be using a reverse proxy for your published Exchange services.  Some may argue, but I believe that is quite secure; however, if your requirements are higher than the average company, then I suggest you look into two-factor authentication for OWA.  Several companies offer such products and services.

3. This one is the hard one. Over the last few years there has been a bit of a shift in the idea of perimeter security. Some are now saying that the attackers are just getting too good and you can never be 100% secure at the perimeter, so you should concentrate on data security.  Not sure I quite buy into that yet but I understand what they are saying. If you have users, your perimeter cannot be secure! :)
That all being said, and these are basic principles you probably already know, here is my rule of thumb.

A. Get a next-generation firewall that supports IPS, SSL Inspection, and has a great tracking and reporting engine. We use the Barracuda NG400 firewall.  We switched from Cisco ASAs to the Barracuda and I can tell you the Barracuda is 100 times easier to configure and manage, which means fewer mistakes.

B. Be very specific in opening ports through your firewall. Always use the most restrictive policy you can.  If you can restrict by source then do it.

C. Only give users access to what they need.  Though this does not fall into the area of perimeter security, because the users always cross your perimeter they are your highest risk factor.  We had an incident a few years ago where a user downloaded the crypto locker virus. Fortunately, because of how tight we keep things, we were able to stop it before it did too much damage.

D. Have your domain admins have two accounts. One for everyday use and one for use when they need domain admin privileges.  Do not let the domain admin account have internet access.
See C above for reason.

Well I could go on and on but I think you get the general idea. I am sure others will chime in.

Have a blessed day.
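
An added example, not part of the original answer: one way to check a directory account export against points 1 and D above and the 90-day policy from the question. The CSV column names, the sample rows, the reference date and the "has a mailbox" heuristic for spotting an admin account in everyday use are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

MAX_AGE_DAYS = 90  # domain password policy stated in the question

# Constructed sample export; column names are assumptions, not a real tool's format.
SAMPLE_EXPORT = """\
account,enabled,password_never_expires,password_last_set,domain_admin,has_mailbox
jsmith,yes,no,2015-05-01,no,yes
mjones,yes,no,2015-01-15,no,yes
ceo,yes,yes,2012-03-14,no,yes
itadmin,yes,no,2015-04-20,yes,yes
itadmin-da,yes,no,2015-05-10,yes,no
svc-backup,yes,yes,2013-01-02,no,no
olduser,no,yes,2010-06-30,no,no
"""


def audit_accounts(export_text, today):
    """Return {account: [findings]} for enabled accounts that break the rules."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "yes":
            continue  # disabled accounts cannot log on, so they are skipped
        issues = []
        age = (today - date.fromisoformat(row["password_last_set"])).days
        if row["password_never_expires"] == "yes":
            issues.append(f"password never expires (last set {age} days ago)")
        elif age > MAX_AGE_DAYS:
            issues.append(f"password is {age} days old, over the {MAX_AGE_DAYS}-day policy")
        # Assumed heuristic: a privileged account with a mailbox is probably
        # someone's daily-use account rather than a dedicated admin account.
        if row["domain_admin"] == "yes" and row["has_mailbox"] == "yes":
            issues.append("domain admin account has a mailbox (looks like everyday use)")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_EXPORT, date(2015, 6, 1))  # constructed date
    for account, issues in report.items():
        for issue in issues:
            print(f"{account}: {issue}")
```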

madunix (Fadi SODAH), Chief Information Security Officer, Commented:
A good Information Security Plan should include several phases, depending on your existing infrastructure, network / systems topology and configuration. Check these links for more info: