LAN Best security practices

leop1212 used Ask the Experts™
We have a single building location with a firewall, web filter and email filter (as SMTP gateway), an Exchange email server and a Citrix server for remote users via Citrix Secure Gateway. Domain password policy is set to 90 days for most users and we outsource the web hosting.
We are now reviewing our security policies and I am looking for best practice advice.
1. How to increase security for key users who have no password expiration without creating a problem for them having to remember a new password each time (some password management tools)?
2. How to beef up security for Exchange when using Exchange Anywhere and iPhones, laptops, etc.?
3. How to beef up perimeter security?
I have 10+ years of experience and am only looking for expert advice.
Thank you
Top Expert 2015
Senior Network Administrator
Good morning leop1212. These are the types of questions that, if you ask 10 different people, you will get 12 different answers, but I will gladly share my opinions.

1. First, I never allow users to have no expiration date on their passwords. You can easily implement self-service password reset for those users who have difficulty remembering passwords. Coming soon you will see new login methodologies built into the OS. Microsoft demonstrated facial recognition login at Ignite this year. Pretty cool. If interested, here is an article.

2. You should already be using a reverse proxy for your published Exchange services. Some may argue, but I believe that is quite secure; however, if your requirements are higher than the average company's, then I suggest you look into two-factor authentication for OWA. Several companies offer such products and services.

3. This one is the hard one. Over the last few years there has been a bit of a shift in the idea of perimeter security. Some are now saying that the attackers are just getting too good and you can never be 100% secure at the perimeter, so you should concentrate on data security. Not sure I quite buy into that yet, but I understand what they are saying. If you have users, your perimeter cannot be secure! :)
That all being said, and these are basic principles you probably already know, here is my rule of thumb.

A. Get a next-generation firewall that supports IPS, SSL inspection, and has a great tracking and reporting engine. We use the Barracuda NG400 firewall. We switched from Cisco ASAs to the Barracuda and I can tell you the Barracuda is 100 times easier to configure and manage, which means fewer mistakes.

B. Be very specific in opening ports through your firewall. Always use the most restrictive policy you can. If you can restrict by source, then do it.

C. Only give users access to what they need. Though this does not fall into the area of perimeter security, because the users always cross your perimeter they are your highest risk factor. We had an incident a few years ago where a user downloaded the CryptoLocker virus. Fortunately, because of how tight we keep things, we were able to stop it before it did too much damage.

D. Have your domain admins have two accounts: one for everyday use and one for use when they need domain admin privileges. Do not let the domain admin account have internet access.
See C above for the reason.

Well, I could go on and on, but I think you get the general idea. I am sure others will chime in.

Have a blessed day.
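The script below is an added example, not code from the answer above: a PowerShell audit of the Domain Admins group for the two account practices the answer recommends (item 1, no password set to never expire; item D, a dedicated privileged account kept separate from the everyday one). It assumes the RSAT ActiveDirectory module is installed, the session runs as a domain account with read rights, and an assumed naming convention in which privileged accounts carry a "-adm" suffix and have a matching everyday account; change $AdminSuffix to your own convention.

```powershell
# Added example, not from the original answer. Audits Domain Admins for:
#   - PasswordNeverExpires set (answer item 1)
#   - password older than the 90-day policy mentioned in the question
#   - account is not a dedicated admin account, or has no matching everyday account (item D)
# Assumptions: RSAT ActiveDirectory module; naming convention "<user>-adm" for admin accounts.
Import-Module ActiveDirectory

$AdminSuffix = '-adm'      # assumed convention; adjust to your environment
$MaxPasswordAgeDays = 90   # from the domain policy described in the question
$Remediate = $false        # set to $true to clear PasswordNeverExpires on flagged accounts

$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
$suffixPattern = [regex]::Escape($AdminSuffix) + '$'

$findings = foreach ($member in Get-ADGroupMember -Identity 'Domain Admins' -Recursive) {
    # Nested groups are expanded by -Recursive; skip anything that is not a user object.
    if ($member.objectClass -ne 'user') { continue }

    $u = Get-ADUser -Identity $member.distinguishedName `
        -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled

    $issues = @()

    if ($u.PasswordNeverExpires) {
        $issues += 'PasswordNeverExpires is set'
        if ($Remediate) {
            # Clear the flag so the domain password policy applies to this account again.
            Set-ADUser -Identity $u -PasswordNeverExpires $false
            $issues[-1] += ' (cleared)'
        }
    }

    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $cutoff) {
        $issues += "password last set $($u.PasswordLastSet.ToString('yyyy-MM-dd')), older than $MaxPasswordAgeDays days"
    }

    if ($u.SamAccountName -notmatch $suffixPattern) {
        # A Domain Admin without the suffix is probably someone's everyday account.
        $issues += "not a dedicated admin account (no '$AdminSuffix' suffix)"
    }
    else {
        # Dedicated admin account: confirm the matching everyday account exists.
        $everyday = $u.SamAccountName -replace $suffixPattern, ''
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$everyday'")) {
            $issues += "no everyday account '$everyday' found for this admin account"
        }
    }

    [pscustomobject]@{
        Account   = $u.SamAccountName
        Enabled   = $u.Enabled
        LastLogon = $u.LastLogonDate
        Issues    = ($issues -join '; ')
    }
}

# Print only the accounts that need attention.
$findings | Where-Object { $_.Issues } | Format-Table -AutoSize
```

Run it first with $Remediate left at $false to see the report; with $Remediate set to $true it clears the PasswordNeverExpires flag on the accounts it flags and records that in the output. The script does not enforce the "no internet access for the domain admin account" rule; one common way to do that is a user-scoped GPO, security-filtered to the privileged accounts, that points the browser proxy at an unroutable address, paired with a firewall rule that denies outbound web traffic from the hosts those accounts are allowed to log on to.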
A good Information Security Plan should include several phases, depending on your existing infrastructure, network/systems topology and configuration. Check these links for more info:
