Workstation Domain computers and devices are often the most visible components to users. The majority of users access an organization’s applications and information using Workstation Domain computers. That means Workstation Domain computers and devices tend to interact with users a lot. Many security issues result from user errors and can be addressed with proper training. However, training can address only some of the security issues related to users. Eventually, an untrained, unmotivated, or careless user will violate security policy and will perform an action that causes a security incident. The incident might be large, or it might be very small and unimportant. Regardless, it is important to employ multiple layers of controls to ensure security does not rely on any single control. Even organizations with very effective training programs encounter problems that users create.
A solid security policy should define multiple layers of controls working together to keep your information secure. Your security policy should direct security activities and state standards that maintain compliance with legislation, regulations, and any other requirements. Following procedures and guidelines should always result in fulfilling your security policy as well as any other organizational policies.
Periodically, an organization should assess its adherence to the security policy. To accomplish this, an organization can perform a gap analysis to determine what holes might exist in how it enforces the security policy. Specifically, the organization can compare the present situation with the desired situation. Once identified, the gap between the two is used to create actionable tasks.
Procedures define the steps necessary to fulfill the intent of the security policy. The Workstation Domain procedures can cover many aspects of maintaining computers and devices but should include the following:
Change password procedure
Logon/logoff procedure
Backup procedure, including handling backup media
Recovery procedure
Update operating system and application software procedure
Maintain private data procedure
Malware alert procedure
Grant/deny object access procedure
Procedures provide the step-by-step instructions for fulfilling the security policy but cannot include every variable. Sometimes, you have to make decisions based on the information at hand. In these cases, guidelines can help you make decisions that still comply with your security policy and any other organizational policies. Workstation Domain guidelines can include the following:
Strong password guideline
Document-naming guideline
Printer use guideline
Software installation guideline
Handling backup media guideline
Internet use guideline
Use operating system controls whenever possible to enforce Workstation Domain policies. These controls will not fulfill all aspects of the security policy, but they will provide a solid foundation for ensuring your information’s security. Controls you will find in most current operating systems include the following:
General object access permissions
Shared object access permissions
Private object access permissions
Printer permissions
Audit logging settings
Authentication requirements
User rights
Taken together, policies, procedures, and guidelines provide the instructions and limits that enable your users to comply with your security policy when using components of the Workstation Domain. Even though you design and deploy controls to limit user actions, you still should deploy additional controls to detect noncompliant behavior. Use your operating system’s access audit logging features to keep log files of interesting object access requests. Carefully consider which objects you want to audit. Auditing access requests for all objects will slow your computers down and waste disk space. Identify the objects that contain sensitive or private information and enable audit logging for those objects.
A second useful technique during an audit is to compare a snapshot, or baseline, of a computer or device as it currently appears with a baseline from a previous point in time. Any differences between baselines could indicate unintended changes and possible vulnerabilities. Your audit plan should include procedures to create periodic baselines that you can use to detect unwanted changes to your computers and devices. A baseline can contain many types of information, but should include the following:
Users and settings
Groups and members
File list with access permissions
Access control lists
Configuration settings for important applications and services
Installed application list
Startup/shutdown and logon scripts or batch files
Network adapters and configuration
You should include any other information that describes the configuration of a specific computer. One of the easiest ways to create baselines is to include the commands that list the desired information in a script or batch file. You can compare saved output from any baseline to see configuration changes between snapshots. Creating periodic baselines supports the overall audit process to ensure compliance with stated security goals.
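The baseline-and-compare technique described above can be sketched as a short script. This is an added example, not part of the original text: it uses Python rather than a batch file so it runs on any platform, and the function names, the "groups" section, and all sample files and account names are constructed for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

def file_section(root):
    """Map each regular file under root to 'permissions sha256'."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):  # skip symlinks and special files
                digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                entries[rel] = f"{stat.filemode(st.st_mode)} {digest}"
    return entries

def take_baseline(root, extra_sections=None):
    """Build one snapshot; extra_sections holds output of other listing commands."""
    return {"files": file_section(root), **(extra_sections or {})}

def compare_baselines(old, new):
    """Return sorted (section, item, change) tuples for every difference."""
    findings = []
    for section in sorted(set(old) | set(new)):
        before, after = old.get(section, {}), new.get(section, {})
        for key in sorted(set(before) | set(after)):
            if before.get(key) != after.get(key):
                change = "added" if key not in before else "removed" if key not in after else "changed"
                findings.append((section, key, change))
    return findings

def demo():
    """Constructed sample data: snapshot a temp directory, alter it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("logon.sh", "app.conf"):
            (root / name).write_text("constructed sample\n")
            (root / name).chmod(0o644)
        # Round-trip through JSON, as the earlier baseline would be saved to disk.
        old = json.loads(json.dumps(take_baseline(root, {"groups": {"admins": "alice"}})))
        (root / "logon.sh").chmod(0o755)       # permission change on a logon script
        (root / "app.conf").unlink()           # configuration file removed
        (root / "new_tool.bin").write_text("constructed sample\n")  # new file
        new = take_baseline(root, {"groups": {"admins": "alice,mallory"}})
        return compare_baselines(old, new)
```

Each finding names the baseline section, the item, and whether it was added, removed, or changed, which gives the auditor a short list of differences to check against approved change records.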