Windows programmers fall into two main categories: There are those who work from the top down ("new school") and those who work from the bottom up ("old school"). Here's a quick overview of each working style.
Top down: As the program specification is accepted, the programmer designs the basic user interface and then creates the applications that support the user interface.
Bottom up: As the program specification is accepted, the programmer starts designing the various parts of the application and then tweaks the application to meet user requirements.
Keeping those models in mind, most Windows administrators work bottom up when it comes to security. They build servers to be left alone until something has to be fixed or changed, so they're constantly working to keep up with problems and demands. Patch management issues are often to blame; one patch may break something else on the server or maybe there's just not enough time to patch at all. And of course there are bugs in programs, the operating system, etc., that are a continual source of pain.
This is clearly not an efficient way to work. The problem is two fold: Management needs to understand that administrators have been working with this bottom-up mentality for years, and administrators need to be prepared to drop their old habits. A change in thought process has to occur on both sides.
For instance, when building a new server, administrators should build in security from the start. Doing so means reducing the attack surface, keeping services, ports and applications more secure, and less time keeping up with ongoing problems. The detailed breakdown would obviously be more complex, particularly considering dependencies on other services, but in the long run the administrator wins.
When trying to convince management that you need to invest in new Windows security processes, be prepared to answer the following questions:
- If we were taken down by an attack, what would be the cost per hour?
- Do we have a support contract that allows us to call the operating system or application vendor?
- If we have to wait five days for the vendor to respond, what will it cost us?
- How can we solve the problem in the mean time?
If the dollar value adds up to over $100,000 per day, it will be hard for anyone to ignore.
So before the next crisis occurs, take time to rethink the processes your network is currently built on. Any new machines brought online should be built into a new and improved security model, and old servers should be retrofitted. The goal is to be able manage the network -- and still take a vacation.
What do you think? Do you fit the mold of a top-down or a bottom-up worker? Do you act proactively and build in security from the start, or are you reactive and work in crisis mode? What are your biggest daily challenges, and, most importantly, do you have time to take a vacation? Let us know in an e-mail or Sound Off below when you get a chance.
SearchWindowsSecurity.com reader Al Reust is a systems engineer for information assurance working for the U.S. government. One of his main goals is to successfully communicate Windows security issues and solutions to employees of all skill levels and functions, from interns to senior administrators to management.