Hardening Windows systems: An immediate call to action

Here is the introductory excerpt from Chapter 1 of Roberta Bragg's "Hardening Windows systems." It explains how to think proactively about Windows security.

Hardening Windows Systems Get a glimpse inside Roberta Bragg's new book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 1, "An immediate call to action." It explains how to think proactively about Windows security. Click for the complete book excerpt series or purchase the book.

An immediate call to action

We have a big problem. We aren't doing what we need to do to secure our Windows computers. We know what we need to do; we just don't do it. This is not to say that we have all the answers. Just as there is no way to keep a determined burglar out of your house, there is no way to ever make a Windows system, or any other operating system, 100 percent secure. But we do have a lot of answers. We know what to do to prevent most types of attacks from being successful.

But instead of systematically hardening the operating system; instead of physically securing systems; instead of instilling a culture of security that includes everyone -- yes, I mean everyone -- in the business of security; instead of doing any of these things, we frantically patch systems and complain about insecure products. Then, when our networks are broken into and credit card data or other sensitive data is stolen, or systems damaged, we blame the problems on someone else.

Stop. Stop right now. These actions are like 14-year-old boys and girls or the extras in a grade B movie when Godzilla attacks. You're either blindly reacting, or you're paralyzed into inaction. Stop reacting, stop sitting on the fence, and start acting.

Take control of information security. Moreover, note that I said information security; computers are one small part of that. You need a comprehensive plan that secures information wherever it resides: on the mainframe; in the Linux Web server; in the Active Directory; on a PDA; in or available through smart phones; and yes, in the hearts and minds of the employees, contractors, partners and customers of your organization.

We know what to do, so let's do it.

Let's change our reactive model of information security to a more proactive one. "Hardened systems are secure systems." By hardened, we mean locked down, secured, and stripped of inessentials. By systems, we mean computers, networks and people. So how do you do this? Write the policy. Engage management in the discussion. Dig out the reference works that tell you how to secure whatever it is you have to secure, and get busy. If you have to, harden one computer at a time. Harden one concept at a time. Harden one person at a time. If you don't have the authority to harden something, find out what you need to do to get the authority. If you don't know what to do, find out. If you're afraid that what you do may cause something to fail, test it. If you are overwhelmed with the sheer size of the project you have set before yourself, get help.

Ultimately, you can't do it alone anyway. Security is everyone's business, and everyone must get involved. As an IT pro, though, it's up to you to start. Above all, mount your hardening, securing campaign in at least two directions: the big picture and the intimate reality of your day-to-day work. Much of the cultural change that we need to make will not come swiftly or easily. It requires planning and commitment. It requires evangelists and disciples, leaders and doers, talkers and strong, silent types. Making security as easy and as pervasive as breathing will not happen overnight. But you can effect significant changes in the security posture and actual security status of your networks right now by doing things that are under your control. What you can do will depend on your authority, but we can all do things that will have an enormous impact.

Click for the next excerpt in this series: Strengthen the password policy.

Click for book details or purchase the book.

Read more on IT risk management