Securing your data is as much about keeping your data in as it is keeping intruders out. One simple rule works wonders.

Corporate networks face more security threats than ever before. Whether it’s the rampant spread of malware, malicious employees, or plain and simple user error, IT administrators must bend over backward to ensure that intruders stay out and corporate data stays in. Tools abound to help you secure your data, but one simple policy — regardless of which part of your infrastructure you look at — will invariably protect you more than any single piece of security hardware or software: Deny all, permit some.

A recent reminder of the value of this policy came to me when an organization I work with was struck by a new zero-day worm. Within a few hours over a weekend, a significant portion of the Windows machines on the network had been infected. It was most of the way through the following Monday before virus detection signatures that would recognize the worm and its payload were made available and real progress was made toward combating it.

Like many worms, the payload was a Trojan that would allow remote control of infected workstations and cause data leakage, but revealed no outward signs of infection or denial of service. Fortunately, the network administrator had made the decision many years ago to configure all of his border security devices to deny all traffic — inbound and outbound — unless it had been requested for a business purpose and specifically allowed.
That policy had not been particularly popular with users, but in this case it resulted in the inability of the virus to communicate with its control server and prevented any data leakage or subsequent infections.

Though it took a fair amount of work to eradicate the worm after it had dug its way into so many systems, the net effect on users and the organization was very low. Given that the Trojan would have shipped random documents, passwords, and full keystroke logs out into the ether, the ramifications of a completed infection could have been a serious existential risk to the business.

In the end, a raft of security measures involving a well-tuned IPS, content filter, desktop security policy, and anti-virus software were shown up by a simple “deny any any” rule at the bottom of the access list on the inside interface of the firewall, the list that governs traffic leaving the LAN. Outbound filtering is what stopped the callback: the infected workstations could still be reached by the worm, but nothing on the inside could open a connection to an outside host that had not been explicitly permitted. That’s some serious food for thought. Sometimes the easiest things you can do to secure your network will have the biggest impact.

If that’s true, why don’t network devices come configured that way? Why did the administrator have to make an explicit decision to implement that policy? The answer is simple: convenience. People — administrators and users alike — aren’t fond of jumping through hoops to start using a new system. Most of you will remember the annoyance caused by Microsoft’s User Account Control as it was shipped in Windows Vista, not to mention the fun involved in actually trying to use Internet Explorer when its “Enhanced Security Configuration” is active (good luck).

It’s a fact of life that by default most systems give more privileges to users than they need to or should. It’s up to the administrator configuring the device or service to lock it down.
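What that access list does, modeled as an added example (my code, not the article's and not the administrator's actual configuration): a first-match access list with the requested business flows permitted on top and an explicit "deny any any" at the bottom, evaluated against constructed traffic from one workstation, including the Trojan's callback to its control server. Beside it sits the convenient alternative, the same permits followed by "permit any any", plus a small audit for rules that can never fire. The subnet, hosts, ports and the rule engine are assumptions for illustration; the semantics assumed are Cisco-style (first match wins, unmatched traffic is implicitly denied).

```python
"""Added example: first-match access-list evaluation, deny-all vs permit-by-default.

Everything below (subnet, hosts, ports, the rule engine) is constructed for
illustration; it is not the configuration described in the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR, or "any"
    dst: str                     # CIDR, or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every destination port

    @staticmethod
    def _net(field: str):
        return ip_network("0.0.0.0/0" if field == "any" else field)

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self._net(self.src)
                and ip_address(f.dst) in self._net(self.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` could match is already matched by self."""
        return (other._net(other.src).subnet_of(self._net(self.src))
                and other._net(other.dst).subnet_of(self._net(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


def evaluate(acl: "list[Rule]", flow: Flow) -> str:
    """First matching rule wins; as on a Cisco ACL, an unmatched flow is
    implicitly denied. The explicit final deny in the article only makes
    that default visible (and auditable) in the configuration."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


def shadowed_rules(acl: "list[Rule]") -> "list[int]":
    """Indexes of rules that can never fire because an earlier rule already
    covers everything they would match, e.g. a permit appended below
    'deny any any'. A cheap sanity check to run after every change."""
    return [j for j in range(len(acl)) if any(acl[i].covers(acl[j]) for i in range(j))]


# --- constructed policy -------------------------------------------------------
LAN = "10.1.0.0/16"  # assumed workstation subnet
BUSINESS_PERMITS = [
    Rule("permit", LAN, "10.1.0.10/32", "tcp", 3128),  # web only via the proxy
    Rule("permit", LAN, "10.1.0.53/32", "udp", 53),    # internal resolver only
    Rule("permit", LAN, "10.1.0.25/32", "tcp", 25),    # internal mail relay only
]
# The article's policy: the requested business flows, then deny everything else.
DENY_ALL_PERMIT_SOME = BUSINESS_PERMITS + [Rule("deny", "any", "any")]
# The convenient default: the same permits, then allow whatever is left.
PERMIT_BY_DEFAULT = BUSINESS_PERMITS + [Rule("permit", "any", "any")]

# --- constructed traffic from one infected workstation ------------------------
FLOWS = {
    "web via proxy":   Flow("10.1.20.5", "10.1.0.10", "tcp", 3128),
    "dns to resolver": Flow("10.1.20.5", "10.1.0.53", "udp", 53),
    "c2 callback":     Flow("10.1.20.5", "203.0.113.7", "tcp", 443),  # Trojan phoning home
    "direct smtp":     Flow("10.1.20.5", "198.51.100.9", "tcp", 25),  # mailing data out, bypassing the relay
}


def decisions(acl: "list[Rule]") -> "dict[str, str]":
    """Verdict for every constructed flow under the given access list."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, acl in (("deny all, permit some", DENY_ALL_PERMIT_SOME),
                      ("permit by default", PERMIT_BY_DEFAULT)):
        print(f"{name}: {decisions(acl)}  shadowed={shadowed_rules(acl)}")
```

Run it and the two verdict lines differ only on the two outbound flows, which is the whole story of that weekend: the business traffic works either way, but under the permissive list the callback and the direct mail connection sail through. The shadowing check earns its keep later, when someone pastes a new permit below the final deny and wonders why it does nothing. Turning the second list into the first is the lock-down step the administrator has to take deliberately.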
All too often, this process isn’t taken seriously enough and too many default permissions are left in place in the name of expediency.

Avoiding this trap requires IT to bite the bullet and constantly reevaluate rights and permissions — and make exceptions to allow further access only as it is required. This sort of policy won’t win much praise from end-users, either. Nobody likes to be told that they aren’t allowed to do something that they need to be able to do, and then wait for IT to come fix it for them. Well, too bad — having people occasionally irritated with IT is far better than having confidential corporate data quietly upload itself onto the Internet without your being the wiser. The next time it seems easier to leave default permissions in place or grant more permissions than you think are really required, don’t. It could very well save your skin.

This story, “Deny all, permit some,” was originally published at InfoWorld.com.