Tips and Tricks for Securing Access to the Network
Using certificates and smartcards to secure access to the network relies on several factors, including practicing good firewall procedures, securing certificate authority servers, and tracking user access.
This section describes the benefits of a well-run smartcard enrollment and authentication strategy. These techniques are only as secure as the underlying practices that exist in the enterprise.
Using Physical Security
As the old adage goes, keep honest people honest. Physical security is probably one of the most overlooked practices in a Windows-based network. Because of the friendly interface, many administrators make the mistake of treating their Windows servers like any other desktop. Having the server's console invite you to sit down and see what you can change or peer into is just too tempting. This is especially likely when administrators walk away from the console while still logged in.
Lock your servers away. If a secure room isn't available, at least use a lockable server cabinet. If this isn't an option, you can always remove the monitor, keyboard, and mouse. The server will still run, and you can use Terminal Services to manage it.
Keep backups in vaults. If the company doesn't have access to a storage vault, any off-site facility with reasonable physical security will do, even if this means that you rotate backup sets at home.
Keeping Security Rules Simple
If security measures are too hard to use or remember, users won't use them. Using devices such as smartcards actually makes the company's security policies easier to implement, because users do not have to suffer through strong passwords.
If security measures are too hard to use or implement, administrators won't want to roll them out. Microsoft and other vendors are making the securing of networks and user access more straightforward and easier to manage. Administrators are then able to create a more secure computing environment for their company and end users.
Covering Your Tracks
Some of the best practices are relatively simple but effective: naming conventions, security roles, and client access control. When these simple processes are followed, it's easier to cover your tracks, which makes it more difficult for a hacker to gain access to your systems.
Don't advertise your systems. By using naming conventions that are somewhat cryptic, administrators can keep someone who is looking at the network from knowing which machine performs which role.
Don't broadcast your network vulnerabilities to outsiders by leaving nonessential system services running. Services such as File Transfer Protocol (FTP) are constantly polled by port scans. After someone knows which services are running, they can then employ tools and bots to try to break into the system.
Another good practice is changing the port number that required services are running on. This method of security is best deployed when you can control the client applications that are accessing the company's network-based services.
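One way to check a server against the last two practices, as an added example that is not part of the original text: the script parses saved `netstat -ano` output and reports network-facing listeners that are not in an approved baseline, plus approved services that are not listening. The sample output, the baseline ports (including the service moved to 8443), and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of `netstat -ano` output from a Windows server.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    10.0.0.5:3389          10.0.0.20:50122        ESTABLISHED     1104
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       4
  TCP    [::]:8443              [::]:0                 LISTENING       2216
  UDP    0.0.0.0:123            *:*                                    1000
"""

# Hypothetical baseline: TCP ports this server is approved to expose.
APPROVED = {
    135: "RPC endpoint mapper",
    3389: "Terminal Services",
    8443: "web enrollment, moved off the default port",
}

# Matches only TCP rows in LISTENING state; handles IPv4 and bracketed IPv6.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return (address, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return listeners


def is_loopback(address):
    """Loopback-only listeners are not reachable by a remote port scan."""
    return address.startswith("127.") or address == "[::1]"


def audit(netstat_text, approved):
    """Return (unexpected, missing): unapproved network-facing (port, pid)
    pairs, and approved ports with no listener at all."""
    listeners = parse_listeners(netstat_text)
    unexpected = sorted({(port, pid) for addr, port, pid in listeners
                         if not is_loopback(addr) and port not in approved})
    seen = {port for _, port, _ in listeners}
    missing = sorted(port for port in approved if port not in seen)
    return unexpected, missing
```

For the constructed sample, the audit flags the FTP listener on port 21 (PID 1480) as unexpected; the PID can then be matched to a service so that it can be disabled.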