CAMPUS NETWORK UPDATE - University of Washington


University of Washington
Computing & Communications
My 7-Point Plan for Windows Security
Terry Gray
Director,
Networks & Distributed Computing
UW Computing & Communications
September 2002
Objective
• Make Windows computers “Network Safe”, right out of the box.
• Make it easy for users to adjust their security policy in accordance with the principle of least privilege (or minimum necessary access from the network).
• An “Open Letter” to Microsoft...
My 7-Point Plan for Windows Security
• Require the administrator account to have a password!
• By default, deny incoming connections to all but a minimum number of necessary service ports via integral firewalling.
• When an application requires listening on a port, give users the option of opening the port just for the session, or for a fixed time interval, or "forever"… but remind later about ports left open.
• Make it easy for users to establish their own local perimeter defense via IP access lists. (Important if they need to run insecure protocols within their workgroup.)
• Enhance existing "IP Security" capabilities to allow blocking only "initial connection" (SYN) packets.
• By default, have connections use IPSEC whenever available.
• Be wary of the UPNP NAT/firewall traversal stuff, a major security headache waiting to happen.
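
A small model of the default-deny, port-lifetime, access-list and SYN-only points of the plan, added here as an illustration; it is not from the slides or from any Microsoft product. The class and method names, the 24-hour reminder threshold and the rule that an empty access list means "any source" are assumptions, and the addresses in any sample call are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP header flag bits

@dataclass
class Grant:
    mode: str                          # "session", "timed" or "forever"
    opened_at: float
    expires_at: float = float("inf")

@dataclass
class InboundPolicy:
    trusted: list = field(default_factory=list)  # CIDR strings; empty = any source
    grants: dict = field(default_factory=dict)   # port -> Grant; empty = deny all

    def open_port(self, port, mode, now, seconds=None):
        """Record the user's choice when an application asks to listen."""
        if mode not in ("session", "timed", "forever"):
            raise ValueError(f"unknown mode: {mode}")
        if mode == "timed" and seconds is None:
            raise ValueError("timed grants need a duration")
        expires = now + seconds if mode == "timed" else float("inf")
        self.grants[port] = Grant(mode, now, expires)

    def end_session(self):
        """Close every port that was opened for this session only."""
        self.grants = {p: g for p, g in self.grants.items() if g.mode != "session"}

    def reminders(self, now, after=86400):
        """Ports left open "forever" for at least `after` seconds."""
        return sorted(p for p, g in self.grants.items()
                      if g.mode == "forever" and now - g.opened_at >= after)

    def allow(self, src, dst_port, tcp_flags, now):
        """Decide whether one inbound TCP segment is accepted."""
        # Only connection-opening segments (SYN set, ACK clear) are filtered.
        # This is stateless: other segments pass without a connection lookup.
        if not (tcp_flags & SYN) or (tcp_flags & ACK):
            return True
        grant = self.grants.get(dst_port)
        if grant is None or now >= grant.expires_at:
            return False               # default deny, or the grant has lapsed
        if not self.trusted:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(net) for net in self.trusted)
```

Because only SYN-without-ACK segments are checked, replies to connections the host itself started (SYN+ACK and later segments) are never blocked, which is what makes the filter usable without a connection table.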