Sophos experts offer advice on how administrators can better secure enterprise networks against intruders, malware and spam.
1. Define correct user rights for the correct task
Users with administrator rights have the ability to perform activities that could be damaging, such as:
- accidentally making changes that decrease the overall level of network security
- being fooled into running malware, which would adopt the user's administrator privileges
- having logon details stolen, which would allow third parties to log in and carry out damaging actions
To increase security, ensure that your users have the appropriate privilege level for the task at hand, and limit the number of users that have administrator usernames and passwords.
2. Download files from trusted sites only
Many files can be downloaded from multiple locations on the Internet, but not all locations are created equal. Some are more secure than others. Ensure your users only download from trusted sites, which are often main source websites rather than file-sharing or generic websites. Also consider who in the company needs to download files and applications from a website: consider restricting this permission to only those trusted users who are required to download files as part of their day-to-day activities, and ensure that these select few are educated in how to download files safely.
3. Undertake an audit of network shares
A lot of malware can spread via networks. This is commonly due to there being little or no security on network shares. Remove unnecessary shares and secure the others and their contents to limit the spread of network-aware malware.
4. Control network connections
When computers connect to networks, they can adopt that network's security settings during that specific session. If this network is external or outside the administrator's control, the security settings may be insufficient and put the computer at risk. Consider restricting users from connecting computers to unapproved domains or networks — in most instances, most users need only connect to the main corporate network.
5. Change the default IP range for your network
Networks often use standard IP ranges, such as 10.1.x.x or 192.168.x.x. This standardization means machines configured to look for this range may accidentally connect to a network outside your control. By changing the default IP range, the computers are less likely to find a similar range. You can also add firewall rules, as an added precaution, which allow only approved users to connect.
6. Audit the open ports on your network regularly and block unused ones
Ports are like windows in a house. If you leave them open for long periods of time without surveying them, you increase the chance of letting in uninvited intruders. If ports are left open, Trojans and worms can use them to communicate with unauthorized third parties. Ensure all ports are regularly audited and unused ports are blocked.
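One way to carry out the port audit described above, as an added example that is not part of the original article: it parses listening-socket output in the format of Linux `ss -H -tln` and reports ports that are reachable from the network but not on an approved list. The sample output and the approved-port set are constructed for illustration.

```python
import ipaddress

# Constructed sample in the format of `ss -H -tln` (Linux); not from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 5 0.0.0.0:8081 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
"""

# Hypothetical baseline: the ports this host is approved to expose.
APPROVED_PORTS = {22, 443}


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if addr == "*":  # ss prints "*" for a wildcard bind
            addr = "0.0.0.0"
        listeners.append((addr, int(port)))
    return listeners


def audit(listeners, approved):
    """Return (unapproved network-reachable ports, loopback-only ports)."""
    exposed, local_only = set(), set()
    for addr, port in listeners:
        if ipaddress.ip_address(addr).is_loopback:
            local_only.add(port)  # not reachable from other machines
        elif port not in approved:
            exposed.add(port)
    return sorted(exposed), sorted(local_only)


if __name__ == "__main__":
    exposed, local_only = audit(parse_listeners(SAMPLE_SS), APPROVED_PORTS)
    print("Unapproved ports open to the network:", exposed)
    print("Loopback-only ports (review, lower priority):", local_only)
```

On a live Linux host the same functions can be fed the output of `ss -H -tln`; ports reported as unapproved are candidates for stopping the service or blocking at the firewall.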
7. Regularly audit the entry points into your network
Networks change shape and size all the time, so it is important to look into all the routes into your organization on a regular basis. Be aware of all entry points. Consider how to best secure the routes to stop unwanted files and applications entering undetected or sensitive information leaking out.
8. Consider placing business critical systems on a different network
When business critical systems are affected, they can slow business processes significantly. To help protect them, consider having them on a different network from the one used for day-to-day activities.
9. Test new software on a virtual network before you deploy
Although most software developers test software as much as they can, they are unlikely to have your network's exact configuration and setup. To ensure that a new installation or update does not cause any problems, test it on a virtual system and check its effects before deploying to the real live network.
10. Disable unused USB ports
Many devices, when connected to a USB port, will be automatically detected and mounted as a drive. USB ports can also allow connected devices to autorun software stored on them. Most users are unaware that even the safest and most trusted devices can potentially introduce malware into the network. To prevent any accidents, it is much safer to disable all unused ports.