I saw Brian Bourne give this presentation at Energize IT and asked to have it written up as a guest blog post. Over the past few years his company, CMS Consulting, has been doing security audits and this lead to their list of top 10 mistakes.
1. Password Management - This is an obvious one but still prevalent in many organizations. Issues include poor password policies or enforcement of those policies, re-use of passwords, and password storage. Amazingly enough simple user training can help in the majority of these. Most users do no know that "My first born is Grant." is a secure password.
2. Patches and Upgrades - Remember ALL software and hardware needs patching not just Microsoft. This is even more important for security products. Some issues here include no inventory (how do you know what to patch?), no reporting on status of patch deployment, legacy applications that are no longer patched, and the "deploy and forget" methodology of software deployment.
3. NTFS and Share Permissions - There are some simple rules to follow here. Remember that permissions are cumulative (except Deny always wins), never grant permissions to users and always use groups, install Windows 2003 fresh rather than upgrade and use security templates and GPO's to set and maintain security. Everyone having Full Control everywhere is never good, remember Anonymous is part of Everyone!
4. Too Much Privilege - Always follow the rule of least privilege! Enumerate the Domain Administrators, Enterprise Administrators, Schema Administrators, Server, Print and Backup Operators groups to ensure nothing is adding itself to any of these groups. Also remember that service accounts need special consideration and put those accounts in a separate OU with a restrictive GPO applied to it. And never use a domain or enterprise admin account to run services.
5. Administrative Practices - NEVER use a domain or enterprise admin account for your day to day activities and don't use those accounts to login from a standard workstation. Always deploy a high secure desktop for administrative work. Also remember to guard the Enterprise Administrator accounts with your life and never share passwords among admins.
6. Unused Services - IIS is the number one installed but unused service (installed by default in 2000 but an additional install in 2003+) and removing unnecessary services will reduce the attack surface. There is a good guide to understanding services you can download and read here.
7. Auditing and Logging - How do you know if something has happened? How will you piece together the "crime scene" without any evidence? Auditing is crucial but it is also important only to audit what is important. Think beyond Windows to your switches, firewalls, and applications and consider shipping your logs off site for long term storage.
8. Backups - Backups are crucial and a lot of people think they are on top of things here only to find out things were not running smoothly when they need to restore something. Always test your DR plan as well as your recovery procedures. Do random tests to ensure your process is working and ensure you are backing up all your critical data (System State on all FSMO role holders). Also consider encrypting your backups and look at offsite storage or a fire and heat proof vault to store the media. Finally remember that backups are only part of your DR plan.
9. Security Education - You certainly can't expect someone to make the best security decisions without any training. Security training for your staff (Network usage policy, social engineering awareness) and your IT department (security architecture, secure operating policies, attack methods and how to mitigate and defense in depth techniques) are key to a secure environment.
10. Incident Response - Be prepared in the event that something does happen. Have a plan and have your staff trained on what to do in case of emergency. NEVER touch the compromised computer, delete any files, or do anything without the approval of your security officer. Doing so could destroy the evidence needed to determine what happened and how to prevent it from happening again.