What’s a best practice?

On October 25, 2005, in Security

In the MVP world we have camps.  I swear we’d have cheerleaders if we had the chance.  Football games, possibly with the Windows team playing the Office team.  But instead we have blogs and newsgroup postings for our playing fields.  And there are times we lob volleys across the wall at one another.  One MVP will point out the ‘differences’ between SBS’s SharePoint and “normal Windows” SharePoint, for example.

In a blog post today, Dr. Tom wrote about a situation where someone got help setting up a VERY unusual ISA configuration, one that entailed getting a laptop normally joined to a corporate domain out the door of another, different domain. He says, “The ISA firewall product has enough problems getting traction in the marketplace without having to deal with what looks like an enemy within.”  The funny thing is, in the book “Protecting Your Windows Network” by Steve Riley and the very gentleman with the unusual firewall setup who wrote that blog, the authors actually state that ISA Server is a very, very GOOD firewall, and they even go so far as to say that, even on a server, it is layered on the Windows TCP/IP stack in a way that lets it protect the host.  The enemy here is certainly not within when, in the literature, they are on record as praising it.

I’m not sure if Dr. Tom has read the book, but if he had, he’d see that the authors actually praised ISA Server and were certainly not dissing it.  They even talk about how SBS ‘might’, just ‘might’, be more secure than larger firms, because we’ll have admins who don’t mess around with the firewall and make unnecessary adjustments.

It gets back to my rants about ‘best practices’.  Best for whom?  For you?  Does that checklist you are following really understand your firm?  The entry points into your network?  In this day and age, where you can shove just about anything out the universal access port, port 80, I still argue that it’s awareness of the network that keeps me safe.

I’m in charge of my network.  My sister’s firm follows some of those ‘security best practices’, and yet she comes home with more stories of security issues than I have from my network.

…so I’m still out here saying: how about we don’t compare my network’s threat model with the Department of Defense’s threat model.  Mine is different from Dana‘s, which is different from Chad‘s, which is different from… well… we are all just different.  And security doesn’t have a yes/no answer, nor a checkbox.

A lot of it is indeed PEBCAK: problem exists between the chair and keyboard.

It’s me.  It’s the decisions I make that are the biggest risk to my firm… but one of those decisions, being an aware admin, is one that I would argue beats a lot of so-called best practices and checklists.

P.S.  Make no mistake.  I CHOSE SBS.  I did it in 1998, I did it again in the 2000 era, and once again in 2003.  A compromise, to me, is not something accepted but not wanted; I am choosing this platform as the result of a settlement.  A balance.

Someone posted the following about SBS, and in particular about ISA on SBS…

SBS is a security compromise by definition:
“Something accepted rather than wanted.”
“something that somebody accepts because what was wanted is unattainable”

No, I chose SBS because it has things in it that no other platform has, and I do want it.  Given the same decision tree, the same proper balance, I will choose it again.  If you define ‘compromise’ as what it is in reality, a balance… then yes, indeed, SBS “is” a security compromise.  But it’s one that is CHOSEN, because it IS a balance, by businesses all over the world.  I didn’t want to attain anything else.
