Good enough security

On October 29, 2005, in Security, by

What’s enough security?  What’s good enough security?  We got to talking about this in regards to a couple of blog posts and patching.  I was attempting to remotely patch my SBS box over remote web workplace and because the SMTP service got stuck taking down IISadmin, remote web workplace also got a little smooshed in the process.  We got to talking about remote patching and how you can do it safely and dependably.  A terminal services connection will give you the most consistent and dependable patching connection.  But given Terminal services historial issues [TSgrinder comes to mind] how can you defend a well known port of 3389?


Well one thing that you can do if you add the premium edition is ISA server.  With the addition of the premium firewall you can set it up so that the TS port only responds to you the consultant.  With Remote Web Workplace, the firm’s employees really doesn’t need access to that straight TS port do they?


But what else can you do to give good enough security?


Passwords/passphrases. 


Today I toured the open house of a hospital with a new treatment center.  And as we were walking through the computer rooms, me being the geek I am, I was looking at what systems they were running.  And there on the screen was … tapes to the screen…. the user name and password.  And it was quite a sucky password.  I mean … the whole idea behind urging folks to write down passwords in the first place is to ensure that you choose better ones.  The one I saw today, written down, taped to the screen certainly was not in this category 


A long administrator password helps hugely to better protect that Administrator account.  The human brain has a limit to what we remember.  There’s a limit in our brains of how much we can process and remember. 


Good enough security means taking extra precautions…. like passwords.

 

One Response to Good enough security

  1. Krissy says:

    Or you could just leave the admin password blank right?