How do or how would you secure your network?

Hello,

I oversee a small (>150) network of PCs and a couple of Macs. We are a non-profit health care facility that has clients in and out all day using the computers. The majority of our computers are old, P4's some with 256k fo ram running windows 2000 sp4.Most of our users log in with a common userid that gives them very limited rights on the network however most of what they do is surf the web and most of this is not business related but done for entertainment.

We have alot of people who want to download music, look at porn, chat, download and install programs like limewire and upload to file sharing sites. When I started working here there was virtually no security or web filter in place. We have the following:

The lowest level content filter from the sonic wall pro 2040
Symantec antivirus 10.0.1

Last fall we were blacklisted due to a trojan sending out emails. We scanned all our machines and found several viruses not detected by our anti-virus program. I am always finding various trojans on the network.

Right now, I have done the following:

* enacted group policies to prevent downloads and installations
* disabled floppy, cd-rom and usb drives
* blocked all chat and instant messaging
* Allow personal computers to access the network only under IT supervision
* Blocked smtp on all machines except our mail server

I am testing websense as a content filter and hope to be able to use it so I can block streaming video and a whole host of other stuff our old content filter doesn't cover. I am also wondering if there are better anti-virus programs for our network, like trend micro?

I am looking for suggestions as to how any of you would further secure this network if it were up to you. Any and all suggestions and questions are welcome as I am rather a novice when it comes to security.

thanks for any and all help!

 

hi agitate. i think youre on the right track as far as internal network security goes. most, if not everything i would suggest it looks like youve already done or on working on. really the only other thing i would point out, just in case youve overlooked it, is your firewall. how do you have it set up? blocking everything and creating rules to allow only the needed ports is best practice.
i use symantec on most of my PCs around my campus. its an ok program. doesnt pick up on some stuff sometimes though... if i didnt have 1000 other things to do before friday, id look around at other options. just havent had the time.
principal of least privilege for your users.
go the extra mile on the account that people come in to use. make an image of these computers and reimage them often.
if you can, have different VLANS on your core switch. one for your clean admin network, one for the employees, and maybe one for the computers people who come in use. it would be great if you could set up an internal firewall between your clean admin network and your other vlans.

make sure you know your network well. know where the problem areas are, know what area of the network is used most and who its used by. keep current on antivirus software updates and definitions.

just a few things i came up with this morning. hope it helps a little.

 

sorry for the late response.

Thanks alot your advice helps. There are only 2 IT people here and one of them (my boss) really isn't an IT person so much so it helps to get some affirmation about the way I'm doing things.

I agree about symantec, I am thinking of looking at trend micro and am about to try out websense express and something called lightspeed, because websense security suite is just too expensive and kind of overkill for us.

And about making images--that has also been on my list. I have used clonezilla in the past because we can't afford ghost or acronis--being a non-profit means being extremely frugal.

Again thanks alot for your advice it is very helpful to me!

 

hey no problem. thats barely touching the surface though. if you havent already, you should read up on server 03 security and probably get a book or two on your firewall. get good with exchange as well if youre using it.