Six ills of intranet security

Intranet security management is becoming more and more important for enterprises. An enterprise's security issues affect every aspect of its development. Our analysis begins with the enterprise's security design, to see what problems currently exist.

Disadvantage one: the client patch upgrade depends on the employees' consciousness

Most users in enterprises now use Windows clients. A characteristic of this client is that it has many patches, including IE patches, Office software patches, and so on. If a patch is not applied in time, a virus can easily take advantage of the gap and use it as a convenient channel to spread. Unfortunately, many IT leaders do not pay much attention to patch management and control. For example, some administrators rely solely on users' own initiative to manage patches, such as patching the system through the automatic update service on the client. This requires manual action by the client user: the user may need to confirm manually whether to install the patch, may need to restart after the upgrade is complete, and so on. In reality, some users find this troublesome, so they do not install patches on their own initiative. This exposes the intranet to unnecessary security risks.

For this reason, the author suggests adopting a unified solution for patch management. For example, Microsoft has a patch management tool that can enforce mandatory patching of client systems from the server, such as automatically patching the system before the next boot. This design can guarantee the security of the internal network and also minimize the adverse impact on users. In short, the author believes it is best not to leave the decision to install patches to the user. Most users will not exercise this power correctly.

Disadvantage two: incompatible self-signed certificates will cause trouble

The IE browser has always been the hardest-hit part of Microsoft's operating system and server products. Incorrect settings by users are one of the reasons. To improve this situation, Microsoft has added self-signed certificates to some of its products, such as Exchange. Simply put, when enterprise users have not taken any security measures, the system automatically uses a self-signed certificate to enable certain security encryption mechanisms, such as SSL encryption.

This default security measure improves the security of system applications to a certain extent. It can be a great help, especially for users who have no concept of security. But so far, the role of this self-signed certificate is limited to Microsoft products. If the enterprise is using an Exchange server and accesses the mailbox with the IE browser, there is no problem. However, if other browsers are used, incompatibility may occur. For example, the browser will warn the user that the system does not trust this type of certificate. To avoid this trouble, some administrators simply disable the self-signed certificate function. This undoubtedly weakens the security of the enterprise's internal network servers.

Disadvantage three: do not pay attention to follow-up tracking

Many companies pay great attention to the security of their internal networks when designing and building them, for example by disabling unnecessary services and prohibiting the use of mobile devices. However, they also have some blind spots here. They attach great importance to the early design and configuration but lack a follow-up tracking mechanism.

For a file server, an enterprise may have relatively sound security mechanisms, such as permission-based access control, but lack an access audit mechanism. In other words, it cannot judge whether the security measure is actually working, nor analyze whether users have made unauthorized access attempts. In this case, deficiencies may only be discovered when a problem finally occurs. The author suggests that security design and configuration in the early stage are important, but it is also necessary to keep tracking and analyzing in the daily work that follows. When the original configuration is found to no longer meet the enterprise's security needs, it must be adjusted in time. For the file server, you can enable the audit function to record unauthorized access by users, then analyze this data to identify possible attack behavior by users.
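One way to carry out the analysis step described above, shown as an added example that is not part of the original article. It assumes the file server's audit records have been exported as CSV with the hypothetical columns `time,user,path,result`; the sample rows are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of an exported file-server audit log (assumed columns).
SAMPLE_AUDIT_CSV = r"""time,user,path,result
2024-03-04T09:01:10,alice,\\fs01\finance\payroll.xlsx,DENIED
2024-03-04T09:02:00,alice,\\fs01\sales\q1.xlsx,ALLOWED
2024-03-04T10:15:02,bob,\\fs01\finance\payroll.xlsx,DENIED
2024-03-04T10:16:40,bob,\\fs01\hr\reviews.docx,DENIED
2024-03-04T10:18:55,bob,\\fs01\legal\contracts.pdf,DENIED
2024-03-04T11:00:00,carol,\\fs01\hr\reviews.docx,DENIED
2024-03-04T11:00:05,carol,\\fs01\hr\reviews.docx,DENIED
2024-03-04T11:00:09,carol,\\fs01\hr\reviews.docx,DENIED
2024-03-04T08:00:00,dave,\\fs01\finance\payroll.xlsx,DENIED
2024-03-04T12:00:00,dave,\\fs01\hr\reviews.docx,DENIED
2024-03-04T16:00:00,dave,\\fs01\legal\contracts.pdf,DENIED
"""

def flag_denied_bursts(csv_text, min_paths=3, window=timedelta(minutes=10)):
    """Return {user: sorted denied paths} for users who were denied access to
    at least min_paths distinct files inside a single time window."""
    denied = defaultdict(list)
    for row in csv.DictReader(StringIO(csv_text.strip())):
        if row["result"].strip().upper() == "DENIED":
            when = datetime.fromisoformat(row["time"])
            denied[row["user"]].append((when, row["path"]))

    flagged = {}
    for user, events in denied.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct paths denied within `window` of this event.
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_paths:
                flagged[user] = sorted(paths)
                break
    return flagged

if __name__ == "__main__":
    for user, paths in flag_denied_bursts(SAMPLE_AUDIT_CSV).items():
        print(f"review {user}: denied on {len(paths)} distinct files: {paths}")
```

A single denial (alice), repeated denials on one file (carol) and denials spread across a day (dave) are not flagged; only a burst across several distinct files (bob) is.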

Disadvantage four: no reverse proxy is used to reduce port overhead

With the spread of enterprise information management, enterprises are increasingly no longer content to have only internal users use their information systems. For example, some companies open offices in other locations and want the staff in those offices to be able to access servers inside the enterprise. As another example, for the convenience of employees on business trips, some enterprises also allow them to connect to internal servers from the public network.

If you want to allow the enterprise's internal servers to be accessed by external users over the Internet, you must open multiple ports on the firewall. This increases the enterprise's internal security risks. The reason is simple: it is like a house with multiple doors, and the administrator cannot look after the security of all of them. For example, suppose an enterprise has deployed Microsoft's instant messaging suite. If external users need to use this instant messaging server, a dozen ports must be opened on the firewall. This undoubtedly greatly reduces the security of the enterprise's internal network. In this situation, the author recommends using a reverse proxy mechanism. Reverse proxy servers are generally located between the Internet and the local servers that need to open multiple ports, basically in parallel with the firewall servers. A reverse proxy hides the server from the external network and also ensures that malicious external requests do not reach the server. In terms of security, it is similar to NAT technology. However, its management cost and performance overhead are much lower than those of a NAT server.

Disadvantage five: deploy too many applications on the same server

Deploying multiple applications on the same server is also common in enterprises. Although this can reduce the cost of deployment to a certain extent, it also increases the security risks of the server. Suppose that three applications are deployed on one of an enterprise's servers. In this case, there are actually four information systems, including the operating system. If each information system has 2 security vulnerabilities, then this server now has 8 vulnerabilities. If strict security measures are not taken, an attacker may use any of these vulnerabilities to steal content on the server or even take control of it.

This is like a chain. The more links there are in the chain, the worse its safety is, because if any link breaks, the entire chain is useless, and the more links there are, the more likely one is to break. It is not impossible for an enterprise to deploy multiple applications on a server, but the number needs to be limited. In general, do not exceed three. At the same time, for important applications such as databases, it is best to use a separate application server to ensure their security. Where applications do share a server, some necessary measures, such as virtual CPU technology, are also needed to provide a relatively independent working environment for each application.

Disadvantage six: SSL encryption mechanism is not adopted for authorized access such as mail

Many information systems in enterprises require authorization before they can be accessed. For example, in a mail system, users can only access their own mailboxes. On a file server, they can only access the files they are authorized to access. These controls are basically enforced by username and password.

In the internal network, two access mechanisms are mainly used: HTTP and HTTPS. HTTP is characterized by having no encryption for data in transit. That is, the username and password are transmitted in clear text on the network. In this case, the username and password can easily be stolen with tools such as a network sniffer and then used to carry out sabotage. And once the username and password are leaked, even the best security measures will not help. The author's suggestion is that for important applications, such as mail and file servers, it is best to use the HTTPS protocol. This protocol uses the SSL encryption mechanism to encrypt data during transmission, which protects the username and password.

Intranet security management is a very complex and extensive subject. This article has introduced several shortcomings for your reference, and they are certainly classic problems. You can carry out a self-examination according to the actual situation of your company. For internal network security, prevention is what matters.
