Networking: A Beginner's Guide
but you set their permission to access a particular file in that directory to read-only,
they would have only read-only access to that file.
TIP
For a network of any size, I recommend avoiding the use of file-specific network permissions,
except in very rare cases. It can quickly become an unmanageable mess to remember to which
files each user has special permissions and to which files a new hire needs to be given specific
permission.
Practices and User Education
The most insecure part of any network is the people using it. You need to establish
good security practices and habits to help protect the network.
It's not enough to design and implement a great security scheme if you do not
manage it well on a daily basis. To establish good practices, you need to document
security-related procedures, and then set up some sort of process to make sure that the
employees follow the procedures regularly. In fact, you're far better off having a simple
security design that is followed to the letter than having an excellent but complicated
security design that is poorly followed. For this reason, keep the overall network security
design as simple as possible, while remaining consistent with the needs of the company.
You also need to make sure, to the maximum extent possible, that the users
are following prudent procedures. You can easily enforce some procedures through
settings on the network operating system, but you must handle others through
education. The following are some tips to make this easier:
Spell out for users what is expected of them in terms of security. Provide
a document that describes the security of the network and what they need
to do to preserve it. Examples of guidelines for the users include choosing
secure passwords, not giving their passwords to anyone else, not leaving their
computers unattended for long periods of time while they are logged in to the
network, not installing software from outside the company, and so forth.
When new employees join the company and are oriented on using the network,
make sure that you discuss security issues with them.
Depending on the culture of the company, consider having users sign a form
acknowledging their understanding of important security procedures that the
company expects them to follow.
Periodically audit users' security actions. If the users have full-control access to
directories, examine how they've assigned permissions to other users.
Make sure that you review the security logs of the network operating system
you use. Investigate and follow up on any problems reported.
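The two audit items above, checking what users with Full Control have granted and reviewing the security log, can be scripted on a Windows file server. The PowerShell below is an added example, not code from the book: it walks a share and reports non-inherited ACEs on files (the file-specific permissions the earlier TIP discourages) and Full Control grants to principals outside an assumed trusted list, then pulls Security-log event 4670 (permissions on an object were changed) for paths under that share. The share path D:\Shares\Dept, the trusted-principal list, and the assumption that object-access auditing is enabled with a SACL on the share are all hypothetical.

```powershell
# Added example, not from the book. Audits an NTFS tree for the two things the
# chapter says to review, then lists matching Security-log events.
# Assumptions: share root D:\Shares\Dept, the $Trusted list below, and that
# object-access auditing is enabled so that event 4670 is actually logged.

# Principals for which Full Control is expected; anyone else holding it can
# re-delegate access and is exactly who the audit should look at.
$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Get-AclFindings {
    param([Parameter(Mandatory)][string]$Root)

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                # 1. A non-inherited ACE on a *file* is a file-specific permission,
                #    the kind the TIP recommends avoiding on networks of any size.
                if (-not $item.PSIsContainer -and -not $ace.IsInherited) {
                    [pscustomobject]@{
                        Issue     = 'FileSpecificACE'
                        Path      = $item.FullName
                        Owner     = $acl.Owner
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Type      = $ace.AccessControlType
                    }
                }
                # 2. Full Control allowed to someone outside $Trusted. Parentheses
                #    matter: in PowerShell -band binds *looser* than -eq, so
                #    "$a -band $full -eq $full" would compute $a -band $true.
                #    Inherit-only ACEs that carry generic rights (large integer
                #    values rather than FullControl) are not matched here.
                if ($ace.AccessControlType -eq 'Allow' -and
                    (($ace.FileSystemRights -band $full) -eq $full) -and
                    ($Trusted -notcontains $ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Issue     = 'FullControlGrant'
                        Path      = $item.FullName
                        Owner     = $acl.Owner
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Type      = $ace.AccessControlType
                    }
                }
            }
        }
}

function Get-PermissionChangeEvents {
    # Event 4670, "Permissions on an object were changed", shows who rewrote a
    # DACL. It is only recorded when object-access auditing is enabled and the
    # directory carries a SACL (assumed here); otherwise this returns nothing.
    param([Parameter(Mandatory)][string]$PathPrefix, [int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the EventData fields by name rather than by position.
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $field[$d.Name] = $d.'#text'
            }
            if ($field.ObjectName -like "$PathPrefix*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($field.SubjectDomainName)\$($field.SubjectUserName)"
                    Object  = $field.ObjectName
                    Process = $field.ProcessName
                    NewSd   = $field.NewSd   # SDDL; decode with ConvertFrom-SddlString
                }
            }
        }
}

# Usage (assumed share root):
$root = 'D:\Shares\Dept'
Get-AclFindings -Root $root | Sort-Object Issue, Path | Format-Table -AutoSize
Get-PermissionChangeEvents -PathPrefix $root | Format-Table -AutoSize
```

Run it in an elevated session on the file server itself, since reading the Security log and every ACL under the share requires administrative rights. A "FullControlGrant" row tells you which user can hand out permissions; the 4670 rows tell you whether they have done so and from which process, which is the record the final TIP suggests keeping when an investigation turns out not to be benign.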
TIP
It's a good idea to document any security-related issues you investigate. While most are
benign, occasionally you might find one in which the user had inappropriate intent. In such cases,
your documentation of what you find and what actions you take might become important.