<b><i>Practice Tip</b></i>Security on the Desktop

Information security has come to play an extremely vital role in today's business environment. Whether you are a solo practitioner or an IT Director of an AmLaw 100 or 200 firm, how can you best protect your company's data from being compromised? Anyone who experienced the “Slammer Worm” attack last January or the “So Big Worm” this past August knows the astonishing speed these viruses spread across the Internet. Hundreds of thousands of networks were affected within hours of each of those outbreaks. What is even more disconcerting is that in the case of the Slammer Worm, the attack exploited a well-known vulnerability in SQL Server; one which Microsoft had already fixed in a patch six months earlier.

For mid- to large-size firms, a security policy is of paramount importance in order to ensure that the most appropriate security measures have been implemented with an acceptable level of competency and consistency throughout the organization. Physical desktop security, password best practices, virus protection, software installation and e-mail best practices are a few of the subjects that would form the core of the security policy document.

Ninety-nine percent of computer break-ins can be prevented by following the below three best practices:

• Use up-to-date and properly configured anti-virus software
• Refuse to install or load any unknown program (via e-mail or via the Internet)
• Run the Microsoft Windows Update and Office Update Services regularly

For the purposes of this article, I will focus on the last item listed.

Windows Update Services

Vulnerabilities in the primary Microsoft software programs used in law firms (Microsoft Windows, Office and Internet Explorer) are literally uncovered daily, if not multiple times a day. Fortunately, Microsoft provides a relatively quick and easy solution to keeping your desktop systems up to date with security patches as they are officially released. The site to visit is www.windowsupdate.microsoft.com. The following operating systems are supported: Windows 98, Windows 2000, Windows XP & Windows Server 2003.

How Do I Know Which Updates I Need?

The great thing about Windows Update is that it scans your computer and displays a list of updates specifically targeted to the software installed on your computer. The history of what patches have already been installed on your computer is taken into account. Technically, this is performed via the use of ActiveX controls that access various settings stored in your computer's registry.

How Does it Work?

On the Windows Update home page (www.windowsupdate.microsoft.com), click on “Scan for Updates”. If you are asked to accept an ActiveX control, accept it. Note, you should only accept ActiveX controls when they are signed by a trusted source and when they are offered from a trusted Web site. By accepting an ActiveX control, you are, in fact, giving the OK to download and run a program on your computer. Do not do this unless you know what it is, and from where, you are downloading.

Updates are organized by category. Browse the various categories and click the “Add” button to add that update to the list of updates you wish to download and install. Each update is also accompanied by a description that you can view by clicking on the “Read more…” link.

Install the updates. Clicking on the “Install Now” button will download and install all updates you have previously selected. Chances are that you will have to reboot your computer, although sometimes this is not necessary.

Windows Update Categories

There are three broad categories of updates:

Critical Updates & Service Packs. These are all a “must install”. They involve security and/or reliability problems which have been fixed by Microsoft. In some cases (ie, service packs) you may have to install one update first before being able to go on to install others.

Recommended Updates. Do not blindly install these updates. Only install them if they apply to your environment. If an update does not fix a problem you are specifically experiencing, then installing it may actually create a problem you didn't have prior to the update.

Driver Updates. Again, do not blindly install these updates. Only do so if you are experiencing the problem described in the update and after having already checked with your hardware manufacturer.

Microsoft Software Update Services (SUS)

If you have multiple desktops to manage, and you do not want to have to run Windows Update Service on each one of them, the next step up is to use Microsoft's free Software Update Services program. Microsoft SUS is like a copy of Windows Update inside your firm's firewall. You install it on a Windows 2000 server. (Note: it is not compatible with Windows 98 desktops.) The SUS server connects to the Microsoft Windows Update site and automatically downloads all appropriate patches. You then point each of your desktop computers to the SUS server, so that the desktop pulls the patches down from the SUS server rather than directly going out to the Windows Update site. This not only conserves network bandwidth, but can also be invaluable in times where a wide-scale attack is in progress and the Windows Update sites are flooded with download requests.

For more information about this nifty software tool, visit www.susserver.com.

Information security has come to play an extremely vital role in today's business environment. Whether you are a solo practitioner or an IT Director of an AmLaw 100 or 200 firm, how can you best protect your company's data from being compromised? Anyone who experienced the “Slammer Worm” attack last January or the “So Big Worm” this past August knows the astonishing speed these viruses spread across the Internet. Hundreds of thousands of networks were affected within hours of each of those outbreaks. What is even more disconcerting is that in the case of the Slammer Worm, the attack exploited a well-known vulnerability in SQL Server; one which Microsoft had already fixed in a patch six months earlier.

For mid- to large-size firms, a security policy is of paramount importance in order to ensure that the most appropriate security measures have been implemented with an acceptable level of competency and consistency throughout the organization. Physical desktop security, password best practices, virus protection, software installation and e-mail best practices are a few of the subjects that would form the core of the security policy document.

Ninety-nine percent of computer break-ins can be prevented by following the below three best practices:

• Use up-to-date and properly configured anti-virus software
• Refuse to install or load any unknown program (via e-mail or via the Internet)
• Run the Microsoft Windows Update and Office Update Services regularly

For the purposes of this article, I will focus on the last item listed.

Windows Update Services

Vulnerabilities in the primary Microsoft software programs used in law firms (Microsoft Windows, Office and Internet Explorer) are literally uncovered daily, if not multiple times a day. Fortunately, Microsoft provides a relatively quick and easy solution to keeping your desktop systems up to date with security patches as they are officially released. The site to visit is www.windowsupdate.microsoft.com. The following operating systems are supported: Windows 98, Windows 2000, Windows XP & Windows Server 2003.

How Do I Know Which Updates I Need?

The great thing about Windows Update is that it scans your computer and displays a list of updates specifically targeted to the software installed on your computer. The history of what patches have already been installed on your computer is taken into account. Technically, this is performed via the use of ActiveX controls that access various settings stored in your computer's registry.

How Does it Work?

On the Windows Update home page (www.windowsupdate.microsoft.com), click on “Scan for Updates”. If you are asked to accept an ActiveX control, accept it. Note, you should only accept ActiveX controls when they are signed by a trusted source and when they are offered from a trusted Web site. By accepting an ActiveX control, you are, in fact, giving the OK to download and run a program on your computer. Do not do this unless you know what it is, and from where, you are downloading.

Updates are organized by category. Browse the various categories and click the “Add” button to add that update to the list of updates you wish to download and install. Each update is also accompanied by a description that you can view by clicking on the “Read more…” link.

Install the updates. Clicking on the “Install Now” button will download and install all updates you have previously selected. Chances are that you will have to reboot your computer, although sometimes this is not necessary.

Windows Update Categories

There are three broad categories of updates:

Critical Updates & Service Packs. These are all a “must install”. They involve security and/or reliability problems which have been fixed by Microsoft. In some cases (ie, service packs) you may have to install one update first before being able to go on to install others.

Recommended Updates. Do not blindly install these updates. Only install them if they apply to your environment. If an update does not fix a problem you are specifically experiencing, then installing it may actually create a problem you didn't have prior to the update.

Driver Updates. Again, do not blindly install these updates. Only do so if you are experiencing the problem described in the update and after having already checked with your hardware manufacturer.

Microsoft Software Update Services (SUS)

If you have multiple desktops to manage, and you do not want to have to run Windows Update Service on each one of them, the next step up is to use Microsoft's free Software Update Services program. Microsoft SUS is like a copy of Windows Update inside your firm's firewall. You install it on a Windows 2000 server. (Note: it is not compatible with Windows 98 desktops.) The SUS server connects to the Microsoft Windows Update site and automatically downloads all appropriate patches. You then point each of your desktop computers to the SUS server, so that the desktop pulls the patches down from the SUS server rather than directly going out to the Windows Update site. This not only conserves network bandwidth, but can also be invaluable in times where a wide-scale attack is in progress and the Windows Update sites are flooded with download requests.

For more information about this nifty software tool, visit www.susserver.com.