
Monday, October 22, 2007

Employee Termination Policy in the SMB segment

Browsing Chris’s blog (which has tons of useful and informed commentary) I came across a post on employee termination policies. This is an often overlooked piece of working in the SMB segment. Why the miss? Good question…

First – perhaps most obvious … Small IT service providers (which really should already have lots of familiarity with security and trust) usually don’t have the right experience here, and as a result most of them are terrible at it. Why? Maybe they’re too small to know what a larger organization needs … or maybe they have the wrong employees (or owners)… but I’d be willing to wager that most who are bad at this are bad because they’re so concerned about preserving the existing revenue streams… with not rocking the boat… that they turn a blind eye to helping clients manage other forms of risk. Let me give you a couple of examples on risk… Licensing a mess? See no evil. Employees with grossly inappropriate (or negligent) access? Hear no evil. Or the worst offender… the provider is too busy. They’re too busy to add value… too scared of risking the revenue stream, or too fill-in-the-blank, that they really fail across the board… and unfortunately, it’s the customer who pays.

Need examples of the risks here?
Employee X is terminated, no one tells the IT service provider – and… use your imagination.

Employee X misrepresents their previous employer … or steals sensitive information, or wreaks havoc by deleting files (or randomly modifying data). An endless stream of nightmare-ish events.

And the worst thing about this? Most clients will have no idea that their IT service provider is responsible for this miss. Sure, the client might not have notified you… but did you ever bring it to their attention that the risk existed?

I can hear the complaints now… it’s too hard to sell a client on this. Really? You really can’t sell clients on having a policy and procedure in place for managing turnover? What kind of effort does it take to put something in place, and get HR and ownership to buy in? Hours? Days? Is that too much for your clients to swallow? If so – start upgrading your client base. Because I haven’t found a business owner – or decision-making HR person – who didn’t think this was a reasonable risk to address; it’s your job to figure out how to address it within the context of your client’s expectations. And remember, this isn’t selling on fear… in fact, if you have to sell this at all, and it’s not a frank conversation between you – the trusted advisor – and your client, then you’re missing more than just this.

If this doesn’t make sense to you, put yourself in the shoes of an IT manager, HR person, or owner of your client organization (and then ask yourself why you haven’t been doing this all along). I guarantee you that if you were in those shoes at a mid-size organization, you’d be taking ownership of this yourself and getting it addressed ASAP. So do, and it might open up more doors at the client. At the very least, you’re cleaning up messes, and addressing real-world risk.

Tuesday, April 17, 2007

SBS: Are you redirecting the location of newly created computer objects?

Note: This isn’t specific to SBS, but larger organizations tend to already have processes in-place to handle this.

Short answer – use “redircmp.exe” for all of your SBS installs.
Need reasons? Read on…

So, by default when new computers get added to the domain, they get created in the Computers container. And it might be okay that they get dumped there, because it forces someone to do something with them. Assuming you’re the only one managing it, you won’t forget, right? Oh, you might? What about your other netadmins, will they forget? Maybe so.

Simplify and automate…

That’s why we have Active Directory anyway, right? Well, that and to scale nicely – but doing stuff is a big part of it. So if you have computers piling up in that Computers container (by now you should have opened up ADUC), then you know for a fact that they don’t get any of your OU-linked GPOs applied – the Computers container is a container, not an OU, so only what’s linked at the domain level reaches them. And if dozens of boxes – for that matter, if even a few boxes – have been added without following the correct process, then at best you have some confusion. Worst case, you have boxes that aren’t getting updates distributed via WSUS (or some similar fate).

Fortunately, there’s a tool for this called “redircmp.exe”. What is it? How do you use it? Is it safe for SBS? Don’t want to read the KB article? Well, it’s just what it sounds like – a tool for redirecting the default location of newly created computer objects (there’s a “redirusr.exe” too, which does the same for users). The first step is probably to consider building onto the OU design of SBS. No, I’m not talking about changes to the SBS-ized stuff… we tend to build out beneath the default OU structure for customization. Why? Well, it reduces risk – it helps us enable our clients to do a bit of self-management sometimes – and it keeps team members from making big mistakes. But the main reason is that you probably want something that makes sense for your circumstances and your client. The hierarchy should fit the business need.

As far as how to use it, there’s not much to it… from the SBS server just run it and it gives you the usage. Otherwise, here’s something that might make sense for you… obviously this is a sample based loosely on the SBS hierarchy.

redircmp ou=WSUSMasterOU,ou=SBSComputers,ou=Computers,ou=MyBusiness,dc=domain,dc=local

(The distinguished name is a single argument; this one has no spaces, so no quotes are needed. If you copy it from a web page, make sure no curly quotes come along for the ride.) It should respond with “Redirection was successful.” If it said something else, check this KB article. Now go ahead and test it. Fire up Virtual PC with a base image, add it to the domain, and refresh the OU in ADUC. It should show up down in the WSUSMasterOU (or whatever is appropriate for you). Depending on how much automation you want, this might be enough. At the very least, you’re a step in the right direction – and if someone is forgetting to move it down further into the right OU, or add it to the right group, then at least you’ve got a base level of GPOs being applied.
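Here is an added example (not from the original post) that wraps the redircmp step in the before-and-after checks you’d want: it reports where new computer objects currently land, lists anything still parked in the default Computers container, refuses to redirect to an OU that doesn’t exist, and re-reads the domain afterward so you can see the change. It assumes the RSAT ActiveDirectory PowerShell module is available and that redircmp.exe is on the path; $targetOU reuses the sample DN from above and should be replaced with your own. (One prerequisite from the redircmp documentation: the domain functional level must be Windows Server 2003 or later.)

```powershell
# Added example, not from the original post: wrap redircmp.exe with sanity checks.
# Assumes the ActiveDirectory module (RSAT) and redircmp.exe on the PATH.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
# Sample OU path from the post; substitute the OU that fits your hierarchy.
$targetOU  = "OU=WSUSMasterOU,OU=SBSComputers,OU=Computers,OU=MyBusiness,$domainDN"
$defaultCN = "CN=Computers,$domainDN"

# ComputersContainer is derived from the domain's wellKnownObjects attribute,
# which is exactly what redircmp.exe rewrites.
Write-Host "New computer objects currently land in: $($domain.ComputersContainer)"

# 1. Anything still sitting in the default container gets no OU-linked GPOs.
$strays = Get-ADComputer -SearchBase $defaultCN -SearchScope OneLevel -Filter * |
          Select-Object Name, DistinguishedName
if ($strays) {
    Write-Warning "$(@($strays).Count) computer object(s) still in the default Computers container:"
    $strays | Format-Table -AutoSize
}

# 2. Typo protection: never redirect to an OU that does not exist.
try {
    $null = Get-ADOrganizationalUnit -Identity $targetOU
} catch {
    throw "Target OU '$targetOU' was not found; fix the DN before redirecting."
}

# 3. Apply the redirection only if it is not already in place.
if ($domain.ComputersContainer -ieq $targetOU) {
    Write-Host "Redirection already points at $targetOU; nothing to do."
} else {
    $result = & redircmp.exe $targetOU 2>&1
    Write-Host $result
    # The post says success looks like "Redirection was successful."
    if ($result -notmatch 'Redirection was successful') {
        throw "redircmp did not report success; consult the redircmp KB article."
    }
    # 4. Re-read the domain object to confirm the well-known container changed.
    $after = (Get-ADDomain).ComputersContainer
    Write-Host "New computer objects now land in: $after"
}
```

Run it once before the change to see the stray list, and once after to confirm the new container; the stray-object report is also worth scheduling on its own, since redircmp only affects objects created from now on and does nothing about what is already in the container.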

Thursday, February 22, 2007

IT Security in an imperfect world

Andy has a good article on basic IT security.

He hits on some of the pain-points of being an IT professional with a security focus – especially for those of us dealing with small to mid-sized clients/organizations. So he talks about things like… Management reverting to a “let’s make this easy” approach, as well as some other common items like… Open Access Points, firewall holes, local administrator access on end-user systems… you get the point.

Andy sounds like he is the security admin for a mid-sized organization, so his approach will be rightfully different than mine. But I thought it was interesting nonetheless.

Let me first say that I understand where Andy’s coming from. A few years ago, I worked for a larger organization. And I, much like Andy, was/am very security minded. Since then, though, I’ve had the opportunity to work with many organizations of varying sizes and mind-sets, and over time I’ve refined my approach for the clients that I serve.

Instead of just looking at problems and finding solutions (the tactical approach), I took a couple of steps back and started approaching things differently. What I’ve come to see is that there is no ideal situation from an IT and/or security standpoint, and there are a lot of reasons (or excuses, your choice) for the way things are… maybe it’s management’s approach, maybe it’s the technical staff, maybe it’s the budget… it may be a lot of different things. But instead of hammering on everyone to clean up islands of problems, I started to take a different approach.

Find the answers to these four questions and it will improve your life, and career.

  • Is there a corporate IT vision, and/or strategy?
  • Where’s the plan?
  • Are we measuring against expectations set in the plan?
  • Is anyone accountable for anything?

If you can find the answers to these questions, you can probably get to the root cause pretty quickly. Take the emphasis off of tactics and figure out the direction of the ship. In my experience, the ship often has no direction, so it might be your job to set it on course. Or, if there is a direction and your job isn’t to set the course, then you have a few options… either execute against the existing vision/strategy, move into a position where you can set the strategy, or get out of Dodge.

Stop worrying about the legion of developers running as local admins with Visual Studio 2005 installed (hey, they all pretty much need to be local admins anyway under XP, just ask Microsoft). Or maybe you’ve got a client who has cash-flow issues, and just simply wants to get through today. Or maybe you’re dealing with an old, large, slow-moving organization that has so much bureaucracy that it takes 30 days for a server build to get approved.

In short, figure-out what the situation is, and get a plan together. Then either get moving, or move-on.

Friday, December 22, 2006

Security: Thoughts on Security in the SMB space

Ross and Andy both make good points about the depth of security; or rather, that just doing the basics when it comes to security leaves you predictable, and as a result… vulnerable. In other words, you should be doing more than checking your perimeter logging, looking at your IDS/IPS logs, and making sure your workstations are up to date.

If we are only talking about the security of one organization, or of a medium-to-large organization – I think that would be perfectly reasonable. But when I think about our SMB clients… and the SMB market in general… I don’t know of anyone in this market that’s doing much more than playing “night watchman” (using Ross’s terminology). I don’t even know if the SBS Diva Susan Bradley - who is one of the biggest champions of security in the SBS space - is talking penetration testing.

You always need to balance real risk, the client’s perception of risk, and the real costs of meeting what you consider to be valid security objectives. Now maybe, in the SMB space you don’t have as many valid security objectives… certainly smaller clients will have difficulty justifying the type of security Ross is talking about – and perhaps these activities are ignored, and ignored rightfully so.

I work in a medium-sized organization… but even little things like software licensing, re-purposing servers that are out of warranty, and trying to justify basic security considerations all represent uphill battles. Couple that with the fact that so much of security sounds like insurance when you’re trying to sell someone (your boss, a client, whomever), and not only is security an uphill battle that requires rocking the boat from time to time, but it’s something that you need to approach carefully. Closely consider whether the risk that you’re attempting to mitigate justifies the time, energy, and opportunity cost you’re committing to. Make certain that you’ve got your other bases covered – like your equipment, software licenses, backup/recovery plan, etc. – before trying to tackle new commitments.

Now, none of this is to say that you shouldn’t be improving security for yourself, and/or the organizations that you support. And this is NOT an excuse to start ignoring your logs, or not doing port scans, and the like. But you do need to evaluate the attack surfaces that you’re exposing, and what the risks are to your organization, and your own career as well as the perception of your role in an organization - when you start talking security.

Bottom line… rock the boat when it needs rocking - but don’t rock just for the sake of rocking.

Monday, June 12, 2006

Antivirus: Part 1, Meeting customer antivirus policy requirements

Do you ever consider what it takes to meet a customer’s antivirus policy statement before going on-site? You should… and with the number of VARs, network integrators, IT consultants, etc. that have to go on-site to customer locations – especially with large customers, you’d think there would be more conversations surrounding how to meet a customer’s antivirus policy when working at their location.

What do you mean?

Well, consider this. You work for a consulting shop… you have engineers of various types (programmers, netadmins, electrical engineers, etc.). These personnel work on projects for customers. In at least some cases, these personnel will need to go on-site to the customer’s location (either via VPN, or be physically on-site). And of course, they’ll need to bring their laptops with them and connect to the customer’s network. Maybe some customers have guest VLANs configured, but in some cases (and in my experience, most) customers will require that you be connected to a production LAN of some type – either to work on servers, databases, etc. How can you be sure that your employees have antivirus software that is fully up-to-date?

Now, simply telling employees – even very good and technical employees - to make certain their antivirus software is fully up-to-date probably isn’t enough. Maybe infection notifications – pop-ups, emails, etc. might be of some use. But this isn’t necessarily going to give your customer the protection you want to give them!

Considering Risk!

It’s important to consider the potential risks you expose a customer to when someone on your staff takes their laptop on-site. In fact, it’s probably even more important because the scale and scope of the risk is probably greater. For instance, what’s the worst case scenario on your internal network – a massive outbreak that results in downtime and extra work? That’s bad. But what’s the worst-case scenario for your customer – pretty much the same thing – except the customer can choose not to work with you in the future… so it’s not just downtime and soft numbers, but the potential for a material impact to your business.

So having fully patched operating systems and up-to-date antivirus software is even more important. In fact, it should be a given. But how do you validate this? Validation should be accomplished through a combination of good policies, procedures, and tools.
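As an added example of the “tools” leg of that (this is not from the post, whose promised follow-ups are not on this page), here is a PowerShell pre-flight check an engineer can run on their own laptop before plugging into a customer LAN. It assumes the laptop runs Microsoft Defender (the Get-MpComputerStatus cmdlet from the Defender module) and treats the maximum signature age and patch age as policy knobs; the $MaxSignatureAgeDays and $MaxDaysSinceLastPatch defaults are assumed values for illustration, not numbers from the post.

```powershell
# Added example, not from the original post. Pre-flight check before connecting
# a consultant laptop to a customer network. Assumes Microsoft Defender; the
# threshold defaults are illustrative policy values, not from the post.
param(
    [int]$MaxSignatureAgeDays   = 1,
    [int]$MaxDaysSinceLastPatch = 30
)

$findings = New-Object System.Collections.Generic.List[string]

# --- Antivirus state (Defender module ships with Windows 8 / Server 2012 and later) ---
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add("Antivirus engine is disabled") }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is off") }
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings.Add("AV signatures are $($mp.AntivirusSignatureAge) day(s) old " +
                  "(last updated $($mp.AntivirusSignatureLastUpdated))")
}

# --- Patch state: how long since the most recent hotfix was installed ---
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $findings.Add("No installed hotfixes reported")
} elseif (((Get-Date) - $lastPatch.InstalledOn).Days -gt $MaxDaysSinceLastPatch) {
    $findings.Add("Last patch ($($lastPatch.HotFixID)) installed " +
                  $lastPatch.InstalledOn.ToShortDateString())
}

# --- Report: non-zero exit so a login script or NAC hook can act on it ---
if ($findings.Count -eq 0) {
    Write-Host "OK: AV current (signature $($mp.AntivirusSignatureVersion)), patches within policy."
    exit 0
} else {
    Write-Warning "Do not connect to the customer LAN until these are fixed:"
    $findings | ForEach-Object { Write-Warning "  - $_" }
    exit 1
}
```

The point of the exit code is that the check can be enforced rather than merely suggested: a procedure that asks engineers to “make sure AV is current” becomes a script that runs at logon or before the VPN client connects, and the findings list is what gets attached to the ticket when it fails.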

In follow-up posts, I’ll discuss what we're doing to better protect our customers.