Welcome to the Better-than-Nothing Security Practices Web Page.
If you're interested, the concept of BTNSP came to me in late 2002 when a client asked me what the best strategy was to harden his Windows infrastructure. My response was to hire Jason Fossen as a consultant for a month and send all of his SYSADS, NETADS, and CSO to SANS conferences several times a year. When he found out how much that would cost he said, "My CFO won't go for that. What can we do that's cheap?"
This is not an isolated event. Many if not most CIOs and CSOs are expected to implement effective computer and security policies and procedures without adequate budgets for training, consulting, equipment, and the like. My clients have been telling me for years that CFOs take the position that no budget is warranted that can't produce an ROI. HIPAA and Sarbanes-Oxley are starting to change their attitudes, but the modern CIO and CSO still have a lot of inertia to overcome.
So, I took some ideas that I had, a box full of clippings and post-it notes to myself, some tricks I learned at SANS conferences, and made a first pass at creating a helpful guide for securing my own XP clients. The first thing that I noticed was that none of the dozen or so XP boxes I used had anything approaching the same security settings in place, because I hadn't been meticulous enough when I set the local security policies. I would forget things, get interrupted or distracted and fail to get back to the security implementation, change my mind on the optimal configuration, etc. At that point, my research assistant, Jacob Uecker, rose to the challenge (ok, he was gently pushed :-) and we set off to try to standardize XP security settings for our environments. The result was BTNSP for XP in late 2003. Shortly thereafter, we re-visited the exact same problem I had with my firewalls. Then I took up wireless, then browsers, then firewalls. We will continue to update and expand as time permits.
Various versions of BTNSP have been online since 2003. They were taken offline for about a year in August, 2005, but now they're back and integrated into my Website. You will note that many of the security issues covered in the BTNSP series are also topics of various publications on my site.
Let there be no question about it, this is not the ideal way to approach security policy - hence the name. In the case of XP and Vista, optimal use of security policy would be achieved via Active Directory and Group Policy settings administered by the domain controllers. However, a lot of the world still lacks the skills and/or resources to do this, and that approach only occasionally applies to SOHO environments at all. While waiting for the optimal solution to arrive at your desk, BTNSP may help to increase your security safety margins.
So, that's the story. We hope you find the BTNSP series helpful. Our goal is to provide the reader with a benchmark that we find useful, against which they may compare their existing security policies. We hope it goes without saying, but just as a reminder: don't try to implement any of our suggestions unless you (a) understand what you're doing, and (b) have the permission of your organization. Even if (a) and (b) are satisfied, changes should be made on a test computer before attempting them in a production environment. Of course, we also must add the standard disclaimer that if you use guidelines contained in BTNSP, you do so at your own risk. No warranty - express or implied - is made with respect to BTNSP.
And, of course, remember to read the "Permissions of Use" page before proceeding.
rev. history: 3/29/07,2/27/07,11/06,2/15/05,12/10/04,1/6/04,10/1/03