Security

A review of your organization's security standards and how they are implemented is useful even if you are not moving to a new operating system, but it becomes particularly important when you do. Review your security standards and procedures for mobile and desktop users, internal and external networks, and dial-up and remote access accounts.

Are administrative tasks such as creating users, groups, and file shares, changing passwords, and configuring device and object attributes performed by a centralized group or by several groups? What are the specific rights and membership lists of these groups?

Document the types of relationships that currently exist among office locations, business units, and divisions in your organization. Are the administrative tasks in these units shared or is each unit responsible for its own administration? Do your user groups extend over company divisions or locations, or do you construct them by organizational unit? Document this and any existing user and enterprise security policies. Document what types of information are available to which groups, and any significant restrictions required for certain types of information, such as accounting data.

Document any guidelines that exist regarding appropriate network usage, such as whether staff members can access the Web and for what purposes, and what constitutes prohibited or inappropriate access.

The relationships your company has with outside vendors, customers, and joint venture or business partners affect your security strategy. Answer the following questions about your company's relationships:

  • Do you have service-level commitments with your partners or permit them access to your network on a recognized user level?

  • What are your policies concerning their access to your network data and resources?

  • Can they view data on a read-only basis, or can they change or add to data on your network?

  • How do you restrict access to applications?

Document the security and encryption standards currently in place or planned for the future in your organization by including the following information:

  • Document security permissions on your network by user and user group.

  • List your domains and the existing trust relationships between domain controllers.

  • Document your password standards—how long a password must be, approved combinations of characters, how long a user is permitted to retain a password, and so on.

  • List the security protocols used in your network.

  • Document how you authenticate external users from the Internet, dial-up, and wide-area network (WAN) links to your network.

  • Document the details of any multiple accounts that exist for a single user. For instance, do some of your users have an account for Windows NT and another account for UNIX? Document the permissions, user and user group memberships, and other details of these multiple accounts.
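The permission inventory and the multiple-accounts item above are easier to review when the per-account data is merged into a per-person view. The following script is an added example, not code from the Resource Kit: it takes a constructed inventory (group memberships on an NT domain and a UNIX host, permissions granted to groups and users, and a map from accounts to the person who owns them) and produces, for each person, every account they hold, the rights those accounts resolve to through group membership, and whether any account sits in an administrative group. It also lists accounts with no known owner, which are the ones to resolve before a migration. The group names, share names, and people are all constructed sample data.

```python
"""Build a per-person access report from a constructed account inventory.

Added example for a security review; not code from the Resource Kit. The
inventory below is constructed: groups, their members, the permissions
granted on resources, and which person owns which account.
"""
from collections import defaultdict

# (system, group) -> member accounts.  Constructed sample data.
GROUP_MEMBERS = {
    ("NT", "Domain Admins"): {"NT\\jsmith"},
    ("NT", "Accounting"): {"NT\\jsmith", "NT\\alee"},
    ("UNIX", "wheel"): {"unix:jsmith"},
    ("UNIX", "finance"): {"unix:alee", "unix:bkim"},
}

# (system, resource, grantee, right).  A grantee is "group:<name>" or
# "user:<account>".  Constructed sample data.
PERMISSIONS = [
    ("NT", "\\\\FS1\\Ledger", "group:Accounting", "Change"),
    ("NT", "\\\\FS1\\Ledger", "group:Domain Admins", "Full Control"),
    ("NT", "\\\\FS1\\Public", "user:NT\\alee", "Read"),
    ("UNIX", "/export/ledger", "group:finance", "rw"),
    ("UNIX", "/export/ledger", "group:wheel", "rw"),
]

# Groups treated as administrative in the report.  Constructed; replace with
# the privileged groups that exist in your own environment.
ADMIN_GROUPS = {("NT", "Domain Admins"), ("UNIX", "wheel")}

# Account -> person.  Constructed; "unix:bkim" is deliberately left unmapped
# so that the orphan check has something to find.
ACCOUNT_OWNER = {
    "NT\\jsmith": "Jane Smith",
    "unix:jsmith": "Jane Smith",
    "NT\\alee": "Alex Lee",
    "unix:alee": "Alex Lee",
}


def groups_of(account):
    """Return the set of (system, group) pairs the account belongs to."""
    return {key for key, members in GROUP_MEMBERS.items() if account in members}


def account_rights(account):
    """Resolve the rights one account holds, both direct grants and via groups."""
    rights = set()
    memberships = groups_of(account)
    for system, resource, grantee, right in PERMISSIONS:
        kind, name = grantee.split(":", 1)
        if kind == "user" and name == account:
            rights.add((system, resource, right))
        elif kind == "group" and (system, name) in memberships:
            rights.add((system, resource, right))
    return rights


def all_accounts():
    """Every account seen in group membership, direct grants, or the owner map."""
    accounts = set(ACCOUNT_OWNER)
    for members in GROUP_MEMBERS.values():
        accounts |= members
    for _, _, grantee, _ in PERMISSIONS:
        kind, name = grantee.split(":", 1)
        if kind == "user":
            accounts.add(name)
    return accounts


def person_report():
    """Merge every account a person owns into one entry of accounts, rights, admin flag."""
    report = defaultdict(lambda: {"accounts": set(), "rights": set(), "admin": False})
    for account in all_accounts():
        person = ACCOUNT_OWNER.get(account)
        if person is None:
            continue  # unmapped accounts are reported separately
        entry = report[person]
        entry["accounts"].add(account)
        entry["rights"] |= account_rights(account)
        if groups_of(account) & ADMIN_GROUPS:
            entry["admin"] = True
    return dict(report)


def orphan_accounts():
    """Accounts with no known owner; these need an owner or removal before migration."""
    return sorted(a for a in all_accounts() if a not in ACCOUNT_OWNER)


if __name__ == "__main__":
    for person, entry in sorted(person_report().items()):
        flag = " [ADMIN]" if entry["admin"] else ""
        print(f"{person}{flag}: accounts={sorted(entry['accounts'])}")
        for system, resource, right in sorted(entry["rights"]):
            print(f"    {system:5} {resource:18} {right}")
    print("Orphan accounts:", orphan_accounts())
```

The report deliberately keys on the person rather than the account, because the item above asks what a user can do across all of their accounts; an NT account with Change on a share and a UNIX account with write on the exported copy of the same data are one set of rights from the reviewer's point of view. Feeding it real data means exporting group membership and share or directory permissions from each system into the same three tables.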

For more information about the issues involved in creating a network security plan, see "Planning Distributed Security" in this book. These issues involve recognizing the types of security risks your organization might face and planning ways to meet these risks. As part of this process, you will plan and develop policies concerning public key infrastructure and user authentication, and develop ways to secure e-mail and Web servers.

While you are reviewing your existing security arrangements, review your backup schemes, including whether you might reduce security risks by storing backups offsite, and whether your disaster recovery plan is up-to-date and appropriate to your current network size and demands. For more information about developing a storage configuration policy and disaster recovery plan, see "Determining Windows 2000 Storage Management Strategies" in this book.

For more information about security issues and planning using Windows 2000 features, see "Internet Protocol Security" in the Microsoft Windows 2000 Server Resource Kit TCP/IP Core Networking Guide, and "Planning Distributed Security" in this book.