Security Solutions
3-124
Designing Access Controls
Finalize Security Policies
“Customer Needs Assessment,” meet with users and consider their input when
formulating the policy. Also test policies before enforcing quarantining. (See
the ProCurve Access Control Implementation Guide.)
Due to the high level of control exerted by these tests, these tests are most
appropriate for checking endpoints in private zones. It is a rare security policy
that requires all of the tests in this section. Go through the steps below to
choose the tests for your environment.
Note You might want to use some tests more as reminders to users and you than as
deal-breakers for network access. The NAC 800 allows you to specify different
test actions for different tests. Failing a particular test could trigger an email
to the network administrator but not quarantine the failed endpoint.
1. Do you require hotfixes for IE?
2. Do your security policies dictate specific settings for IE security zones?
Circle the security level (high, medium, medium-low, or low) for each zone
in Table 3-97.
3. Does your organization require users to run a particular version of Web
browser?
Enter the required versions in Table 3-97.
Table 3-97. Web Browser Tests
4. Do your security policies dictate specific settings for macros?
Circle the security level (high, medium, medium-low, or low) for each
application that uses macros.
Test Settings IE Mozilla Firefox
Required version For Windows XP or 2003: For Windows 2000:
Hotfixes required? Yes or no Not applicable
Internet zone—security
setting
High
Medium-low
Medium
Low
Not applicable
Local zone—security setting High
Medium-low
Medium
Low
Not applicable
Trusted zone—security
setting
High
Medium-low
Medium
Low
Not applicable
Restricted zone—security
setting
High
Medium-low
Medium
Low
Not applicable