Thursday, November 13, 2008

Turned off by default

Every now and then I read about a product, most often a server, that is considered more secure because features are turned off by default.

There is something left unsaid in this kind of advertisement: it implies that you will not choose which features are turned on and off, and that you will use the product just as it comes out of the box.

No company should do that. No uncustomized product should go into production in a company. That's precisely what the admins are paid for: to know the various options and to adjust them. If you don't do that for every product, it probably means one of two things:
  • Your admins are not qualified for their job, or you underuse them.
  • Your company is full of security holes, because of unknown and unmonitored features.
So check on this in your company, and remember that unless you hire them precisely for that task, consultants will never take the time to look at the side features of a product. It is your teams' job to do this work.