Security Best Practice

So I'm dealing with the age-old battle: too many users having too many rights.

When I started at my present company everyone was a domain administrator, logged on to any and every server, and did whatever they wanted. I've worked hard over the last 4 years to reverse this and it's been an uphill battle (because users don't like to have things taken away).

My boss jokes that I'm a jack-booted thug and doesn't understand why I'm so restrictive, but the moment something breaks because someone had access to something they shouldn't have access to, or does something they shouldn't have done, he grills me about "How could this happen!?" and "How do we prevent this from happening in the future!?". I feel like I'm in a no-win situation. How have you dealt with this type of situation?

#2  Re: Security Best Practice

We're in a very similar situation where a combination of ignorance and history have led to all users being local admins. It's taken a year of constant support calls for apps that aren't supported and shouldn't be installed breaking things for them to accept that the users have too much power.

We're now doing a project with WDS and loads of GPOs to standardise the desktops, and support calls have dropped drastically. In fact things are running much better, and configuration is much easier on some apps now that we are utilising their full capabilities rather than just doing local installs and configuration.

Thankfully we haven't had the "How could this happen?" speech yet. We do a monthly report/healthcheck and every month we flag things like this and they ignore us, so we have it well documented that we've recommended changes. They do have a bad habit of telling people the domain admin password when they need to reboot a remote server, despite us setting up a server operator account for each office for this purpose.

One of the biggest problems we faced was getting the management to stand up to the users and finally admit that they had too many rights. Once we won that battle the rest was easy. Unfortunately it doesn't sound like your boss is willing to do that though.

BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
Cruachan's Blog


#3  Re: Security Best Practice

This is always an endless battle.
If you can calculate what the current support costs and how much it will cost when they switch over, then you might get the attention of your manager.
And if the shit crashes, you can always say: well, I told you so, we were in a far from recommended solution.

psst, can't you deploy Conficker or so?

Marcel
Technical Consultant
Netherlands
http://www.phetios.com
http://blog.nessus.nl

MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
"No matter how secure, there is always the human factor."

"Enjoy life today, tomorrow may never come."
"If you're going through hell, keep going. ~Winston Churchill"


#4  Re: Security Best Practice

Originally posted by joeqwerty:
    ...he grills me about "How could this happen!?" and "How do we prevent this from happening in the future!?". I feel like I'm in a no-win situation.

Omoplatas tend to induce wonderful negotiation terms.

One place I worked in had about 200+ users and all were local admins. It was because it grew from about 2 people to 200 in a little more than 10 years and most of that time there was only one or two IT people trying to manage a very diverse business. Slowly they tried to move people away from local admin (fortunately users didn't know the domain admin password) and it was somewhat successful. Mostly because management was supportive or didn't care and just let IT do what we did best. Fortunately there was enough of a history of trust that we could make changes and most managers would say "okay" (Note to all: Histories of trust are worth their weight in vacation time).

However, there was one major thing lacking in the environment that hindered it from being successful and mass deployable: Enterprise Management. Oh my, I just used a buzzword. -5 hit points.

In other words, you can remove users from being admins, but what happens when accounting needs the new version of Blackbaud or Crystal Reports? What if a new version of Adobe Reader comes out, or Flash... or Comet Cursor? (kidding) It's either manual labor for a very weary help desk or allowing users to install their own software (we chose the latter as do most IT departments seemingly). Printer deployment is another hassle... but Vista and 7 take care of that with the new GPOs.

What we really needed, and what I believe every place needs that is seriously looking into streamlining IT and reducing Tier 1 and 2 support tickets, is a software package like SCCM 2007 or LanDesk or ZenWorks or... whatever. We had SMS 2003, but it wasn't given a high priority so it was never used. I have no doubts that SCCM or similar software packages can revolutionize IT departments if used correctly and thoroughly. It makes image deployment simple since you don't have to deploy software in the images (we had to put Office and Reader and antivirus and backup clients and etc. in the image before sealing it and deploying), and you can manage licenses and multitudes of other tasks from a central administration console.

The other option is to go all thin clients and deploy apps via a Citrix or Terminal Services on Server 2008 farm. That's a bit spendy though.

This is all IMO, of course.

Wesley David
LinkedIn | Careers 2.0
-------------------------------
Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
Vendor Neutral Certifications: CWNA
Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/


#5  Re: Security Best Practice

Originally posted by cruachan:
    Thankfully we haven't had the "How could this happen?" speech yet. We do a monthly report/healthcheck and every month we flag things like this and they ignore us, so we have it well documented that we've recommended changes.

Wow. Do they ever make reference to it? Do they see that it's costing money? Do they give a reason for their blind eyes?

Out of curiosity, and to clarify your IT's position relative to the business, are you in an in-house IT department, a consultant, an ASV or... ?

Wesley David
LinkedIn | Careers 2.0
-------------------------------
Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
Vendor Neutral Certifications: CWNA
Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/


#6  Re: Security Best Practice

Originally posted by Nonapeptide:
    Wow. Do they ever make reference to it? Do they see that it's costing money? Do they give a reason for their blind eyes?

    Out of curiosity, and to clarify your IT's position relative to the business, are you in an in-house IT department, a consultant, an ASV or... ?

External consultants. We have 14 months of reports and they've barely changed in that time. We've made a lot of progress with the admin rights; next step is WSUS, as they're running unpatched versions of Office XP in some places.

BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
Cruachan's Blog


#7  Re: Security Best Practice

Originally posted by joeqwerty:
    I feel like I'm in a no-win situation. How have you dealt with this type of situation?

I spent a week writing a comprehensive buck-pass report filled with enough technical jargon to ensure my boss would glaze over within 5 pages. Then whenever something went wrong, he'd re-read it and realise that the buck stopped with him.

Fortunately for me, the systems at both companies in the group were in such a poor state when the sister company's geek and I started that it made more sense to flatten and rebuild than to repair. So we built entirely new systems, completely locked down. Suddenly we've gone from ~85% uptime to >99.9% uptime.

"why do you lock it down?" -> "why do they need this access?"

Gareth Howells

BSc (Hons), MBCS, MCP, MCDST, ICCE

Any advice is given in good faith and without warranty.

Please give reputation points if somebody has helped you.

"For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

"Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


#8  Re: Security Best Practice

I started at a new company back in July where every service from A to Z on all servers runs as the built-in domain Administrator account.

User groups, application security, NTFS ACLs are messy and all over the place. There's dozens of obsolete groups and service accounts with too many permissions still active in AD. No password complexity requirement, no password expiration, unsecure protocols and

As someone who plans to move into security (CCNA:Sec -> CCSP -> CISSP) this has been frustrating.

I have two bosses that don't seem to care about security so I've had to relax my security OCD and focus on being a normal network admin.
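Both the monthly "report/healthcheck" that cruachan's team uses to put recommendations in writing (#2) and the conditions Garen describes here (services running as the built-in Administrator, stale groups and service accounts, no complexity or expiry policy) lend themselves to a read-only audit that produces a dated record. The script below is an added example, not code from this thread or from any poster; it assumes the ActiveDirectory RSAT module, CIM/WinRM access to the listed servers, and uses placeholder server names and assumed thresholds (90 days stale, 12-character minimum).

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from this thread: a read-only monthly health check
# that records the conditions discussed above in a CSV for management.
# Server names are placeholders; the thresholds are assumptions.
param(
    [string[]] $Servers    = @('SERVER01', 'SERVER02'),      # placeholder hostnames
    [int]      $StaleDays  = 90,                             # assumed "stale account" threshold
    [int]      $MinLength  = 12,                             # assumed minimum password length
    [string]   $ReportPath = ".\healthcheck-$(Get-Date -Format 'yyyy-MM').csv"
)

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string] $Area, [string] $Object, [string] $Detail)
    $findings.Add([pscustomobject]@{
        Date   = Get-Date -Format 'yyyy-MM-dd'
        Area   = $Area
        Object = $Object
        Detail = $Detail
    })
}

# 1. Who actually holds Domain Admins (nested group membership resolved).
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
foreach ($m in $domainAdmins) {
    Add-Finding 'Privileged group' $m.SamAccountName 'Member of Domain Admins'
}
$adminNames = @($domainAdmins | ForEach-Object { $_.SamAccountName.ToLowerInvariant() })

# 2. Services whose logon account is the built-in Administrator or any Domain Admin.
foreach ($server in $Servers) {
    try {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop
    } catch {
        Add-Finding 'Collection' $server "Could not query services: $($_.Exception.Message)"
        continue
    }
    foreach ($svc in $services) {
        if (-not $svc.StartName) { continue }
        # StartName is DOMAIN\user, .\user or user@domain; reduce it to the bare account name.
        $acct = $svc.StartName
        if ($acct -match '^[^\\]+\\(.+)$')   { $acct = $Matches[1] }
        elseif ($acct -match '^([^@]+)@.+$') { $acct = $Matches[1] }
        $acct = $acct.ToLowerInvariant()
        # LocalSystem, NT AUTHORITY\LocalService and NetworkService fall through unflagged.
        if ($acct -eq 'administrator' -or $adminNames -contains $acct) {
            Add-Finding 'Service account' "$server\$($svc.Name)" "Runs as $($svc.StartName)"
        }
    }
}

# 3. Domain password policy: complexity, expiry and minimum length.
$domain = (Get-ADDomain).DNSRoot
$policy = Get-ADDefaultDomainPasswordPolicy
if (-not $policy.ComplexityEnabled) {
    Add-Finding 'Password policy' $domain 'Complexity requirement is disabled'
}
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Add-Finding 'Password policy' $domain 'Passwords never expire (MaxPasswordAge = 0)'
}
if ($policy.MinPasswordLength -lt $MinLength) {
    Add-Finding 'Password policy' $domain "Minimum length is $($policy.MinPasswordLength), expected $MinLength"
}

# 4. Enabled accounts nobody has used in $StaleDays days (obsolete users and service accounts).
$cutoff = (Get-Date).AddDays(-$StaleDays)
Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    ForEach-Object { Add-Finding 'Stale account' $_.SamAccountName "Last logon: $($_.LastLogonDate)" }

# 5. Security groups with no members (candidates for the obsolete-group cleanup;
#    some built-in groups are legitimately empty, so review before deleting anything).
Get-ADGroup -Filter { GroupCategory -eq 'Security' } -Properties Members |
    Where-Object { $_.Members.Count -eq 0 } |
    ForEach-Object { Add-Finding 'Empty group' $_.Name 'Security group has no members' }

# 6. Write the dated report and print a one-screen summary for the monthly meeting.
$findings | Sort-Object Area, Object | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Group-Object Area | Select-Object Name, Count | Format-Table -AutoSize
"Findings written to $ReportPath"
```

Run it monthly from a workstation that already has RSAT and keep the CSVs; each file is a dated record of what was found and recommended, which is exactly the paper trail the later posts in this thread argue for. Nothing in it changes the domain: it only reads service definitions, group membership and policy, so it can be run under an ordinary account with read access to AD and CIM on the servers.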


#9  Re: Security Best Practice

Originally posted by Garen:
    I started at a new company back in July where every service from A to Z on all servers runs as the built-in domain Administrator account.

    User groups, application security, NTFS ACLs are messy and all over the place. There's dozens of obsolete groups and service accounts with too many permissions still active in AD. No password complexity requirement, no password expiration, unsecure protocols and

    As someone who plans to move into security (CCNA:Sec -> CCSP -> CISSP) this has been frustrating.

    I have two bosses that don't seem to care about security so I've had to relax my security OCD and focus on being a normal network admin.

"Security OCD", that's what I have. It's too bad that more non-admin types don't understand the importance of it.


#10  Re: Security Best Practice

BTW, thanks for the replies everyone.


#11  Re: Security Best Practice

One tip that I'll throw in: whenever you make recommendations to your boss (or other senior figure), always do so in writing. And make sure that their response is in writing too. At least then, if things do go wrong, you can avoid most of the blame.

Gareth Howells

BSc (Hons), MBCS, MCP, MCDST, ICCE

Any advice is given in good faith and without warranty.

Please give reputation points if somebody has helped you.

"For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

"Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.