Security Basics mailing list archives

Re: FW: Controlling access to servers

From: Jeff Breci <jmbreci () yahoo com>
Date: Tue, 30 Nov 2004 16:28:15 -0800 (PST)

-----Original Message-----
From: sf_mail_sbm () yahoo com
[mailto:sf_mail_sbm () yahoo com] 
Sent: Tuesday, November 30, 2004 6:10 AM
To: security-basics () securityfocus com
Subject: Controlling access to servers

Hi List,

Consider a situation where IT Dept has full access
and control over all
servers

How do we manage security in such a case? i.e. how
can we put control
measures to prevent IT Admins to do whatever they
want on the system
without going through a proper control & approval
process


      You're not looking at this properly.  If they
have physical access to the devices, it does not
mapper if they logical access if you are truly that
worried about security.  ALL Admins should log on to
the machines with their own unique userid and you
should make sure auditing is turned on.  Having a
proper change control that is reviewed by all is also
another idea.  My guess is that you do not have any
security policies in place that cover these sort of
things.  However, at some point, you have to trust
someone.

This is still "who is going to police the police?" 
While there need to be proper policies and controls in
place, at some point you need to trust someone.  I
mean, SOMEONE has to have access to the Domain
Administrators password.  The Admins also need to have
access to the local administrators passwords in case
the network goes down, however they must always use
their own unique domain userid when possible.  Nothing
that I'm stating is innovative or revolutionary.

Giving the admin passwords to IT Security or Audit is
a mistake.  Do they need to know that information for
any good reason?  Plus, why are they trusted more than
the admins?  Who is going to go through and change all
the passwords once someone knows it and writes it down
to circumvent the system next time?  

-jb



One solution might be to give the admin passwords to
the IT Security
Section or the IT Audit, in this way, Admins will
have to request them
to log in the machine for all interventions



Of course this solution has lots of drawbacks!



I would be glad to know how other companies manage
to control changes
being done on IT systems, particularly in large
organisations



Thanks for your comments



Ronish




                
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - Helps protect you from nasty viruses. 
http://promotions.yahoo.com/new_mail

Current thread:

Re: FW: Controlling access to servers Jeff Breci (Dec 01)
- <Possible follow-ups>
- RE: Controlling access to servers David Gillett (Dec 01)
- RE: Controlling access to servers Trevor Cushen (Dec 01)