Security Basics mailing list archives
Re: FW: Controlling access to servers
From: Jeff Breci <jmbreci () yahoo com>
Date: Tue, 30 Nov 2004 16:28:15 -0800 (PST)
-----Original Message----- From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com] Sent: Tuesday, November 30, 2004 6:10 AM To: security-basics () securityfocus com Subject: Controlling access to servers Hi List, Consider a situation where IT Dept has full access and control over all servers How do we manage security in such a case? i.e. how can we put control measures to prevent IT Admins to do whatever they want on the system without going through a proper control & approval process
You're not looking at this properly. If they have physical access to the devices, it does not mapper if they logical access if you are truly that worried about security. ALL Admins should log on to the machines with their own unique userid and you should make sure auditing is turned on. Having a proper change control that is reviewed by all is also another idea. My guess is that you do not have any security policies in place that cover these sort of things. However, at some point, you have to trust someone. This is still "who is going to police the police?" While there need to be proper policies and controls in place, at some point you need to trust someone. I mean, SOMEONE has to have access to the Domain Administrators password. The Admins also need to have access to the local administrators passwords in case the network goes down, however they must always use their own unique domain userid when possible. Nothing that I'm stating is innovative or revolutionary. Giving the admin passwords to IT Security or Audit is a mistake. Do they need to know that information for any good reason? Plus, why are they trusted more than the admins? Who is going to go through and change all the passwords once someone knows it and writes it down to circumvent the system next time? -jb
One solution might be to give the admin passwords to the IT Security Section or the IT Audit, in this way, Admins will have to request them to log in the machine for all interventions Of course this solution has lots of drawbacks! I would be glad to know how other companies manage to control changes being done on IT systems, particularly in large organisations Thanks for your comments Ronish
__________________________________ Do you Yahoo!? Yahoo! Mail - Helps protect you from nasty viruses. http://promotions.yahoo.com/new_mail
Current thread:
- Re: FW: Controlling access to servers Jeff Breci (Dec 01)
- <Possible follow-ups>
- RE: Controlling access to servers David Gillett (Dec 01)
- RE: Controlling access to servers Trevor Cushen (Dec 01)