Security Basics mailing list archives

RE: Secure Backups


From: "Dan Bogda" <dan.bogda () kintera com>
Date: Fri, 30 Jun 2006 14:51:49 -0700

Rolando,
Generally, you want to avoid complexity unless it is absolutely necessary. If you are going to use separate users for 
multiple environments, putting them in the same group to reduce administration may make sense. If you use a group, you 
want to audit the individual permissions and make sure the varying users aren't inheriting too many permissions from 
the group. 

Otherwise, if the backups don't have differing requirements, I would suggest a common user between servers. If there 
isn't a requirement for extra complexity, I try to avoid it. 

Good night,
Dan

-----Original Message-----
From: rolando_ruiz () jetaviation com [mailto:rolando_ruiz () jetaviation com] 
Sent: Friday, June 30, 2006 2:36 PM
To: Dan Bogda; security-basics () securityfocus com
Subject: RE: Secure Backups

Every response I'm getting leans toward the "least privilege" rule. I totally agree, particularly with using easy-to-manage 
domain accounts instead of local accounts on every server. I've been doing some audits on servers and the domain, and this 
place has way too many accounts used for different purposes and no records of their intended use. 

We have Veritas and Backup Exec here. The administrator account seems to be the primary account used for all backups. 
My question is: should I consider making the Domain Admins group the only group allowed to run backups? Or is using groups 
not a good idea in this case? Should I limit backup processes to one account? Or a "Backup Operators" group? If so, 
should this group be local or domain?

I thank you all for your suggestions. 

________________________________________

Jet Aviation Holdings, Inc.
Rolando Ruiz
PC Technician
113 Charles A Lindbergh Drive
Teterboro / United States 07608
Tel.      +1 (201) 462 - 4094
Fax       +1 (201) 288 - 4892
rolando_ruiz () jetaviation com
www.jetaviation.com


-----Original Message-----
From: Dan Bogda [mailto:dan.bogda () kintera com] 
Sent: Friday, June 30, 2006 3:03 PM
To: Ruiz, Rolando; security-basics () securityfocus com
Subject: RE: Secure Backups

Rolando,
You should stick with the least privileges necessary to perform the function. If you can get away with read-only access to 
the file systems, do so. You may also want to provide different accounts between environments or machine types (i.e., dev, 
production; Unix, Windows, etc.). Also, do not let users use the accounts, and make sure to change the passwords on a 
fixed schedule. I would also lean towards a domain account so that you can easily monitor usage, change the password, 
and globally disable it when necessary. It's harder to track x number of local accounts and when they were last used, 
changed, etc.

Good luck,
Dan

-----Original Message-----
From: rolando_ruiz () jetaviation com [mailto:rolando_ruiz () jetaviation com] 
Sent: Thursday, June 29, 2006 1:34 PM
To: security-basics () securityfocus com
Subject: Secure Backups

Hello security world,

I'd like to establish a secure and reliable backup procedure. Currently, the person who had this responsibility has 
not been using standard procedures throughout our network. Things I'm looking for include the account type to use (local or 
domain, admin or not), and what rights this account should have on each server. I'm assuming that the account should 
hold enough admin rights on each box to be able to run the job, but I'm unsure if it should hold complete administrator 
rights. 

Your comments and suggestions are greatly appreciated. 

With best regards,
 
Rolando Ruiz
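The thread settles on a dedicated domain account (or a small group) for backups, kept out of Domain Admins, with the group's actual membership audited and passwords rotated on a fixed schedule. As an added example that is not part of this thread or any poster's own tooling, the PowerShell script below turns that advice into a repeatable check: it compares Domain Admins and Backup Operators membership against the account list and flags backup accounts that are over-privileged, stale, disabled-but-still-privileged, or interactive users who have ended up in Backup Operators. The account naming prefix `svc-backup-`, the 90-day rotation policy, and the use of the RSAT `ActiveDirectory` module (only when `-UseLiveDomain` is given) are assumptions; without that switch it runs against constructed sample data.

```powershell
# Added audit script (not from the thread). Lists who can run backups and flags
# accounts that hold more than the job needs: least privilege, a dedicated domain
# account, and fixed-schedule password rotation, as recommended above.
# Assumptions (hypothetical): backup service accounts are named 'svc-backup-*',
# the rotation policy is 90 days, and the RSAT ActiveDirectory module is present
# when -UseLiveDomain is used.
param(
    [switch]$UseLiveDomain,
    [int]$MaxPasswordAgeDays = 90,
    [string]$BackupAccountPrefix = 'svc-backup-'
)

function Get-BackupAccountFindings {
    param(
        [object[]]$DomainAdmins,     # objects with SamAccountName (Domain Admins members)
        [object[]]$BackupOperators,  # objects with SamAccountName (Backup Operators members)
        [object[]]$Users,            # objects with SamAccountName, PasswordLastSet, Enabled
        [int]$MaxAgeDays = 90,
        [string]$Prefix = 'svc-backup-'
    )
    $adminNames    = @($DomainAdmins    | ForEach-Object { $_.SamAccountName })
    $operatorNames = @($BackupOperators | ForEach-Object { $_.SamAccountName })
    $cutoff   = (Get-Date).AddDays(-$MaxAgeDays)
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($u in $Users) {
        $name        = $u.SamAccountName
        $isBackupAcc = $name -like "$Prefix*"
        $inAdmins    = $adminNames    -contains $name
        $inOperators = $operatorNames -contains $name
        $issues      = @()

        # Disabled accounts have no business staying in a privileged group.
        if (-not $u.Enabled) {
            if ($inAdmins -or $inOperators) { $issues += 'Disabled account still in a privileged group; remove it' }
        }
        elseif ($isBackupAcc) {
            # A backup job needs Backup Operators (SeBackupPrivilege), not Domain Admins.
            if ($inAdmins) { $issues += 'Backup account is in Domain Admins; Backup Operators is enough for the job' }
            # No domain-level backup rights: check each server's local Backup Operators group instead.
            if (-not $inAdmins -and -not $inOperators) { $issues += 'No domain backup rights; verify local Backup Operators membership per server' }
            # Fixed-schedule rotation, as the thread recommends.
            if ($u.PasswordLastSet -lt $cutoff) { $issues += "Password older than $MaxAgeDays days; rotate it" }
        }
        elseif ($inOperators) {
            # Backup Operators can read every file regardless of ACLs, so interactive users should not be in it.
            $issues += 'Interactive user in Backup Operators; review whether this is needed'
        }

        foreach ($i in $issues) {
            $findings.Add([pscustomobject]@{ Account = $name; Issue = $i })
        }
    }
    return $findings
}

if ($UseLiveDomain) {
    Import-Module ActiveDirectory
    $admins    = Get-ADGroupMember -Identity 'Domain Admins'    -Recursive
    $operators = Get-ADGroupMember -Identity 'Backup Operators' -Recursive
    $users     = Get-ADUser -Filter * -Properties PasswordLastSet
}
else {
    # Constructed sample data so the script runs without a domain.
    $today = Get-Date
    $admins = @(
        [pscustomobject]@{ SamAccountName = 'administrator' },
        [pscustomobject]@{ SamAccountName = 'svc-backup-prod' }
    )
    $operators = @(
        [pscustomobject]@{ SamAccountName = 'svc-backup-dev' },
        [pscustomobject]@{ SamAccountName = 'svc-backup-old' },
        [pscustomobject]@{ SamAccountName = 'jdoe' }
    )
    $users = @(
        [pscustomobject]@{ SamAccountName = 'administrator';   PasswordLastSet = $today.AddDays(-10);  Enabled = $true  },
        [pscustomobject]@{ SamAccountName = 'svc-backup-prod'; PasswordLastSet = $today.AddDays(-200); Enabled = $true  },
        [pscustomobject]@{ SamAccountName = 'svc-backup-dev';  PasswordLastSet = $today.AddDays(-30);  Enabled = $true  },
        [pscustomobject]@{ SamAccountName = 'svc-backup-old';  PasswordLastSet = $today.AddDays(-400); Enabled = $false },
        [pscustomobject]@{ SamAccountName = 'jdoe';            PasswordLastSet = $today.AddDays(-5);   Enabled = $true  }
    )
}

Get-BackupAccountFindings -DomainAdmins $admins -BackupOperators $operators -Users $users `
    -MaxAgeDays $MaxPasswordAgeDays -Prefix $BackupAccountPrefix | Format-Table -AutoSize
```

On the sample data this reports `svc-backup-prod` twice (Domain Admins membership and a stale password), `svc-backup-old` for being disabled yet still in Backup Operators, and `jdoe` as an interactive user in Backup Operators; `svc-backup-dev` is the shape the thread recommends and produces no finding. Run it with `-UseLiveDomain` from a workstation with RSAT to audit the real groups; on member servers the equivalent local check is `Get-LocalGroupMember 'Backup Operators'`, which is where the local-versus-domain question in the thread has to be answered machine by machine.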


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------