[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 268
  • Last Modified:

Security Issues Concerning Windows Server 2003

Ok, here's one for you.  I am responsible for 26 window servers at the company(university) I work for and will be getting 10 more servers within the week.  Our group just took over these servers a couple of months ago so however they were handled before we really don't know.  We have been having alot of headaches dealing with another group within our company who run PeopleSoft software on these servers.  Here's the situation, we are wanting to implement Group Policy on all the servers and users since they are all in a domain.  The problem is the PeopleSoft group strongly believe they need Administrative Rights in order to run their processes.  They claim to need access to the registry, services, the ability to reboot, etc.  They are strongly opposing any kind of restrictions on these servers.  This is a total nightmare to us as you will probably agree.  We've already had one instance where we noticed someone(hacker) had gained access to one of the servers so we had to cleanly install everything back in with new passwords.  So now we have been asked by upper management to prove or come up with documents stating why we need to restrict users and on what conditions to do this.  I have been researching and found several articles about best practices for security, etc. and am writing this to hopefully get ALOT of help in finding other resources in order to basically show upper management that restrictions on these servers is a must.  All help will be greatly appreciated.    
0
stryngz1
Asked:
stryngz1
  • 3
  • 2
  • 2
  • +3
8 Solutions
 
stryngz1Author Commented:
By the way, we have Windows Server 2003 both Enterprise(clustered servers) and Standard
0
 
brakk0Commented:
It's generally standard policy to restrict EVERYTHING except for the access that is really needed.

For hard arguements to prove this, I would check out
http://www.cissps.com/ 
http://csrc.nist.gov/ 
http://csrc.nist.gov/publications/ 
http://www.sans.org/


Any books on security+ will have good overviews on why security is needed in a network.
0
 
rshooper76Commented:
You also should be able to find something on Microsoft web site about thier standards of practice, which are pretty restrictive.  I don't think you will find any Netwrok Administrator that would think that a normal user woudl need administrator rights to a server to run a normal process.  If this is in fact the case you really need to look at what they ned access to, create a group for these usera and give that group the rights to do only what is necessary.  Too many people with Administrative Access will only create more problems for you down the road.  In fact, i don't evern give many of my tech that work under me administrative access, I give them access to do thier job, but nothing more.  I firmly belive that is part of the reason why my system are as solid as they are.  
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
pseudocyberCommented:
You're responsible for these servers!?!?  Sounds like you're being set up to take a fall.  Pick up a CISSP study book and read a couple of chapters on risk analysis.  Then you can start writing your own risk analysis.  You'll want to document forseeable risks - ALL of them, what you could do to mitigate the risk, how likely the risk is to happen, what will be the impact if the risk does happen.

Once your risk analysis is throughly written, you can present it to Management/Administration.  Let THEM decide if the risk is low enough, or low impact to take it or not.  They are the business owners - not you.  You advise them of the risk, how likely it is, what can be done.  They decide whether or not to avoid it or not.

Then when it happens, your ducks are in a row and your ASSets are covered.

Another facet of security is to have roles - for security purposes, people don't go over into each others roles, or if they do, there's two people.  So, it takes two people to down a server, transfer the payroll file, etc.  Where I work, we have about 400 servers.  There are Server Admins whose responsibility is the hardware and OS.  There's Application administrators whose responsibility is the application which runs on the box.  The App Admins DO NOT have the power to reboot the box, load new drivers, etc.  (Then there's "us" on the network team who just make sure everyone "gets along" ;) )

Hope this helps.
0
 
BILJAXCommented:
YOu NEVER EVER EVER let users have Admin rights to ANY server.   It's right up there with not sticking your finger in a running blender...    You will juts be asking for more trouble if you allow them to have free reign.


AC
0
 
pseudocyberCommented:
Now, if the users want to stick their fingers in the blender, well, that's OK ... >;)
0
 
ziggy_9mmCommented:
I think it would be easier if you, Made a New OU and added all the peoplesoft users to that group and then delgated control to the administrators that say they need rights. You can give them rights to only what you want them to be able to do. Much simpler in the long run.
0
 
stryngz1Author Commented:
We have made an OU specifically for them and have them setup to access what we feel they need access too.  But they won't have it, they want full access to all of the servers
0
 
brakk0Commented:
The burdon of proof should be on them. They should be able to give you reasons for everything they need access to and why.

You can also contact your PeopleSoft vendor and get a list of which rights are required.

If you have the money for it, you can get a security consultant come in and evaluate the situation. That would help convince management.

0
 
ziggy_9mmCommented:
In that case, its a simple arguemenment in WIN2K full blown domain administrators are to dangerous when the admin pack is installed, I think you should tell them that untill they show you in writting that they need "more rights" you should stay as is with OU and delegatting control to them. This sounds like a fight that your managment may need to help you on. The biggest thing you need from them is what they so called "cant do". Also if you have the staffing for it tell them when they need an administartor to call you you, that way you know what they are doing and why.
0
 
stryngz1Author Commented:
Thank you everyone, I wish I could give you each 500 but I will have to split it.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

  • 3
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now