Solved

Server administrator question regarding internal controls

Posted on 2008-10-06
Last Modified: 2012-05-05
In a large business or corporate environment where employees have internet access through the business' servers, what is to prevent someone in the computer systems department from deleting internet access records for a selected number of employees? We are suspicious of a low-level employee in the computer department possibly attempting in the near future to delete all internet access records for his friends who work in different departments throughout the company. They are known to surf the web extensively during work hours and we are afraid that someone in the computer department will attempt to delete their internet access records so there will be no trace of them having surfed the web. I'm just trying to find out, in general, what sort of internal controls are pretty much standard throughout the industry to prevent such things from happening. For example, in the computer systems department, if a deletion of records is made, will information on who made the deletions be recorded? Is there a way to cover one's tracks so no one can tell a deletion was made or who did it? Is authority for deletion generally only given to one person? Etc. If you feel uncomfortable answering the question, I understand. But I'm just trying to get a general idea of what some of the standards of the industry are. Thanks.
Question by:dbfromnewjersey
5 Comments
 
LVL 1

Expert Comment

by:Chris Brock
It really depends on what sort of software/hardware your organization uses to control and log internet access. My company is not very large (200-250 employees at any given time) so we use iPrism, which controls traffic flow and logs internet traffic based on the Active Directory user. It is up to your IT dept. head to determine who has access to configure the device or software you use. We only give access to the CIO and one network administrator. If you keep the control as "high" up the ladder as possible and there is a check and balance system in place, then it is less likely that a rogue employee will do something detrimental to the system to "help out" a friend.
 
LVL 1

Accepted Solution

by:Chris Brock (earned 45 total points)
Also remember, even if the user in question clears his/her cookies, cache, etc., you can still use an undelete program to browse through deleted files, which is almost always going to be sufficient to satisfy your suspicions.
 
LVL 58

Assisted Solution

by:tigermatt (earned 40 total points)
Generally, in the larger companies, I always recommend for security purposes that there is only one person who knows the credentials to the generic user accounts - Administrator is one prime example. This person would be the Network Manager or Head of IT, who, in the majority of business hierarchical structures, is ultimately responsible for the security of the entire business network.

I usually recommend that a user's generic desktop user account does not have Administrative privileges either. Perhaps over their computer (member of the local Administrators group), but not Administrator rights on the network. The security risk here is that if this group has administrator rights, it would be pretty easy for their session to be left unattended for a few minutes; in the meantime somebody could make use of their privileges to delete data from the servers, create themselves a backdoor user account or do virtually anything else you can think of.

As such, I would give each user their own systemadmin_<username> user account, which they must log in to only when required for them to do work. Obviously it shouldn't be a daily account. They could even use Run As privileges so they don't have to log off and log back on to get their elevated rights. At least when everyone has their own user account, permissions can be controlled much better for the administrators, and you can set up auditing of events - such as deletions - as necessary.

The final step is of course the permissions. The general rule of only give just enough permissions applies here - on a small company network, one user having access to everything is quite commonplace - because there are only usually one or two administrators. On a large corporate network, matters are different; different people have different roles and responsibilities - some people may be in charge of Active Directory and Group Policies, while others are in charge of hardware, workstations, software, DNS, DHCP, printers, Exchange, file shares, the firewall/proxy server. These users should never have rights to do everything - what you would want to do is (and it's tedious, but worthwhile) create groups for each role admins could have, and then go through and assign THAT group the appropriate permissions. For the AD role, just give the necessary permissions for the AD and GPO group to add/edit/delete user/computer/GPO objects. You can then allocate each AD admin's Admin account this membership, and they will have privileges, without ever being able to mess around with critical file shares, access confidential documents etc.

Hope this helps!
-tigermatt
 
LVL 23

Assisted Solution

by:Mysidia (earned 40 total points)
I say trust, but verify. First of all, a low-level employee should not have unsupervised access to log in to a server with admin credentials.
How do you know they will not accidentally break something?

This privilege should be reserved for server admins and network admins.

Low-level operators should have a separate user for logging in at the local console for approved reasons, or as instructed, for example an emergency or maintenance, but not at will, and not beyond the instructions they are given.

There should be a procedure for low-level ops to document the reason they logged in, how long they were logged in, and everything they did while logged in.
Failure to comply should be grounds for suspension of access (or worse).

If there is routine maintenance to be done, they should list every single routine maintenance task they did (so it can be checked off the list, and so they can account for what they were doing while needing to access this important piece of infrastructure with admin privs).

_No_ one needs to be deleting any logs except to free up disk space by wiping old logfiles.

Therefore... log data should be rotated to a read-only location as soon as possible.

Logs should not necessarily be kept on the server where they could be modified; they should be sent to a secure location for archival.

This is called a log server, and the remote log servers should be under lock and key. Domain controllers in a Windows AD environment should also be under lock and key, and these servers get touched only by the network admins.

In addition, Windows Events system, auditing, and security events should be remotely stored for all servers using a setup such as Windows Event Collectors (http://msdn.microsoft.com/en-us/library/bb427443(VS.85).aspx).


You can use features in Windows called security auditing and file auditing to help record when a user changes a text file.


I suggest writing a script to periodically move files to another server, a server that does not allow files to be remotely deleted or edited (only new files created), and that has more restrictive access.

If they see your script and attempt to log in to that other server, then you'll know about the unauthorized attempt to meddle with the remote logging.

If the low-level operator disables the remote logging (perhaps something you consider an unauthorized major change to the server configuration), your security auditing settings should be set up to generate event logs when they make the change, to prove who did what when.
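The add-only off-box archive Mysidia describes, as an added example (this is not code from the thread or from any product mentioned in it): a small Python script copies each rotated log into an archive directory, makes the copy read-only, and appends a hash-chained entry to a manifest so that a later deletion or rewrite of any archived file, or the removal of a manifest line, shows up when the archive is verified. The `manifest.jsonl` name, the `demo()` helper and the proxy log lines are constructed for the demonstration; on a real log server the share would additionally deny delete and modify rights to the operators who run the copy job, and the verification would run from a host they cannot log in to.

```python
"""Add-only log archive with a hash-chained manifest (added example, not from the thread).

Each rotated log is copied into an archive directory, made read-only, and recorded in
manifest.jsonl with its SHA-256 and a chain value linking it to the previous entry.
verify_archive() re-hashes every file and recomputes the chain, so a deleted or
rewritten archive file, or a removed manifest line, is reported as a finding.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST = "manifest.jsonl"  # assumed name for the chained index
GENESIS = "0" * 64           # chain value before the first entry

# Constructed sample proxy log lines; the field layout is illustrative only.
SAMPLE_PROXY_LOG = """\
2008-10-06T09:14:02Z user=jsmith dst=example.com bytes=18233 action=allow
2008-10-06T09:14:09Z user=jsmith dst=example.net bytes=4410 action=allow
2008-10-06T09:15:31Z user=rjones dst=example.org bytes=77120 action=allow
"""


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def _manifest_entries(archive_dir):
    """Return the manifest entries in order, or None if there is no manifest yet."""
    path = os.path.join(archive_dir, MANIFEST)
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return [json.loads(line) for line in f if line.strip()]


def archive_log(src_path, archive_dir):
    """Copy src_path into archive_dir and append a chained manifest entry.

    chain = sha256(previous chain || file digest), so removing or editing an earlier
    manifest line invalidates every later link.  Existing files are never overwritten,
    mirroring a share that permits only new-file creation.
    """
    os.makedirs(archive_dir, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    name = f"{stamp}_{os.path.basename(src_path)}"
    dst = os.path.join(archive_dir, name)
    if os.path.exists(dst):
        raise FileExistsError(f"refusing to overwrite archived log {name}")
    shutil.copy2(src_path, dst)
    os.chmod(dst, 0o444)  # read-only; a deny-delete ACL on the share completes this
    digest = sha256_file(dst)
    entries = _manifest_entries(archive_dir) or []
    prev_chain = entries[-1]["chain"] if entries else GENESIS
    chain = hashlib.sha256((prev_chain + digest).encode()).hexdigest()
    entry = {"file": name, "sha256": digest, "chain": chain}
    with open(os.path.join(archive_dir, MANIFEST), "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_archive(archive_dir):
    """Return a list of findings; an empty list means archive and manifest agree."""
    entries = _manifest_entries(archive_dir)
    if entries is None:
        return ["manifest missing"]
    findings = []
    prev_chain = GENESIS
    for n, e in enumerate(entries, 1):
        expected = hashlib.sha256((prev_chain + e["sha256"]).encode()).hexdigest()
        if e["chain"] != expected:
            findings.append(f"manifest line {n}: chain broken (entry removed or edited)")
        prev_chain = e["chain"]
        fpath = os.path.join(archive_dir, e["file"])
        if not os.path.exists(fpath):
            findings.append(f"{e['file']}: archived log deleted")
        elif sha256_file(fpath) != e["sha256"]:
            findings.append(f"{e['file']}: archived log modified")
    return findings


def demo():
    """Archive the sample log, then tamper with the copy to show what verification catches."""
    work = tempfile.mkdtemp(prefix="logarchive_")
    src = os.path.join(work, "proxy-2008-10-06.log")
    with open(src, "w") as f:
        f.write(SAMPLE_PROXY_LOG)
    archive = os.path.join(work, "archive")
    copy = os.path.join(archive, archive_log(src, archive)["file"])
    results = {"intact": verify_archive(archive)}
    os.chmod(copy, 0o644)        # an operator with write rights strips the read-only bit...
    with open(copy, "w") as f:   # ...and rewrites the record without jsmith's lines
        f.write(SAMPLE_PROXY_LOG.splitlines()[-1] + "\n")
    results["modified"] = verify_archive(archive)
    os.remove(copy)              # ...or deletes the archived copy outright
    results["deleted"] = verify_archive(archive)
    shutil.rmtree(work)
    return results
```

Running `demo()` returns an empty finding list for the untouched archive, one "archived log modified" finding after the rewrite, and one "archived log deleted" finding after the removal. The one deletion a self-contained chain cannot reveal is truncation at the tail (dropping the newest manifest line together with its file), so the newest chain value should also be recorded somewhere the server operators cannot write, such as a monitoring host or a ticket, and compared on each verification run.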
 

Author Comment

by:dbfromnewjersey
Thanks folks. A lot of good information. Appreciate the help.