

Server administrator question regarding internal controls

Posted on 2008-10-06
Last Modified: 2012-05-05
In a large business or corporate environment where employees have internet access through the business' servers, what is to prevent someone in the computer systems department from deleting internet access records for a selected number of employees? We are suspicious of a low-level employee in the computer department possibly attempting in the near future to delete all internet access records for his friends who work in different departments throughout the company. They are known to surf the web extensively during work hours and we are afraid that someone in the computer department will attempt to delete their internet access records so there will be no trace of them having surfed the web. I'm just trying to find out in general what sort of internal controls are pretty much standard throughout the industry to prevent such things from happening. For example, in the computer systems department, if a deletion of records is made, will information on who made the deletions be recorded? Is there a way to cover one's tracks so no one can tell a deletion was made or who did it? Is authority for deletion generally only given to one person? etc. etc. If you feel uncomfortable answering the question, I understand. But I'm just trying to get a general idea of what some of the standards of the industry are. Thanks.
Question by:dbfromnewjersey

Expert Comment

by:Chris Brock
ID: 22654108
It really depends on what sort of software/hardware your organization uses to control and log internet access. My company is not very large (200-250 employees at any given time) so we use iPrism which controls traffic flow and logs internet traffic based on the active directory user. It is up to your IT dept. head to determine who has access to configure the device or software you use. We only give access to the CIO and one network administrator. If you keep the control as "high" up the ladder as possible and there is a check and balance system in place, then there is a less likely chance that a rogue employee will do something detrimental to the system to "help out" a friend.

Accepted Solution

Chris Brock earned 180 total points
ID: 22654130
Also remember, even if the user in question clears his/her cookies, cache, etc. you can still use an undelete program to browse through deleted files, which is almost always going to be sufficient enough to satisfy your suspicions.
LVL 58

Assisted Solution

tigermatt earned 160 total points
ID: 22654137
Generally, in the larger companies, I always recommend for security purposes that there is only one person who knows the credentials to the generic user accounts - Administrator is one prime example. This person would be the Network Manager or Head of IT, who, in the majority of business hierarchical structures, is ultimately responsible for the security of the entire business network.

I usually recommend that a user's generic desktop user account does not have Administrative privileges either. Perhaps over their computer (member of the local Administrators group), but not Administrator rights on the network. The security risk here is that if this group has administrator rights, it would be pretty easy for their session to be left unattended for a few minutes; in the meantime somebody could make use of their privileges to delete data from the servers, create themselves a backdoor user account or do virtually anything else you can think of.

As such, I would give each user their own systemadmin_&lt;username&gt; user account, which they must log in to only when required for them to do work. Obviously it shouldn't be a daily account. They could even use Run As privileges so they don't have to log off and log back on to get their elevated rights. At least when everyone has their own user account, permissions can be controlled much better for the administrators, and you can set up auditing of events - such as deletions - as necessary.

The final step is of course the permissions. The general rule of only give just enough permissions applies here - on a small company network, one user having access to everything is quite commonplace - because there are only usually one or two administrators. On a large corporate network, matters are different; different people have different roles and responsibilities - some people may be in charge of Active Directory and Group Policies, while others are in charge of hardware, workstations, software, DNS, DHCP, printers, Exchange, file shares, the firewall/proxy server. These users should never have rights to do everything - what you would want to do is (and it's tedious, but worthwhile) create groups for each role admins could have, and then go through and assign THAT group the appropriate permissions. For the AD role, just give the necessary permissions for the AD and GPO group to add/edit/delete user/computer/GPO objects. You can then allocate each AD admin's Admin account this membership, and they will have privileges, without ever being able to mess around with critical file shares, access confidential documents etc.

Hope this helps!
LVL 23

Assisted Solution

Mysidia earned 160 total points
ID: 22656023
I say trust, but verify. First of all, a low-level employee should not have unsupervised access to log in to a server with admin credentials.
How do you know they will not accidentally break something?

This privilege should be reserved for server admins and network admins.

Low-level operators should have a separate user for logging in at the local console for approved reasons, or as instructed, for example an emergency or maintenance, but not at will, or not beyond the instructions they are given.

There should be a procedure for low-level ops to document the reason they logged in, how long they were logged in, and everything they did while logged in.
Failure to comply should be grounds for suspension of access (or worse).

If there is routine maintenance to be done, they should list every single routine maintenance task they did (so it can be checked off the list, and so they can account for what they were doing while needing to access this important piece of infrastructure with admin privs).

_No_ one needs to be deleting any logs except to free up disk space by wiping old logfiles.

Therefore... log data should be rotated to a read-only location as soon as possible.

Logs should not necessarily be kept on the server where they could be modified, they should be sent to a secure location for archival.

This is called a log server, and the remote log servers should be under lock and key, domain controllers in a Windows AD environment should also be under lock and key, and these servers get touched only by the network admins.

In addition, Windows Events system, auditing, and security events should be remotely stored for all servers using a setup such as Windows Event Collectors (

You can use features in Windows called security auditing and file auditing to help record when a user changes a text file.

I suggest writing a script to periodically move files to another server, a server that does not allow files to be remotely deleted or edited (only new files created).

And a server that has more restrictive access.

If they see your script and attempt to log in to that other server, then you'll know about the unauthorized attempt to meddle with the remote logging.

If the low-level operator disables the remote logging (perhaps something you consider an unauthorized major change to the server configuration), your security auditing settings should be set up to generate event logs when they make the change, to prove who did what when.
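One way to implement the "periodically move files to another server" step from the answer above, as an added example that is not part of the original thread: a Python script that copies proxy logs into an append-only archive and records a SHA-256 manifest, then later compares the live log directory against that manifest so that a deleted file or a file with lines stripped out shows up as "missing" or "modified". The directory names, the manifest format and the sample log lines (users jsmith, bjones, the dates) are all constructed for this example; the append-only property of the real archive host (no remote delete or edit, as the answer recommends) still has to be enforced by that host's ACLs, this script only makes tampering with the live copy provable.

```python
"""Tamper-evident archival of internet access logs (constructed example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample proxy logs: date, time, AD user, method, URL.
SAMPLE_LOGS = {
    "proxy-2008-10-01.log": (
        "2008-10-01 09:12:03 jsmith GET http://intranet.example/\n"
        "2008-10-01 09:15:41 bjones GET http://news.example/\n"
        "2008-10-01 09:16:02 bjones GET http://video.example/\n"
    ),
    "proxy-2008-10-02.log": "2008-10-02 10:01:00 bjones GET http://news.example/\n",
    "proxy-2008-10-03.log": "2008-10-03 08:30:12 jsmith GET http://intranet.example/\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(manifest: Path) -> dict:
    """Read the JSON-lines manifest into {filename: sha256}."""
    entries = {}
    if manifest.exists():
        for line in manifest.read_text().splitlines():
            if line.strip():
                rec = json.loads(line)
                entries[rec["file"]] = rec["sha256"]
    return entries


def archive_logs(live_dir: Path, archive_dir: Path, manifest: Path) -> dict:
    """Copy each *.log from live_dir into archive_dir exactly once and append
    its digest to the manifest. Returns {filename: sha256} for new copies."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    known = load_manifest(manifest)
    added = {}
    for src in sorted(live_dir.glob("*.log")):
        if src.name in known:
            continue  # already archived; never overwrite an archived file
        dst = archive_dir / src.name
        shutil.copy2(src, dst)
        added[src.name] = sha256_file(dst)
    with open(manifest, "a") as m:  # manifest is append-only as well
        for name, digest in added.items():
            m.write(json.dumps({"file": name, "sha256": digest}) + "\n")
    return added


def verify_live(live_dir: Path, manifest: Path) -> dict:
    """Compare the live directory against the manifest.
    Returns {"missing": [...], "modified": [...], "ok": [...]}."""
    result = {"missing": [], "modified": [], "ok": []}
    for name, digest in load_manifest(manifest).items():
        p = live_dir / name
        if not p.exists():
            result["missing"].append(name)
        elif sha256_file(p) != digest:
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    return result


def demo() -> dict:
    """Archive the constructed logs, then simulate the scenario from the
    question (one user's lines removed, one whole day deleted) and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        for name, text in SAMPLE_LOGS.items():
            (live / name).write_text(text)
        archive_logs(live, Path(tmp) / "archive", Path(tmp) / "manifest.jsonl")

        # Simulated tampering on the live copy only.
        day1 = live / "proxy-2008-10-01.log"
        kept = [l for l in day1.read_text().splitlines(keepends=True) if " bjones " not in l]
        day1.write_text("".join(kept))
        (live / "proxy-2008-10-02.log").unlink()

        return verify_live(live, Path(tmp) / "manifest.jsonl")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule from the archive host (pulling from the proxy rather than pushing from it) so that the account holding write access to the archive is never present on the server the operators can log in to; a "missing" or "modified" entry for a day that has not been rotated out is exactly the evidence the question is asking how to preserve.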


Author Comment

ID: 22776735
Thanks folks. A lot of good information. Appreciate the help.
