Audit Account

Our IT auditors have requested access to our Windows servers (2003 predominantly) to check certain configuration settings on the server. What kind of account could/should we give them that gives them read-only access to every configuration setting/file on the server but doesn't give them any permission that could cause issues to the availability of the server, i.e. so they can't screw anything up? Not being a server admin myself, what tool could the auditors use to remotely access the server, and is there any risk to the availability of the server by just allowing them to log on? What's the worst that could happen if they log on during peak hours 9-5? Anything?

And is there any other solution that I have not considered? I don't know how easy it is to clone a server and give them access to the clone; I assume that's quite a huge job?
pma111 asked:
ImaCircularSaw (Technical Lead) commented:
If you wanted to clone a server that's pretty easy. You could use something like Norton Ghost. You might also consider using VMware or Hyper-V to create a virtual image of the server and restore this to a host that can be used in isolation.

As for giving the auditor access, depending on what applications and server functions they need access to, you might find this is a lot of work (if realistically possible). Have you considered sitting with the auditor? If the audit is going to take less than a day or two's worth of work it might be worth considering sitting with the auditor. My friend does a lot of this kind of work and they often have the local network admin sitting with them.

Another option might be to run some screen recording software (or maybe some sort of session logging) and make the auditor aware that you're doing this so that you can have a full log of what they've done. You can keep it on file in case something crops up later down the line.

Personally, I'd probably go for turning the server into a virtual machine and giving the auditor local admin access; this would be the least work-intensive option I can think of. If the server is a DC though, you might have to let the auditor look at some domain settings under your watchful eye?

pma111 (Author) commented:
Is it a quick job? I guess it's just storage, wherever they host the clone?

> probably go for turning the server into a virtual machine and giving the auditor local admin access

Why not give them a local admin account if the server was a physical box? Just out of curiosity?

I think the sitting down thing is an option but perhaps not practical due to the time and resources required, as it can be in excess of 7 days sometimes...
ImaCircularSaw (Technical Lead) commented:
I'm guessing you want to give read access to the auditor so that they cannot make any changes (either accidentally or on purpose); this is why I would try to avoid letting them have access to the physical box. Just trying to mitigate any potential for accidents to happen.

I've used the Hyper-V virtual machine manager to convert a machine into a virtual one before and it took about an hour; I was very impressed with it actually! Just make sure that the host you load it up on does not have network access or you might find it causes issues on your network.
pma111 (Author) commented:
Gotcha, when you say clone, does it clone all drives/data as well, or just the drive the OS is installed on?
ImaCircularSaw (Technical Lead) commented:
This is entirely configurable. Please have a look at this link for info on the procedure:

http://technet.microsoft.com/en-us/library/bb963743.aspx
Brian Pierce (Photographer) commented:
This is a bit of a dilemma: your auditors want to check the IT security, but to let them do it you have to go against all security principles and let them have access to the system. Are they putting this to you as a trick question to catch you out?

I would have a chat with them and explain that in the interests of security you cannot grant them access to the data that they seem to think they need, but if they would like to sit with you, you can access the information on their behalf and let them see on-screen the security settings on items which may concern them.
pma111 (Author) commented:
I genuinely don't think it's a catch-us-out type question. The issue is with a 3rd party support vendor: if we say to the auditors you can work with the 3rd party as opposed to us giving you an account, the 3rd party will say it's out of the baseline contract and every minute spent will be a chargeable project, so we are paying for the audit and then paying for our support to work with the auditors; all in all it costs a fortune.
Brian Pierce (Photographer) commented:
To cover yourself, I would make it clear to your manager in writing that if you have to give these people access to your system, then you are doing it 'under protest', and make clear your security concerns.
pma111 (Author) commented:
Thanks, I will, but it will go down better if I can put forward some suggestions on an account that will give the necessary access but mitigate the type of issue that could go wrong, intentionally or unintentionally, on the server by the auditor. Our managers don't like bad news; they like solutions.
ImaCircularSaw (Technical Lead) commented:
I agree with KCTS that this could lead to a breach in security; however, having worked on-site at some organisations with major considerations towards information security and personal data, most are not that worried and a non-disclosure agreement could cover your back (another solution!!).

The only foolproof way is to constantly monitor what the auditor is doing. Make this clear to your manager and let him know that each solution progressively increases the risk of issues and that your recommendations would be... etc etc.
pma111 (Author) commented:
Is there any such thing as a domain admin with "read only" type permissions?

What technically could the auditor do, i.e. is logging on to a file server during the day and reading certain files really going to affect the operation of the server?
ImaCircularSaw (Technical Lead) commented:
You could build a read-only domain controller and give them access to that. It will have AD replicated to it but cannot write to AD. Can you detail what it is the auditors actually need to look at?
pma111 (Author) commented:
All sorts of typical audit checks such as password policies, ACLs, SQL config settings, audit policies, AV settings, patch status, installed apps, group policies inherited, etc etc.
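As an added example (not from this thread or any of its participants), the following script shows one way to combine Brian Pierce's suggestion of gathering the information on the auditors' behalf with the checklist pma111 gives above: the admin runs only read-only commands on the server and hands the resulting files to the auditors, so no auditor account is needed on the box. It assumes PowerShell 2.0 is installed on the Server 2003 host; the output folder and the share paths are placeholders.

```powershell
# Added example, not from the thread. Read-only evidence collection run by the admin
# on a Windows server (PowerShell 2.0 on Server 2003), to hand to the auditors instead
# of giving them an account. Output folder and share paths below are assumptions.
$out = "C:\AuditEvidence\$env:COMPUTERNAME"   # assumed output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Password policy and audit policy: secedit /export only reads the local
# security policy and writes it to an .inf file, it changes nothing.
secedit /export /cfg "$out\secpol.inf" | Out-Null

# Lockout and password-age settings in the form auditors usually quote
net accounts | Out-File "$out\net_accounts.txt"

# Patch status (Get-HotFix reads Win32_QuickFixEngineering via WMI)
Get-HotFix | Select-Object HotFixID, Description, InstalledOn |
    Sort-Object InstalledOn | Out-File "$out\hotfixes.txt"

# Installed applications from the registry; no installer is invoked
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName | Out-File "$out\installed_apps.txt"

# Effective (inherited) group policy for this computer and the current user
gpresult /v | Out-File "$out\gpresult.txt"

# ACLs on the folders the auditors named (assumed paths; Get-Acl only reads)
foreach ($path in @("D:\Shares\Finance", "D:\Shares\HR")) {
    if (Test-Path $path) {
        $name = Split-Path $path -Leaf
        Get-Acl $path | Format-List Path, Owner, AccessToString |
            Out-File "$out\acl_$name.txt"
    }
}

# Who can actually change things on this server: the local Administrators group
net localgroup Administrators | Out-File "$out\local_admins.txt"

Write-Host "Evidence written to $out; review for sensitive data before handing over."
```

SQL and AV settings are product-specific and are not covered here; the same approach (a read-only export run by the admin, reviewed before release) applies to them.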
pma111 (Author) commented:
And they'll soon also be looking at our Citrix environment as well, of which at present I don't have a full scope of their review as yet, but they inform me access to the servers is required.
ImaCircularSaw (Technical Lead) commented:
If I were you I'd first ask them for a full list of what they'll be looking at so you know where sensitive information might be compromised or at least where a security consideration exists. Once you have this full list I would work out how I could give them visibility of each thing they need with minimal exposure to data and/or critical systems.

Unless everything is sitting on a single server, it sounds like opening up a virtual machine will not be the best way forward.