Solved

Read-only access for auditors

Posted on 2016-11-06
78 Views
Last Modified: 2016-11-11
What's the industry practice on granting read-only access accounts to
auditors? Or are requests generally sent to IT Ops, who will extract the
information & send it to them?

I guess the lowest-privilege account in Windows can still make changes
to the systems, but for certain appliances (eg: proxy, AV EPO, IPS), is there
any risk of inadvertent changes being made?

I'm assuming the auditors are not trained (or only semi-trained) in the specific
platforms / products.
What about UNIX Solaris & AIX?
Question by:sunhux
5 Comments

Author Comment

by:sunhux
ID: 41876262
Certainly there's a concern that auditors dig up too much info, which
creates unnecessary overhead.

LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points
ID: 41876339
Depends upon the audit and what you are being audited on. A licensing audit may ask for a tool to be run that enumerates the machines and compares the count of specific software against your purchase records.

A PKI audit may examine your policies and setup (which is why we use powershell scripting so we can just show them the script vice having them hover behind us while we type in commands) and you can show them logs that you are actually performing the policies.
LVL 63

Assisted Solution

by:btan
btan earned 350 total points
ID: 41876632
I was thinking whether we really even need to issue a machine for the auditor to access and view, or whether we can have an admin grab the required information for their sighting of evidence. In other words, they do not have direct access.

By default, most of the "configuration" settings you want to view are only accessible at all to administrative users, who can also modify them. So to create a read-only user that can access everything, you're basically looking at modifying everything (file system, registry, application permissions) to add read-only access for a given user.

Have the auditors request information from the admins. If necessary, auditors watch the admins retrieve the required information. Even an ad hoc account or a time-based expiry restricted account still needs certain privileged group membership, which most of the time the auditee is not comfortable with. There is a need to manage the auditor, as their role is to sight evidence to prove the claim of compliance. The adequacy of control is a separate matter for reviewing the security report, which can be sighted offline based on sampling.

Author Comment

by:sunhux
ID: 41877186
Guess for Windows, you'll need administrative priv to view many items.

But for AV EPO (incl. Deep Security) & Cisco switches/routers, you don't need
admin privilege to see most of the info. It's going to be quite a justification to
stop such a request for a read-only account.

To me, an untrained person will keep asking lots of questions & this is
highly disruptive to work/normal operations.

LVL 63

Accepted Solution

by:btan
btan earned 350 total points
ID: 41877247
Yes for Windows, at least in those privileged groups for authorised membership.

Yes for other non-Windows systems like network devices, admin is not necessary, but they also have some levels of access between user EXEC mode (level 1) and privileged EXEC mode (level 15). This is as per the principle of least privilege — only give access to what's necessary and no more. So in this case, the commands allowed for the auditor can be at the lowest level, and they will not be able to run other privileged commands. The commands depend on what they want to see, which you can then allow.

No matter what, auditor access, if granted, will still be logged. The log is to prove they are not doing more than they should be. There is no access to external storage, and anything to be read is on-site for sighting; nothing is brought out of the premises unless approved.

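As an added illustration of the accepted answer (not part of the thread or of any vendor documentation), the Cisco IOS fragment below puts an auditor login at a custom privilege level between user EXEC (1) and privileged EXEC (15), lifts only the specific show commands they need to that level, and accounts for every command typed so the session is logged centrally. The level number 5, the account name, the TACACS+ server address and the secrets are placeholders chosen for the example.

```cisco
! Added example, not from the original thread. Level 5, the account name,
! the TACACS+ address 192.0.2.10 and every <CHANGE-ME> are placeholders.

! Move only the read-only commands the auditor needs down to level 5.
! Anything not listed here (configure terminal, write, reload, ...) stays
! at its default level 15 and is unavailable to a level-5 user.
privilege exec level 5 show running-config
privilege exec level 5 show logging
privilege exec level 5 show access-lists
privilege exec level 5 show ip interface brief
! Caveat: below level 15 "show running-config" displays only the commands
! the user's level is allowed to configure; verify the output on your IOS
! release before promising the auditor a complete view.

! Local account that lands directly at the custom level on login.
username auditor-ro privilege 5 secret <CHANGE-ME>

! Authorise level-5 commands locally and send a start/stop accounting
! record for every command and every session to the TACACS+ server,
! which is the log that proves they did no more than they should.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization commands 5 default local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
tacacs server AUDIT-LOG
 address ipv4 192.0.2.10
 key <CHANGE-ME>

! Independently record any configuration change to syslog, so an
! inadvertent change would be visible even if accounting were missed.
archive
 log config
  logging enable
  notify syslog
  hidekeys

! Auditor sessions come in over SSH only and use the login method above.
line vty 0 4
 login authentication default
 transport input ssh
```

Test the result by logging in as the placeholder account and confirming that `show privilege` reports level 5, that the listed show commands work, and that `configure terminal` is rejected.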