sunhux
asked on
supporting IT infra systems shd not store authenticators of critical systems (that are hosted in secure zone)
In our environment, secure zone refers to internal zone which hosts the critical backend systems
while DMZ hosts the more 'exposed' systems.
We got an audit finding that supporting infra systems (like SCCM, WSUS, NTP, our internal Vulnerability
Assessment scanner) should not store authenticators (I assume this refers to credentials) of the
critical systems (critical financial systems that transacts huge amount of $) that are hosted in the
non-DMZ (ie secure) zone.
Q1:
Well, SCCM (which we use to deploy PCs patches & collect info from them & these PCs include PCs
used to make/process large payments) & WSUS (which deploys patches to all servers include the
critical/sensitive servers) will need to have access to those critical systems to be able to deploy
patches. Any idea if SCCM/WSUS store authenticators ? We place these systems in our DMZ;
should we place them in an isolated/more secure zone?
Q2:
I presume when SCCM/WSUS is compromised, hackers could access the critical PCs & serrvers
via these tools? If so, what are the mitigations?
Q3:
We also have Cyberark tt we lodge admin IDs of critical servers in them? if this Cyberark server
is hosted in DMZ, what's the risk? What are the mitigations? The vendor who help us set it up
suggested to place it in DMZ (so that we could access via Internet to approve access requests):
is this risky & what are the best practices to mitigate? I'm inclined to think these vendors are
seasoned in selling password vault solutions & know what they are recommending, aren't they?
I presume AD servers need to be placed in internal/secure zone, not DMZ, right?
while DMZ hosts the more 'exposed' systems.
We got an audit finding that supporting infra systems (like SCCM, WSUS, NTP, our internal Vulnerability
Assessment scanner) should not store authenticators (I assume this refers to credentials) of the
critical systems (critical financial systems that transacts huge amount of $) that are hosted in the
non-DMZ (ie secure) zone.
Q1:
Well, SCCM (which we use to deploy PCs patches & collect info from them & these PCs include PCs
used to make/process large payments) & WSUS (which deploys patches to all servers include the
critical/sensitive servers) will need to have access to those critical systems to be able to deploy
patches. Any idea if SCCM/WSUS store authenticators ? We place these systems in our DMZ;
should we place them in an isolated/more secure zone?
Q2:
I presume when SCCM/WSUS is compromised, hackers could access the critical PCs & serrvers
via these tools? If so, what are the mitigations?
Q3:
We also have Cyberark tt we lodge admin IDs of critical servers in them? if this Cyberark server
is hosted in DMZ, what's the risk? What are the mitigations? The vendor who help us set it up
suggested to place it in DMZ (so that we could access via Internet to approve access requests):
is this risky & what are the best practices to mitigate? I'm inclined to think these vendors are
seasoned in selling password vault solutions & know what they are recommending, aren't they?
I presume AD servers need to be placed in internal/secure zone, not DMZ, right?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
David Johnson, CD
ANSWERED