Pau Lo asked:

general information security probity checks

We are looking to build in some scheduled probity checks into general information security assurance across our internal network, focusing on network accounts, devices and general permissions.
One of the basic checks that normally highlights problems (and therefore adds value) is checking a list of enabled AD accounts to a list of employees who have left the organization in the past X days/weeks, to flag those whose accounts should have been disabled.
Another basic check has been to check any employees who have changed roles within the company, and whether their group memberships were updated accordingly, so they no longer have access to shared directories that were only appropriate in their previous role.
Can you think of any more of the basic data security/access/housekeeping probity checks of this nature that you feel would be beneficial and likely to flag issues (common mistakes/misconfigurations in this area etc.)? The tests don't have to be limited to Active Directory and file server permissions, but they are often a common source of problems, so if we could expand the list of 'spot checks' that would be great.
 
Windows OS, Active Directory, Network Security, Security
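As an added example (not from the asker or any commenter), the two reconciliations the question describes, leavers with still-enabled accounts and role changes with stale group memberships, plus a third check for enabled accounts with no HR owner, run in Python over constructed sample data. AD_USERS, HR, ROLE_GROUPS and TODAY are assumed stand-ins for an AD user export and an HR leavers/role feed, not real exports.

```python
from datetime import date, timedelta

# Constructed sample data standing in for an AD user export and an HR feed
# (assumed shapes, not the asker's data).
AD_USERS = [
    {"sam": "jsmith",     "enabled": True,  "groups": {"Finance-Share", "All-Staff"}},
    {"sam": "alee",       "enabled": True,  "groups": {"HR-Share", "Finance-Share", "All-Staff"}},
    {"sam": "bobadmin",   "enabled": True,  "groups": {"Domain Admins", "All-Staff"}},
    {"sam": "svc-backup", "enabled": True,  "groups": {"Backup Operators"}},
    {"sam": "mkhan",      "enabled": False, "groups": {"All-Staff"}},
]
HR = {  # status, current role, leave date (None while employed)
    "jsmith":   {"status": "active", "role": "finance", "left": None},
    "alee":     {"status": "active", "role": "hr",      "left": None},  # moved Finance -> HR
    "bobadmin": {"status": "left",   "role": "it",      "left": date(2022, 8, 1)},
    "mkhan":    {"status": "left",   "role": "finance", "left": date(2022, 6, 1)},
}
# Groups each role is entitled to; anything beyond this is a finding.
ROLE_GROUPS = {
    "finance": {"Finance-Share", "All-Staff"},
    "hr":      {"HR-Share", "All-Staff"},
    "it":      {"Domain Admins", "All-Staff"},
}
TODAY = date(2022, 8, 22)  # constructed run date for the checks

def leavers_still_enabled(ad, hr, today, window_days):
    """Enabled accounts whose owner left within the last window_days."""
    cutoff = today - timedelta(days=window_days)
    return sorted(u["sam"] for u in ad
                  if u["enabled"]
                  and hr.get(u["sam"], {}).get("status") == "left"
                  and hr[u["sam"]]["left"] >= cutoff)

def excess_groups_after_role_change(ad, hr, role_groups):
    """Active, enabled users holding groups their current role does not entitle them to."""
    findings = {}
    for u in ad:
        rec = hr.get(u["sam"])
        if not (u["enabled"] and rec and rec["status"] == "active"):
            continue
        extra = u["groups"] - role_groups.get(rec["role"], set())
        if extra:
            findings[u["sam"]] = sorted(extra)
    return findings

def enabled_without_owner(ad, hr):
    """Enabled accounts with no HR record: service or shared/generic accounts to review."""
    return sorted(u["sam"] for u in ad if u["enabled"] and u["sam"] not in hr)
```

In practice the three inputs would come from an AD export and the HR system; the role-to-group entitlement map is the piece most organisations have to write down for the first time when they start this check.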

Last Comment
DarinTCH

8/22/2022 - Mon
Wesley Miller

If they move out of another role and there were passwords associated with that role, then you might consider changing them to prevent use by the employee that is no longer in an associated role.
ASKER CERTIFIED SOLUTION
Bembi

Pau Lo

ASKER
Thank you @Bembi, yes, non-AD managed applications make perfect sense.

@Wesley Miller - when you mention passwords, passwords to what exactly are you referring to? I was hoping if it was things like office documents on file shares then amending group memberships should cover both bases. Intrigued if you were coming at it from another angle though.
SOLUTION
DarinTCH

Pau Lo

ASKER
so are you more interested in Maintenance of accounts....
or securing your data in case someone leaves the organization?

Both really.

I will take a look through the articles provided, many thanks.

What does partially disabled/deleted mean in the context of an AD user account, out of interest?

The free reporting tools will be very useful.
Pau Lo

ASKER
If they move out of another role and there were passwords associated with that role, then you might consider changing them to prevent use by the employee that is no longer in an associated role.

Passwords for what exactly? Could you give some examples? They should never share domain accounts.
Bembi

I guess non-AD accounts are the point.
For example, support web pages or other services your company bought which are associated with the role.
The question is whether this is a security issue; it is more relevant to people who leave the company, as they can continue to use these services.

Another point may be generic accounts, if you have any, i.e. AD accounts which are shared by several people.
Sometimes there are even shared accounts which should not be shared. The users just do it.
DarinTCH

Maintenance of accounts can refer to AD accounts - they can be disabled vs completely deleted.
Disabling allows them to be reactivated.
Say BobAdmin quits - 1st change the password - then disable immediately.
When you hire a replacement ...you can copy the permissions BobAdmin had.
If you delete ...well then you start over.

You also may lose something ...currently unknown...but if necessary you could always reactivate BobAdmin and use the new password to access said resource....that he had locked to his name ONLY.

Regarding non-AD accounts...there could be external websites and resources that 'BOB' signed up for and now we can't use or access....you may need his email to be active to reset access to such services.....
And we really have no idea what's 'signed up for' under his name unless detailed records were kept.....
Sometimes it's months down the road until we learn of these.
So always change passwords immediately....and a common practice is to re-direct the email of BOB who left to another person ...to make sure we don't 'lose' any critical communications....at least for 30-60 days.

