This chapter provides a thorough guide to many security issues. The authors encourage writing strong enforcement statements for acceptable use policies (AUPs) and provide examples of wordings and a best practices checklist. They cover how to limit authority and separate duties, and how to pinpoint accountability. The chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg and Keith Strassberg (McGraw-Hill/Osborne, 2003, ISBN 0-072-22697-8).
The following management practices can contribute to administrative security:
Controls on remote access, and access to consoles and administrative ports: Controls placed on out-of-band access to devices, such as serial ports and modems, and physical control of access to sensitive devices and servers can enhance administrative security. Limiting which administrators can physically access these systems, or who can log on at the console, can be an important control. Limiting remote access is another effective move. Just because an employee has administrative status doesn't mean their authority can't be limited.
Vetting administrators: IT admins have enormous power over the assets of organizations. Every IT employee with these privileges should be thoroughly vetted before employment, including reference checks and background checks. This should not hamper employment; clerks who handle money are often put through more extreme checks.
Using automated methods of software distribution: Using an automated method of OS and software installation not only ensures a standard setup and security configuration, thus preventing accidental compromise; it is also a good practice for inhibiting the abuse of power. When systems are installed and configured automatically, there are fewer opportunities for back door programs and other malicious code or configuration to be introduced.
Using standard administrative procedures and scripts: Scripts can mean efficiency, but a rogue script can mean damage to systems. Standardizing scripts leaves less room for abuse. Scripts can also be digitally signed, which ensures that only authorized scripts are run.
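The last two practices, standardized scripts and a check that only authorized scripts run, can be modelled in a few dozen lines. The following Python example is added here and is not from the book: it keeps a manifest of approved scripts (name and SHA-256 digest), authenticates the manifest with an HMAC held by the approval process, and refuses any script that is unlisted, modified, or approved only by a manifest the key holder did not produce. The HMAC stands in for the digital signature the text mentions (a signature would add per-signer accountability; the integrity logic is the same), and the key, script names and script bodies are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed placeholder: in practice this key lives only with the change/approval
# process that publishes the manifest, never on hosts that merely run the scripts.
MANIFEST_KEY = b"example-manifest-key-replace-me"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable serialisation so the same approved list always yields the same tag.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(approved_scripts: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Record the digest of every approved script and authenticate the list as a whole."""
    entries = {name: sha256_hex(body) for name, body in approved_scripts.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"scripts": entries, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(manifest["scripts"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def script_is_approved(manifest: dict, name: str, body: bytes, key: bytes) -> bool:
    """Deny by default: the manifest must verify, the script must be listed, the digest must match."""
    if not manifest_is_authentic(manifest, key):
        return False
    recorded = manifest["scripts"].get(name)
    if recorded is None:
        return False
    return hmac.compare_digest(recorded, sha256_hex(body))


def demo() -> dict:
    """Constructed scripts exercising the approved, tampered, unlisted and forged cases."""
    approved = {
        "rotate-logs.sh": b"#!/bin/sh\nlogrotate /etc/logrotate.conf\n",
        "add-user.sh": b"#!/bin/sh\nuseradd -m \"$1\"\n",
    }
    manifest = build_manifest(approved)
    tampered = approved["add-user.sh"] + b"echo tampered\n"

    # Someone who can edit the manifest file but lacks the key cannot re-approve a
    # modified script: changing the recorded digest invalidates the tag.
    forged = {"scripts": dict(manifest["scripts"]), "tag": manifest["tag"]}
    forged["scripts"]["add-user.sh"] = sha256_hex(tampered)

    return {
        "approved_original": script_is_approved(manifest, "add-user.sh", approved["add-user.sh"], MANIFEST_KEY),
        "tampered_script": script_is_approved(manifest, "add-user.sh", tampered, MANIFEST_KEY),
        "unlisted_script": script_is_approved(manifest, "cleanup.sh", b"#!/bin/sh\necho cleanup\n", MANIFEST_KEY),
        "forged_manifest": script_is_approved(forged, "add-user.sh", tampered, MANIFEST_KEY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'run' if ok else 'refuse'}")
```

The check a practitioner would add around this is procedural: the manifest is regenerated only by the same controlled process that reviews script changes, so a script edit outside that process never acquires a matching entry.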
Accountability controls are those that ensure activity on the network and on systems can be attributed to an actual individual. These controls are things such as:
Authentication controls: Passwords, accounts, biometrics, smart cards, and other such devices and algorithms that sufficiently guard the authentication practice
Authorization controls: Settings and devices that restrict access to specific users and groups
Administrative Power Should Be Delegated
In the Windows world, subadministrative groups are defined, each with its own set of privileges, and custom groups can be created and given a list of privileges as well. In the classic Unix system, the power of the 'root' account cannot be diminished, and no such natural segmentation of power exists. Additional groups for users can be created and given distinct rights on resources, but this does not provide the same level of granularity. There are, however, third-party products, such as Symark PowerBroker, that delegate the powers of the root account to trusted users. These users will neither need nor have the root password, and an audit trail can be created that details the actions taken by these different accounts.
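The mechanism such products implement (a named individual asks for one root-level task, a policy decides, and the audit trail records the person rather than "root") can be sketched in Python. This is an added illustration, not PowerBroker's code or configuration; the rule format, user names and commands are constructed for the example.

```python
import fnmatch
import shlex
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset          # real user identities, never a shared account
    command_patterns: tuple   # shell-style patterns matched against the full command line


@dataclass(frozen=True)
class Decision:
    allowed: bool
    user: str
    command: str
    rule: str


# Constructed policy. Each rule grants one narrow root-level task to named people;
# anything that matches no rule is refused.
POLICY = (
    Rule("web-restart", frozenset({"alice"}), ("systemctl restart httpd",)),
    Rule("backup-ops", frozenset({"bob", "alice"}), ("tar -czf /var/backups/*.tgz /home",)),
)


def evaluate(policy: tuple, user: str, argv: list) -> Decision:
    """First matching rule wins; no match means deny."""
    command = shlex.join(argv)
    for rule in policy:
        if user not in rule.users:
            continue
        if any(fnmatch.fnmatchcase(command, p) for p in rule.command_patterns):
            return Decision(True, user, command, rule.name)
    return Decision(False, user, command, "default-deny")


def audit_line(decision: Decision, when: datetime) -> str:
    """One record per request, attributing the action to the individual, not to root."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return f"{when.isoformat()} {verdict} user={decision.user} rule={decision.rule} cmd={decision.command}"


def demo() -> list:
    """Constructed requests: two permitted tasks, a wrong service, a wrong user, and a shell."""
    requests = [
        ("alice", ["systemctl", "restart", "httpd"]),
        ("alice", ["systemctl", "restart", "sshd"]),
        ("bob", ["tar", "-czf", "/var/backups/home.tgz", "/home"]),
        ("bob", ["systemctl", "restart", "httpd"]),
        ("carol", ["bash"]),
    ]
    return [evaluate(POLICY, user, argv) for user, argv in requests]


def demo_audit() -> list:
    # Fixed timestamp so the trail is reproducible in the example.
    when = datetime(2003, 1, 1, tzinfo=timezone.utc)
    return [audit_line(d, when) for d in demo()]


if __name__ == "__main__":
    for line in demo_audit():
        print(line)
```

The caveat a reviewer would raise: `fnmatch`'s `*` also matches `/`, so a pattern like the backup rule accepts `/var/backups/../etc.tgz`; real delegation tools validate arguments more strictly than a glob over the command line, and this model shows the shape of the control rather than a production matcher.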
When used properly, accounts, passwords, and authorization controls can hold people accountable for their actions on your network. Proper use means assigning at least one account to each employee authorized to use systems. If two or more people share an account, how can you know which one was responsible for stealing company secrets? A strong password policy and employee education also enforce this rule. When passwords are difficult to guess and employees understand they should not be shared, proper accountability is more likely. Authorization controls ensure that access to resources and privileges is restricted to the proper person. For example, if only members of the Schema Admins group can modify the Active Directory Schema in a Windows 2000 domain, and the Schema is modified, then either a member of that group did so or there has been a breach in security. Chapter 6 explains more about authentication and authorization practices and algorithms.
There are exceptions to the one employee, one account rule:
In some limited situations, a system is set up for a single, read-only activity that many employees need to access. Rather than provide every one of these individuals with an account and password, a single account is used and restricted to this access. This type of system might be a warehouse location kiosk, a visitor information kiosk, or the like.
All administrative employees should have at least two accounts: one account to be used when they access their e-mail, look up information on the Internet, and do other mundane things; and one that they can use to fulfill their administrative duties.
For some highly privileged activities, a single account might be assigned the privilege, while two trusted employees each create half of the password. Neither can then perform the activity alone; it requires both of them. In addition, since both may be held accountable, each will watch the other perform the duty. This technique is often used to protect the original Administrator account on a Windows server. Other administrative accounts are created and used for normal administration. The Administrator account can be assigned a long and complex password and then left unused unless it is needed to recover a server whose other administrative passwords are forgotten, or lost because all the employees who knew them have left the company, or some other emergency occurs. Another such account might be an administrative account on the root certification authority. When it is necessary to use this account, such as to renew this server's certificate, two IT employees must be present to log on. This lessens the chance that the keys will be compromised.