Keeping Technology Staff Honest

Tuesday, June 05, 2012

Jayson Wylie

54a9b7b662bfb0f0445d1661d7ed180b

Technology staff, on occasion, have had an all-access pass to all data on Window’s networks. 

This can be through specific accounts applied to the object’s ACE or inherited through power access groups.

This creates an environment where the support staff has exposure in being assumed to have access to sensitive and confidential stuff stored in the most private parts of the organization’s data stores.

IT staff does not always need access to information not related to their position, and this condition could create suspicion when inappropriate file access, alterations, collection or destruction is determined.

Auditing file access rights on busy file servers to find an inappropriate successful object access is very difficult and not always identified as an incident even with a helpful SEIM, security staff, operators or auditors.

I used a security design years ago for a financial firm’s domain. I have deployed it in various places since, and feel that the approach will allow the ability to take ownership of access permissions and data when needed, but not always giving constant implicit access.

I simply create a dummy domain security group account named obscurely with full permissions, and allow modification for all other assigned groups and accounts for the folder or object.  I take all access from unrequired accounts, leaving mostly the proper access accounts and Network/System.

The oversight group does not have any membership, and auditing is turned on to determine membership changes of the groups on Domain Controllers versus a file server.  Auditing membership changes of a group is better tracked than a flood of successful object access events where permissions permit.

IT can request permissions through the proper channels and add themselves to the assigned ‘guardian’ oversight group when access is needed as for departed user’s home drive.

They do the work and remove themselves for the group. Membership change events are recorded.

Groups can be designed and applied as creative for all separate data access needs but the main thing is keep the oversight account accounts empty and be able to track when that changes and why.

Possibly Related Articles:
9101
Network Access Control
Industrial Control Systems
Access Control Data Loss Prevention Network Security Data Management Network Security Monitoring SysAdmin Privileges IT Security Permissions
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.