Ways to a Better Password Management
June 2015 SysAdmin Magazine

Cover: Ways to a Better Password Management. State of IT Changes Survey Results + Infographic. Tips for a Better Password Security Policy. Data Governance: The Key to Compliance. Basic Rules of Windows Server Security. How-to: Detecting Password Changes in Active Directory.

Contents

3 Nine Steps to a Better Password Management, by Richard Muniz
5 Why You Need to Ensure Administrators Change Passwords Regularly, by Orin Thomas
7 How to Store and Retrieve Passwords Securely with PowerShell, by Adam Bertram
11 3 Ways to Protect the Keys to Your Kingdom: Domain Administrator Credentials, by Russell Smith
13 State of IT Changes Survey 2015: Documenting and Auditing
16 Data Governance: The Key to Compliance, by Deb Shinder
18 Internet Usage Policy against Inappropriate Content, by Richard Muniz
20 How to Detect Password Changes in Active Directory

Nine Steps to a Better Password Management
by Richard Muniz, 20+ years in IT industry, a practicing systems administrator and a teacher

Passwords remind me a bit of the Coyote. Not the one that chases the Road Runner, but the one that lives in my native South-West and howls at the moon. No matter how hard humans have tried to get rid of it, it hangs in there, and in most cases even manages to gain ground back. Why do I compare passwords to the Coyote? For years now they've been saying it was heading for extinction, and here we are, years later, and it's still hanging in there. Somehow, I suspect they'll be with us for a long time to come. And as long as we still have them out there, people will continue to abuse them.
I suppose I don't need to point much further than a video floating around the Internet of an employee being interviewed on French TV5 Monde and right there in the background, taped to the wall, is a list of passwords (and you thought you had it rough with people taping them under their keyboard). And after years and years, the most popular password out there is still "Password". We can try and try, by GPO implementation and by talking to people, but all we end up with is the realization that we might be able to build a fool-proof system, but we can't build a damn-fool-proof system. And we'll still see people making passwords that match someone's birthday or address and taping them in a place for the world to see. Why? People are weak. We have so many passwords that keeping track of them is difficult. We write them down, we paste them under the keyboard, and we continue to be our own worst enemy.

How do we fix it? Well, the answer is in this little story. Years ago I encountered a very dynamic preacher, and we got to talking. I asked him how it was that people changed, and he rocked back a bit, narrowed his eyes, and said, "Son, if you want to take an old bone away from a dog without getting bit, you'd better offer him a steak in its place."

We want to take their piece of paper away and have them play nice. The problem is that unless we give them a secure tool to keep their passwords in, they'll continue to use their post-it notes and keep putting them under their keyboards. Fortunately, there are tons of password management tools out there that will help us. We call them password managers, and a simple internet search will give you at least a dozen on the first try. Some cost money, others are free. Some are meant for a single user on one system; others are network based and can serve hundreds of users. Some you might already have and not even know it (a lot of cloud services provide this as part of the service).
What do you look for in a password manager?

1. Supported platforms. It can be the best manager in the world, but if it only runs on Linux and you're a Windows house, it isn't going to do you much good. Also, how you access it is important. Is it compatible with IE and Firefox, or does it just work with Chrome?
2. Storage capability. The idea behind a password vault is to provide your users with a nice, encrypted place to stash their passwords away in. But it's also a great place to put important documents, notes, and so forth. I know some folks who keep scans of their social security cards and passports. While it's not a substitute for full disk encryption, it is better than just leaving them out in the open.
3. Recording of usernames and passwords for certain sites. A nice feature, and possibly one that can bite you, but one that might endear itself to your users.
4. Storing certain kinds of passwords. Some will only play nice with Active Directory; some will let you record almost anything into them.
5. Reminder questions. Everyone forgets things, and we still need something to allow them access to the vault in case they forget, or at least reset the password, or give them a reminder.
6. Password generators. For users, it's a waste. For service accounts... priceless.
7. Dual authentication. A card token and a password: great. A password and a question: slightly better than useless.
8. Self-securing. While I'm sure these folks always double check their house door when they leave in the morning, they won't hesitate to leave a site open. Since this has everything and then some, we might want it to close after a certain amount of time.
9. Manageable. Letting folks choose their own tools is OK, but then you end up supporting something you might know nothing about. An enterprise-based management tool is best, and it also levels the playing field for everyone.

Want to read more articles like this?
Subscribe to our blog: blog.netwrix.com

Why You Need to Ensure Administrators Change Passwords Regularly
by Orin Thomas, 20+ years in IT industry; MVP, MCT and other Microsoft MCSE and MCITP certifications. Authored 30+ books for Microsoft Press and is a contributing editor at Windows IT Pro magazine.

The first time I really felt like I was a system administrator was when the Unix systems administrator in the IT unit I worked for at an Australian University went on leave for three months. During this time I was responsible for all of the servers that he had managed, which included all minor departmental servers, not just the scattered ones I looked after, as well as the important faculty-level servers. Although I'd been responsible for a couple of minor departmental servers before then, this was the first time I really worked without a safety net as, without this guy around, there was no one within reach who could help me out if something went wrong.

When he was performing the handoff, I noticed something interesting. The administrator and root accounts for all the servers he was responsible for used exactly the same password. The root account password for the faculty web server (a DEC Alpha running UNIX) was the same as the password for the Administrator account in the faculty Windows NT 4 domain. I knew that the process was questionable even if it did make the handoff very simple. After the administrator returned from his trip, he didn't change passwords on any of the systems. When I left that position a year later, the servers all still had the same password. This was definitely a case where convenience triumphed over good security practice.
It's no news to anyone that people hate the process of updating their passwords and that people hate having separate passwords for separate services and systems. Ordinary users don't have much choice when it comes to having to update their passwords because they can't change the policies enforced by IT. They change passwords because they have to, not because they have any deep appreciation of the arguments about password security. System administrators are in a position where they can get around these policies. In talking with many of them, a sizable number will sheepishly admit that they don't change their passwords, even though they force users with normal user accounts to do so. The system administrators who do change their passwords regularly don't do so out of any deep appreciation of the arguments around password security. It's usually because there is an auditing or enforcement mechanism in place that raises an alert if they don't change their password.

Regularly changing administrator account passwords is even more important than regularly changing unprivileged user account passwords. If an attacker gets the password of an administrative assistant, there is only a certain amount of mischief that they can perpetrate. If an attacker gets the password of a systems administrator, the entire organization's infrastructure is at risk. Administrator passwords need to be subject to more stringent security requirements because the consequences if these accounts are compromised are much greater. It's vital for organizations to perform regular checks to ensure that system administrators are updating their passwords on a regular basis. If these checks aren't performed, there is little reason to believe that system administrators will do the right thing of their own accord. A system should be in place where notifications are raised each time a privileged account password is not updated after a certain period of time.
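One way to build that check, as an added example that is not part of Orin's article: a PowerShell report of privileged accounts whose password is older than a threshold or is set to never expire. It assumes the ActiveDirectory module (RSAT), read access to the domain, and the group names and threshold shown.

```powershell
# Added example (not from the article): report privileged accounts whose password
# is older than a threshold or is flagged "never expires".
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-StalePrivilegedPassword {
    param(
        # Groups whose members count as privileged (assumed list; extend it for your domain).
        [string[]]$PrivilegedGroup = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$MaxAgeDays = 60
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # Expand nested membership and de-duplicate by SID so an admin who sits in
    # several groups is reported once.
    $members = foreach ($g in $PrivilegedGroup) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
    }
    $members = $members | Sort-Object -Property { $_.SID.Value } -Unique

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.SID -Properties PasswordLastSet, PasswordNeverExpires, Enabled
        if (-not $u.Enabled) { continue }   # disabled accounts are a separate clean-up task

        $reasons = @()
        if ($u.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires is set' }
        # PasswordLastSet is empty when the user must change the password at next logon.
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff) {
            $reasons += "password older than $MaxAgeDays days"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                PasswordLastSet = $u.PasswordLastSet
                Reason          = ($reasons -join '; ')
            }
        }
    }
}

# Domain-wide variant of the "never expires" query the article mentions:
#   Search-ADAccount -PasswordNeverExpires -UsersOnly | Select-Object SamAccountName

# Run from a scheduled task; anything returned is the notification the article asks for.
$findings = Get-StalePrivilegedPassword -MaxAgeDays 60
if ($findings) {
    $findings | Format-Table -AutoSize
    # Hand off to your alerting of choice here, e.g. Send-MailMessage or Write-EventLog.
}
```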
This allows you to be sure that the passwords are being updated on a regular basis. Luckily, there are good free tools for that, which are easy to install and help streamline security. With Windows Server, it's possible to run a query against Active Directory to determine which accounts are configured so that the associated password never expires. Best practice is that no accounts are configured in this manner. An interesting question to ask yourself is: "How many systems administrator accounts in my own organization are configured so that their passwords will never expire?" Unless your organization has exceptionally good security practices, I'm betting the answer will be "more than one".

How to Store and Retrieve Passwords Securely with PowerShell
by Adam Bertram, senior systems consultant, Pluralsight author and PowerShell MVP

The Sony Pictures Entertainment hack that took place in November of 2014 was one of many recent high-profile hacks brought on by malicious cyber criminals. During this hack, tens of thousands of employees' (and their families') social security numbers and other personally identifiable information (PII) were stolen. Personal emails detailing private conversations between studio executive heads were stolen and published, amongst many other damaging effects. This was a huge, high-profile hack that was extremely detrimental to Sony Pictures.

One of the highlights of this hack was the fact that Sony IT had a shared folder on their network simply called "Passwords" that contained (in clear text) hundreds of usernames and passwords for systems within Sony's network. Talk about making a bad day worse. The hack still would have happened regardless of this, but it would have been far less damaging.

Your organization might not be publishing the next controversial movie poking fun at North Korea, but your organization still has sensitive information that malicious individuals would love to steal. Do you have an Excel spreadsheet on your network, unencrypted, that contains sensitive information? I hope not! If you do, pay attention while I give you three words of advice: Proper Password Management.

An organization doesn't have to resort to keeping plain text files in a shared folder to store sensitive information like passwords. There are plenty of ways to secure this information and still maintain some level of convenience when accessing it. One method is simple and free: Windows PowerShell scripting. PowerShell can leverage any Windows API available. One of those APIs that can be used to protect sensitive information like passwords is the Data Protection API (DPAPI). The DPAPI is a method of encrypting and decrypting text with a user password. One way that PowerShell uses the DPAPI is through secure strings. Secure strings are values that are encrypted and, when sent to a file, can be encrypted on disk. This means no more plain text password files. I'm talking to you, Sony IT. When the information needs to be read, it can then be easily decrypted using the same user's credentials, seamlessly.

Let's go over a quick example. Let's say you're not Sony IT and you've got a text file full of usernames and passwords that looks something like this. Instead of saving this file in a folder share somewhere, you decide it needs to be protected using secure strings and managed with Windows PowerShell. After doing a little bit of research you discover that to do this you need to use the ConvertTo-SecureString cmdlet to convert each password from plain text to a secure string object. You try this out by reading the contents of your password file and converting each of the passwords to a secure string object.
Import-Csv C:\passwords.txt | Select-Object Username, @{n='EncryptedPassword';e={$_.Password | ConvertTo-SecureString -AsPlainText -Force}}

After this has run you get output like this, but you'd expect the encrypted password to be a bunch of non-readable characters. What is this System.Security.SecureString? You check the password file and nothing has changed. What gives? It turns out that this method is actually encrypting the password, but only in the PowerShell console. It's not actually saved back to disk yet. To do this, you use the ConvertFrom-SecureString cmdlet, which converts the secure string object to a state that can then be saved back to a file.

Import-Csv C:\passwords.txt | Select-Object Username, @{n='EncryptedPassword';e={$_.Password | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString}}

Now all we must do is save it back to disk, and we're storing encrypted passwords.

Import-Csv C:\passwords.txt | Select-Object Username, @{n='EncryptedPassword';e={$_.Password | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString}} | Export-Csv C:\encryptedPasswords.txt -NoTypeInformation

You now have a file called encryptedPasswords.txt that contains encrypted passwords alongside each username. Encrypted passwords on disk aren't much good unless they can be read by authorized individuals. The code may not be easy to understand, but it works. I recommend perhaps making this a function if you decide to do this. In this example, I'm finding the username adam in my file and decrypting the encrypted password to show it in plain text.
Import-Csv C:\encryptedPasswords.txt | Where-Object {$_.Username -eq 'adam'} | foreach {[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((ConvertTo-SecureString $_.EncryptedPassword)))}

This is an example of using secure strings, and it is better than storing passwords in plain text, but it's not perfect. This method is limited to the user account that encrypted the passwords, and since it is simply encrypted with a password, it is known to be much less secure than using certificates. If you need a more robust encryption method, I recommend encrypting your passwords with a certificate using a tool like the ProtectedData module or a third-party tool.

Even though an intruder may not be able to read the passwords during the attack, he still might make a copy and run a brute force attack on it in his own time. Pay attention to who accesses a sensitive document like a password file, and when. A tool like Netwrix Auditor for File Servers could easily monitor this file and alert you if anyone attempts to read, copy or modify your password file. Security is best applied in layers. Don't forget to keep a watchful eye on all your sensitive data as well.

3 Ways to Protect the Keys to Your Kingdom: Domain Administrator Credentials
by Russell Smith. Specializing in the management and security of Microsoft-based IT systems, Russell is the author of a book on Windows security and a contributing author and blogger.

The US Government reportedly has evidence that the Sony hack in November 2014 was carried out using stolen domain administrator credentials, and while at the time of writing there has been no official confirmation, it's conceivable that this could be the case.
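Returning to the PowerShell article above: here is its store-and-retrieve procedure wrapped into the functions the author suggests, as an added example rather than the article's own code. The file paths and the Username,Password CSV layout are assumptions; the retrieval side hands back a PSCredential instead of the article's Marshal call, so the clear text is only materialised if a caller asks for it.

```powershell
# Added example (not the article's code): the article's store and retrieve
# steps as two functions. File paths and the Username,Password CSV layout are
# assumptions. ConvertFrom-SecureString without -Key uses DPAPI, so only the
# same Windows account on the same machine (or with a roaming profile) can decrypt.

function Save-EncryptedPasswordFile {
    param(
        [Parameter(Mandatory)][string]$PlainTextCsv,   # columns: Username,Password
        [Parameter(Mandatory)][string]$EncryptedCsv
    )
    Import-Csv -Path $PlainTextCsv |
        Select-Object Username,
            @{ n = 'EncryptedPassword'; e = { $_.Password | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString } } |
        Export-Csv -Path $EncryptedCsv -NoTypeInformation
    # The plain-text source is now redundant; delete it before the folder is shared with anyone.
}

function Get-StoredPassword {
    param(
        [Parameter(Mandatory)][string]$EncryptedCsv,
        [Parameter(Mandatory)][string]$Username
    )
    $row = Import-Csv -Path $EncryptedCsv |
        Where-Object { $_.Username -eq $Username } |
        Select-Object -First 1
    if (-not $row) { throw "No entry for '$Username' in $EncryptedCsv" }

    try {
        $secure = ConvertTo-SecureString -String $row.EncryptedPassword   # DPAPI decrypt
    } catch {
        # Usual cause: the file was encrypted by another user or on another machine,
        # which is the limitation the article points out.
        throw "Cannot decrypt the entry for '$Username' as the current user: $($_.Exception.Message)"
    }

    # Hand back a PSCredential rather than plain text (a swap for the article's
    # Marshal::PtrToStringAuto call). Callers that truly need the clear text use
    # $cred.GetNetworkCredential().Password and keep it out of logs and transcripts.
    New-Object System.Management.Automation.PSCredential ($Username, $secure)
}

# Usage (paths assumed):
Save-EncryptedPasswordFile -PlainTextCsv 'C:\passwords.txt' -EncryptedCsv 'C:\encryptedPasswords.txt'
$cred = Get-StoredPassword -EncryptedCsv 'C:\encryptedPasswords.txt' -Username 'adam'
$cred.UserName   # 'adam'; $cred.Password is a SecureString, not clear text
```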
Windows domain administrator credentials potentially allow an attacker to gain access to all servers in a domain, and although care must also be taken to protect server local administrator accounts, they provide an element of damage limitation by restricting access to individual servers. Whether compromised administrator credentials turn out to be the way hackers gained entry to Sony's systems or not, the misuse and proliferation of administrator accounts across most organizations' IT systems is a risk that can be significantly reduced by following a few simple best practices.

Isolate Domain Controllers

The servers that run Windows Active Directory are called domain controllers (DCs), and it's critical that they are properly secured, both physically and logically. The first step to that goal is to make sure domain controllers don't host workloads other than Active Directory. For example, a domain controller shouldn't double up as a file or SQL database server for a line-of-business application. It's also worth mentioning that domain controllers should be physically secured.

Beginning in Windows Server 2012, support for virtualization makes it easier to ensure that domain controllers don't need to host other workloads. Domain controller isolation also allows for separation of administration duties, i.e. regular maintenance of servers not hosting Active Directory shouldn't require domain administrator privileges, and along with delegation of control, DC isolation helps you to manage change on your systems.

Delegation of Control

Privileged accounts should never be used to log in to user workstations, and should only be permitted for use on devices designated for administering sensitive systems. IT staff don't need domain administrator accounts to perform regular tasks if you delegate rights.
Start by configuring Active Directory so that a group other than Domain Admins is able to join computers to the domain, and follow that by devising a strategy to assign Remote Desktop access to a designated group. Use the Delegation of Control Wizard in Windows Server to get started in assigning Active Directory access to IT staff, so they can perform daily administration tasks, such as user and group management. And while it's not possible to completely remove the need to use domain administrator credentials, you can assign a restricted group of users the right to reboot domain controllers, set up event log forwarding, and configure Windows Update to minimize the frequency with which domain administration credentials are required.

Protected Users and Authentication Silos

The Protected Users group, in Windows Server 2012 and later, applies restrictions to user accounts that are designed to reduce the likelihood of compromise, including blocking the legacy NTLM authentication protocol, weak encryption in the Kerberos pre-authentication process, and Kerberos delegation. Additionally, Windows Server 2012 R2 introduced authentication policies and silos, which can be used to restrict the devices from which users can authenticate. For example, you could create a policy and silo that prevent domain administrators from authenticating from anything but domain controllers.

State of IT Changes Survey 2015: Documenting and Auditing

How do most organizations handle the impact of changes made, and what methods do they use to maintain security and system availability? The Netwrix 2015 State of IT Changes Survey, which polled more than 700 IT professionals across over 40 industries, reveals unsettling results. Nearly 70% of organizations continue to make undocumented changes, and only 50% have some kind of auditing in place.
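For the Protected Users and authentication silo steps in the domain administrator article above, an added example (not the article's code) that scripts them with the ActiveDirectory module. The policy, silo and account names are placeholders; it assumes a Windows Server 2012 R2 domain functional level and "KDC support for claims, compound authentication and Kerberos armoring" enabled by GPO on the domain controllers.

```powershell
# Added example (not the article's code): put domain admins in Protected Users
# and confine them to authenticating from domain controllers with an
# authentication policy and silo. Names below are placeholders. Assumes a
# Windows Server 2012 R2 domain functional level and "KDC support for claims,
# compound authentication and Kerberos armoring" enabled by GPO on the DCs.
Import-Module ActiveDirectory

$policyName = 'DomainAdmins-DCOnly-Policy'
$siloName   = 'DomainAdmins-DCOnly-Silo'

# Keep at least one break-glass account out of both lists and test in audit mode first.
$adminAccounts = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ne 'breakglass-admin' }
$domainControllers = Get-ADDomainController -Filter * |
    ForEach-Object { Get-ADComputer -Identity $_.Name }

# 1. Protected Users: no NTLM, no DES/RC4 Kerberos pre-authentication, no delegation.
Add-ADGroupMember -Identity 'Protected Users' -Members $adminAccounts

# 2. Policy: a TGT is issued only when the requesting device is a member of the silo.
#    The SDDL condition is the form documented for authentication policies.
$allowedFrom = 'O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $siloName + '"))'
New-ADAuthenticationPolicy -Name $policyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $allowedFrom `
    -Description 'Domain admins may authenticate only from domain controllers'

# 3. Silo binding the policy to users and computers. Without -Enforce the policy and
#    silo run in audit mode and only log would-be denials on the DCs; add -Enforce to
#    both cmdlets once the audit events show no legitimate logons being blocked.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName

# 4. Membership is two-sided: the silo must permit the account, and the account must be assigned the silo.
#    The DCs themselves go in so the "device is in the silo" condition can be satisfied.
foreach ($acct in @($adminAccounts) + @($domainControllers)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $siloName
}
```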
Undocumented changes are a hazard for business continuity: by letting them slide you put sensitive data at risk. After the wave of data breaches back in 2014, companies should have understood that already. It's a good thing that just 17% of companies admit to having made changes which eventually caused a data breach. Still, the majority of companies (67%) allow unauthorized or incorrect changes to cause service downtime, the worst offenders being enterprises, at 73%. All in all, too many organizations remain in the dark about what is going on across their IT infrastructures. They are unable to detect a security violation until a data breach is revealed. But despite the fact that companies still have shortcomings in their change management policies, the overall results of 2015 show a positive trend. More and more organizations are establishing auditing processes to achieve visibility into their IT infrastructures. The full report is available at netwrix.com/go/survey2015_report

Top 10 Free Tools for Change Auditing and Password Management

Track changes to Active Directory, Exchange, file servers, manage passwords and troubleshoot account lockouts at absolutely no cost. The following freeware tools can save you a lot of time and make your network more efficient, at absolutely no cost. Some of these tools have advanced commercial versions with additional features, but none of them will expire and stop working when you urgently need them.

1. Change Notifier for File Servers. Tracks changes to files and share permissions, detects deleted and newly-created files, and reports on file-access attempts. This freeware tool strengthens the security of your Windows-based file servers.
2. Change Notifier for SQL Server. Detects changes made to your SQL Server configurations, including database creation and deletion, changes to database users, roles, and schemas. It also reports "before" and "after" values for every change, and sends daily reports showing all changes made.
3. Change Notifier for Exchange. Reports on what's happening inside your Exchange servers, and tracks both configuration and permission changes with "before" and "after" values.
4. Password Expiration Notifier. Automatically reminds your users to change their passwords before they expire so you can avoid password reset calls. It works nicely for users who don't log on interactively and never receive standard password change reminders at logon time (e.g., VPN users).
5. Password Manager. Allows users to reset forgotten passwords and unlock their accounts through a convenient, web-based, self-service portal and integration with the standard Windows logon procedure. The tool supports up to 100 users.
6. Change Notifier for Active Directory. Tracks changes to Active Directory (AD) users, group memberships, OUs, permissions, and provides visibility into what's happening inside your AD.
7. Change Notifier for Group Policy. Tracks every change made to your group policy objects (GPOs), including GPO links, audit policy, password policy, and software deployment changes, and fills major gaps found in native auditing tools.
8. Account Lockout Examiner. Alerts on account lockouts, helps troubleshoot these events, and analyzes their potential causes. The accounts can be unlocked via the Netwrix Account Lockout Examiner console or a mobile device.
9. Change Notifier for Windows Server. Alerts you about changes made to your Windows Server configurations, including installed software and hardware, services and scheduled tasks. It sends summary reports listing changes of the last 24 hours with "before" and "after" values.
10. Change Notifier for VMware. Allows you to control changes in your virtual environments. It notifies you about changes to VMware virtual machine settings, and creation and deletion of virtual machines. It also sends daily reports of all changes made in the past 24 hours with "before" and "after" values.

Data Governance: The Key to Compliance
by Deb Shinder, MCSE, MVP (Security), technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security

In a legislation-laden era, more and more organizations are falling under the mandates of governmental or industry regulation. The requirements can be complex and confusing, and it's hard to know where to start in creating and enforcing policies that will keep your company in compliance, so many IT departments live in fear of the upcoming compliance audit. But whether your company is covered by HIPAA, GLBA, SOX, PCI DSS, FISMA or other less-known regulations, data governance is a key element in meeting the standards. Despite this, many IT professionals and even security experts don't have a real understanding of what data governance comprises or how to implement an effective data governance policy.

Data governance refers to the collection of established policies and procedures that govern the management of your data, both in transit and at rest, within and (in the case of cloud computing) outside of your organization's premises. These policies should encompass usability and usage, availability and reliability, and the security and integrity of the data. A good way to think of it is in terms of the old journalism school rule of thumb: Who, What, When, Where and How. These are the questions you need to ask when you formulate your program.
A more formal definition, from the Data Governance Institute, says it this way: "Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods."

A data governance program is a three-pronged system:

- People (the governing body that establishes the policies and procedures, those tasked with implementing them, and the creators and users of the data who are impacted)
- Policies and Procedures (the formal rules and implementation guidelines)
- Plan (a structured means by which to execute the procedures)

The people involved include designated roles such as data custodian, data steward, and data stakeholder. Beginning at the lowest level of responsibility, the data stakeholders include any individuals or groups who are impacted by the data governance decisions, so everyone who creates or uses the data belongs in this group. Data stewards are those who either set the policies (in small organizations) or make recommendations to higher authorities in larger organizations (which may have one or more chief data stewards). Data custodians are directly responsible for the maintenance of the safety and integrity of the data when it is in transit and in storage. Data custodians have responsibility for the technical aspects of protecting the data, the "how" of implementing the policies, whereas data stewards are business-focused with responsibility for the "why" and "what" of the policies and procedures.

Data governance is all about decision-making. Before people can make decisions regarding data governance, a decision must be made regarding who has the authority to make which decisions. This is called decision rights.
In regard to regulatory compliance, decisions include whether to comply (a fairly easy decision when penalties for non-compliance are involved), when to comply (how long it will take to implement full compliance), what must be done to comply (the particular requirements) and how compliance will be achieved (what changes will be made and in what order).

The policies are the rules and guidelines developed by the governing individuals or committees and address what must (or must not) be done, who is responsible for doing it and for enforcing it, where the policy applies (including exceptions), when the policy goes into effect and why the policy is needed (the purpose/goal of what the policy is designed to accomplish). Policies should be straightforward and easy to understand, should cover as many scenarios/situations as can be anticipated, and should not conflict or overlap with one another. Policies should be distributed to all who are impacted by them.

Procedures are specific instructions on how to perform a task or process in a structured way. Each procedure should address one task. The procedural document should specify who is authorized or required to perform it, what steps are to be taken, when each step is to be taken (order of steps) and how those steps are to be performed, including specific protocols, applications, devices etc. that are to be used.

The plan is a broader-based "big picture" view of what will need to be in place to accomplish the data governance program mission, including timelines, budgets, hardware and software purchases, personnel, and so forth. One of the most difficult parts of establishing compliance policies is the decision as to who will be accountable for compliance-related tasks. Those who are assigned responsibility must have the corresponding authority to carry out those tasks, and this can get tricky in terms of internal politics and "turf wars" within an organization.
The plan should take this into account and establish clear channels of communication and a chain of command to avoid different individuals and groups duplicating effort or even working at odds with one another toward compliance goals.

Internet Usage Policy against Inappropriate Content
by Richard Muniz, 20+ years in IT industry, a practicing systems administrator and a teacher

A recent posting in Spiceworks caught my attention. It seems that this admin was asked to generate an Internet usage report on a fellow employee. The next thing he knows, the employee was let go. Of course he felt somewhat guilty about it. Another poster was talking about a fellow user who had been surfing porn while at work. Since management was watching, what should he do, since he considered the colleague a friend?

Well, in both instances, the solution to the problem lies on both sides of the equation: the HR side and the IT side. First, HR has to establish a strong Internet usage policy. Often these rules are buried in the user's welcome package. I'd advocate an actual form that they have to read, understand and sign; this becomes part of their employee packet. This would spell out exactly what you can and cannot do, and what the penalties for violations are. So the warning starts at the top. And speaking of the top, you cannot have a boss who gives this lip service and is guilty of violating it.

I worked in a place once where we had a few employees surfing porn. Since this was becoming a problem, the boss looked to IT for a solution. "Not a problem," I said. "We buy a license for the firewall, install it, and then we can do a little more filtering to include porn." "Does that block everyone from reaching a porn site?" he asked. "Of course,"
I answered, "I can make some exceptions, but that might cause issues with the team if one person can do something and the others can't."

"Well, that won't work," he said after a moment. He nixed the idea pretty quickly, while continuing to let people go.

The majority of modern firewalls will allow you to block websites of certain kinds. Most have lists of keywords and categories programmed into them, and it is these the firewall matches whenever someone tries to reach such a site. Instead of the screen they expected, the user gets a rather generic-looking, semi-official web page telling them that the site has been blocked by the company due to inappropriate content. Exceptions can be made, but they need to be treated on a case-by-case basis. You can also, in most cases, grant that access to only certain users and still deny everyone else. In this way, everyone knows that there are reasons to grant access to certain sites, that there is a process, and that it has been approved.

Another step admins might want to consider is what amounts to a more or less daily reminder: configure a policy setting so that when a person logs on, he gets a pop-up banner that contains the warning and must acknowledge it by clicking an "OK" button before the logon proceeds. This is done with a GPO in Active Directory and reaches every server and workstation the GPO applies to (with the Default Domain Policy, the whole domain). It is very simple to do. Steps 1 to 3, which open the policy for editing, are listed below the notes on banner wording; the remaining steps are:

Step 4: Double-click "Interactive logon: Message title for users attempting to log on" and enter the title.
Step 5: Double-click "Interactive logon: Message text for users attempting to log on" and enter the notice text.
Step 6: Close the Group Policy Management Editor.
Step 7: Run gpupdate /force on the other machines to apply the policy right away, or just wait for the normal policy refresh.

One thing about the banner: this is a legal document, so don't try to be cute with it. Whatever you come up with should be approved by management.
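Steps 4 and 5 above write two registry values, LegalNoticeCaption and LegalNoticeText, under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which means the banner can also be set from PowerShell, which is handy when you script the build of a domain or want the approved wording under version control. The function below is an added example, not code from the magazine or from Netwrix: it writes the two values either into the named GPO with the GroupPolicy module's Set-GPRegistryValue (needs RSAT or a domain controller, and rights to edit the GPO) or, with -LocalOnly, straight into the local registry of a standalone machine for testing. The GPO name defaults to the Default Domain Policy used in the steps, and the banner wording is placeholder text that must be replaced with what your management and legal team approve.

```powershell
# Added example (not from the magazine): set the logon banner that Steps 4 and 5
# configure in the Group Policy editor, from PowerShell instead.
function Set-LogonBanner {
    param(
        [Parameter(Mandatory)][string]$Title,        # "Interactive logon: Message title ..."
        [Parameter(Mandatory)][string]$Text,         # "Interactive logon: Message text ..."
        [string]$GpoName = 'Default Domain Policy',  # assumed target GPO, as in the steps
        [switch]$LocalOnly                           # write this machine's registry instead of a GPO
    )
    # Both Security Options settings resolve to these two values under this key.
    $key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    if ($LocalOnly) {
        # Standalone or test box: write the live registry directly (needs local admin rights).
        Set-ItemProperty -Path "HKLM:\$key" -Name LegalNoticeCaption -Value $Title -Type String
        Set-ItemProperty -Path "HKLM:\$key" -Name LegalNoticeText    -Value $Text  -Type String
        return Get-ItemProperty -Path "HKLM:\$key" | Select-Object LegalNoticeCaption, LegalNoticeText
    }

    # Domain: store the values in the GPO's registry.pol so the Registry client-side extension
    # applies them on every computer the GPO is linked to (needs the GroupPolicy module and edit rights).
    Import-Module GroupPolicy -ErrorAction Stop
    $null = Set-GPRegistryValue -Name $GpoName -Key "HKLM\$key" -ValueName LegalNoticeCaption -Type String -Value $Title
    $null = Set-GPRegistryValue -Name $GpoName -Key "HKLM\$key" -ValueName LegalNoticeText    -Type String -Value $Text

    # Read back what the GPO now carries, so the change can be checked before Step 7 (gpupdate /force).
    Get-GPRegistryValue -Name $GpoName -Key "HKLM\$key" |
        Where-Object { $_.ValueName -like 'LegalNotice*' } |
        Select-Object ValueName, Value
}

# Placeholder wording that follows the article's advice (private system, monitored, authorized use
# only, consequences spelled out, no names or phone numbers). Replace with text approved by
# management and legal before deploying.
$bannerTitle = 'NOTICE: Authorized Use Only'
$bannerText  = @'
This is a private computer system. All activity on it is monitored and recorded.
Use of this system, domain and network is restricted to authorized users for authorized purposes.
Unauthorized use violates company Internet usage policy and may result in termination,
civil action and/or criminal prosecution. By clicking OK you acknowledge this notice.
'@

Set-LogonBanner -Title $bannerTitle -Text $bannerText
```

One difference from the editor route is worth knowing for anyone who later audits the GPO: the Security Options editor writes these settings into the GPO's security template (GptTmpl.inf), whereas Set-GPRegistryValue stores them in registry.pol. Clients end up with the same two registry values and show the same banner, but in a GPMC settings report the values set this way appear under Extra Registry Settings rather than under Security Options. Step 7 applies unchanged: run gpupdate /force, or wait for the next refresh.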
Don't mention names or post phone numbers: if someone is probing the system, you have just handed them more information to help them do what they want to do. What does need to be mentioned is that this is a private system, that it is monitored, and that use of your domain and network is for authorized users and authorized purposes only. You might also want to mention that unauthorized use is a violation of the company Internet usage policy and can result in termination, criminal charges and/or civil action.

A lot of companies also run their employees through a yearly Internet usage and security training course, so they are reminded of the usage policies and of good network protection habits (which implies an active anti-spam campaign). Between the training, the warning banner and the firewall, we can consider the user warned! And a violation means their indiscretion is on their own head.

Step 1: Open Group Policy Management.
Step 2: Right-click the Default Domain Policy under Group Policy Objects and click Edit.
Step 3: Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, and find the "Interactive logon" settings.

How to Detect Password Changes in Active Directory

A change to a user account's password made by anyone other than a legitimate IT administrator or the account owner may be a sign that the account has been compromised. An attacker who has gained access to the account can read, copy, delete and distribute sensitive data, which may result in a significant data leak.

1. Run GPMC.msc (url2open.com/gpmc) > open "Default Domain Policy" > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy: Audit account management > Define > Success and Failure.

2. Run GPMC.msc > open "Default Domain Policy" > Computer Configuration > Policies > Windows Settings > Security Settings > Event Log > Define: Maximum security log size to 1 GB; Retention method for security log to Overwrite events as needed.

3. Open Event Viewer and search the Security log for event IDs 628/4724 (password reset attempt by an administrator) and 627/4723 (password change attempt by the user).

A few things to keep in mind when reading these events. 627 and 628 are the IDs used by Windows Server 2003 and earlier; 4723 and 4724 are their equivalents from Windows Server 2008 onwards, where the matching Advanced Audit Policy subcategory is Account Management > Audit User Account Management (if advanced audit policy settings are configured in the domain, they take precedence over the legacy Audit Policy category from step 1). In both 4723 and 4724 the Subject fields identify the account that performed the operation and the Target Account fields identify the account whose password was affected, so the case the article is after is a 4724 whose Subject is not one of your known administrative or help-desk accounts. These events are written to the Security log of the domain controller that processed the request, so search every DC or collect their logs centrally. And because "Overwrite events as needed" discards the oldest entries once the log reaches its size limit, anything you may need later should be forwarded or archived before it is overwritten.

See Real-Life Use Cases: netwrix.com/go/password_changes_AD

Next Steps

Try #1 Change and Configuration Auditing Platform:
Free Trial: set up in your own test environment netwrix.com/go/completevisibility
Test Drive: virtual POC, try in a Netwrix-hosted test lab netwrix.com/go/test_drive
Live Demo: product tour with a Netwrix expert netwrix.com/go/live_demo
Contact Sales to obtain more information netwrix.com/go/contact_sales

netwrix.com | netwrix.com/social

Corporate Headquarters: 8001 Irvine Center Drive, Suite 820, Irvine, CA 92618
Phone: 1-949-407-5125
Toll-free: 888-638-9749
EMEA: +44 (0) 203-318-02

Copyright © Netwrix Corporation. All rights reserved. Netwrix is a trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.