Friday, July 17, 2009

Detecting security holes

The remote employee had called the Help desk to request a unique software installation. In this company, employees have limited privileges on their systems and can't install software themselves; instead, they must contact the Help desk for assistance. The Help desk technician initiated a remote session to the employee's laptop and was preparing to remotely install the requested software when she noticed something suspicious: the local Guest account was enabled and given administrator privileges, with a password set to never expire. The company's standard laptop image always disables the Guest account, and the only way the account can be enabled is if an administrator with root privileges changes it. But for an administrator to make such a change is against company policy, and the remote employee couldn't have made it herself. To make a bad situation worse, the Help desk tech noticed that a non-standard piece of software, an FTP utility, as well as a non-standard email program had been installed on the laptop.

Thursday, July 16, 2009

Active Directory Security

Active Directory (AD) holds the proverbial keys to the kingdom for many organizations, and not properly securing AD can leave that kingdom vulnerable. Admittedly, AD isn't easy to secure, but there are some basic steps you can take to ensure your AD infrastructure is reasonably secure. Note that I said basic steps. Security is a trade-off. There are always measures you can take to increase security, but they come at a price, either in terms of actual dollars or the loss of flexibility or functionality. Let me show you five steps that don't cost much to implement but can significantly help secure AD. You can always improve AD security by automating manual processes, such as building domain controllers (DCs), but there hasn't been a programming language developed yet that will automate human behavior. That's why you need to set guidelines on how your administrators should manage AD.

Wednesday, July 15, 2009

How To Audit a Folder

To enable auditing on a folder, open the folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. Be careful which permissions you enable for auditing because you can easily fill up your log with access events. In your case, you want to monitor only for successful uses of the permission that lets a user change an object's ACL: the Change permissions permission. Figure 1 shows that I've enabled auditing of Change permissions on the DeptFiles folder. I've also specified Everyone as the name of the audit entry because I want to audit everyone.

Tuesday, July 14, 2009

Security-related Event IDs

After you enable object access auditing at the system level and for a specific folder, you'll start seeing event ID 560 (Object open) in the Security log. Look for instances of event ID 560, such as the one in Figure 2, in which the Object Name in the description is the name of a folder on which you enabled auditing. Then look in the Accesses field for WRITE_DAC, which is the system name for Change permissions. Figure 2 shows that Fred changed permissions on C:\DeptFiles. In the Security log, you'll also see a subsequent event ID 562 (A handle to an object was closed) with the same Handle ID as in event ID 560. Event ID 562 is just the corresponding close for the open in event ID 560.
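The 560/562 correlation described above, as an added example that is not part of the original post: a small Python filter over a constructed, flattened export of Security-log records (the `EventID|User|Object Name|Handle ID|Accesses` layout, the user names and the handle values are all assumptions made up for the sample) that reports every Object open on the audited folder whose Accesses include WRITE_DAC and notes whether the matching handle close was seen.

```python
from dataclasses import dataclass

# Constructed sample, not real log data: one Security-log record per line,
# flattened as "EventID|User|Object Name|Handle ID|Accesses".
SAMPLE_LOG = """\
560|Fred|C:\\DeptFiles|0x1a4|READ_CONTROL WRITE_DAC
562|Fred|C:\\DeptFiles|0x1a4|
560|Alice|C:\\DeptFiles\\budget.xls|0x2b0|ReadData (or ListDirectory)
562|Alice|C:\\DeptFiles\\budget.xls|0x2b0|
560|Bob|C:\\Public|0x3c8|WRITE_DAC
562|Bob|C:\\Public|0x3c8|
560|Eve|C:\\DeptFiles|0x4d0|WRITE_DAC
"""


@dataclass
class Finding:
    user: str
    object_name: str
    handle_id: str
    closed: bool  # a later event 562 with the same Handle ID was seen


def parse_records(text):
    """Split each flattened record into its fields; Accesses becomes a list."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, user, obj, handle, accesses = line.split("|", 4)
        records.append({"event_id": int(event_id), "user": user, "object": obj,
                        "handle": handle, "accesses": accesses.split()})
    return records


def find_acl_changes(text, audited_folder):
    """Return a Finding for every event 560 on the audited folder (or anything
    beneath it) whose Accesses include WRITE_DAC, i.e. Change permissions."""
    records = parse_records(text)
    folder = audited_folder.rstrip("\\").lower()
    findings = []
    for i, rec in enumerate(records):
        if rec["event_id"] != 560 or "WRITE_DAC" not in rec["accesses"]:
            continue
        obj = rec["object"].lower()
        if obj != folder and not obj.startswith(folder + "\\"):
            continue
        # Handle IDs get reused, so only a 562 *after* this open counts as its close.
        closed = any(r["event_id"] == 562 and r["handle"] == rec["handle"]
                     for r in records[i + 1:])
        findings.append(Finding(rec["user"], rec["object"], rec["handle"], closed))
    return findings
```

On the sample, Fred's and Eve's opens of C:\DeptFiles are reported (Eve's handle has no close yet), while Alice's read and Bob's change on a different folder are ignored.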