March 7, 2014
By Brian Svidergol
We begin a series of posts about aspects of securing Active Directory administration, written by Brian Svidergol. There will be three parts to this series, each dedicated to a specific problem around securing Active Directory administration, with some thoughts on each of the areas:
- Principle of least privilege. While many administrators have heard this term and understand the basic concept, it doesn’t always correlate to the configuration of their environment. On the plate today – internal security incidents, examples of privilege escalation, and minimizing issues.
- Infrastructure considerations. Let’s talk about subnets for administration, administrative servers, and administrative client computers.
- Auditing/monitoring/alerting. Why you should audit success and failure, how monitoring plays into securing Active Directory administration, techniques to reduce alerting so that you take action when alerts come in.
Security is a big topic these days, especially in light of the recent attack on Target and other major retailers. Often, the focus after a major attack is securing IT systems and diving into corporate security policies to mitigate future risk. However, in my travels, I’ve found that there is one area that sometimes doesn’t get quite the attention it deserves – securing IT administration. For this blog, I’m talking specifically about administration of Active Directory including domain administration, object administration, and related administration for directory services related technologies.
Today's post covers how the principle of least privilege applies to Active Directory administration.
Wikipedia has a good introduction to the principle of least privilege. In the simplest definition, the principle of least privilege means that Active Directory administrators have only the minimum required permissions to perform their job tasks. Of course, the principle of least privilege extends to all of IT and beyond, but I am strictly covering it from an Active Directory administrative point of view for this blog post.
Internal security incidents. Look around on the internet and you’ll find wildly different tales about how severe (or not) the internal risk is for IT security. I’ve seen reports that only 15% of security breaches occur from the internal network. I’ve seen other reports that show over 50% of security breaches occur from the internal network. Securing Active Directory administration isn’t really about where the incidents originate from or whether the malicious individual is an insider or an outsider. In many cases, Active Directory is highly likely to be a key target, because once a malicious individual owns Active Directory, the individual can begin owning a myriad of other systems by using privilege escalation. A few examples, including privilege escalation, are:
- Microsoft Exchange. While Exchange administration is sometimes performed by a totally different team than Active Directory administration, the permissions are doled out by using Active Directory groups. If you control Active Directory, you can add yourself to the appropriate groups and take complete control of the entire e-mail environment. That means access to the CEO’s mailbox, the ability to copy vast amounts of confidential mailbox data, the ability to take on the identity of a highly privileged IT user (such as a DBA with access to sensitive data) – just send an email as the DBA to gain additional access.
- Microsoft Lync. Same situation as Exchange. Role-based access built on Active Directory security groups. Add yourself to the appropriate groups and you can suddenly send an instant message as anybody in the entire organization. You can hijack Lync meetings, redirect phone calls, and log conversations.
- File shares. The vast majority of file shares are secured by using Active Directory security groups. It isn’t uncommon for the most confidential and sensitive data to be stored on file shares – HR data, payroll data, corporate litigation data, and more. A malicious user that owns AD can use PowerShell to quickly grant himself access to every file share on the network.
You can see how things can quickly spiral out of control if a malicious individual owns your Active Directory! Here are some tips to help minimize issues and apply the principle of least privilege in your AD environment. Start by looking at all of the Active Directory delegation currently in place. I’ve found the following delegation issues to be common:
- The helpdesk personnel can reset the password for most or all of the Active Directory user objects. For example, if helpdesk personnel can reset the DBA’s password, then effectively they can gain access to anything that the DBA can, if they so desire. Even if your helpdesk staff aren’t malicious people, outside attackers are always looking for the easiest way in. They don’t always go straight after a Domain Admin account. A phishing attack on a few helpdesk personnel may be all that they need. Recommendation: ensure that helpdesk personnel can reset only the appropriate passwords (this will vary by environment). In some organizations, this means that the helpdesk can’t reset any IT passwords or executive passwords, and those have to be handled by another team or a secure self-service method.
- Delegation to a single user object. In this case, IT administrators have only a single user object. The user object is used for IT administration, surfing the internet, and reading email. Luckily, this issue has been publicized extensively and some companies are taking action to separate administrative accounts from general corporate usage accounts. If you haven’t already gone down this road, it is a huge win to do it. The phishing attacks, browser exploits, and other attacks that are often used to break into networks become much less effective (and often just an annoyance).
- Service accounts in the Domain Admins group. This one really drives me crazy. I’m sure many of you feel the same way. And, like me, you’ve probably run across a situation where a network/DBA/application admin has requested a new service account and mentioned that the vendor said that the service account has to be a member of the Domain Admins group. The first step in these situations is to ask for the official vendor documentation. Hopefully, you’ll be able to derive exactly what is required and delegate it appropriately using the principle of least privilege. Often, vendors don’t actually know exactly what’s needed and they go the lazy route – Domain Admin. This puts IT admins in the uncomfortable position of choosing between placing the service account into the Domain Admins group or spending 50 hours of work trying to ascertain the minimum level of permissions needed. In any event, sometimes relying on IT forums will help, because other admins may have already found the solution!
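The following PowerShell script is an added example, not code from the original post, that checks for two of the delegation issues listed above: accounts in Domain Admins that look like service accounts, and principals holding "Reset Password" rights over an OU. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the domain; the OU distinguished name is a placeholder to replace with your own, and the "looks like a service account" heuristics (SPN set, non-expiring password, svc/service naming) are assumptions to adjust to your naming conventions.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module
# and read access to the domain. The OU below is a placeholder.
Import-Module ActiveDirectory

# --- 1. Domain Admins membership, flagging members that look like service accounts ---
# -Recursive expands nested groups, so accounts hidden behind another group are caught.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, LastLogonDate, Description

    # Heuristics (assumption): an SPN, a non-expiring password, or an svc/service prefix
    # usually indicates an account that runs a service rather than a person.
    $hasSpn = ($u.ServicePrincipalName.Count -gt 0)
    $looksLikeService = $hasSpn -or $u.PasswordNeverExpires -or ($u.SamAccountName -match '^(svc|service)[-_]')

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
        LastLogonDate        = $u.LastLogonDate
        HasSPN               = $hasSpn
        LikelyServiceAccount = $looksLikeService
        Description          = $u.Description
    }
}

'=== Domain Admins (recursive), likely service accounts first ==='
$report | Sort-Object LikelyServiceAccount -Descending | Format-Table -AutoSize

# --- 2. Who can reset passwords under an OU? ---
# "Reset Password" in the delegation wizard is the User-Force-Change-Password extended right,
# rightsGuid 00299570-246d-11d0-a768-00aa006e0529. GenericAll implies it as well.
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ou = 'OU=Users,DC=example,DC=com'   # placeholder: the OU your helpdesk is delegated on

$acl = Get-Acl -Path ("AD:\" + $ou)
$resetAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        ($_.ActiveDirectoryRights -match 'GenericAll') -or
        ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
         ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq [guid]::Empty))  # Empty GUID = all extended rights
    )
}

"=== Principals allowed to reset passwords under $ou ==="
$resetAces |
    Select-Object IdentityReference, IsInherited,
        @{ n = 'Scope'; e = {
            if ($_.ActiveDirectoryRights -match 'GenericAll') { 'GenericAll' }
            elseif ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' }
            else { 'Reset Password' } } } |
    Sort-Object IdentityReference -Unique |
    Format-Table -AutoSize
```

Run the second part against each OU where you have delegated password resets; any identity in that list can take over every account in the OU, so the list should contain only the teams the post says should be there, and "All extended rights" or "GenericAll" entries deserve a second look.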
In the next post you will be able to learn more about infrastructure considerations.
Posted in Articles | Tagged active directory administration, securing active directory
March 4, 2014
By Richard Muniz
We continue a series of articles about aspects of a SOX audit by Richard Muniz. The first one covers the challenges of an internal audit, network security and some common mistakes IT pros make. The second one illustrates how SOX audit results can show IT pros what needs to be fixed. Here is the third article, explaining the problem of shared temporary accounts and the risks this creates.
Boy, did we walk into that one. And the Bride of Dracula took us apart on it, and sadly we did it to ourselves. And boy did it offend the heck out of us when called on it. After all, we’d been doing things this way for years, and never, ever, even once, had a problem.
But I can’t blame her for taking the shot! We’d put ourselves into the position of a deer that takes the same trail to water every day. Given that, who could blame the wolf for waiting for an easy meal.
Here’s what we were doing. Before we ever became a public entity and SOX reared its ugly head, we’d hire all manner of temps. They’d be here for a week to 3 months and then be gone. In the interest of making things easier, we had a handful of temp accounts. We’d simply assign one to the new temp and call it good.
With hindsight being 20/20, I understand perfectly what she was saying. “It’s like this,” she explained patiently. “Temp1 logs in and does something. They leave, and a few days later, we hire another person, giving them the same user name. It confuses things.” Well, from just the administration point of view, she was absolutely right.
For example, HR brings some temps in and sends us a request to assign them user accounts, etc. Since there was such a big revolving door for temps, it became hell on earth to keep track of all the comings and goings. And indeed, there had been a couple of incidents. Sometimes the temp would leave, and we just never knew. So there we had an active account, with a password known to a third party who was no longer with us, out in the wild. Or we’d find out someone had left, and we’d end up disabling the wrong account.
The best practice is simple. A username is a username, and it should be associated with only one person. If a temp is hired, even if it’s just for a week, assign them a username that is associated only with them. Example: if the user is John Smith, then his username would be something like jsmith or johns, but never temp1.
We want to be able to go through logs and see what that user did, and to do it with no questions or confusion.
In short, if it could be used by someone else, we don’t use it.
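As an added example (not part of the original article), the PowerShell below looks for the kind of generic "temp1"-style accounts the article warns about and reports whether each is still enabled and when it last logged on, which is exactly the "active account with a password known to a departed temp" situation described above. It assumes the ActiveDirectory module is available; the naming pattern and the 30-day idle threshold are assumptions to adapt to your environment.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: generic/shared accounts follow names like temp1, contractor2, guest, intern3.
$genericPattern = '^(temp|contractor|guest|intern|shared)\d*$'
$staleDays = 30                                  # assumption: idle longer than this is suspicious
$cutoff = (Get-Date).AddDays(-$staleDays)

# Enabled is returned by default; the other attributes must be requested explicitly.
$candidates = Get-ADUser -Filter * -Properties Description, LastLogonDate, PasswordLastSet, whenCreated |
    Where-Object { $_.SamAccountName -match $genericPattern }

$findings = foreach ($acct in $candidates) {
    # An enabled account nobody has used for a while is the one whose password may be
    # "out in the wild"; an enabled account in use needs mapping to a real person.
    $risk = if (-not $acct.Enabled) { 'Disabled' }
            elseif (-not $acct.LastLogonDate -or $acct.LastLogonDate -lt $cutoff) { 'Enabled, idle' }
            else { 'Enabled, in use' }

    [pscustomobject]@{
        SamAccountName  = $acct.SamAccountName
        Risk            = $risk
        LastLogonDate   = $acct.LastLogonDate
        PasswordLastSet = $acct.PasswordLastSet
        Created         = $acct.whenCreated
        Description     = $acct.Description
    }
}

$findings | Sort-Object Risk, SamAccountName | Format-Table -AutoSize
```

The report gives you a starting list for replacing each generic account with a per-person username, as the article recommends; the "Enabled, idle" rows are the ones to disable first, and LastLogonDate is replicated only approximately, so treat it as a rough indicator rather than an exact timestamp.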
Posted in Articles | Tagged SOX audit, temp accounts, username best practices
February 25, 2014
By Nick Cavalancia
When stories come up in the news about data breaches, if you’re like me, you tend to gloss over them if they seem similar to something you’ve already read. I almost did that today. But something in this story really got my attention.
There’s a story this week about Neiman Marcus being hit by hackers who gained access and moved about their systems obtaining about 350,000 credit card numbers over a three-and-a-half month period! First red flag, right? Right. So after hearing that, the next obvious question is “Didn’t they know about any of this activity?” Surely a company as large as Neiman Marcus would have security logs in place and some kind of alerting system.
Not only does Neiman Marcus have a system to log and alert on security incidents, but that system triggered 60,000 alerts over the same period of time. 60,000???? Why didn’t anyone notice?
A quote from their spokesperson provides some insight: “These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day.” The math loosely translates to nearly 600 entries a day in a sea of the “tens of thousands of entries every day”. Neiman Marcus isn’t alone – every IT organization faces the same event log overload.
So what changes to security in your critical IT systems are being missed? Security changes in Active Directory, which is the basis of access to just about everything in the Microsoft world, or, closer perhaps to the Neiman Marcus story, changes to security in SQL Server, which can house your company’s most sensitive data, are imperative to audit on an ongoing basis. Without auditing IT changes, you run the risk of security being compromised without ever knowing it, as in the Neiman Marcus breach… well, at least not until it’s too late.
Posted in Articles | Tagged data breaches, endpoint protection logs, security logs
February 20, 2014
By Brian Keith Winstead
Does your business get audited by outside agencies? If you handle sensitive data, such as customer credit card numbers or patient health information, there’s a good chance you do. And the approach of auditors probably fills most IT professionals with a certain amount of dread. Cue Blue Öyster Cult’s “(Don’t Fear) The Reaper.”
TechTarget’s SearchSecurity recently posted an article to take some of the fear out of the auditor’s visit, “Pre-audit planning: Four keys to a successful IT security audit.” Author Steven Weil, a senior security auditor, offers useful advice for making audits both useful and as painless as possible for the auditor and the IT team (and by extension, the business). However, the one point Weil doesn’t mention under “Advance preparation” is that your organization should have regular self-monitoring in place.
Using a solution such as Netwrix Auditor will make visits from the auditor less of a burden. In addition to giving you early warning of potential compliance problems, allowing you to address these issues before an auditor ever sees them, monitoring the configuration of your environment should allow you to produce the necessary information or reports when the auditor is present. If nothing else, you’ll have the peace of mind of knowing how you’re doing before it becomes necessary.
Weil makes one point in his article that I think is worth reiterating, and that is: It’s OK to say, “I don’t know.” Many people, particularly in stressful situations such as an audit or a job interview, feel like they have to provide an answer, even if they don’t really know the information. Rather than giving a weak or dishonest answer, you’ll find yourself in a much stronger position if you say, “I don’t know, but I can find out that information for you.”
In the case of an audit, that required information will be much easier to find if you’re running a reliable monitoring solution. In fact, you’ll probably find yourself even less likely to be in the position to answer with “I don’t know.” So, check out Netwrix Auditor, and read this article to see what else you can do to prepare for those visits from the auditor.
Posted in Articles | Tagged information security, infosec, network auditing, Network Security
February 18, 2014
By Nick Cavalancia
Participate in Netwrix’s “2014 State of IT Changes” survey and be entered to win one of five $50 Amazon gift cards. This simple 12 question survey focuses on how you and your organization look at changes to your IT infrastructure, whether you use change management, and the impact of changes made.
Take 5 minutes, tell us about the state of changes in your organization and be entered to win a $50 Amazon gift card.
Hurry up and take the survey now; this offer expires on February 21st!
Posted in Promotions
February 3, 2014
By Jeff Melnick
Date: Thursday, February 20, 2014
Time: 2:00 PM EST
Active Directory Auditing Headaches (and How to Solve Them)
Keeping tabs on changes to Active Directory can be a challenge for even the most experienced IT administrator. From auditing privileged user activity, tracking privileged group access, to monitoring changes to the structure of your AD forest, staying on top of these developments can consume lots of IT resources. Throw in the additional security risk of outside elements trying to get access to your IT infrastructure, and the need to keep on top of anything that goes on in AD is a must.
In this webinar, Microsoft MVP and Petri IT Knowledgebase Editor John O’Neill will help you identify some primary AD auditing headaches and present tips and advice on how to manage them. Nick Cavalancia from Netwrix will join to discuss what tools are available to help address these headaches and show how Netwrix Auditor can help manage AD changes.
Posted in Promotions | Tagged active directory auditing, ad audit
January 31, 2014
By Nick Cavalancia
So last year, Matt Buchanan at Gizmodo decided that February 1st would be a day everyone should take the opportunity to change their passwords, so that some semblance of security is maintained at least once a year.
It’s a great idea. I think of the non-techie types in my life and realize the last time they changed their password was the time they forgot it and reset by calling, say, their Internet provider.
So for the common individual – be safe and change your password! But what should organizations do about passwords? IT pros have already implemented password expiration settings, which have been part of Active Directory and other directory services for years.
So is there anything left for IT to do on National Change Your Password Day?
The answer is a resounding YES. There are a few “Changes” of your own you can make.
Change your Notifications
Organizations today have a mix of local and remote users running Windows, Mac and Unix-based OSes with some users only utilizing web-based access to corporate email. If that’s your company, you need to have a consistent way of letting users know their password is about to expire.
The simple answer is to utilize the one service everyone utilizes: email. By sending a reminder email about an upcoming password expiration, organizations can not only ensure users take action, but also lower support costs from those calls to the helpdesk once passwords expire.
We have both a freeware and paid solution to this problem with Password Expiration Alerting. There are obvious differences in features between the solutions, but you will find both to provide value in addressing the need for password notifications.
Change your Change Method
We’re expecting users to know how to reset their password. But more often than not, it’s just not as simple as we think. Add to the mix a situation where a user doesn’t remember what their password was, and you have yourself a helpdesk call that raises the cost of IT.
Having a password management solution in place that allows the user to both identify themselves with a series of questions, and the ability to reset their password from a web browser (so they can be on any OS, local or remote, etc.) is the answer.
We recently made our password management solution, Password Manager, free to organizations with up to 100 users. So if you have less than 100 users, you can utilize Password Manager with no limitations whatsoever free of charge! If you have more than 100 users, Password Manager is available as a paid solution and can be downloaded for evaluation.
Change How You Manage Passwords Day
So in the spirit of maintaining security on National “Change Your Password Day”, I’d like to propose that you take a look at the free and paid solutions Netwrix has to offer to not just make your organization more secure, but also simplify the process of doing so.
Happy Change Your Password Day!
Posted in Promotions | Tagged password expiration, password reset
January 29, 2014
By Richard Muniz
I’d made the statement in my earlier blog that SOX is a lot about good, old-fashioned security. Well, this is the beginning of reinforcing that statement, and illustrating how SOX audit results can show you what needs to be fixed.
In a nutshell, a service does something. It can be as mundane and simple as executing a small program, or it can be as monumental as running a huge program. The service requires two things: a user name (often self-generated, or often recommended in the install manual) and a password (usually anything we want). Often it’s an Active Directory user account; sometimes it’s strictly a local account.
Point number two on the Bride of Dracula’s hit parade was the plethora of service accounts we had. We had one to run Exchange, another to run backups, one for this, one for that, and all in all it amounted to some 167 accounts. From where she sat, this was 147 too many.
And that was the tip of the iceberg. Service accounts, whenever they’re generated, almost always have elevated permissions and privileges. They need to be able to reach into systems, especially remote systems, and do whatever they need to do. Even local services will often have elevated privileges. And this is what makes them so appealing to an attacker.
Here’s how this works. The attacker is, more often than not, someone who has an ax to grind with the company (know anyone like that?). Now usually what they do is something like this; it begins in the mind. This individual, usually a systems admin with some really serious permissions, gets it in his or her head that they’ll be axed from the company sooner or later. So, what they do is go out and identify an account, usually a service account, and then elevate its privileges. What do they do? Oh, maybe give it VPN access, for instance, or whatever the case might be. They do this because it gives them an advantage. First, it’s an ID that isn’t going to go away (after all, we need that account). Second, the password probably isn’t going to change. Thirdly, no one’s watching. So right there we’ve got a recipe for terrible things to happen.
So, his/her worst nightmare comes true, they’re indeed let go, and so in a fit of rightful vengeance (translation – stupidity), they come in and do something nasty to the network like dump data and etc.
What our auditor was really saying was that we were flirting with disaster. We had so many service accounts that they were all but impossible to police; some of them were local service accounts (and we had no clue in most cases what they did or even where they were). There was no formalized way to change passwords, and if someone did something with one, no one knew it.
So, how do you find the service accounts? First, someplace, somewhere, they need to be listed. A lot of folks use nothing more than a simple spreadsheet to do this. Word of advice here if this applies to you: this should be encrypted, the password to decrypt it should be given to only a handful of people, and you need to audit it as well. It might even be a worthwhile idea to maintain a couple of lists: those that the regular everyday sysadmin might need, and then the super secret stuff we don’t want floating about.
A lot of people seem to have an issue or two with locking some of the people out of certain stuff. They say it’s about trust. And it should be. I’m not saying every sys admin out there is waiting to put the screws to you. What I am saying is there are some things you just don’t want everyone to know. As Spock told Harry Mudd, “The problem is I do trust you. But only to a point”.
OK, let me get off my soap box, and back to reality.
Before we dive into how to identify a service account, one thing you should know. Each and every service account should be IDed as such. There’s nothing wrong with putting in the description that this is a service account. Other times, some outfits will go out and construct a bogus user account, one that is in truth a sort of “Master” service account. Again nothing wrong with that, so long as you know it and have it annotated someplace, somewhere.
Also, it’s not unusual to have Active Directory Service accounts stashed away in their own OU. This makes administration a bit easier, not to mention just makes things look better from the general housekeeping perspective.
But if you don’t know where they are, local service accounts are really easy to find. One way is to use PowerShell. The command is really easy:
get-wmiobject win32_Service | format-table name, startname, startmode
You run this of course on a local system.
Now right about now, someone is asking how to find an Active Directory managed service account. Well, there’s the gag. You really can’t. The only way you’ll find them is going to your servers, and running the command I listed above. It’s a process of elimination, but one that works.
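The script below is an added example, not part of the original article, that turns the one-liner above into the server-by-server "process of elimination" the article describes: it queries Win32_Service on a list of servers, drops the built-in identities (LocalSystem, LocalService, NetworkService and per-service NT SERVICE virtual accounts) that are not service accounts in the audit sense, classifies what remains as local or domain accounts, and groups the result by account so it can seed the encrypted list the article asks for. The server names are constructed placeholders; it assumes WMI/DCOM access and administrative rights on each target.

```powershell
# Added example (not from the original article). Server names are placeholders;
# the script needs WMI (DCOM) access and admin rights on each server.
$servers = @('SRV-EXCH01', 'SRV-BACKUP01', 'SRV-APP01')

# Built-in identities that are not "service accounts" in the sense the audit cares about.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',   'NT AUTHORITY\LOCALSERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORKSERVICE'
)

$inventory = foreach ($server in $servers) {
    try {
        $services = Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "$server`: $($_.Exception.Message)"   # unreachable or access denied: note and move on
        continue
    }

    foreach ($svc in $services) {
        $account = $svc.StartName
        if (-not $account) { continue }                     # kernel drivers carry no StartName
        if ($builtIn -contains $account) { continue }
        if ($account -like 'NT SERVICE\*') { continue }     # per-service virtual accounts

        # ".\user" or "SERVER\user" is a local account; "DOMAIN\user" or "user@domain" is an AD account.
        $kind = if ($account -match '^\.\\' -or $account -like "$server\*") { 'Local' }
                elseif ($account -match '\\|@') { 'Domain' }
                else { 'Unknown' }

        [pscustomobject]@{
            Server    = $server
            Service   = $svc.Name
            Display   = $svc.DisplayName
            Account   = $account
            Kind      = $kind
            StartMode = $svc.StartMode
            State     = $svc.State
        }
    }
}

# One row per account: how many accounts really exist, and where each one is used.
$byAccount = $inventory | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Name
        Kind     = ($_.Group | Select-Object -First 1).Kind
        UsedOn   = ($_.Group.Server  | Sort-Object -Unique) -join ', '
        Services = ($_.Group.Service | Sort-Object -Unique) -join ', '
    }
}

$inventory | Sort-Object Account, Server | Format-Table -AutoSize
$byAccount | Sort-Object Kind, Account | Format-Table -AutoSize
$inventory | Export-Csv -Path '.\service-accounts.csv' -NoTypeInformation   # raw material for the encrypted list
```

Feed the server list from Active Directory (for example, the computer objects with a server operating system) rather than typing it by hand, and re-run it periodically: an account that appears on a server where it was not in the last run is exactly the kind of change the article says no one was watching for.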
So, since these things are easy to subvert, how do we keep an eye on them?
Well, there’s a lot of ways. One is to keep an eye on things in Active Directory. Netwrix offers a great solution for AD audit, and one that will have your auditors falling in love with you. If you set this up right (in short it counts off for typos), every morning you’ll get an email report showing whatever changes that happened the day before.
The idea is this. Every change reported SHOULD be backed up by a corresponding Change Management request. Print the reports off as a PDF and tuck them away for your auditors. Do realize any gaps in coverage will have to be explained, so try not to lose any. If you do lose something, better draft up a Memorandum for Record (MFR). It’s one more piece of the eternal quest to cover our backsides.
Some folks will no doubt wonder if they could automate this process so the reports get printed off without human interference. Of course they could, but that kind of defeats the purpose of having the software in the first place. The idea is that we have to look at it and evaluate what the heck is going on before we ever file it away.
Next time, we look at events you might want to know about. Till then, have a great day.
Posted in Articles | Tagged SOX audit
January 22, 2014
By Richard Muniz
The young lady that was reviewing our audit with me sure didn’t look like a vampire. But as she dug deeper and deeper into our results, I began to feel myself getting weaker and weaker, just as if she were sucking my life blood from me. What she was sucking away from me was much less than blood, and more pride. What she was really and truly talking about was Network Security 101a, and I’d just gotten an F-. I’d always prided myself upon being able to keep issues at bay and pay attention to network security, and here I’d just been told that I’d missed the basics.
Let’s take a look at error number one, one she didn’t have to point out, but one I began to realize was there. I looked at her and thought, “Who the heck are you to tell . . .” And I began to realize the lesson was one I’d seen before. What I was seeing was Pride, and she was trampling all over it. I also knew that Pride can be a huge failing. I looked at it and I began to realize I wasn’t alone in that one. My colleagues in Dallas (no names please), were twice as guilty as I was. They’d been through audits dozens of times, and had always failed them. And I’d heard it from their own lips, “These people don’t know how to run an enterprise IT department”. I began to realize that it was impossible to pass if you let your pride get in the way. Their pride was preventing them from learning from their own mistakes.
Let me put it another way. For those of you who have ever been in the US Army, you know of a place called the National Training Center at Ft. Irwin, California. This place isn’t exactly the middle of nowhere, but there are road signs pointing to it from there. It’s out in the Mojave Desert, and America’s best go out there to prove their mettle against the opposing force that rules the desert. These guys play with inferior equipment, use tactics we look down on, and if you even manage to break even against them, well, you’re doing pretty good. Failing at NTC wasn’t a bad thing (everyone does); what was bad was failing to learn from your mistakes. Since I’d been to NTC several times (and of course died a number of wild and embarrassing deaths), I began to realize that just as NTC prepares you for a real war, what I’d just gone through was preparing me for the real audit.
There are two kinds of audits: the internal audit and the external audit. Of the two, the internal audit is the one that is much more detailed, much more stressful, and much more unforgiving. The reason is simple. The external audit will most likely focus on one or two things, and may or may not even be IT related. Problem is, no one knows what the external audit (and this is the one that generates a report that goes to investors, etc.) will look at. They might even take the internal auditors’ results and call them good if they feel they’re valid. So internal auditors, of whom the Bride of Dracula was one, are simply hired guns who go out and find your weaknesses. It’s OK for them to find weakness. What isn’t OK is to do nothing about it.
In my own defense, I’ll say, I didn’t know the game yet. SOX was a mystery wrapped inside a puzzle and clothed in an enigma. But I also began to realize that if I was ever going to beat the External Auditor, I needed to beat the Internal Auditors first.
So what are the basics, and how do you go from an F- to a solid A+? Basics are what they look for in any audit, and part of that is keeping things written down (if you don’t write it down, it didn’t happen), so in this and the next several blogs, we’re going to tear apart the audit process and learn how to beat them at their own game.
What she was talking about was basic network security. What she was talking about was checks and balances, the very thing I knew I was after anyway. So rather than fight it, I took it as a chance to learn. I needed to learn to beat them, and at the same time, I would enhance my security posture.
So, with that in mind, Let us begin. In the next several blogs, we’ll cover many of the mistakes people make, learn how to detect them, and what to do about them. We’ll also begin looking at the hardest thing of all, writing things down.
So, next week, we dive in with both feet and start looking at keeping track of Active Directory changes.
Stay safe out there.
Posted in Articles | Tagged basic network security, internal audit, network security 101, tracking Active Directory changes
January 17, 2014
By Jeff Melnick
Petri.co.il, a trusted online resource for IT pros, has conducted a product review of Netwrix Auditor, our flagship solution for IT systems auditing. During the review, Netwrix Auditor was put through its paces in Petri’s test lab, harder than ever before.
We are excited to announce that Netwrix Auditor received an unbelievable 5-star rating proving the effectiveness of its powerful change auditing engine!
Here are the key strengths of Netwrix Auditor mentioned by John O’Neill, an analyst from Petri.co.il:
1) Broadest Coverage of Audited Systems
“It would probably take less time to list the seemingly few items it cannot audit. Whether it be VMware infrastructure, EMC SANs, Active Directory, or just basic Windows Events, Netwrix Auditor 5.0 does a great job giving IT pros detailed introspection into their IT environments.”
“It’s almost a conundrum to expect software to be both full featured and simple to use. Netwrix Auditor 5.0 is precisely both.”
“Just remember the old adage, “you get what you pay for.” With Netwrix Auditor 5.0 you definitely get a lot.”
At the end of 2013, Netwrix Auditor received excellent scores in the product reviews by Redmond Magazine and WindowSecurity.com. Netwrix Auditor was also chosen as the Best Auditing & Compliance Product by the Windows IT Pro community. That being said, the review from Petri.co.il definitely serves as a mark of recognition by the worldwide IT community.
Posted in Awards | Tagged IT systems auditing