14.3 Administrative Access

Previous page
Table of content
Next page
   

The administrative account, usually known as administrator on Windows systems and root on Unix systems, is the account that has full access to any program or file on the system. The administrative user can also make global changes to the system configuration and add and delete other system accounts. In short, the administrative user has a lot of power.

As has already been established, when a user logs into their workstation, that user is really authenticating against a remote server. Generally there is also a local account for the user created on the workstation. This allows the user to log in, even when not connected to the network. There is a profile associated with each user on a network. There may be multiple users who have the same profile, and these users are generally part of one group .

An administrator has the ability to limit the type of access available to both users and groups. For example, the user Bob may have access to certain file servers and the ability to install some types of software on his machine. Conversely, an administrator may choose to limit the group Accounting so its members only have access to the accounting file server, and members of the Accounting group cannot install any files on their machine.

Obviously, managing security access by group is a lot easier than managing it by individual user, and this is the route most administrators choose. Assigning certain rights and privileges to a group allows an administrator to control traffic flow on the network, and can help prevent unauthorized access to network devices.

This can also create a nightmare for the desktop support group. When users can no longer install their own applications, they will have to be installed by desktop support, which may or may not have the manpower to handle these requests .

It is very important to control the types of applications that are installed on workstations. The easiest way to do this is to not allow anything to be installed; only users with administrative access will be allowed to install applications. This is not always the best answer though. Some users will need to be able to regularly install software for testing purposes, and several calls a day to the support desk can be frustrating, especially during times of heavy testing.

One solution is to give some users administrative access to their workstations. As with the laptops, a user has to fill out a form asking for authorization, and it has to be approved by a manager. The user would also have to be aware of the possible security implications of installing non-approved software. While this will not prevent security breaches from occurring through the installation of bad software, it will reduce the number of problems that occur because of bad software installations.

A second, and more expensive, solution is to create a lab environment where users can test and install software. The users would have full administrative access to the machines within the lab. The lab would have to be carefully managed, and secured, so that not all users have access. The lab would also have to be separate from the network, so workstations within the lab would be unable to launch an attack on the rest of the network.

A third solution is to give users limited ability to install software. Generally administrators accomplish this by limiting the directories that can be written to, preventing any software that overwrites system files from being installed. While this offers an additional level of security, it is most definitely possible to install software that can be used to launch attacks on a network. If some level of control is going to be allowed for users to install software, a list of approved applications should be communicated to users.

Two areas that are especially of concern to network administrators are instant messaging and file-swapping services. Instant messaging services such as AOL Instant Messenger or Microsoft Messenger are used to share short messages with other users on the Internet. They have become a popular communication tool in recent years and provide a great way for users to quickly share information. The problem is that all messages are routed across the Internet to a third-party server, and then forwarded to their intended recipient, even if that recipient is on the same network. The messages communicated between the two parties are unencrypted, adding to the insecurity of these services.

Rather than relying on public messaging services, a better solution is to use one of the private messaging services, like Lotus Sametime or Odigo. They will allow employees to communicate with each other, without administrators having to worry about sensitive company information leaving the network. Putting a corporate messaging system in place is not enough; employees must also use the system. This may mean disabling access to other messaging services. If other instant messaging services are commonplace within the organization, there may be many complaints if they are disabled.

Once again, it is a matter of weighing the security benefits of disabling the services against the needs of the users and corporate policy. Consider this: How much productivity is being lost by users with five messaging windows open simultaneously , especially if none of the people they are chatting with are employees?

File-swapping software has come under a lot of fire because of the nature of the software: It exists so users can download and upload material that is usually copyrighted . More recently some of these services have come under attack because of applications that are bundled with the swapping software. These applications may be used to monitor user movement, help in CPU-sharing systems, or other types of applications that involve using workstation resources and company bandwidth for purposes other than those intended.

Most organizations have set up rules specifically disallowing file-swapping services and blocking access to them at the firewall. They use system and network resources to provide users access to material that may be illegal or contain hidden viruses. These services may also make a company culpable in the event that one of its users is sued for copyright violation. While the political issues surrounding these file-swapping services are murky, and there is validity to both arguments, they should probably be avoided within the corporate network.

The solution most often opted for by companies is to allow users to install some programs, but not be given full access to their machine. This allows users to install some applications that may be useful for work, but not full-blown applications that may not be on the approved application list. In conjunction with this policy, administrators will make a list of the type of software that is not permitted, under any circumstances, on workstations owned by the organization.

Allowing users some freedom to install applications means that fewer desktop support personnel are necessary. At the same time informing users what they should not install, and blocking access to the ports used by known programs in violation of this policy, will help maintain the security of the network.

   

Previous page
Table of content
Next page
The Practice of Network Security. Deployment Strategies for Production Environments
The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
BUY ON AMAZON
Snort Cookbook
Java for RPG Programmers, 2nd Edition
Lotus Notes Developers Toolbox: Tips for Rapid and Successful Deployment
An Introduction to Design Patterns in C++ with Qt 4
.NET-A Complete Development Cycle
VBScript in a Nutshell, 2nd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy