Auditing Remote System Administration

Generally, administrating a network consists of updating user accounts, examining logs, establishing and maintaining standard configurations, and installing and updating software. Administrators perform these tasks from either the location of the workstation or server or from a remote location. For the administration team who has several hundred servers and several thousand workstations, handling these tasks remotely is the most effective and efficient way of doing business.

Here are a few considerations that should be part of the auditor's program in systems with remote configuration capability:

• Ensure that the system accepts administration commands from only an authenticated administrator. Client systems must use strong authentication and traffic encryption mechanisms. Under no circumstances should the administrator send her password in clear text to the system on which she is going to work. The only logical exception for transmitting the user password in clear text is the use of one-time passwords transmitted from the administrator and accepted by the target system.

• Auditors must ensure that the system permits administration to take place from the authenticated host only. It is important that the system receiving the administrator's attention authenticates her identity through means distinct from IP addresses or DNS names, as attackers can easily spoof (falsify) such information. In the case of UNIX, using an authentication tool such as secure shell, SSH, is recommended. In other cases, establishing a VPN, Virtual Privacy Network, where the identity of the administrator is assured and the computer traffic is encrypted through a tunnel, is also highly recommended.

• Auditors must ensure that all administration tasks are operating at the minimum privilege necessary. Administrator tasks should only be performed at minimum privilege levels and not higher. It is a wise consideration to review the separation of duties among administrators so privilege levels are restricted to just a few employees. Of course, the size of the operation will generally dictate the number of privileged individuals. This procedure eliminates risks in having a single point of failure with one administrator.

• Auditors must ensure that administrator information cannot be intercepted, modified, or read by attackers. Mechanisms such as encrypted traffic or VPNs will go a long way ensuring that traffic travels between the administrator's system and the system being serviced in a private and unaltered fashion. If the administrators' communication packets can be read by unauthorized persons, not only does this pose a serious risk to the target system, but this information could be used to attack other systems.

• Auditors should determine if administrators have created checksums of critical system files before placing the system in a production environment. This will permit administrators to know if important files have been altered, deleted, or created by attackers hoping to corrupt the target system.