5.1. Administrative Security
Administrative security falls into three general categories:
This chapter provides some guidelines for sound administration. Most enterprises today are a heterogeneous environment, that is, some legacy functions reside on creaky old mainframes, some business-critical processes are accomplished on a fairly modern computing core, and lots of client/server networks unite a mixture of Windows and Unix users. Wireless implementations accommodate drop-in users and guests, as well as workers who insist on carrying their work to the lunchroom with them. There may even be a layer of mobile devices, PDAs with radios built in, by which a few workers keep in touch with each other during meetings. Each of these systems requires its own series of administrative practices, and each requires administrators to carefully develop security policies regarding its use.
Actually, in some respects, the highest levels of security are the easiest to attain. Most ultra-sensitive systems use an air wall, that is, nothing goes in or out. Each terminal or workstation connects to its own network, and that network goes nowhere else. None of the users' devices are equipped with floppy drives or removable media. And rogue wireless devices (or, in the old days, rogue modems) are usually considered contraband in this environment.
This environment is practical only in a few disciplined organizations. Most organizations connect users to some kind of server or server cluster via a local area network, and the LAN usually connects at some point to the Internet, usually via a firewall. As this arrangement is most common, the bulk of security policies apply to it, although password administration and certain other tenets, such as division of duties and least privilege, certainly apply no matter what server and network configuration is in effect.
Fortunately, the more esoteric the network, the more administrator documentation the vendors supply to describe the security features of their systems. If your organization has government contracts, you may need to observe more stringent security policies established by the government for high-security sites. When your organization gets a security clearance, you'll find out the details of what you need to do.
It is in the vast bog of PC LANs and wireless networks that most security is made or broken. Because of size, staffing, or budget, some organizations may not have dedicated system administrators charged with security administration. In this case, the burden of security administration is likely to fall on the existing system administrators. If your organization can't afford full-time system administration, or if you don't have the appropriate staff to administer a security policy that adequately protects your equipment and information, you should consider hiring a security consultant on a short-term or periodic basis. Such a person can analyze your security risks and needs, help you set up a workable security policy, and conduct periodic security audits. (See the discussion in the later section "Performing a Security Audit.")