RE: [NTSysADM] Change control....GPO

2013-09-23 Thread David Lum
Thanks guys, I was kind of thinking as much. Ken, great input as always!

Dave


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ken Schaefer
Sent: Sunday, September 22, 2013 4:51 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Change control....GPO

Hi,

IMO:

GPO changes should be classified based on risk:
- the scope of possible issues (e.g. will it impact the domain, an OU, only a 
select group),
- as well as the possible impact of the change (complete outage, major impact, 
minor inconvenience etc.).

It's then fairly easy to draw up an x by y 2D grid:

                         | Scope of Change
Possible Adverse Impact  | Large  | Medium | Small
-------------------------+--------+--------+-------
High                     |        |        |
Medium                   |        |        |
Low                      |        |        |

Then you base your process around the risk weighting:

- Changes that would result in a green box can be handled by creating
  an incident ticket [1]
- Changes that are orange require your normal change management process
- Changes that are red require CAB approval, plus some other additional
  review.

You may have some special process, or mandatory weightings, for privileged 
accounts, machines etc. E.g. changes to servers that the Board (or executive) 
store their documents on, plus their workstations/accounts, changes to security 
infrastructure etc.
You don't want to send every change to CAB - otherwise you'll get bogged down 
in every minor change (e.g. adding or removing a single site from an IE zone).

Cheers
Ken

[1] You may want to limit these to a set of pre-approved standard changes. 
The CAB would agree to a blanket approved change that can then be reused for 
each subsequent individual change. If the change doesn't fall into a 
pre-approved category, it can be approved by an offline CAB.



RE: [NTSysADM] Change control....GPO

2013-09-22 Thread Ziots, Edward
+2, Definitely agree that GPO change, or modification which will impact the 
workstation environment, should go to change management.

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-255-2497


This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.



RE: [NTSysADM] Change control....GPO

2013-09-21 Thread Brian Desmond
+1. I've seen this pivot in highly regulated environments where the GPO affects 
a controlled asset/system then it's much more rigid.


Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of William Robbins
Sent: Friday, September 20, 2013 10:08 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Change control....GPO

Most of the environments I've worked in treat GPOs depending on level of 
impact. Domain-wide, go to Change Control processes. OU level required 
manager for that OU's sign off. GPOs making maintenance changes with low risk 
are treated the same as user account creation. HD Ticket or similar to track 
request and work.


 - WJR






[NTSysADM] Change control....GPO

2013-09-20 Thread David Lum
For you guys with a pretty well defined change control process - are 
incremental GPO changes (in this case we have a GPO that controls IE's trusted 
sites, I want to add enable auto logon with current credentials for sites in 
trusted sites) reviewed by people before the change? I'm thinking in larger 
environments it might be submitted by one person, reviewed and approved by 
another but not necessarily held until a formal change request meeting is 
convened?

Normally I'd just whip this change out, but I need to think about the 
accountability process in general.
David Lum
Sr. Systems Engineer // NWEA™
Office 503.548.5229