Auditors are usually untrained in all aspects of network issues.
They usually come in and try to "raise suspicion" in order to validate their
VALUE ADDED.

If your management buys it, too bad for you.

If your management questions it, good for them; give them good solid answers
to alleviate their fears.

Make them all happy and "re-evaluate" your security environ... reduce the
allowed logon windows... maybe bump all off from 11pm to 5am... as an
"added" security measure.


Your management has auditors in there to do a job... like it or not.
Go along with them... show your boss you're bigger than they are.



-----Original Message-----
From: Shirley Laliberte [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 7:04 AM
To: NT System Admin Issues
Subject: audit


Our auditors just wrote us up.
Here's their statement: "The Credit Union is not utilizing time/day
restrictions in Windows.  These settings restrict users from gaining network
access during non-business hours. If not set appropriately, these accounts
can be exploited to gain unauthorized access to the network".

We have no dial-up connections to the network.  The only thing we have
set up is to allow a connection to the Exchange server for internet email.
We have eight digit passwords and an account is locked out after 3 invalid
attempts.

I don't believe having logon hour restrictions will improve security but I
would like other opinions.

Opinions???

Shirley Laliberte
Quincy Municipal Credit Union
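
The 11pm to 5am logon window suggested in the reply, worked through as an added example that is not part of either message: it builds and audits the hour-of-week bitmap, assuming the Active Directory `logonHours` layout (21 bytes, one bit per hour of the week in UTC, starting Sunday 00:00, least significant bit first). The account names, the UTC offset of -4 and the sample values are constructed.

```python
HOURS_PER_WEEK = 7 * 24  # 168 bits = 21 bytes

def in_window(hour, start, end):
    """True if a local hour falls in [start, end), handling wrap past midnight."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end

def utc_index(day, hour, utc_offset):
    """Map local (day 0=Sunday, hour) to its bit index in the UTC-based bitmap."""
    return (day * 24 + hour - utc_offset) % HOURS_PER_WEEK

def build_logon_hours(deny_start, deny_end, utc_offset):
    """Bitmap allowing every local hour except [deny_start, deny_end)."""
    bitmap = bytearray(21)
    for day in range(7):
        for hour in range(24):
            if not in_window(hour, deny_start, deny_end):
                idx = utc_index(day, hour, utc_offset)
                bitmap[idx // 8] |= 1 << (idx % 8)
    return bytes(bitmap)

def allowed(bitmap, day, hour, utc_offset):
    """True if the bitmap permits logon at the given local day and hour."""
    idx = utc_index(day, hour, utc_offset)
    return bool((bitmap[idx // 8] >> (idx % 8)) & 1)

def audit(accounts, deny_start, deny_end, utc_offset):
    """Names of accounts that can still log on inside the denied window.
    A value of None means the attribute is unset, i.e. no restriction."""
    denied = [h for h in range(24) if in_window(h, deny_start, deny_end)]
    findings = []
    for name, bitmap in sorted(accounts.items()):
        if bitmap is None or any(
            allowed(bitmap, d, h, utc_offset) for d in range(7) for h in denied
        ):
            findings.append(name)
    return findings

# Constructed sample data: one restricted account, one unset, one all-hours.
RESTRICTED = build_logon_hours(23, 5, utc_offset=-4)
SAMPLE_ACCOUNTS = {
    "teller1": RESTRICTED,
    "svc_backup": None,
    "manager": bytes([0xFF] * 21),
}

if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNTS, 23, 5, utc_offset=-4))
```

Because the bitmap is stored in UTC, the same local window produces different bytes at different offsets, so an audit that compares raw bytes across sites or across a daylight-saving change will misreport.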




http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
