You guys are much more security conscious than I am. That being said, I would probably have the following security philosophy if I went "all out":
1. All users use their own login. No "Local Administrator" or "Domain Administrator" account usage unless absolutely necessary. That way, all users are tracked by username... and if an account is compromised, it can be reset or revoked.
2. All local administrator account passwords would be randomly generated, individually for each machine. A database (or perhaps a 3rd party program designed for the job) would be used to maintain the list of passwords for each machine. Local Admin passwords would be changed quarterly.
3. All web browsing would be done with "Live CD" style browsers, aka the Browser Appliance available for several VM solutions. Files that need to be transferred to a server would only be allowed through specified shares.
4. Specified shares would be virus/malware protected. Deep scans enabled.
5. All non-essential computers would have internet-only access. There would be no "Corporate LAN" accessible to any desktop. All traffic that needs access to the DMZ would be delivered over VPN.
7. All servers would be installed in a mode without a GUI (Console mode for Windows, no X for Linux.)
8. All administration of servers would be done from a trusted VM outside the DMZ. Specific VPN rules (which can be tracked) would allow it to contact the server DMZ, only allowing the necessary ports to run. All programs on this VM would be whitelisted, otherwise not allowed. Access to this VM would be restricted to the person(s) that require it. If the organization was large enough, specific roles would be delegated to different VMs with different user access restrictions.
9. Two-factor authentication would be implemented.
10. Physical security would be upped. No unauthorized access. Camera system in place.
11. All users would have to learn the secret handshake.

I'm sure there are other things that could be done, but this makes sense to me.
--Matt Ross
Ephrata School District

----- Original Message -----
From: Kurt Buff [mailto:[email protected]]
To: NT System Admin Issues [mailto:[email protected]]
Sent: Tue, 28 Feb 2012 19:05:22 -0800
Subject: Re: Log on to DC directly

> On Tue, Feb 28, 2012 at 17:47, Ben Scott <[email protected]> wrote:
> > On Tue, Feb 28, 2012 at 6:54 PM, Kurt Buff <[email protected]> wrote:
> >> One other thing that I've been mulling over along with the other
> >> credentials is a set of VMs on which to run them. Want to manage
> >> AD/DNS/WINS/CA? RDP into this Win7 VM with the correct tools on it.
> >> Want to manage AV/WSUS/other workstation stuff? Log into that Win7 VM
> >> over there with those tools on it. Lather, Rinse, Repeat. Then my
> >> laptop would be just another end-user station, with much reduced
> >> chances of getting my elevated credentials compromised.
> >
> > Hmmm. Interesting idea. Definitely some advantages.
> >
> > You mention RDP. So does that mean a bunch of VMs running all the
> > time on some other box somewhere? If not, why RDP? If yes, are those
> > VMs all shared between the admin team, or are they dedicated to one
> > body? If the former, how do we handle contention? If the latter, why
> > not just run them on one's own end-user station?
> >
> > Questions posed for mulling purposes. :-)
> >
> > -- Ben
>
> All good questions, and all worth mulling over. I'll let you know when
> I think I have some answers.
>
> Kurt
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
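Item 2 of Matt's list (a unique, randomly generated local administrator password per machine, kept in a central store and rotated quarterly) is the kind of thing that is easy to describe and easy to get subtly wrong, so here is an added worked example of the bookkeeping side. It is not code from the thread or from any product; it assumes a simple in-memory dictionary as the "database", 20-character passwords drawn from a cryptographic random source, a 90-day rotation interval standing in for "quarterly", and three constructed hostnames and enrollment dates.

```python
import secrets
import string
from datetime import date

# Assumptions for this example (not from the original post): a dict keyed by
# hostname stands in for the password database, passwords are 20 characters,
# and "quarterly" is approximated as a 90-day rotation interval.
ROTATION_DAYS = 90
PASSWORD_LENGTH = 20
SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=PASSWORD_LENGTH):
    """Return a password from a CSPRNG (secrets, not random) that contains
    at least one lowercase letter, uppercase letter, digit and symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def set_password(vault, hostname, today):
    """Give one machine a fresh password and record the date it was set."""
    vault[hostname] = {"password": generate_password(), "set_on": today}
    return vault[hostname]["password"]


def due_for_rotation(vault, today, rotation_days=ROTATION_DAYS):
    """Hostnames whose password is at least rotation_days old, sorted."""
    return sorted(h for h, rec in vault.items()
                  if (today - rec["set_on"]).days >= rotation_days)


def rotate_due(vault, today, rotation_days=ROTATION_DAYS):
    """Rotate every overdue machine; return the list of hostnames rotated."""
    due = due_for_rotation(vault, today, rotation_days)
    for hostname in due:
        set_password(vault, hostname, today)
    return due


def passwords_are_unique(vault):
    """True when no two machines share a local admin password."""
    pws = [rec["password"] for rec in vault.values()]
    return len(pws) == len(set(pws))


def build_demo_vault():
    """Constructed sample data: three workstations enrolled on different dates."""
    vault = {}
    set_password(vault, "WS-001", date(2012, 1, 1))
    set_password(vault, "WS-002", date(2012, 2, 1))
    set_password(vault, "WS-003", date(2012, 2, 28))
    return vault


def demo_today():
    """Constructed 'current date' for the sample run."""
    return date(2012, 4, 15)


if __name__ == "__main__":
    vault = build_demo_vault()
    today = demo_today()
    print("due before rotation:", due_for_rotation(vault, today))
    print("rotated:", rotate_due(vault, today))
    print("due after rotation:", due_for_rotation(vault, today))
    print("all passwords unique:", passwords_are_unique(vault))
```

In a real deployment the dictionary would be replaced by an encrypted store with access logging, and `set_password` would also push the new value to the machine; the two checks worth keeping from this toy are that every password is unique across machines (so one compromised workstation does not unlock the rest) and that the rotation report is driven by the recorded set date rather than a calendar reminder.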
