Tip

Secure your administrators

Like the cobbler's children who have no shoes, system administrators often have no awareness of security requirements that apply to them. Well, more correctly, they often ignore such requirements. In fact, I can't tell you how many times I've seen security audits detect some outlawed application on the network, and then traced it back to an administrator's machine. As recently as two weeks ago, I was at a large company where the head of their standards-setting "Security Counsel" was running a Kazaa server on his workstation.

One reason for this is that network administrators spend half their time building, tweaking and testing equipment, whether it's firewalls, PCs, or routers and switches, and the other half maintaining their networks with all sorts of specialized tools. These activities are very "high risk", and there are a lot of steps administrators should take to minimize that risk.

First, build a lab or "build" network, separate from your production network, in which you can build and test equipment without worrying about what level of patches or service packs you have. Usually, you'll want to "dual-home" a file server so that you can download necessary files or, better yet, burn the files you need to CDs. Using a Windows server to do "Port Address Translation" is also an option, as it can help prevent access into this private lab and only takes a few clicks to set up. This will help alleviate the problem of unauthorized programs running on administrators' workstations.

Next, get an accurate inventory of all your network management stations. Lots of administrators re-deploy old PCs to run network management tools like MRTG (multi-router traffic grapher) or to act as route servers or boxes to collect syslogs, etc. Unfortunately, these systems are highly susceptible to worms, as they are often overlooked when new patches are released; having a valid, up-to-date list will help with this problem.

Distributed or dedicated protocol analyzers running on Windows OS are also vulnerable. Keep them updated, or shut them off when they're not in use. Finally, don't allow these boxes to belong to the same Windows domain as your production servers.
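The inventory, patching, analyzer and domain advice above can be checked mechanically once the station list exists. The following is an added example, not code from the original tip: the hostnames, the `CORP` and `LABMGMT` domain names, the 60-day patch threshold and the CSV layout are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed inventory of management stations (hypothetical hosts and domains).
INVENTORY_CSV = """hostname,role,domain,last_patched,in_use
mrtg01,mrtg,LABMGMT,2003-04-28,yes
syslog01,syslog,CORP,2003-04-30,yes
sniffer02,protocol-analyzer,LABMGMT,2002-11-15,no
routesrv1,route-server,LABMGMT,2003-01-10,yes
"""
# Constructed list of hosts found powered on and running management tools.
OBSERVED = ["mrtg01", "syslog01", "sniffer02", "routesrv1", "oldpc-mrtg"]

PRODUCTION_DOMAIN = "CORP"  # assumption: name of the production Windows domain
MAX_PATCH_AGE_DAYS = 60     # assumption: local patch policy threshold


def audit(inventory_csv, observed, today):
    """Return {hostname: [findings]} for stations that break the tip's rules."""
    rows = {r["hostname"].lower(): r
            for r in csv.DictReader(io.StringIO(inventory_csv))}
    online = {h.lower() for h in observed}
    findings = {}

    def flag(host, text):
        findings.setdefault(host, []).append(text)

    # Stations missing from the list are the ones overlooked at patch time.
    for host in sorted(online - set(rows)):
        flag(host, "not in inventory")

    for host, r in rows.items():
        age = (today - date.fromisoformat(r["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            flag(host, f"patches {age} days old")
        if r["domain"].upper() == PRODUCTION_DOMAIN:
            flag(host, "member of production domain")
        if (r["role"] == "protocol-analyzer" and r["in_use"] == "no"
                and host in online):
            flag(host, "analyzer online while not in use")
    return findings


if __name__ == "__main__":
    for host, issues in audit(INVENTORY_CSV, OBSERVED, date(2003, 5, 15)).items():
        print(f"{host}: {'; '.join(issues)}")
```

Stations with no findings, such as `mrtg01` in the sample data, are omitted from the result.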


Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.


This was first published in May 2003
