System Accounts
Posted by EYHokie
What do I find to be one of the biggest misses in companies today?
The biggest issue is controlling system accounts. How can a company control an account that is not tied back to an individual user? Likely, for ease of management, passwords are the same across all system accounts with the same naming convention. For example, Windows has a built-in administrator account called "BUILTIN\Administrator." Depending on the size of the company, it may be easiest for the IT department to use the same password on all servers for this account. They've changed it from the default, so they feel good about the control. Well, as Microsoft points out, once a hacker gets control of the password they now have control of every Windows server. My point, though, is not a discussion about hacking. Rather, my point is around controlling the activity run under these types of accounts.
The easiest way I can see to control the account is to control the password. Give one person, typically in a leadership role, ownership of the password. They are responsible for logging into the system and changing the password. Therefore, the manager knows exactly who has used the account. However, the concern remains that the manager knows who used the account but not what they did with the account. In a mid-size company, this may not be feasible. The password may need to be distributed to associates from time to time. It is the responsibility of the manager to change the password periodically. How often is up for debate. If one associate is on-call for a week, the manager changes the account at the beginning of the next week. Again, this only controls the who, not the what. I am sure there are logging tools available on the market for tracking the activity. If the tool and password control were put together, there would be a reasonable assessment of the who and the what.
How does audit fit into the picture? In a mid-sized company with limited resources, we are going to have to rely on the password controls. The company likely does not have the resources, financial or FTEs, to log and review all activity. Faith in associates becomes critical. The system can provide some comfort if the last password change date is available. Entity-level controls may provide additional comfort. Are the IT associates properly trained? Is there a password policy that requires system account passwords to be changed periodically? Are there background checks performed for new hires? While these are entity-level controls, they do start to describe the culture of the company.
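The password-rotation control described above (change the shared account password at the end of each on-call week) and the audit comfort of a visible "last password change date" can both be checked from one place. The following PowerShell function is an added example, not code from the original post; it assumes PowerShell Remoting is enabled on the servers, that the caller holds local administrator rights on them, and that the server names passed in are placeholders. It reports when the built-in Administrator account's password was last set on each server and flags any that are older than the rotation window.

```powershell
# Added example (not from the original post). Reports the PasswordLastSet
# date of the built-in Administrator account on each server and flags any
# account whose password is older than the rotation window.
# Assumptions: WinRM/PowerShell Remoting is enabled, the caller is a local
# administrator on the targets, and $Servers holds placeholder names.
function Get-AdminPasswordAge {
    param(
        [Parameter(Mandatory)]
        [string[]]$Servers,        # placeholder server names supplied by the caller
        [int]$MaxAgeDays = 7       # rotation window, e.g. one on-call week
    )

    # Anything set before this date is overdue for rotation.
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # Query each server. The built-in Administrator account always has
    # RID 500, so match on the SID rather than the name in case it was renamed.
    $remote = Invoke-Command -ComputerName $Servers -ScriptBlock {
        Get-LocalUser |
            Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
            Select-Object Name, Enabled, PasswordLastSet,
                @{ Name = 'Server'; Expression = { $env:COMPUTERNAME } }
    }

    foreach ($r in $remote) {
        [pscustomobject]@{
            Server          = $r.Server
            Account         = $r.Name
            Enabled         = $r.Enabled
            PasswordLastSet = $r.PasswordLastSet
            # A null PasswordLastSet means the password was never set; treat
            # that as overdue as well rather than silently passing it.
            Overdue         = ($null -eq $r.PasswordLastSet) -or
                              ($r.PasswordLastSet -lt $cutoff)
        }
    }
}

# Usage with placeholder server names: list only the overdue accounts.
Get-AdminPasswordAge -Servers 'SERVER01', 'SERVER02' -MaxAgeDays 7 |
    Where-Object Overdue |
    Format-Table -AutoSize
```

Running this at the start of each week gives the manager and the auditor the same evidence: which servers still carry last week's password. It answers the "who" question only indirectly (the rotation date), which is exactly the limitation the post describes; the "what" still needs activity logging on top.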