I plumb the depths of ziwethey for advice
I have somehow become the only voice for security in my little part of this big company I work for. My latest task is to come up with a coherent security policy for the employee help desk. I have some basic, common sense thoughts that I will be presenting to my boss such as: no passwords allowed out over the phone, must have a manager request for new/changed employee system rights, HR is the only source of authorized lists for new/fired employees, and a few other ideas.

I am not surprised in the least that this has only recently become an area of concern. My part of this huge, multi-national corp used to be a rather small company where most everybody was known to the help desk. This is no longer the case.

At the same time, I have somehow become the main network administrator for account design. We will finally be able to use policies and profiles in account creation and maintenance (something I've been crying about for months). This little gift comes with a caveat; I am also supposed to somehow pull out of my ass a design scheme for our migration to Active Directory services.

Enough of my problems. What I am asking for here is some standard security policy guidelines for an employee helpdesk.

My other request is for info sources on effective use of policies and profiles in an NT/2000 environment.

Plenty of time later to ask for the iwethey guide to Active Directory.

[snicker]

With this much manure around, there must be a pony somewhere.
Security...
...is the implementation of policy.

That's a definition stolen from Jim Dennis:
I like to think of security as the enforcement of policy.
So, when evaluating the benefits, costs and risks of any
particular package, feature or technique I ask:

    What policy does this allow me to enforce?
    What risks does it entail?

If I want to have a policy that all system level changes
must be done "in person" then BSD securelevel, LIDS and
the "capabilities bounding set" (in the 2.3 kernels) are
features that might enforce this.

Another definition is to protect access, integrity, accuracy, and availability of system data (and resources) -- which gives you a bare-bones policy.

This, incidentally, is an excellent example of a good TWiki topic.

--
Karsten M. Self kmself@ix.netcom.com
http://kmself.ix.netcom.com/
What part of "gestalt" don't you understand?
Ick!
We will finally be able to use policies and profiles in account creation and maintenance (something I've been crying about for months)

oh wince
I am also supposed to somehow pull out of my ass a design scheme for our migration to Active Directory services.

Double wincer, sorta like asking if you want to be screwed three or nine times :=(

(a) as a programmer-type, I'm automatically opposed to policies and profiles and whatever sh*t management might dream up. Use "policies" on me, and I'll quit, high-tech job market regardless.

(b) as an administrator-type, I certainly don't want employees surfing Sports Illustrated on company time.

(c) as me, I am horrified at a mandate to Active Directory, which will probably be obsoleted by whatever Microsoft jiggers into its next dot.net revision.
"I didn't know you could drive to Europe." -- An eavesdropper, piping in when he overheard a conversation about someone who had driven to Montreal.
By "policies", I meant the ones inside usermanager.
With this much manure around, there must be a pony somewhere.
AD seen from the amateur viewpoint
I was directed to an (otherwise) exc. book on "Windows 2000 Management" from O'Reilly. This massive tome was AT LEAST 2X as large for.. virtually every other reference to "doing something" possessing an exception.. or a correction or alteration IF..

You Poor Fucking Sap...

You had to deal with AD! And I am not exaggerating the plethora of AD refs for even the simplest 'management' of this bloated all-in-One POS.

A quote from the AUTHOR on page 127:

An alternative approach is to upgrade your member server first, then take a year off and learn in detail how Active Directory works, and finally upgrade your PDC followed by your BDCs. A lot of admins seem to favor this approach!
..and this by someone who Likes W2K, or at least pretends to, in the book.

(Fortunately re this standalone, not-web-connected local server - other than periodic reboots when it eats itself from whatever remains of mem. leaks and internal masturbation: I've not needed to actually Change anything. As to *their backups* [??] of RAID on this massive prof. Cpq. ProLiant box which whines like a Banshee - don't ask..)

Boy am I unsuited for *this* kind of techno-fascist 'world'.

Ashton
I'm actually looking forward to it.
Lately I feel as if I've been stagnating in my tech skills. AD may be the gift of Satan, but it is still something "new" to me. I think the reason this fell into my lap is that I am the only person on staff who has had any actual training in it. The training was long enough ago and my use of W2K/AD has been minimal enough that I really am starting almost fresh. Gaining knowledge is IMO always a good thing.
The best scale for an experimental design is ten millimeters to the centimeter.
Yeah I feel that way too sometimes..
Like when I get a Tektronix 485 (scope), a masterpiece of workmanship and clever ideas like - the virtually indestructible = fail-safe switching PS. Yes, it Will 'save itself' via crowbarring softly when load exceeds spec But..

It 'chirps'! = repeated restarts/shutdowns when any one of Several parallel loads is gollywampus {sigh} One Potato(e for some Pols) at a Time. SO then you look for the old electrolytic cap whose ESR has gone sky high.. somewhere in there. There's gotta be a better way to find The One, and if I were clever enough..

(Like.. why? didn't they just put some LEDs dynamically sensing current OL, so they'd flash in the Right place.. what could it have cost?)

Now with el-cheapo dreck - ya just trash that $7 puppy which powers the $500 processor + MB yada yada. Hmmm maybe Excellent isn't always about quality alone, but R&R.. but I digress.

bitch bitch

If you're really gonna learn All about AD.. that's *SCARY*
First off....
Get Novell's eDIR for the Windows platform. You no longer need to have a Novell server for NDS. You then have almost zero boundaries to getting stuff implemented. Therefore AD is no big deal. eDIR just completely wraps around it.

I have implemented eDIR (v8.01 when I did it) on Solaris and W2K servers. With NDS authentication for both Solaris and W2K domains. Then set up LDAP for other authentication... for things like Proxy servers, RAS and other programs needing authentication.

You could even get LINUX to do SMB authentication now and eDIR authentication.

You see TEMPLATES for users are a great thing. You can have 1000's of templates for different kinds of users.. administrative roles for other things and Helpdesk remote control and such for using ZENworks... allowing lots of good things.

As for AD. don't implement it. Period. I have done extensive testing with it along with TSE and CITRIX. Not a good mix. You can set up rogue AD and actually cause mayhem with Exchange, by impersonating literally ANYONE. As long as you know their username in the domain you want to tamper with.

One thing we have done at my place for user stuff:

Verify who these people are and where they are (we have callerID with names for all phones on Campus) for Password resets. If that fails then they must have their Supervisor/director/Executive Budget Officer (EBCO) request the change.

For new user creation/deletion, we get a list from HR daily that states who and when people are to be able to be created and when they are disabled. We also have an expiration process based on usage, er, non-usage of accounts. They are notified of non-use in e-mail after 3 months; if they do not login within 1 month they are completely disabled. If after 2 more months they do not get the account re-enabled they are deleted. Their EBCO is notified throughout the whole process and can delay but not stop the process as the onus is on the user. 'Cause if they ain't using the account why have it. As for deletion, if HR says disable it due to termination or other reason, the process is shortened by 4 months. And the EBCO still has the ability to get the data but not enable the account.

Best part, our backup solution will still keep 1 final version of all the user's data in their HOMEDIR for 60 days after it is deleted. They can get it back for that whole time. NO, e-mail is not included in this. That has a different policy.

We have a web-based application for account creation form submission policy. If everything is not filled in properly the submitter cannot even submit the application.

That has cut down on a lot of "I sent it 2 weeks ago" or "I can't do my job cause I can't get to blah blah..." or "I didn't know about that requirement". We also state that the turn around time is 5 days for account creation.

I know... I am in fantasy land.

greg, curley95@attbi.com -- REMEMBER ED CURRY!!!
In 2002, everyone will discover that everyone else is using linux. ** Linux: Good, fast AND cheap. ** Failure is not an option: It comes bundled with Windows. ** "Two rules to success in life: 1. Don't tell people everything you know." - Sassan Tat
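The dormant-account lifecycle in the post above (warning after 3 months of non-use, disable 1 month later, delete 2 months after that, final HOMEDIR backup kept 60 days, HR termination skipping the warning phase so the run is 4 months shorter) as a nightly-job state machine. This is an added Python example, not code from the post or from any product it mentions; the 30-day months, the field names and the action names are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
# Thresholds from the post, approximated in days (assumption: a month is 30 days)
NOTIFY_AFTER = timedelta(days=90)   # no login for 3 months -> non-use warning e-mail
DISABLE_AFTER = timedelta(days=30)  # no login 1 month after the warning -> disabled
DELETE_AFTER = timedelta(days=60)   # still disabled 2 months later -> deleted
HOMEDIR_KEEP = timedelta(days=60)   # final HOMEDIR backup retrievable for 60 days

@dataclass
class Account:
    user: str
    last_login: date
    notified_on: Optional[date] = None       # date the non-use warning went out
    disabled_on: Optional[date] = None
    deleted_on: Optional[date] = None
    hr_terminated_on: Optional[date] = None  # date HR's daily list flagged the user
    homedir_purged: bool = False

def next_action(acct: Account, today: date) -> str:
    """The single step the nightly job should take for this account today."""
    if acct.deleted_on:  # only the final HOMEDIR backup is left to expire
        purge = not acct.homedir_purged and today - acct.deleted_on >= HOMEDIR_KEEP
        return "purge_homedir" if purge else "none"
    if acct.hr_terminated_on and not acct.disabled_on:
        return "disable"  # termination skips the 3+1 month warning phase
    if acct.disabled_on:
        return "delete" if today - acct.disabled_on >= DELETE_AFTER else "wait"
    if acct.notified_on and acct.last_login <= acct.notified_on:
        # warned and still absent; a login after the warning makes the notice moot
        return "disable" if today - acct.notified_on >= DISABLE_AFTER else "wait"
    return "notify" if today - acct.last_login >= NOTIFY_AFTER else "none"

def apply_action(acct: Account, today: date) -> str:
    # Record the transition chosen by next_action on the account and return it
    action = next_action(acct, today)
    stamp = {"notify": "notified_on", "disable": "disabled_on", "delete": "deleted_on"}
    if action in stamp:
        setattr(acct, stamp[action], today)
    elif action == "purge_homedir":
        acct.homedir_purged = True
    return action

def simulate(acct: Account, start: date, days: int) -> List[Tuple[str, str]]:
    # Run the nightly job over consecutive days and return the dated transitions
    events = []
    for i in range(days):
        today = start + timedelta(days=i)
        action = apply_action(acct, today)
        if action not in ("none", "wait"):
            events.append((today.isoformat(), action))
    return events
```

Feeding `simulate` a constructed account whose last login was 2002-01-01 yields the warning on 2002-04-01, the disable on 2002-05-01, the delete on 2002-06-30 and the HOMEDIR purge on 2002-08-29; an account flagged by HR is disabled the same night and deleted 60 days later.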
Thanks
I would feel a whole hell of a lot more comfortable with Novell Directory Services. I have some level of confidence in my usage of this product from a few years back and was quite impressed with my minimal exposure. Is there an evaluation program? Never mind, I'll just go check out novell.com. I'm sure there must be something.

The security tips were exactly the kind of thing I was looking for, many thanks.
The best scale for an experimental design is ten millimeters to the centimeter.
You're welcome... Plus lotsa other stuff... plus a Juicy RUMOR
If you have need for more info, I'd be more than happy to go over them off-line. I kinda get that weird feeling, talking about these things in great detail over the Web in a Forum or Dialog...

Ping me at "eduDOTgrccATgfolkert" for more kinds of these things.

Having just come back from Brainshare last week, some really cool things are showing up finally!

Light clients for Netware now, including no Client32. Native access for Windoze* (using smb/cifs), Apple MacOS* (afp or afpovertcp), *NIX (nfs, smb, afp or afpovertcp)... all with eDIR authentication services.

iLogin, iPrint, iFolder... etc. Really gonna hide those netware boxen even more now. You should see the Novell Portal Services.... AWESOME. Dynamic Grouping, Static grouping with Dynamic Grouping, Static Grouping... Sharing of standard widgets and such... CITRIX web-based ICA Clients work out well, token passing isn't broken, IP-Session management (called IPCHAINS (imagine my surprise, it ain't Linux either), can be round-robin or least-load based selection).

As for Avaya, They have switched to Linux for their Phone-Switches OS, plus any redundant options will ONLY be Linux based, and for the next versions of Audix. They are even going to Linux based routers very shortly. Their newest one will be 10Gbit with 100Gbit switch Fabric and very fast management processors (finally). Heck even their Layer-2 Switches will be Linux Based.

They have even thrown around "Layer-4" switches... I gotta think that one through, dunno if I really want layer-4 switching... messy! I guess they eventually will get to Layer-7 switching... ICKY. That would just be wrong.

On another note, IPv6 is extremely cool. Almost near zero chance of duplicate IP addresses. Your MAC IS your IP address, along with your region codes and such. No real broadcasting, get all your info from your default router. Should be interesting to see it actually get implemented. Be a rude awakening for a lot of "Crackers" out there. Almost completely eliminates the chance for spoofing. Still can engineer packets though, and cause havoc. If ya want more good info, just go to IANA.

Late notes, Novell is finally going to go blow for blow in advertising to combat the Vaporware announcing M$ always does. Dang .NET server ain't even available, and they are touting it as the end-all-be-all.

CAUTION ! ! !

{RUMOR}Hah, just heard today there are rumblings in the inner ring that AD is going to be dead (read unsupported) in less than 2 years... M$ EOL'd it, superseded it with .NET authentication (or PASSPORT or whatever it is called)... hosted by them and them alone. Though you would still be able to "manage" it for your "domain".{/RUMOR}

greg, curley95@attbi.com -- REMEMBER ED CURRY!!!
In 2002, everyone will discover that everyone else is using linux. ** Linux: Good, fast AND cheap. ** Failure is not an option: It comes bundled with Windows. ** "Two rules to success in life: 1. Don't tell people everything you know." - Sassan Tat