Q: I was recently hired as a security administrator responsible for overall information security, including log management and access review. Software that I’m testing to review user and group access requires that I have administrative access to run the discovery tasks, but I don’t. I have to ask someone who has administrative access to install and run the discoveries for me. Log management tools also require that I have administrative access. From an auditing standpoint, I know that I should be able to monitor changes that administrators make but not make changes myself. Regarding setting Group Policy in Active Directory (AD), I know that I shouldn’t be able to set policies but should be able to view security policies. What type of access do you recommend for someone in my position?
A: Ideally, organizations should employ someone to be responsible for assessing and monitoring security, but that person shouldn’t be responsible for actually administering systems. Monitoring and administrative responsibilities should be divided to serve as a separation-of-duty control.
When the same individual or group performs both types of duties, there can be tension between security and system support, and busy administrators who have no oversight might shortcut security policies and procedures to solve problems. In addition, employees—even administrators—could become malicious. Having a dedicated security person reviewing employee actions is an effective deterrent.
In your position, you shouldn’t have administrative authority because no one reviews what you do. As you’ve discovered, however, many reporting programs that provide useful information for someone in your position aren’t designed with the concept of least privilege in mind, so an administrator must supervise the execution of such programs.
As for log management, many log monitoring solutions let you collect security logs from systems on your network and put them into a separate log management server under your control. Some of the solutions I recommend are Secure Vantage Technologies’ Security Control Management Pack for MOM 2005, TNT Software’s ELM Log Manager, Prism Microsystems’ EventTracker, GFI Software’s GFI LANguard Security Event Log Monitor, and Quest Software’s InTrust. After supervising the installation of the collection agent on each system by an administrator, you shouldn’t need further access to the systems being monitored. It’s important that the log management server be in a separate forest or be a standalone server. The server shouldn’t be in a forest administered by typical IT administrators because it would be subject to tampering by the employees the server is monitoring.
Specifically, to view Group Policy, all you need is Group Policy Management Console (GPMC) and a simple, unprivileged user account located somewhere in the AD forest. The Authenticated Users special principal, to which all users in the forest belong, has read access to Group Policy Objects (GPOs) and almost everything else in AD. However, when all you have is read access, only GPMC will let you view a GPO.
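As an added illustration (not part of the original column), the following PowerShell script shows the kind of read-only review an unprivileged account can perform once GPMC is installed: it walks every GPO in the domain, confirms that Authenticated Users still holds read access, and lists every trustee that can edit a GPO, flagging any that is not on an expected-editors list you supply. It assumes the GroupPolicy module that ships with GPMC/RSAT and a hypothetical expected-editors list; nothing is modified.

```powershell
# Added example, not from the original column. Read-only GPO delegation review
# run from an ordinary user account that has GPMC (GroupPolicy module) installed.
Import-Module GroupPolicy

function Get-GpoDelegationReport {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # Hypothetical list: the trustees you expect to be able to edit GPOs.
        [string[]]$ExpectedEditors = @('Domain Admins', 'Enterprise Admins',
                                       'SYSTEM', 'Group Policy Creator Owners')
    )
    # Permission levels that allow changing a GPO (anything beyond read/apply).
    $editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $perms = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain

        # Separation-of-duty check 1: reviewers rely on Authenticated Users read.
        $authRead = $perms | Where-Object {
            $_.Trustee.Name -eq 'Authenticated Users' -and -not $_.Denied }
        if (-not $authRead) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Trustee = 'Authenticated Users'
                               Permission = 'MISSING READ'; Unexpected = $true }
        }

        # Separation-of-duty check 2: who can actually change this GPO?
        foreach ($p in $perms) {
            if ($editLevels -contains $p.Permission.ToString()) {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Trustee    = $p.Trustee.Name
                    Permission = $p.Permission.ToString()
                    Unexpected = ($ExpectedEditors -notcontains $p.Trustee.Name)
                }
            }
        }
    }
}

# Usage: show only editors that are not on the expected list.
Get-GpoDelegationReport | Where-Object Unexpected | Format-Table -AutoSize
```

Because Get-GPO and Get-GPPermission only read the directory, the script works with the plain read access Authenticated Users already has; any "Unexpected" row is a delegation the reviewer should raise with the administrators rather than change.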