Sunday, April 6, 2008

Easy System Administrator Security Blunders

Fatal System Administrator Mistakes
System administration can be a stressful and tedious job. This leads admins who are either poorly educated or overworked to make some very simple mistakes out of convenience, haste, or frustration.

In a large enough environment, most companies make use of Active Directory. This cuts down on the amount of work a sys admin has to do for shared resources through centralized authentication. It also means most boxes in the corporate environment have two administrators (three if you count the domain admin). One is the normal user who comes in and authenticates through AD transparently on his/her box. The other is the local Administrator of the box that was used to set up the machine; most sys admins do not remove or disable this account. And most sys admins use the same password for this account consistently across machines, and it's usually not a very sophisticated password.

Consider looking at:
http://ophcrack.sourceforge.net/
http://www.mininova.org/tor/183001
http://wiki.hak5.org/wiki/USB_Hacksaw
**Can't vouch for the torrent sites**
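One way to audit the local Administrator account described above, as an added example that is not from the original post: it looks the account up by its well-known RID (500) so a rename doesn't hide it, reports whether it is enabled and how old its password is, and can disable it. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt; the script name and the 90-day threshold are assumptions.

```powershell
# Added example (not from the original post). Save as Audit-BuiltinAdmin.ps1
# and run it to report only, or with -Disable to also disable the account.
# Assumes PowerShell 5.1+ on Windows, run from an elevated prompt.
[CmdletBinding()]
param(
    [int]$MaxPasswordAgeDays = 90,   # assumed policy threshold
    [switch]$Disable                 # actually disable the account when set
)

# RID 500 is the built-in Administrator regardless of its display name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) {
    Write-Warning "Built-in Administrator (RID 500) not found on $env:COMPUTERNAME."
    return
}

# Password age in whole days, or $null if it was never set / is unknown.
$pwdAgeDays = if ($builtin.PasswordLastSet) {
    [int]((Get-Date) - $builtin.PasswordLastSet).TotalDays
} else {
    $null
}

$report = [pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Name            = $builtin.Name
    Enabled         = $builtin.Enabled
    PasswordAgeDays = $pwdAgeDays
    Findings        = @()
}
if ($builtin.Enabled) {
    $report.Findings += 'built-in Administrator is still enabled'
}
if ($null -eq $pwdAgeDays -or $pwdAgeDays -gt $MaxPasswordAgeDays) {
    $report.Findings += "password older than $MaxPasswordAgeDays days (or never set)"
}
$report | Format-List

if ($Disable -and $builtin.Enabled) {
    # Domain-joined boxes should rely on domain accounts, or at least a unique
    # per-machine password, rather than one shared local Administrator password.
    Disable-LocalUser -Name $builtin.Name
    Write-Host "Disabled $($builtin.Name) on $env:COMPUTERNAME"
}
```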


In a small to medium business, sometimes there is a crunch for budget, and either the IT guy is really crunched for time or there is no IT guy, so the responsibility for the web server falls to either a web developer or a web designer. Most of these guys know what they are doing, but there's a portion of them who, when they hear "security", think "I don't have any MySQL injection points on my web page," not "maybe I shouldn't just set the web server outside the firewall." A lot of web guys put servers outside of firewalls, or just forward enough ports to make the firewall ineffective, because it makes their job easier. Now a hardened FreeBSD box sitting outside a firewall is one thing, but a Windows Server 2000 box with the majority of its ports turned to the internet is quite another, particularly if that box is doing more than web serving. Being that it's a web server, there is probably a reluctance to update because of down time as well.

Consider looking at:
http://www.metasploit.com/
Core Impact (If someone finds a torrent for this let me know so I can post it)
Canvas (If someone finds a torrent for this let me know so I can post it)
**Can't vouch for torrent sites**

Not training employees to understand when it is OK to disclose their password and when not to can be a problem as well. We have all heard the example of the sticky note with the password right by the computer; however, other helpful aids for social engineering are just reading the site and looking at the staff directory. Maybe visit the site to see how the physical security is: imagine if there was an RJ45 port exposed, just hook up and set a small AP behind a chair and you're in. And if you are into it, go ahead and do some trashing, just grab some bags from their dumpster and see if anyone threw out one of those sticky notes you hear so much about.

Consider:
Visiting Web site
Visiting Physical Site

So those are three mistakes you might look for that an overworked or underworking IT pro might make.
