
Sunday, January 18, 2009

Active Directory management permissions

Our user accounts aren't, inexplicably, created within the IT team. That's a fight for another day, but right now I'm securing our Active Directory, specifically against the people whose job it is to create our users, none of whom is anything other than an IT part-timer. Unbelievably, they've been given full admin rights up to now, but today that stops.

So what I've done instead is to:

  • Save an .msc file of the AD Users and Computers MMC snap-in.
  • Create a user group called Account Managers and add these staff to it. I've granted this group Read access to the .msc file, and provided them with the file path to it.
  • Give the Account Managers the necessary permissions - Read, Write and Modify - to the OUs in which our user accounts live (not our System Accounts - they're somewhere else).
  • Delegate control of user accounts by right-clicking on the root domain in AD Users and Computers and - well, just walking through the wizard.
  • Remove our users from the Admin groups.

I'm sure there's going to be some whingeing sometime soon, but that I can handle, by the old-school SysAdmin technique of hiding behind my manager. Hey, it's what he's there for. And I'll sleep just a little bit better tonight, although I know I'll wake up tomorrow and find something else that frightens me.
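
The steps above can also be scripted so the delegation is repeatable and easy to audit. This is an added example, not the commands used in the post: the domain name, OU paths, file path, staff logon names and the choice of admin groups are all placeholder assumptions, and the `dsacls` grants approximate the Read and Write permissions the post sets through the wizard.

```powershell
# Added example. Every name below except the group name is a placeholder.
Import-Module ActiveDirectory

$Domain    = 'EXAMPLE'                                 # placeholder NetBIOS domain
$GroupName = 'Account Managers'                        # group name from the post
$UsersOU   = 'OU=Staff,DC=example,DC=com'              # placeholder: OU holding user accounts
$GroupsOU  = 'OU=Groups,DC=example,DC=com'             # placeholder: where the group lives
$MscPath   = '\\fileserver\tools\AccountManagers.msc'  # placeholder: saved console file
$Staff     = 'jdoe', 'asmith'                          # placeholder logon names
$Principal = "${Domain}\${GroupName}"

# Create the group (if missing) and add the account-creation staff to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupsOU
}
Add-ADGroupMember -Identity $GroupName -Members $Staff

# Read-only access to the saved console file.
icacls $MscPath /grant "${Principal}:(R)"

# Delegate on the user OU only, not on the OU holding system accounts:
#   CCDC;user  = create/delete user objects in this OU and below
#   RPWP;;user = read/write all properties, inherited onto user objects
dsacls $UsersOU /I:T /G "${Principal}:CCDC;user"
dsacls $UsersOU /I:S /G "${Principal}:RPWP;;user"

# Remove the same staff from the admin groups (assumed here to be these two).
foreach ($g in 'Domain Admins', 'Administrators') {
    $toRemove = Get-ADGroupMember -Identity $g |
        Where-Object { $Staff -contains $_.SamAccountName }
    if ($toRemove) {
        Remove-ADGroupMember -Identity $g -Members $toRemove -Confirm:$false
    }
}

# Verify: show the ACEs granted to the group and who is left in Domain Admins.
dsacls $UsersOU | Select-String -SimpleMatch $GroupName
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName
```

Run the verification lines again after the next logon cycle; group membership changes only take effect once the affected users have logged off and back on.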

Downadup panic

I got to work, opened my email, checked the web for news and found that the Downadup worm's causing untold panic, such is the rate of spread. F-Secure estimate that the worm had infected nearly 9 million PCs by Friday, up from just over 2 million on Monday. The worm's hitting a long-standing vulnerability in XP, 2000 and Server 2003 which Microsoft patched - with plenty of publicity - 3 months ago.

Apart from demonstrating just how many systems out there haven't been patched, Downadup's also notable for the numerous ways in which it propagates, via flash and network drives, plus the usual array of social networking hooks.

It is, though, easily removed. Tools are at F-Secure for free, and better directions at precisesecurity.

If nothing else, Downadup's showing again the best security practices of all - regular patching, up-to-date AV and malware programs, and not opening spam. How easy does it have to be?