Category: Uncategorized

You need to decide how you will get from where you are now, possibly a Windows NT domain(s), to Windows 2000 or Server 2003 Active Directory domain(s). The pressure and work that goes along with moving from one network operating system to another network operating system can be intense. You will be required to make many decisions during your journey.

Will you have Windows 2000 or Windows Server 2003 domain controllers?
Will you run some of each type of domain controller?
What client operating system will you run for the IT staff, executives, and other employees?
How many Active Directory domains will you end up with?
How many Active Directory forests will you end up with?
How will you get from your Windows NT domains to Windows Active Directory domains?
What tools will you use to get to your Windows Active Directory domains?
Are there any security concerns that you need to consider during your move to Windows Active Directory?

It is this last question that is focus in this article. They discuss the primary options for going from Windows NT domains to Windows Active Directory domains. It then talks about each of the options, focusing on the different security considerations that you need to contemplate. When you are done reading this article, you should be able to pinpoint the key security considerations that you will face along your journey.

You have two primary options for moving from Windows NT domains to Windows 2000 or Server 2003 Active Directory domains. The second option is to perform a migration. A migration is more complex than an upgrade. With a migration, you will need to create your Active Directory domain(s) in conjunction with your Windows NT domain(s). This will require that you purchase additional hardware and server licenses.

The overall concept of the migration is to gradually move objects (user, group, and computer accounts) from Windows NT to Windows Active Directory.

An upgrade is much simpler in all aspects. With an upgrade you work with the existing Windows NT domain and domain controllers. You will take the Windows 2000 Server or Windows Server 2003 installation CD and place it in the Windows NT Primary Domain Controller. You follow the steps in the wizard and when the computer restarts, you have a Windows Active Directory domain. All of the objects that were once in the Windows NT domain have completely been retained and are immediately available in the Windows Active Directory domain.

If you choose to perform a migration, you most likely are consolidating multiple Windows NT domains into a few (hopefully one) Windows Active Directory domains. It is the method that is available for moving accounts from multiple domains into just a few domains. However, as you perform your migration, you will have unique security concerns that you need to consider during the process.

Here are some of the most prominent security concerns that you will run into.
As you migrate user accounts from NT to Active Directory, you will end up with duplicate user accounts, with one in each domain. Most tools will allow you to control the state of both of the accounts after the migration. There might be times when you want the source user account to be active, and other times when the target user account should be active.
Regardless of your decision, you need to be aware that there are two user accounts in two domains.

When you migrate a user account from NT to Active Directory, you need to consider how the new user account will continue to access resources that exist in the Windows NT domain. This new property is referred to as SIDHistory. During a migration, the primary objects that you will migrate include user, group, and computer accounts, as well as trusts. However, the other configurations that you once had in Windows NT are not transposed to the Active Directory domain. This includes the account policy settings, which include the password min age, max age, min length, and password complexity.

Derek Melber manages http://www.auditingwindows.com, the first dedicated Web site for Windows auditing and security.

http://www.windowsecurity.com/articles/Security-Concerns-Migrations-Upgrades-Windows-Active-Directory.html

For too long now we’ve seen security threats have a negative impact on internal networks, and as a result, a harmful effect on employee and company productivity. And for far too long, enterprises of all sizes have neglected to focus enough resources and energy on securing these valuable internal network resources. And this year, the information technology industry will see this phenomenon further evolve as organizations begin to focus on securing their internal networks with the same vigor they have applied at the perimeter.

Internal security refers to a focused effort to secure resources on internal networks, or LANs. These resources can include applications, data, servers, and endpoint devices.

Meta Group has observed that “only 10-20 percent of organizations with relatively mature security programs have managed to address internal security to a meaningful extent.” Why is internal security finally becoming a priority?

First, there are business drivers prompting more focus on internal security. Around the globe, companies are being forced to comply with regulations that ensure the privacy of customer data and the security of intellectual property that resides on internal networks. These regulations drive an increased need for internal security.

Second, there is increased awareness about internal hacking. Organizations can no longer take a “don’t look, don’t tell” approach. Instead, many are now required to provide proof that they are continuously looking for internal hackers. How large has the internal hacking threat become? The CSI/FBI Computer Crime and Security Survey showed that 66 percent of organizations suffered an insider attack in 2003.

At the same time, the financial impact of worm and other new types of destructive threats has increased and become more visible in the industry. Having the ability to protect against and contain worms, is perhaps the No. 1 problem driving the investment in internal security solutions. It is estimated that the Slammer worm alone resulted in more than $1billion in damage, for example.

Furthermore, as security vulnerabilities in software have become more proactively communicated by Microsoft (Nasdaq: MSFT) and other sources, the timeline from vulnerability to exploit is shrinking. The time to patch the announced security holes remains ever-present — and just takes too long. So companies are searching for ways to protect their LAN resources during this period of susceptibility – until the holes can be filled with properly patched software.

Lastly, IT organizations have realized that endpoint devices — whether a personal computer, PDA or other device, must be as secure on LANs as they are when connecting from outside the perimeter (such as on a VPN connection.) Once these endpoints are secure internally as well as externally, they will no longer inadvertently introduce malicious code and other security threats.

Companies of all sizes are beginning to shift their attention to the topic of internal security. They are starting to initiate change in how they protect resources on the LAN, and in turn, protect their employees’ productivity.

2005 is the year of internal security.

A combination of business and technology drivers are triggering this revolution, including worm outbreaks, privacy regulations, reduced windows of time to react and a multitude of new types of threats. There are simple steps organizations can take to get started on protecting their internal network resources. For the organizations who make these moves, in 2005 they will reap the benefits of having more secure and stable LANs, and in turn, a more productive workforce.

http://www.technewsworld.com/rsstory/42227.html

See Terms of Use and Privacy notice.

Use file integrity checking
File integrity checking tells you if the software you think you have installed on your network is actually what it is supposed to be. There are a number of free utilities to do this — Tripwire is the best known among them. Traditionally, file integrity checking is used is to identify recent changes on a PC. That way, when things go desperately wrong you can try to back out of the latest changes. File integrity checking is also useful for discovering spyware and viruses your antivirus software has missed.

Run new or unknown software in a sandbox
A new generation of antivirus software extends file integrity checking by making unknown software run in a “sandbox.” This form of isolation prevents viruses or worms from propagating unless they can trick a known program into doing the work for them. Another way to develop a sandbox is by using Microsoft’s Active Directory to keep users from installing anything new. Any new software is then carefully checked by the network administrator before it is installed on the rest of the network. In effect, this makes the network administrator’s PC the sandbox.

Scan autoruns
Each PC’s autorun programs should be periodically scanned for threats. There is a terrific free utility from SysInternals that will show you everything that is run when you boot up your PC.

Use intrusion prevention at the gateway and on each desktop
Effective intrusion prevention soft-ware monitors network traffic and matches it to known types of attacks. This approach would have stopped the Sasser and Korgo.W worms in their tracks since they exploited known vulnerabilities. Intrusion prevention rules are continually updated by your vendor. You also should be able to add new intrusion prevention rules yourself.

Use heuristic and signature- based antivirus software
A recent addition is the ability for users to easily create their own virus signatures and to distribute them throughout their networks.

Be aware of Microsoft holes
It is no secret that Microsoft systems and programs are the most vulnerable to attack. Some software vendors have extended Microsoft’s security by adding to Windows the concept of program permissions. Just as users have permissions for directories and files, programs can have permissions to access different parts of the operating system, giving you direct control over what they can and cannot do.

http://www.networkingpipeline.com/160902074

CSOs say they can lead their functions to be more effective and save money at the same time. It means overcoming the challenges posed by executives who don’t buy the idea, and staff who will resist you. Here’s a guide to understanding both the upside and the hurdles to holistic security management.

Talk to Jim Mecsics about the benefits of convergence, and you’ll first have to stomach a metaphor about belly buttons. At the end of the day, says Mecsics, if there’s a security problem, the CEO is going to jab Mecsics’ belly button, hold him accountable and say, “Fix it.”

His point: In a converged security organization, there’s only one button to push—executives don’t have to contemplate whether to call the corporate security director or head of IT security or the facilities manager when they have a security issue.

Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security program—to bring together previously disparate pieces of security, including physical and information security, under one roof. It didn’t take long for the reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax’s networks. Mecsics and his team went to work—they set up a plan, mapped out the bad guys’ architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney’s office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen).

The Payoff: Executive-level backing and a mandate to run one operation for all security functions gives CSOs the chance to create more effective teams.

And did we mention the part about saving money? “That was a pure example of [the benefit of] us having everything under one umbrella,” says Mecsics. “I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy,” he says. Mecsics didn’t have to get authorization from people’s bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company’s benefit. (Mecsics left Equifax last year and now works as a senior security analyst at SAIC, a research and engineering company.)

Improved collaboration among security functions is just one of the payoffs of convergence. Others include better alignment of security with business operations, establishing the CSO as a single point of contact for all security issues, the opportunity to cross-train employees, increased information-sharing that leads to more efficient problem solving and, if you’re trying to convince otherwise skeptical execs of why convergence is worth doing, you can pull out your trump card: cost savings.

In this story, security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo talk about why they’ve converged and the payoffs they’ve achieved from reorganizing their security departments to better meet the needs of their businesses.

Payoff #1 A comprehensive security strategy better aligns security goals with
Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold onto the traditional view of security as just another cost center are failing to recognize the importance of security to day-to-day business activities.

When Marshall Sanders, vice president of corporate security and CSO (and who served as the founding director of security for President Reagan’s strategic defense initiative program in the ’80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture. Sanders’ mission was made easier because senior executives at the company viewed security as a key enabler for the business. “We’re a network services provider—we’re all about network availability. If the network isn’t available due to a logical or physical incident, it’s a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture,” he says.

A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3 (see “Security Committee,” Page 28). “It’s critical to have top-down sponsorship,” Sanders says, adding that in his case, the CEO “realized security needed to be integrated into the architecture of the business.” The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. “It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security’s problem—it’s a business concern.”

Sanders defines convergence as the integration of logical, information, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.)

Payoff #2 The CSO can be a single point of contact
When there’s a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO. John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn’t have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. But bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist among people who previously had prime allegiance to their individual security function.

Payoff #3 Information-sharing among disparate security functions increases
Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. “We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day,” says Loving. Contributing to the vulnerabilities is that these networks are generally managed by process control engineers, whose job has been to make sure the systems run day and night, not to worry about hackers or other cybercriminals. For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers.

Payoff #4 Convergence gives you a more versatile staff
Although the unified security theme resonates today at Wells Fargo, it wasn’t long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. That led to inefficiencies, where two separate teams could be investigating the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.

That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents. Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren’t previously part of their job descriptions.

In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. “The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally,” says Wipprecht.

Triwest’s Pontrelli and Pemco’s Telders cross-train their physical and infosec staff. “It’s mostly a people cost savings,” says Telders. “I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job,” he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.

Payoff #5 You save the company money
OK, you’d like to be converged, you’ve talked up the benefits of single points of contact and holistic strategies and aligning security operations with business goals—and you’ve met with glassy eyes, thinly disguised yawns and general apathy from senior execs. Now’s the time to pull out your trump card: Cost savings. One area that’s generating savings is technology convergence, the intersection of physical and information security.

That’s what Telders at Pemco Insurance has found. Telders has put smiles on the suits at Pemco by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. “If a DVR goes out, it could cost five grand. If a disk goes out, it costs $150,” he notes. Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.)

The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring.

Stephen Baird, vice president of corporate security at United Rentals, North America’s largest equipment rental company, is similarly using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn’t as clearly defined.) He reports to the company’s president and CFO. Since coming on board, he’s been working on upgrading the company’s digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigations—using the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company’s corporate facilities first and hopes to roll it out in stores eventually. He’s also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.

Stephen Baird, VP of corporate security at United Rentals, is the company’s single point of contact for all security matters. Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. GPS systems would allow security to track where the tower is, how long it’s been there and even if it was turned on. “We’ve had theft of everything,” says Baird. But rolling out a GPS system won’t happen automatically—as with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.

But if you’ve done the due diligence and believe that convergence can enhance your security posture and bring more value to the business, the CSOs in this story will tell you that you can converge and not just survive, but prosper.

http://www.csoonline.com/read/041505/payoffpain.html

Almost all companies test for vulnerable versions (i.e., missing security patches) and default configuration files.

Before investing any time or money in securing or verifying the security of an application, first perform a risk assessment.

The following are areas that should be considered:
– Scripting;
– Enumeration;
– Passwords;
– Sessions;
– Error handling;
– Field variables;
– Code commenting;
– Session time-out;
– Session cache; and
– Network parameters.

http://insight.zdnet.co.uk/internet/security/0,39020457,39194163,00.htm

The backbone of every enterprise infrastructure is a massive network of servers, network devices, security and other infrastructure that creates the complex communications network–or nerve center–of a company. Every day, system, network and security administrators are logging-on these critical infrastructure points for routine maintenance, repair and application of the most updated security patches. Many of them are running around with ROOT and ADMINISTRATOR privileges, either with their personal users or with commonly used accounts.

Enterprises have gone to great lengths to educate end-users and implement tools to help them choose complex passwords, avoid obvious ones, eliminate leaving them on Post-it notes, and change them frequently. It goes without saying that the same precautions apply to administrative passwords; however there are several additional security measures that need to be addressed since administrative user rights are extremely powerful, and thus call for an extra level of caution and security.
Administrators have the best intentions, but the more those passwords exchange hands or remain unchanged, then the greater the likelihood of a security breach.

Establishing a password control and change management program As a stop-gap measure, many enterprises store passwords for these systems in files like spreadsheets and simple databases. A quick penetration test will show just how easy it is to get at these documents.

Mismanagement of administrative passwords is a major cause for security breaches and one of the top reasons for long recovery processes from IT failures.

Here’s a checklist of best practices that should be included as a part of an administrative password control and change management policy that can be used when creating a program and evaluating the software and services to support it.

– Centralized Administration
– Secure Storage
– Worldwide, Secure Availability
– A Dual-control Mechanism
– Routinely Change Passwords and Track History
– Intuitive Auditing
– Disaster Recovery Plan

http://www.zdnetindia.com/news/commentary/stories/119420.html