RE: Windows Reverification
From: Kit (kit@smallfoxx.com)
Date: 06/10/02
- Previous message: Gallant, David: "RE: Help me and my ISA server"
- In reply to: Markiewicz, Douglas: "Windows Reverification"
- Next in thread: deepblue: "RE: Windows Reverification"
- Reply: deepblue: "RE: Windows Reverification"
From: "Kit" <kit@smallfoxx.com>
To: "Markiewicz, Douglas" <dma2p@allstate.com>, <focus-ms@securityfocus.com>
Date: Mon, 10 Jun 2002 15:32:41 -0500
Well, there is a lot of security documentation of best practices and
base-lines found at Microsoft's Security Site
(http://www.microsoft.com/technet/security). As for assisting in Auditing
permissions, consider setting up a Security Template and then using that to
audit the machines. For sending messages to owners of certain groups, you
could write an application to query the AD using ADSI then send an SMTP or
CDO message to notify them. You could do this with either WSH or most
compiled languages, but it requires some programming knowledge.
I think there are some security auditing tools that will do things like
that. For instance, I think Retina from eEye will do a lot of the auditing
for you, but I could be mistaken so check them out.
-K
> -----Original Message-----
> From: Markiewicz, Douglas [mailto:dma2p@allstate.com]
> Sent: Monday, June 10, 2002 7:45 AM
> To: 'focus-ms@securityfocus.com'
> Subject: Windows Reverification
>
>
> I am looking to reverify access controls in the Windows environment. There
> are two major components involved in the efforts: 1) reverifying access to
> global security groups, 2) file system access reverification.
>
> The biggest problem with even getting this effort off the ground is
> scalability. We have approximately 16,000+ global security groups all with
> different owners based on the area using the global group. Some don't even
> have owners listed in AD. All we'd like from the effort is to send an email
> or some other notification to the group owner, have them reverify the
> members of the group, and send back notice giving an OK with any changes
> that have been made. Has anybody done anything like this in the past?
>
> Once this is done, we'd like to perform file system access reverification.
> As in, what does any one user have access to on their workstation. Seems
> like the best way to do this is to set permission standards based on the
> type of access you have. Our base image centralizes most user settings (my
> documents, local settings, temp, etc.) so denying write access to everything
> but the personal folder would make the effort much more simplified. Not
> sure what kind of problems this may bring up though. Thoughts on this as
> well?
>
> I haven't found any good documentation from Microsoft on this (e.g. Best
> Practices) nor have I found a really good tool to assist in our efforts.
> Any feedback would be appreciated.
>
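Added example, not part of the original message or of any poster's code: one way to implement the group-owner notification step suggested above (query AD, then mail each owner), written in Python. The directory records, names and addresses are constructed stand-ins for ADSI/LDAP query results, and it assumes the owner is read from the group's `managedBy` attribute, members from `member`, and the group kind from `groupType`.

```python
from collections import defaultdict
from email.message import EmailMessage

# groupType bit flags as stored in Active Directory (a signed 32-bit value).
GLOBAL_GROUP = 0x00000002
SECURITY_ENABLED = 0x80000000

# Constructed sample data standing in for directory query results.
GROUPS = [
    {"cn": "GG-Claims-RW", "groupType": -2147483646,
     "managedBy": "CN=Ann Lee,OU=Staff,DC=example,DC=com",
     "member": ["CN=Bob Ray,OU=Staff,DC=example,DC=com"]},
    {"cn": "GG-Finance-RO", "groupType": -2147483646, "managedBy": None,
     "member": ["CN=Ann Lee,OU=Staff,DC=example,DC=com"]},
    {"cn": "DL-All-Staff", "groupType": 2,  # global distribution list
     "managedBy": "CN=Ann Lee,OU=Staff,DC=example,DC=com", "member": []},
]
OWNER_MAIL = {"CN=Ann Lee,OU=Staff,DC=example,DC=com": "ann.lee@example.com"}


def is_global_security(group_type):
    """Mask to unsigned 32 bits first: AD returns the flags as a negative int."""
    flags = group_type & 0xFFFFFFFF
    return bool(flags & GLOBAL_GROUP) and bool(flags & SECURITY_ENABLED)


def build_notices(groups, owner_mail, sender="access-review@example.com"):
    """Return (one EmailMessage per owner, names of groups with no reachable owner)."""
    by_owner, orphans = defaultdict(list), []
    for g in groups:
        if not is_global_security(g["groupType"]):
            continue
        addr = owner_mail.get(g.get("managedBy"))
        if addr:
            by_owner[addr].append(g)
        else:
            orphans.append(g["cn"])
    notices = []
    for addr, owned in sorted(by_owner.items()):
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, addr
        msg["Subject"] = f"Access reverification: {len(owned)} group(s) you own"
        body = ["Please confirm or correct the membership of each group:", ""]
        for g in sorted(owned, key=lambda g: g["cn"]):
            body.append(f"{g['cn']} ({len(g['member'])} member(s))")
            body += [f"  - {dn}" for dn in sorted(g["member"])] or ["  (no members)"]
        msg.set_content("\n".join(body))
        notices.append(msg)
    return notices, sorted(orphans)
```

Each returned message can be handed to `smtplib.SMTP.send_message`; the second return value lists the groups with no owner on record, which need manual follow-up before any reverification mail can go out.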