Re: Information Security

CHarles,

Change Management is very important. The big news for hardening servers / workstations and soon network devices, databases etc. is the Federal Desktop Core Configuration (FDCC) being designed from NIST. Read up on that, but that is going to be the top dog for securing systems. There are a few products that offer configuration management out there for the FDCC. Good luck!

Matt

-----Original Message-----
From: Charles Hardin <fonestorm@xxxxxxxxx>
Sent: Dec 13, 2007 8:03 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Cc: pen-test@xxxxxxxxxxxxxxxxx, wifisec@xxxxxxxxxxxxxxxxx
Subject: Information Security

A few months ago I joined a medium sized company as a systems admin.
The company's prior IT team did little in the forms of maintenance and
nothing in the form of security. I come from an administration
background but only common sense when it comes to decent security.
There are shared domain admin passwords, shared user logons and many
users have local admin on their pcs. I know best practice is to
separate the admins from the security team but this company views IT
as a necessary evil, ie theres 4 IT techs for 7 sites and around 500
pc users spread across the sites, all techs being at corporate. These
issues are being addressed but what I would like to know from the
community is the following:

Id like to assemble a toolkit both for gaining security control and
then maintaining it. Also pointers as to best practices and the like
would be most appreciated.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


Relevant Pages

  • (no subject)
    ... Look at the Navy-Marine Corps Internet, a contract ... Security is secuirty and penetration means exactly that. ... You just hit a sore spot w/ me...the CSI/FBI survey. ... it's probably an admin who has ...
    (comp.security.misc)
  • (no subject)
    ... Look at the Navy-Marine Corps Internet, a contract ... Security is secuirty and penetration means exactly that. ... You just hit a sore spot w/ me...the CSI/FBI survey. ... it's probably an admin who has ...
    (comp.os.ms-windows.nt.admin.security)
  • Re: Food for Thought
    ... Look at the Navy-Marine Corps Internet, a contract ... Security is secuirty and penetration means exactly that. ... that telling the reader to do a Google search for sources isn't going to ... it's probably an admin who has ...
    (microsoft.public.win2000.security)
  • Re: Grant Administrative Access to a Domain Controller
    ... Anyone with a good understanding of AD and Windows security will easily see ways of compromising the environment. ... Do not give enhanced rights to Domain Controllers to anyone you don't trust with Domain and/or Enterprise Admins. ... Just know that minimal access can be parlayed into even more access and try as you might, you cannot secure Active Directory from people with server operator or admin or several other levels of access rights on a DC. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Rather funny; looks like page defacement to me
    ... > afford one (and often when they can't afford one this person works ... On top of all that pressure, ... so I was a bit caustic on the "incompetent admin" point; ... Nobody would hire me (I'm a security engineer) to draw structural diagrams. ...
    (Focus-IDS)