CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [239]
The problems first began when he was a Webelos scout and was encouraged by his leaders to have a fire-starting kit. This caused me to change the no-matches policy to exclude the fire-starting kit—that is, until he thought it all right to demonstrate his expertise with the kit to neighborhood boys in his room.
I could tell story after story of how problems occurred when I made exceptions to the rule—as long as the rule was absolute (one way or the other), problems stayed away. As soon as I deviated from the absolute, however (“it is now okay to have matches…”), the problems appeared. The same is true when you administer a network.
The easiest way to simplify network security is to organize users into groups and computers into roles. Rather than managing each user individually, you manage each group collectively. The group(s) a user is placed into should always be based upon the roles they need to perform their job, with the minimum set of rights and privileges required for those roles.
The rights and privileges available for assigning will differ in name based upon the operating system(s) you run (Chapter 5, “Implementing and Maintaining a Secure Network,” discusses different operating systems), but all employ similar concepts. The most important thing is to make certain that you assign users to a group only when they need the rights and privileges that group offers, and that you regularly monitor group ownership and remove users from groups when they no longer need those rights and privileges.
Real World Scenario
The Wide World of Groups
One of the system administrators in your office is going on paternity leave. Normally, he is the only one authorized to access certain files and run key reports. One of the accountants has graciously offered to run these reports while he is gone. How should you assign the needed permissions to the accountant?
There are two approaches to this scenario: one you should avoid, and one you should take. The first approach is to assign the necessary permissions specifically to the accountant—both to the data files and to the executables needed to run the report. This approach is not recommended because the number of files could be substantial and there is always a risk that you will overlook one when adding (or, worse yet, later removing) permissions.
The second approach—and the one that is recommended—is to add the accountant to a Reports group, which contains only the bare minimum permissions needed to run reports, and remove him from there when the administrator returns. If such a group does not exist, you should immediately create one.
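As an added illustration (not the book's own material) of the group-based approach above and the temporary Reports-group grant in the scenario, this Python model uses a constructed role-to-group mapping and membership list and audits for expired temporary grants and for permanent memberships a user's role does not justify:

```python
from datetime import date, timedelta

# Constructed example: the minimum groups each job role needs (not from the book).
ROLE_GROUPS = {
    "sysadmin": {"Admins", "Reports"},
    "accountant": {"Finance"},
}

# Constructed directory: which role each user performs.
USER_ROLES = {"alice": "sysadmin", "bob": "accountant", "carol": "accountant"}

# Constructed membership records: (user, group, expires).
# expires=None is a permanent entry; a date marks a temporary grant.
MEMBERSHIPS = [
    ("alice", "Admins", None),
    ("alice", "Reports", None),
    ("bob", "Finance", None),
    ("bob", "Reports", date(2024, 3, 1)),  # covered the admin's leave
    ("carol", "Admins", None),             # leftover from a past project
]
TODAY = date(2024, 3, 15)  # constructed audit date

def grant_temporary(memberships, user, group, days, today):
    """Add a user to a group with an expiry date instead of a permanent entry,
    so the audit flags it for removal rather than relying on someone's memory."""
    return memberships + [(user, group, today + timedelta(days=days))]

def audit_memberships(memberships, user_roles, role_groups, today):
    """Return (expired, out_of_role): temporary grants past their expiry, and
    permanent memberships that the user's role does not justify."""
    expired, out_of_role = [], []
    for user, group, expires in memberships:
        if expires is not None:
            if expires <= today:
                expired.append((user, group))
            continue  # unexpired temporary grants are intentional exceptions
        allowed = role_groups.get(user_roles.get(user), set())
        if group not in allowed:
            out_of_role.append((user, group))
    return expired, out_of_role

def revoke(memberships, findings):
    """Drop every (user, group) pair listed in findings from the membership list."""
    flagged = set(findings)
    return [m for m in memberships if (m[0], m[1]) not in flagged]

if __name__ == "__main__":
    found = audit_memberships(MEMBERSHIPS, USER_ROLES, ROLE_GROUPS, TODAY)
    print("expired:", found[0], "| outside role:", found[1])
```

Running the audit on a schedule is the "regularly monitor group ownership" step from the text; the expiry date is what makes the accountant's temporary membership visible instead of silently permanent.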
Based upon the operating system(s) that you are using, a number of logical access control methods should factor into your implementation. Many of these have been discussed throughout this book, and Table 9.1 summarizes some factors to consider.
TABLE 9.1 Common Logical Access Control Methods/Topics
Assigning appropriate controls does not apply only to users and groups; it is equally important for the items they access, such as file and print resources. Make certain the permissions assigned to those resources are the minimum necessary to use the resources properly.
Understanding Security Awareness and Education
Security awareness and education are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management.
A security-awareness and education program can do much to assist in your efforts to improve and maintain security. Such efforts need to be ongoing, and they should be part of the organization’s normal communications to be effective. The following sections discuss some of the things you can do as a security professional to address the business issues associated with training the people in your organization to operate in a manner that is consistent with organizational security goals.
Using