ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to Assess the Security of Software Tools being Used by our Admins?


Newbie

Posts: 3
Date: Dec 15, 2010
How to Assess the Security of Software Tools being Used by our Admins?


Hello,

First of all, I would like to say that it is really nice to see a forum dedicated to the subject of Active Directory security. This is obviously a very important area of security in Windows networks, so thank you for this.

Getting to my question now, I would like to know whether we should have some kind of policy in place that establishes some set of basic essential requirements that must be met before our admins acquire and deploy a variety of tools on their administrative machines.

The question was prompted by the fact that recently we had an admin who wanted to do some basic network analysis reporting, and so he found a free utility online, downloaded it and started using it. We did not know about it until we started seeing some unusual traffic patterns from his computer, and when we looked deeper, it was found that this free utility was built by some company in Romania, and that it might have been doing some additional things as well (without the admin's knowledge that is.)

This is really concerning to us, and so we are contemplating establishing some basic set of standards/requirements that must be met before our admins can download and install any piece of software from the Internet. (The fact that they are admins too makes it a little hard to enforce our policies, but we at least would like to do whatever we can.)

I would welcome and be thankful for any ideas or suggestions that you might have in this regard. It is not that we do not trust our admins, it is just that they might trust a little too much in stuff available on the Internet, and we would just like to make it secure enough for them to download and unleash anything even potentially suspect or malicious in our internal environment, because as we all know, once malicious code hits your systems, it is virtually impossible to completely get rid of it. We think it is better to be safe than sorry.

Thank you in advance.
Hans



__________________

A fine beer may be judged with only one sip, but it's better to be thoroughly sure!

 



Veteran Member

Posts: 28
Date: Jun 27, 2012
RE: How to Assess the Security of Software Tools being Used by our Admins?


Hans,

You bring up a very important point, and one that all of us should give some serious thought to.

The security of the tools we use as admins is very important, yet it is also the most overlooked fact in security. In my career thus far, I have seen so many admins who will not hesitate for one second to download a free tool from the Internet and use it!

They do so without giving any regard to 1) who built the tool 2) is it trustworthy enough, and if so, on what basis, 3) where was it built, 4) why is it free, 5) does my company policy permit the use of such a tool?

The dangers of using untrustworthy software are very high, and the dangers of using a free tool are higher still, because if the tool turns out to be malicious, its writer only needs for you to run it once in your administrative contexts, and he's basically compromised your organization's security without you knowing it.

At my employer, we have strict security policies that prohibit us from downloading or using free software of any kind from the Internet.

We also have a one-page Trustworthy Software checklist to help us determine whether or not the use of a specific tool would be allowed in our organization. While I cannot share the whole thing, because it's our company's IP, I can give you the Top-6 items rephrased -

1. Is the software vendor a reputable organization trusted by other reputable organizations?

2. Is the software built in a trustworthy region (e.g. USA) or is it built in suspect regions (e.g. Russia, China, India (border-line))?

3. Is the software designed by recognized experts or by self-claimed experts?

4. Is the authenticity of the software verifiable?

5. Is the software fully supported? 

6. Does the software need to be run in administrative contexts, and/or does it require the installation of agents in our environment?

All our IT admins are required to adhere to this policy, and we have a zero-tolerance policy for any violations of this policy, because a malicious piece of software only needs to be run once in our company to result in tremendous harm and substantial costs.

To some this might sound like a bit overdone, but we actually had a security incident once where a newly hired admin downloaded a free tool from the Internet, and within days, all systems on that LAN segment were infected and compromised.

So, your concerns are very valid, and you should certainly consider establishing a similar Trustworthiness Checklist as well.

At the very least, free untrustworthy tools should be an absolute NO. 

Good luck, and thanks for raising a very important question.

Jack.



__________________

We will NEVER forget.



Newbie

Posts: 3
Date: Jun 29, 2012
RE: How to Assess the Security of Software Tools being Used by our Admins?


Hello Jack,

Thank you for sharing your thoughts, and for providing a good checklist. I have passed this along to my management and we will try to establish a similar check-list.

Jack, if I may, one thing I would like to say is that your checklist, while very good, seems a little unrealistic, in that I'm not sure there is an Active Directory reporting/security tool that would meet all the points.

I say that because in my experience, I have come across many Active Directory reporting tools, -

1. but either most of them seem to be developed outside the US, or offered by US companies but their development is still offshore. 

2. There are also a lot of free tools that obviously do not have any way of ensuring authenticity and are obviously not supported.

3. Finally, many tools are very affordable, but it's very difficult to find out who made them, so there is often no way of knowing whether they were made by an expert such as a Microsoft MVP or by someone who read a book and decided to make a tool.

So, in light of all these practical findings, I doubt one can find a tool that meets the high bar your Trustworthiness Checklist sets.

These are just some initial thoughts I had. We will certainly make a check-list and try to find the right tools based on it, with some practicality built in, although I suppose some compromise might be required.

Thank you.

Hans.



__________________

A fine beer may be judged with only one sip, but it's better to be thoroughly sure!

 
