A system administrator's job is tough. There’s the myriad of daunting tasks, a constant need to update your knowledge as technology moves forward, not to mention the long hours you have to put in. Dealing with finicky hardware, obtuse software, and demanding users is not easy. Besides the things a system administrator needs to do, there are also certain things that a system administrator should never do.
A domain controller is a machine that runs Windows Active Directory; it goes without saying that it should be properly secured. The first step on the road to domain controller security is total isolation. The machine hosting Active Directory should be used to host Active Directory and nothing else.
Hosting anything else on that machine is an invitation to test Murphy's Law. In information security, different assets should always be isolated. Should one asset be compromised, the others would remain safe for the time being. If, on the other hand, you run a backup server on the same machine and that backup server is compromised, how long do you think it would take the attacker to notice what else is running on that machine? Why take the risk?
This rule seems simple and obvious. That being said, common sense is not so common. A system administrator should never re-use the same password for two (or more) different machines or services. If they do, and an attacker decides to try that password on any service or machine that the system administrator connects to, the attacker will have easy access.
If you use your administrator credentials to log on to a machine that is not a domain controller, you are literally handing your credentials to the next attacker. There are now really easy ways of getting your cached credentials. And for Local Admin, it takes less than 20 seconds to elevate privileges from Local Admin to Domain Admin using code freely available on the GitHub platform.
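One way to check for this, as an added example that is not part of the original article: the script below scans exported Windows logon events (event ID 4624) and flags privileged accounts that logged on interactively to hosts that are not domain controllers. The CSV layout, host names and account names are constructed assumptions; substitute your own export and inventory.

```python
import csv
import io

# Assumption: placeholder inventory; replace with your own DCs and admin accounts.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
PRIVILEGED_ACCOUNTS = {"da-alice", "da-bob"}

# Logon types where the account's credentials are typically held in memory
# on the target host. Type 3 (Network) is deliberately not included.
CREDENTIAL_EXPOSING_TYPES = {
    2: "Interactive",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample: Security log events exported to CSV (layout is an assumption).
SAMPLE_EVENTS = """\
TimeCreated,EventID,Computer,TargetUserName,LogonType
2024-03-04T08:01:12,4624,DC01,da-alice,2
2024-03-04T08:15:40,4624,WKS-114,jsmith,2
2024-03-04T09:22:05,4624,WKS-114,da-alice,10
2024-03-04T09:30:51,4624,FILE01,da-bob,3
2024-03-04T10:02:17,4624,WKS-207,DA-Bob,2
2024-03-04T10:05:00,4625,WKS-207,da-alice,2
"""

def find_exposed_admin_logons(csv_text):
    """Return privileged interactive logons on hosts that are not domain controllers."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "4624":
            continue  # only successful logons place credentials on the host
        host = row["Computer"].split(".")[0].upper()  # tolerate FQDNs and case
        user = row["TargetUserName"].lower()
        logon_type = int(row["LogonType"])
        if user not in PRIVILEGED_ACCOUNTS or host in DOMAIN_CONTROLLERS:
            continue
        if logon_type in CREDENTIAL_EXPOSING_TYPES:
            findings.append((row["TimeCreated"], host, user,
                             CREDENTIAL_EXPOSING_TYPES[logon_type]))
    return findings

if __name__ == "__main__":
    for when, host, user, kind in find_exposed_admin_logons(SAMPLE_EVENTS):
        print(f"{when}  {user} logged on to {host} ({kind})")
```

Each finding is a candidate for a password reset on the affected account and a review of why an administrator account was used on that host.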
Here's a secret: default credentials never stay a secret. Someone eventually finds out, the information gets leaked, and everyone who cares now knows. Those default credentials then get added to a database or list of default credentials for whatever piece of hardware or software uses them, and now every script kiddie on the planet, as well as dedicated threat actors, can access whatever was being protected. As a system administrator, that's a definite no-no.
There is no need for open Wi-Fi networks in corporate spaces. If you need a guest network, assign a password to it and change it regularly. If people complain that they always have to get the new password, ask yourself the following question: will those people be complaining when you're busy cleaning the mess caused by a compromise? One thing is for certain: when it goes wrong, you will be blamed for the mess. With technology like WebTitan WiFi you can easily provide a fast and secure Wi-Fi experience to people accessing your network. You can block malware and enforce acceptable browsing policies across locations.
In conclusion, security should not be sacrificed at the altar of convenience. The majority of system administrators would never dream of doing the no-no’s listed in this article. It’s clear network administration is difficult and challenging. Every network is different, so network configuration, security and troubleshooting remain highly specialized and valued skills. And so it shall continue to be, at least until someone develops networks and devices that can read users' minds.
In the meantime, TitanHQ would like to make life just a bit easier for the overworked system administrator by providing a convenient list of tools for diagnosing common problems. This toolbox is a go-to location for system admins, containing lots of resources that will come in handy if you're ever hit with a security incident or breach. These tools guide you through preparing for a disaster and recovering from one.