6 Replies Latest reply on Apr 23, 2013 9:56 PM by noxigen

    In our ever continuing admin rights battle with the TSA...

    bsciencefiction.tv

      We are yet again in a battle to keep our admin rights to our app servers and pollers.

       

      Does anyone else have issues with their security team wanting to remove admin rights to their app servers.

       

      We have tried to explain over and over again the necessity for admin rights.

       

      Restarting services

      Viewing Security logs

      add and remove roles

      manage iis.

       

      I am curious is this a battle we are alone in, or are there more of you with security run by people who think removing all access is security?

        • Re: In our ever continuing admin rights battle with the TSA...
          RichardLetts

          Assuming they don't mean removing remote desktop access, just membership of the all-powerful administartors group then I feel they should be providing you a workaround, and I think there are ways around everything you've listed

           

           

          I've been fortunate in that where I've managed SolarwindsOrion I've either been the security/server administrator  or here where I have a separate login that I have to use for server administration.

            • Re: In our ever continuing admin rights battle with the TSA...
              bsciencefiction.tv

              They want to relegate us to RDP only access or access through a worthless product called CyberArk Password Vault.  I can say worthless, because I used to administer the product and have spen the last couple of years apologizing to anyone and everyone I set the system up to use.

               

              It really is a power struggle, I am better than you issue.  The Server Team Manager approved the access, we are the only apps on these servers and we purchased them from our budget.  It just seems our security group is managed by someone who did not have a subdivision to be Home Owners president over or a small Island to be dictator of.

                • Re: In our ever continuing admin rights battle with the TSA...
                  Leon Adato

                  In those cases (and yes, I've had them), I think the most expedient thing is to explain to them (and cc: your stakeholders and supporters) what you will no longer be able to provide, including (but not limited to)

                  • Any new reports
                  • Any scheduled report emails
                  • Any new alerts
                  • Any new views or accounts that require account limitations
                  • Any further SolarWinds updates, patches, or MIB updates
                  • ...etc...

                   

                  In addition, you had better let the security team/dictator/evil emperor know that anything based on WMI requires an account with *at least* the same permissions described above, and often more, and thus that account should be limited as well. Of course, that means you won't be able to actually USE the account, and therefore you would need to add a whole set of other items to the list of "no longer possible", including windows volume mount points, service monitoring, etc (assuming you have SAM).

                   

                  The upshot: Kill 'em with compliance.

                  • Re: In our ever continuing admin rights battle with the TSA...
                    pyro13g

                    Cyberark is being implemented at our company also.  Only time will tell as far as what it does or doesn't cause.  I think the Cyberark admins will get sick of approving requests all day long, being awoken all night, etc..  What I see happening, and I have heard with my own ears in a meeting, is that there will be a process for gaining automated approval without security reviewing an approving. That leaves me scratching my head.

                      • Re: In our ever continuing admin rights battle with the TSA...
                        bsciencefiction.tv

                        Password Vault is great for people who have to get on a server like twice a year.  It is a nightmare for sys admins, especially if you have to be on a server for a long period of time or more than one at once.  Every time the screen lockout triggers, you have to log back into the Password Vault web console and launch a new session.  And it opens 2 windows for every session, one is blank.  there is really no security value add unless you use the record function.

                         

                        Like I said, it was so bad, I literally have apologized to almost everyone I set up in it.  Most of them forgave me.  We had to get a special exemption from our CISO, because it so hindered our performance and made working from home almost impossible.

                  • Re: In our ever continuing admin rights battle with the TSA...
                    noxigen

                    I've been on both sides of this fence and I understand where you're coming from in that your team needs a certain level of rights to effectively support the application. The Principle of Least Privilege dictates that you should only have enough rights to perform your duties. How to go about doing that is completely subjective and can cause much turmoil between information security and application support teams.

                     

                    There are tools out there that can help make you, your security team and business stakeholders happy by removing administrator access, while still giving more granular control to the application support team. With good policies and procedures in place, support can end up being a lot smoother and easier to manage.