Securing administration #CyberSecMonth

CyberSecMonth is coming to an end,and we hope you have read a lot of relevant articles and interesting infographics. On our side, we still have a few CyberAdvice’s to share with you and we are counting on the most greedy of you to be present at our “meetings” (every Monday, Tuesday and Thursday)!

Secure the administration of your park to manage it with ease

As administrators, you must be particularly vigilant when performing administrative actions. To ensure the integrity of the park and the system it is essential to guarantee the safety of your actions. Poor management of administrative rights can have very serious repercussions for an entity.

The security of the information system depends on the proper management of administrative rights. There are many good practices and solutions to ensure that you can act safely and without compromising the organization.

How to act without risk?

Isolate the administration from the rest of the system:

Workstations and servers used for administrative actions must not be able to access the Internet, as surfing the web can present risks in terms of cybersecurity. Administrators who need access to the Internet must do so from a different workstation. The use of office automation tools must be done via a remote virtualized machine to guarantee the integrity of the network. The administration network allows to connect the administration workstations and servers and the equipment administration interfaces. It is necessary to partition the administration network of the employees’ office automation network to avoid compromise by bouncing from a user workstation. It is recommended to set up a physical partitioning of the networks or a cryptographic partitioning thanks to the installation of Ipsec tunnels to ensure the integrity and confidentiality of the information. If these actions prove impossible to implement, it is still important to create at least one partitioning by VLAN.

Restrict administration rights:

It is common for some employees in organizations to want additional privileges on their workstations (software installation, system configuration, etc.). A user, regardless of his or her hierarchical position, should not be granted these administrative privileges since he or she could be the source of malicious code execution. It is recommended to have an application store that meets security criteria defined by the entity to meet most employee needs. It is still possible to grant administrative privileges to a user, but this practice must be exceptional, tracked and limited in time (and therefore verified and updated later). In addition, these administrator accounts should only be used for administrative actions and not for daily use. It is therefore necessary to create registered administration accounts such as gbouchard-admin in order to keep a registered history of the park’s administration shares.

WAPT and Samba-AD, your strongest allies!

Application deployment with WAPT

WAPT is a software deployment tool for Windows that automates fleet management through its centralized management console. Our solution allows you to install, update and uninstall software and configurations with reliable and instant feedback. This way, you can remotely schedule your software deployments without disturbing your users. WAPT also allows you to provide your users with a software store validated by you by following your security policies. Your users with restricted rights will therefore be able to install from a store the software they want in complete security. WAPT’s security has been recognized by ANSSI, which has awarded it the standard qualification for the Enterprise version (1.5) of the software. As part of the security of the administration, WAPT is able to ensure the management of rights. Thanks to its package signing system, only the administrator can deploy packages on the park, it is impossible to take any administrative action without a signature key. It is also possible to differentiate the roles of console administrators, so those in charge of deploying packages will not be able to create them and risk compromising the infrastructure. Indeed, WAPT allows you to easily create your own packages thanks to the Wizard package. It is also possible to visit our store, which has more than 1,000 packages, to download a package securely, edit it if necessary, test it on an isolated machine and finally deploy it throughout the park.

Samba Active Directory, l’alternative Open Source

Tranquil IT est le premier intégrateur de Samba Active Directory en France. Notre expertise de plus de 13 ans sur Samba nous permet de réaliser efficacement des audits de parc informatique, des migrations d’Active Directory, des fusions de domaines et des transferts de compétences sur Samba Active Directory. Nous avons mené plus de 270 projets grâce à notre proximité avec la Samba Team.

Samba Active Directory permet d’organiser l’ensemble de votre réseau, définir des politiques de sécurité pour votre parc, de contrôler les autorisations et les droits d’accès, etc. Le tout au travers des mêmes consoles d’administration Windows RSAT. Les administrateurs systèmes habitués à l’environnement Microsoft Active Directory ne seront pas dépaysés. Les administrateurs systèmes Linux retrouveront les outils en ligne de commande permettant d’administrer l’annuaire centralisé efficacement.

Get help from an expert to secure the administration of your IT park

Driven by the desire to help organizations manage their IT systems, we assist system administrators in their daily tasks. This desire results in a unique expertise on Samba Active Directory in France but also the development of WAPT, our open source package management tool. The fact that we have obtained ANSSI qualification for our software pushes us to enrich our DevSecOps methodologies. Within Tranquil IT, we have always wanted to privilege Open Source tools for their reliability, maintainability and especially for the freedom they bring. Choosing Open Source means choosing to save on licensing costs and trust our experts!

Understanding tomorrow’s challenges

This is the theme of this fourth week of CyberSecMonth. Until 29 October, the debate will focus on the evolution of attacks, which are increasingly sophisticated, elaborate and destructive. Thus, the organisations participating in this European month of cybersecurity will be interested in the issues related to connected objects and artificial intelligence. This is an opportunity to highlight the specialists who integrate digital security into the development of artificial intelligence and connected products. Ensuring the reliability of these technologies is essential to avoid repeating the mistakes of the past.

Articles not to be missed:

• The EBIOS Risk Manager method: The guide – ANSSI
• Why your smartphone is the weakest link in IT Security – L’est éclair

Find all our recommendations on Twitter and LinkedIn and on hashtag: #TousSecNum, #CyberSecMonth, #ECSM2018 and #ECSM. Also follow our hashtag #CyberConseil to follow Tranquil IT’s advice and discover the following graphics.