Securing administration #CyberSecMonth
Understanding tomorrow’s challenges
This is the theme of this fourth week of CyberSecMonth. Until 29 October, the debate will focus on the evolution of attacks, which are increasingly sophisticated, elaborate and destructive. Thus, the organisations participating in this European month of cybersecurity will be interested in the issues related to connected objects and artificial intelligence. This is an opportunity to highlight the specialists who integrate digital security into the development of artificial intelligence and connected products. Ensuring the reliability of these technologies is essential to avoid repeating the mistakes of the past.
Manage your fleet with complete peace of mind
Administrators must be especially vigilant when carrying out administrative actions. It is essential to guarantee the security of these actions to ensure the integrity of the fleet and the system. Poor management of administrative rights can have very serious repercussions for an entity.
How to act without risk?
Isolate the administration from the rest of the system:
Workstations and servers used for administrative actions must not be able to access the Internet, as surfing the web can present risks in terms of cybersecurity. Administrators who need access to the Internet must do so from a different workstation. The use of office automation tools must be done via a remote virtualized machine to guarantee the integrity of the network.
The administration network connects the administration workstations and servers to the administration interfaces of the equipment. It must be partitioned from the employees’ office automation network to avoid compromise by pivoting from a user workstation. Physical partitioning of the networks is recommended, or cryptographic partitioning using IPsec tunnels, to ensure the integrity and confidentiality of the information. If neither can be implemented, it is still important to create at least a partitioning by VLAN.
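One way to check a firewall allow-list against the two isolation rules above (no Internet access from the administration network, no path from the office network into it). This is an added example, not part of the original article; the address plan, the rule names and the rule format are constructed assumptions, and each allow rule is judged on its own, without rule ordering or deny rules.

```python
import ipaddress

# Constructed address plan (assumption, not from the article).
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")   # admin workstations, servers, management interfaces
OFFICE_NET = ipaddress.ip_network("10.20.0.0/16")  # employees' office automation network

# Destinations wholly inside these ranges are treated as internal, anything else as Internet-reachable.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed "allow" rules: (name, source CIDR, destination CIDR).
RULES = [
    ("admin-to-mgmt",    "10.10.0.0/24",  "10.10.0.0/24"),
    ("admin-to-servers", "10.10.0.0/24",  "10.30.0.0/24"),
    ("office-to-web",    "10.20.0.0/16",  "0.0.0.0/0"),     # "any" also covers the admin network
    ("admin-updates",    "10.10.0.16/28", "0.0.0.0/0"),     # admin hosts allowed out to the Internet
    ("helpdesk-rdp",     "10.20.5.0/24",  "10.10.0.0/24"),  # user workstations into the admin network
]

def audit_rules(rules, admin_net=ADMIN_NET, office_net=OFFICE_NET):
    """Return (rule name, reason) for every allow rule that breaks the isolation policy."""
    findings = []
    for name, src, dst in rules:
        src = ipaddress.ip_network(src)
        dst = ipaddress.ip_network(dst)
        # Rule 1: nothing in the administration network may reach a non-internal destination.
        if src.overlaps(admin_net) and not any(dst.subnet_of(n) for n in INTERNAL):
            findings.append((name, "administration source can reach the Internet"))
        # Rule 2: nothing in the office network may reach the administration network.
        if src.overlaps(office_net) and dst.overlaps(admin_net):
            findings.append((name, "office source can reach the administration network"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_rules(RULES):
        print(f"{name}: {reason}")
```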
Restrict administration rights:
It is common for some employees in organizations to want additional privileges on their workstations (software installation, system configuration, etc.). A user, regardless of his or her hierarchical position, should not be granted these administrative privileges since he or she could be the source of malicious code execution. It is recommended to have an application store that meets security criteria defined by the entity to meet most employee needs. It is still possible to grant administrative privileges to a user, but this practice must be exceptional, tracked and limited in time (and therefore verified and updated later). In addition, these administrator accounts should only be used for administrative actions and not for daily use. It is therefore necessary to create named administration accounts such as gbouchard-admin in order to keep a named history of the fleet’s administrative actions.
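A sketch of the review this implies: every administrative grant is checked for a dedicated named account, a tracking reference and an expiry date. This is an added example, not part of the original article; apart from gbouchard-admin, the accounts, the ticket references, the dates and the record format are constructed assumptions.

```python
import re
from datetime import date

# Dedicated administration accounts follow the <user>-admin pattern, as in gbouchard-admin.
NAMED_ADMIN = re.compile(r"^(?P<user>[a-z][a-z0-9.]*)-admin$")

# Constructed inventory of accounts currently holding administrative privileges.
GRANTS = [
    {"account": "gbouchard-admin", "owner": "gbouchard", "ticket": "REQ-0001", "expires": date(2018, 12, 31)},
    {"account": "jdupont",         "owner": "jdupont",   "ticket": "REQ-0002", "expires": date(2018, 11, 15)},
    {"account": "it-admin",        "owner": None,        "ticket": None,       "expires": None},
    {"account": "mleroy-admin",    "owner": "mleroy",    "ticket": "REQ-0003", "expires": date(2018, 9, 30)},
]

def audit_grant(grant, today):
    """Return the list of policy issues for one grant (empty list means compliant)."""
    issues = []
    match = NAMED_ADMIN.match(grant["account"])
    if not match:
        # A daily-use account holding admin rights mixes office work and administration.
        issues.append("not a dedicated <user>-admin account")
    elif match.group("user") != grant["owner"]:
        # Shared or ownerless admin accounts make the action history anonymous.
        issues.append("account is not tied to a single named owner")
    if not grant["ticket"]:
        issues.append("grant is not tracked")
    if grant["expires"] is None:
        issues.append("no expiry date")
    elif grant["expires"] < today:
        issues.append("expired, must be reviewed or revoked")
    return issues

def audit_grants(grants, today):
    """Map each non-compliant account to its issues."""
    report = {}
    for grant in grants:
        issues = audit_grant(grant, today)
        if issues:
            report[grant["account"]] = issues
    return report

if __name__ == "__main__":
    for account, issues in audit_grants(GRANTS, date(2018, 10, 22)).items():
        print(account, "->", "; ".join(issues))
```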
WAPT and Samba-AD, your strongest allies!
Application deployment with WAPT
WAPT is a software deployment tool for Windows that automates fleet management through its centralized management console. Our solution allows you to install, update and uninstall software and configurations with reliable and instant feedback. This way, you can remotely schedule your software deployments without disturbing your users. WAPT also allows you to provide your users with a software store validated by you by following your security policies. Your users with restricted rights will therefore be able to install from a store the software they want in complete security.
As part of securing administration, WAPT handles the management of rights. Thanks to its package signing system, only the administrator can deploy packages on the fleet: it is impossible to take any administrative action without a signature key. It is also possible to differentiate the roles of console administrators, so those in charge of deploying packages will not be able to create them and risk compromising the infrastructure.
Indeed, WAPT allows you to easily create your own packages thanks to the package wizard. It is also possible to visit our store, which has more than 1,000 packages, to download a package securely, edit it if necessary, test it on an isolated machine and finally deploy it throughout the fleet.
Tranquil IT is the first Samba Active Directory integrator in France. Our expertise of more than 13 years on Samba allows us to effectively perform IT asset audits, Active Directory migrations, domain mergers and Datadock-certified training. We have carried out more than 270 projects thanks to our proximity to the Samba Team.
Samba Active Directory allows you to organize your entire network, define security policies for your fleet, control permissions and access rights, all through the same Windows RSAT administration consoles. System administrators familiar with the Microsoft Active Directory environment will not be out of place, while Linux system administrators will find the command line tools to efficiently administer the centralized directory.
Get help from an expert
Driven by the desire to help organizations manage their IT systems, we assist system administrators in their daily tasks. This desire results in a unique expertise on Samba Active Directory in France but also the development of WAPT, our open source package management tool. The fact that we have obtained ANSSI qualification for our software pushes us to enrich our DevSecOps methodologies.
Within Tranquil IT, we have always wanted to privilege Open Source tools for their reliability, maintainability and especially for the freedom they bring. Choosing Open Source means choosing to save on licensing costs and trust our experts!
Do you need to secure your computer equipment?
What you shouldn’t have missed:
Who to follow during the #CyberSecMonth?
Articles not to be missed:
- The EBIOS Risk Manager method: The guide – ANSSI
- Why your smartphone is the weakest link in IT Security – L’est éclair
Find all our recommendations on Twitter and LinkedIn and on hashtag: #TousSecNum, #CyberSecMonth, #ECSM2018 and #ECSM. Also follow our hashtag #CyberConseil to follow Tranquil IT’s advice and discover the following graphics.