Domain Admin - Can't Touch This !

Greetings,

I work in a financial institution that must follow specific government regulations regarding logging, reporting and auditing. My role in the company is to administer 75+ servers, both Windows and Linux, and 100+ network devices including routers, switches, firewalls and UTM boxes. All of the network stuff is HP ProCurve switches and Cisco for everything else. My other role is network security for all of the above.

The government has a real problem with me having so much administrative level access to both the servers and network equipment. Their argument is I can change something on the network then go in and delete the log entries removing any evidence something was done.

What they want is to have everything send logs to a central logging server that I don't have access to.

Do any of you work in an environment like this, and what do you do for auditing? What products are out there that can satisfy these requirements?

Best regards,
The Dude
 
Since you shouldn't have access to it, I'd tell them it's someone else's problem to figure out... if you set it up who's to say you won't leave yourself access? :p

 
The Windows server side stuff is easy. Group Policy allows for auditing, but it also allows auditing of someone modifying the audit logs. While it won't show what a person deleted, it will show that someone deleted something and when. This might be good enough for them, maybe not.

As far as products out there... look at Kiwi Syslog Server by SolarWinds.
 
Which particular govt regulations are you referring to that have a problem with your access?

Sounds like your organization needs some sort of privileged access control solution. A popular one is eDMZ (TPAM Suite).

If it's not some bank regulation issue, then just tell the auditors that your organization accepts the inherent risks associated with your access and move on :)
 
But who watches the watchers?

I maintain a government network and am certain there is no such requirement in the STIGs. This must be a banking thing.

Kiwi Syslog is an awesome product...nice enough that I purchased to use on our network when the money holders refused to. I use it daily. I don't believe it is what you are looking for though - at least not where the Cisco devices are concerned.

Our ACS keeps track of every command typed into the Cisco device. Each command must be approved by the ACS before the router gets it. As a result, every command is recorded and searchable for as far back as you want to keep the records. I can go back years. It has come in handy when one of my guys swore up and down that he didn't screw up a command and I was able to show him exactly what he typed. It also comes in handy when you need to troubleshoot issues. Kiwi Syslog only monitors the system logs of the devices...unless you have debugging turned on you won't get every command entered in a session. Even then it will be cluttered with a bunch of crap you don't need. The ACS will allow them to monitor each command.

I was under the impression that most enterprise level sites used a TACACS or something similar. It is far more secure than local accounts on the devices and the security configurations available on it are top notch.
 
Greetings,

Yes, this is a banking thing. We had a dedicated network infrastructure person and a dedicated server person and neither had access into the other. We're in the middle of a reorg where the network, server, DB, and other stuff will be consolidated into a team of 6 people that'll all be cross trained in the other skills. This will ruffle some feathers as all of these people must have the "keys to the kingdom" to every sensitive system.

What we're looking for is some way all of these key systems can log events to a system this group won't have access to. I've looked into Kiwi and used it extensively in the past. I'll be meeting with our regulators to see if that's an adequate solution or not.

I was wondering if anyone else out there had worked or was working in the banking industry and if so, what you did.

Best regards,
The Dude
 
It's a banking thing.

They should have given you some suggestions. ACS and TACACS would get the job done, as previously mentioned.
 
Kiwi Syslog is an awesome product...... I don't believe it is what you are looking for though - at least not where the Cisco devices are concerned.
Router# conf t
Router(config)# no logging console
Router(config)# logging <x.x.x.x>
! <x.x.x.x> is the IP of your Kiwi syslog server
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-cfg)# logging enable
Router(config-archive-log-cfg)# notify syslog
Router(config-archive-log-cfg)# hidekeys
Router(config-archive-log-cfg)# exit
Router(config-archive)# exit
Router(config)# end

To confirm logging is set up, run:

Router# show archive log config all
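As an added example (not code from this thread or from any of the posters), here is a small Python detector that the central syslog server could run over the messages the configuration above produces. The Cisco lines use the %PARSER-5-CFGLOG_LOGGEDCMD message that IOS config logging emits once `notify syslog` is on; the Windows line is a hypothetical forwarder format I made up for the example, and the hostnames, usernames and IP addresses are constructed placeholders. The point is the one the regulators are making: once a command like `no logging host` or an "audit log cleared" event has already left the device, the admin who ran it cannot take it back, and the box they don't have access to can alert on it.

```python
import re

# Constructed sample of what a central syslog server might receive. The Cisco
# lines use the %PARSER-5-CFGLOG_LOGGEDCMD message that IOS config logging
# ("archive / log config / notify syslog") emits per command; the Windows line
# is a hypothetical forwarder format and is an assumption, not any product's output.
# Hostnames, users and IPs are placeholders.
SAMPLE_SYSLOG = """\
<189>Jan 14 10:02:11 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:dude logged command:interface GigabitEthernet0/1
<189>Jan 14 10:02:15 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:dude logged command:description uplink to core-sw2
<189>Jan 14 10:05:40 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:dude logged command:no logging host 10.0.0.5
<189>Jan 14 10:05:44 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:dude logged command:no archive
<189>Jan 14 10:07:02 core-sw2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:no aaa new-model
<13>Jan 14 10:09:30 fileserv1 Security EventID=1102 The audit log was cleared. User=dude
<13>Jan 14 10:11:05 fileserv1 Security EventID=4624 An account was successfully logged on. User=svc_backup
"""

CISCO_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s"
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\sUser:(?P<user>\S+)\slogged\scommand:(?P<cmd>.*)$"
)
WIN_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s"
    r"Security\sEventID=(?P<eid>\d+)\s(?P<msg>.*)$"
)

# IOS commands that weaken the audit trail (lose the syslog destination, turn off
# config logging, or drop centralized AAA/TACACS+ command authorization).
TAMPER_PREFIXES = ("no logging", "no archive", "no aaa", "no tacacs-server", "no service timestamps")

# Windows event IDs written when an event log is cleared (1102: Security log,
# 104: other logs). Clearing the log locally cannot remove a copy that was
# already forwarded to the central server.
WIN_TAMPER_EVENTS = {"1102": "Security audit log cleared", "104": "event log cleared"}


def parse_line(line):
    """Return a normalized event dict for a recognized line, else None."""
    m = CISCO_RE.match(line)
    if m:
        return {"source": "ios", "ts": m["ts"], "host": m["host"],
                "user": m["user"], "detail": " ".join(m["cmd"].split())}
    m = WIN_RE.match(line)
    if m:
        user = re.search(r"User=(\S+)", m["msg"])
        return {"source": "windows", "ts": m["ts"], "host": m["host"],
                "user": user.group(1) if user else "?", "event_id": m["eid"],
                "detail": m["msg"]}
    return None


def is_tamper(event):
    """True if the event indicates the audit trail itself was weakened."""
    if event["source"] == "ios":
        return event["detail"].lower().startswith(TAMPER_PREFIXES)
    return event["event_id"] in WIN_TAMPER_EVENTS


def find_tamper_events(text):
    """Parse raw syslog text and return the events that should page the auditors."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev and is_tamper(ev)]


def tamper_by_user(text):
    """Count tamper-indicative events per account across all sources."""
    counts = {}
    for ev in find_tamper_events(text):
        counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in find_tamper_events(SAMPLE_SYSLOG):
        print(f"{ev['ts']} {ev['host']:10} {ev['user']:8} {ev['detail']}")
    print(tamper_by_user(SAMPLE_SYSLOG))
```

Run against the constructed sample, the three IOS commands that drop the syslog host, the config archive and AAA are flagged along with the Windows 1102 event, while ordinary interface changes and logons are ignored; the per-user tally is what an auditor would want to see tied back to a named account, which is why the ACS/TACACS command accounting discussed earlier matters as much as the syslog feed.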
 
Six people with full admin on all systems seems a bit ridiculous to me even if you have sufficient logging in place.

Having worked with large banking and financial services clients I can tell you how most of them do it; they have separate people and roles for production and non production and the server admins are different than the network admins.


Greetings,

Yes, this is a banking thing. We had a dedicated network infrastructure person and a dedicated server person and neither had access into the other. We're in the middle of a reorg where the network, server, DB, and other stuff will be consolidated into a team of 6 people that'll all be cross trained in the other skills. This will ruffle some feathers as all of these people must have the "keys to the kingdom" to every sensitive system.

What we're looking for is some way all of these key systems can log events to a system this group won't have access to. I've looked into Kiwi and used it extensively in the past. I'll be meeting with our regulators to see if that's an adequate solution or not.

I was wondering if anyone else out there had worked or was working in the banking industry and if so, what you did.

Best regards,
The Dude
 
Six people with full admin on all systems seems a bit ridiculous to me even if you have sufficient logging in place.

Having worked with large banking and financial services clients I can tell you how most of them do it; they have separate people and roles for production and non production and the server admins are different than the network admins.

well if they have 6 people then they are not a large organization and probably do not have enough people to fully segregate duties.
 
Agreed, while full segregation of duties might not be practical there's no reason for every IT person to have full access to everything (or even six people in a small organization).


well if they have 6 people then they are not a large organization and probably do not have enough people to fully segregate duties.
 
400 employees
40 locations spread across the state
75 servers with a mix of Windows and Linux
Multiple DB servers including SQL, MySQL and DB2

It's a lot, but not as much as most.
 
Agreed, while full segregation of duties might not be practical there's no reason for every IT person to have full access to everything (or even six people in a small organization).

I agree, there is definitely some middle ground somewhere :)
 
Greetings,

I work in a financial institution that must follow specific government regulations regarding logging, reporting and auditing. My role in the company is to administer 75+ servers, both Windows and Linux, and 100+ network devices including routers, switches, firewalls and UTM boxes. All of the network stuff is HP ProCurve switches and Cisco for everything else. My other role is network security for all of the above.

The government has a real problem with me having so much administrative level access to both the servers and network equipment. Their argument is I can change something on the network then go in and delete the log entries removing any evidence something was done.

What they want is to have everything send logs to a central logging server that I don't have access to.

Do any of you work in an environment like this, and what do you do for auditing? What products are out there that can satisfy these requirements?

Best regards,
The Dude

My argument, which sounds the same as ciggwin's, is that they should figure it out on their own; not your problem. Also, trust me, this avoids the whole political mess if something happens where there is a breach. Rule out your name now while you can. If they're worried about you having too much power, don't give them another excuse to throw you under the bus if the time ever came where they have to cover their ass.
 