  1. #1
    Jeremy W. (SitePoint Wizard)

    Network Admin kicking my butt!

    Okay, I really need some help here.

    Our network setup goes something like this:

    Firewall: Secured ISA
    Network: win2k Active Directory based
    Mail Server: Exchange 2K
    DB Server: SQL Server 2K
    Webserver: win2k

    Now, for some reason the NA has put the Webserver on a completely different network. Apparently it's more secure. Alright, fine, I can deal with that. We rewrite our COM (never mind that it was never part of the operational requirements for it to be on another network, but that's another issue) and we get it working.

    The NA then goes about "tightening up the holes we've created". Things like disabling all access to the SQL Server directory, removing Modify and Execute permissions across the webserver, removing data tunneling from the webserver, removing "Everyone" permissions from the Registry.

    He then tells the Directors that the reason the site isn't functioning is MY team's fault!

    Which of these are valid/invalid security precautions and what can I do to defend against them:

    . Webserver on separate network plane
    . SQL Server directory locked down
    . Registry locked down (I swear this is one of the problems since our COM relies on it)
    . Modify/Execute permissions disabled on webserver

    I know all this is whacked but I don't know what to say. And since we're 3 weeks overdue (my team was ready) on this project, the Directors aren't being too patient...

    The best "non techy" illustration I can come up with is that security is like a brick wall. Normally you should implement your wall so that it protects your "city" from invaders: Have it facing externally.

    However, we (NA) have made it so that not only are we protected externally (which we are) but we also have little walls all over the place in the city preventing our "citizens" (data) from travelling where they need to and how they need to...

    Help!
    SVP Marketing, SoCast SRM
    Personal blog: Strategerize
    Twitter: @jeremywright

  2. #2
    easyrew (SitePoint Zealot)

    Wow - where do I begin? First by saying that I'm on your side - honest.

    Originally posted by Jeremy W.
    Which of these are valid/invalid security precautions and what can I do to defend against them:

    . Webserver on separate network plane
    . SQL Server directory locked down
    . Registry locked down (I swear this is one of the problems since our COM relies on it)
    . Modify/Execute permissions disabled on webserver
    I would argue that they are all valid security precautions. Your Network Admin must ensure that you are secure from external attack. But cannot be so arrogant as to assume that you are. Paranoia is sometimes a good personality trait (only sometimes).

    The NA must ensure that you are also secure internally. It's great to assume that your Dev. team are all responsible coders (I'm sure you all are) - but assume for a minute that someone hacks their way through your "external" defences and is now on the inside. If your Network Admin hasn't secured the systems internally too - the intruder now has the freedom of your network.

    At work we have just completed the transition from being a very small part of an enormous organisation which provided a managed network infrastructure, to a very small company who now manage their own infrastructure.

    I'm a developer and had to ensure that all our systems would work in the new environment. My colleague, Network Admin, had to ensure that the entire network was secure.

    We both had to work together to ensure that we could compromise but that the network wasn't compromised. It was in our interests to give and take a little to reach our common goal. (This all sounds so cheesy.)

    In the long run this resulted in additional work for both of us (including me having to walk! to the server room, because there is no remote management of the live web or DB servers), but we got there.

    I'm not familiar enough with COM to suggest possible solutions or compromises, sorry. I've also moved away from SQL server in the last year. Why do you need access to the SQL server directory?

    What server-side language are you using that requires modify/execute enable on the web server? Is it required in all directories (ie, site-wide) - or could you have a specific directory with the scripts in?

    Registry Access: I would remove "Everyone" access from the registry too if it were my server. Could the NA set up a specific user account for you and give only that account access to the registry?

    Just a few thoughts. I hope that's been helpful and I look forward to your response and further questions.

    Rich
    If a man stands alone in the forest
    and there's no woman around to hear him,
    is he still wrong?
    w: www.EasyRew.com
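An added example, not part of the thread and not code from either team: the compromise Rich suggests above (one specific account given only the registry and directory access it needs, instead of "Everyone") written out as a PowerShell script. The account name, the registry key and the directory paths are assumptions for illustration. PowerShell did not exist in 2002, when the same ACLs would have been set with regedt32 and cacls, but the rights being granted are the same.

```powershell
# Added example, not from the thread: grant one dedicated application account
# exactly the registry and NTFS access a web application needs, in place of
# the "Everyone" group. All names below are assumptions for illustration.
# Run in an elevated PowerShell on the web server; it changes ACLs.

$AppAccount = "$env:COMPUTERNAME\WEBAPP_SVC"        # assumed local service account
$RegKey     = 'HKLM:\SOFTWARE\ExampleCorp\WebApp'   # assumed key the COM component reads
$ScriptDir  = 'C:\inetpub\wwwroot\app'              # assumed script directory
$DataDir    = 'D:\webdata'                          # assumed upload/data directory

function Protect-Object {
    param([string]$Path)
    # Stop inheriting ACEs from the parent, keeping copies as explicit entries,
    # then persist and re-read so each copy can be edited individually.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    return Get-Acl -Path $Path
}

function Remove-EveryoneAce {
    param([System.Security.AccessControl.ObjectSecurity]$Acl)
    # Match on the well-known SID S-1-1-0 rather than the localised name "Everyone".
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    foreach ($ace in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $everyone) { [void]$Acl.RemoveAccessRule($ace) }
    }
}

function Grant-RegistryRead {
    param([string]$Path, [string]$Account)
    # The COM component only needs to read its configuration: ReadKey, inherited by subkeys.
    $acl  = Protect-Object -Path $Path
    Remove-EveryoneAce -Acl $acl
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)      # replaces any existing Allow ACE for this account
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-DirectoryAccess {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Protect-Object -Path $Path
    Remove-EveryoneAce -Acl $acl
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Account, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-Access {
    param([string]$Path)
    # Audit view: who can do what, and whether each ACE is explicit or inherited.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, RegistryRights,
                      AccessControlType, IsInherited
}

# Scripts are read-and-execute only: the application identity cannot alter its own code.
Grant-DirectoryAccess -Path $ScriptDir -Account $AppAccount -Rights 'ReadAndExecute'
# Writable data is kept apart from the scripts, so the tree the web server is
# allowed to execute from is never one the application can write to.
Grant-DirectoryAccess -Path $DataDir   -Account $AppAccount -Rights 'Modify'
# Registry: read-only on the one key the component uses; Everyone is gone.
Grant-RegistryRead    -Path $RegKey    -Account $AppAccount

# Print the resulting ACLs so both teams can see exactly what was changed.
$ScriptDir, $DataDir, $RegKey | ForEach-Object { "== $_"; Show-Access -Path $_ }
```

If the application actually runs as the IIS anonymous account (IUSR_machinename on IIS 5), that is the account to put in $AppAccount; the point is that exactly one principal, not Everyone, carries the rights, and the listing at the end is the evidence to bring to the meeting with the NA.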

  3. #3
    easyrew (SitePoint Zealot)

    D'oh!

    I touched on the "techy" bits - but not the pressing issue: how to best explain the situation to your boss so he doesn't kick your butt too.

    Perhaps it would be better to use an example your boss could easily relate to. Something like this:

    Network Admin = Security Guard
    Your web application/system = Office worker

    Situation: You are setting up a new office. Staff are employed - lots of planning has gone into ensuring that the workplace is fit for the tasks to be performed in it.

    The security guards job is to ensure the security of your offices and their contents.

    Two days before you are due to move into the offices and start work, the security guard changes the locks on all the filing cabinets. He will allow you into the building, and into most offices, but you can't get the information you need to do your job.

    Everything is secure - but the business stops running.
    There has to be a compromise.

    Rich

  4. #4
    TheRock (I'm NOT an Addict!)
    The NA is always right...
    -*-
    B-School Forums - GMAT / MBA / Admissions discussions
    -*-

  5. #5
    Nicky (Don't get too close, I bite!)
    The boss is always right...

  6. #6
    Jeremy W. (SitePoint Wizard)
    easyrew, thank you for taking the time to answer. I do believe I have a slightly better perspective. If it sounded like I was saying security isn't a priority I apologise. It was more the "your team has to fix this now cause it still isn't working" that was ticking me off. There needs to be communication and he obviously cannot keep changing the ways in which we need to get data from point to point.

    Case in point. For 4 years the main site has been using Frontpage Extensions to do a lot of the behind-the-scenes stuff. Not my decision, but changing it would have required bringing the site in house and recoding the entire thing (4,000 pages). It's on my list but not a priority. The NA decides FP Extensions are insecure so he switches them off. Users start complaining, CEO starts complaining and who gets the heat? Me ...

    NA is always right? That's like saying the client is always right.

    As far as needing access to the SQL Server directory: I don't. It was just an example of his "tightening up" without being aware of anything at all. There were no shares to that directory, there was nothing happening inside that directory (it took me 30 minutes to explain to him that SQL Server was not based on flat files because he wanted to lock down the individual database file).

    As far as COM and the Registry. I'd love to be able to lock the Registry down to one user, however I can guarantee with 99% certainty that it will not be just one user logged in all the time, and when it isn't that user or when something stops working it will, again, be my team who is told to fix it.

    Anyways Rock, I appreciate your input but a job title does not define rightness in any organisation. Is the CEO always right? No. Is the Janitor always right? No. If any individual makes a decision which adversely affects the organisation (we've had to put in nearly 200 extra man-hours fixing just the fact that the webserver is on a separate network: that's roughly $10,000 in extra costs for something that could have been phased in later!).
    Last edited by Jeremy W.; May 15, 2002 at 05:25.

  7. #7
    Jeremy W. (SitePoint Wizard)
    He isn't my boss.

  8. #8
    Nicky (Don't get too close, I bite!)
    J, I believe his name is easyrew!

  9. #9
    Jeremy W. (SitePoint Wizard)
    Sorry if I sound stressed guys I'm not really too stressed, just at a loss. I'm not so much trying to defend my position as trying to figure out how to compromise. If I go to the point of saying "Okay, if we have to we'll put the webserver on a separate network" he asks to lock up the registry. If I say "well... geeze, I dunno about that, but if we have to", he does something else.

    Guess I'm just wondering how far is right. I don't want the "Everyone" group to have access to everything any more than he does, however I also want the sites to work without us doubling our work (which has nearly happened already. We did the entire site in 2.5 weeks, and we've spent 2 weeks fixing the results of his changes).

    Anyways, I've got a meeting today and I'm sure it will get sorted out. The NA and I are good friends, I just want to work this out for all involved, but without any knowledge of networks or security it's really hard to be level-headed.

    So... Be level-headed, listen and say what... This is really my question. I'm probably simply going to ask that communication be encouraged, that the NA share all his plans so that we can be prepared, and that things be phased in when both departments are ready instead of just instituted unilaterally.

  10. #10
    TheRock (I'm NOT an Addict!)
    Originally posted by Jeremy W.
    NA is always right? That's like saying the client is always right.
    Successful software project managers always make the client "believe" that "The Client is Right", and still go ahead with what they feel is right. What's wrong in trying the same with the NA?


  11. #11
    Jeremy W. (SitePoint Wizard)
    Because with clients you have control and you have the knowledge of the area. When the NA places the server on a different continent you don't. He holds the power keys both because he literally holds the keys to the server room and because he is trusted on issues of security (and rightfully so).

    Anyways, it's not a biggie, but thanx for letting me vent.

  12. #12
    TheRock (I'm NOT an Addict!)

  13. #13
    tommatthews (Net Senior Citizen)
    What's the difference between a Network Admin and God??

    God doesn't think he is a Network Admin!

    (Sorry, had to drag out that gem once again.)


    affordable website design

    :: sydney australia ::

  14. #14
    Technosailor (Prolific Blogger)
    I guess this means you'll have more time for Sitepoint, eh? lol

    Sketch
    Aaron Brazell
    Technosailor



  15. #15
    Jeremy W. (SitePoint Wizard)

