How Active Directory can help protect against rogue network admins

Windows and Active Directory security expert warns of network threats

With RSA still wiping the egg off its face from last week’s attack, and Gucci on the hook for $200,000 worth of damage from a fired network admin, it’s time for companies to double down on their efforts to protect corporate networks. Security consultant Randy Franklin Smith says that Active Directory can become one of your best defenses.

He has begun advising companies to scan Active Directory to look for what may be rogue accounts. An employee could create their own rogue account right before leaving the company, knowing that their official account will be deleted once they leave. That rogue account would then serve as a back door into the network long after they departed.

Smith spoke on Thursday during a webinar dubbed Ultimate Windows Security and gave system administrators all sorts of new things to worry about: signs they need to watch for that may indicate someone is trying to break into their network or sabotage it from within. While mostly discussing Windows threats, he says non-Windows systems should also be protected.

A lot of the hour-long web session centered on rogue administrators who may be disloyal or out to damage the network. Smith explained the purpose of the “jump box,” more formally known as the “terminal services administration point,” which is essentially the entry point for administrators to log into the network. If an administrator bypasses the jump box, that should raise a red flag, he says.

Another red flag: A user who gains physical access to a company building with a key card in, say, Philadelphia, while simultaneously logging into the network from an IP address in, say, Chicago. That could be done with a Star Trek Transporter, but not in the real world.

Smith advises companies to adopt naming conventions for various categories of users, such as executives, finance, human resources, sales, etc. that are unique to the company. An attacker trying to create a fake user name after hacking into the network wouldn’t know the naming convention and could be more easily exposed. Also suspicious is the creation of a new user account, some sudden activity on that account, followed by the quick deletion of that account. A hacker may be doing that to break in, engage in some “nefarious” activity and then cover his tracks, Smith warns.

“With a lot of these you have to take into account your own environment. I’m trying to give you scenarios and patterns you can look for and you can evaluate them and compare them to your environment,” he says.

Smith further advises companies to pay more attention to the basics: watching logs for what may be suspicious repeated log-in attempts, looking for signs of audit tampering, and drilling down into a particular user’s account to observe activity by time of day or day of the week that may reveal suspicious patterns. Also, if network administrators are all based in one physical office but one admin logs in from a distant location, that would be out of the norm.
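Two of the patterns Smith describes (an account created, used and quickly deleted, and a new account that ignores the company naming convention) can be checked mechanically over the Windows Security log. The script below is an added example, not code from the webinar or from LogRhythm; the event records and the naming rule are constructed for illustration, while the event IDs 4720, 4624 and 4726 are the real Windows IDs for account creation, successful logon and account deletion.

```python
import re
from datetime import datetime, timedelta

# Windows Security event IDs (real values): 4720 account created,
# 4624 successful logon, 4726 account deleted.
CREATED, LOGON, DELETED = 4720, 4624, 4726

# Constructed sample events, not real log data. Each tuple is
# (timestamp, event id, target account, subject/initiating account).
SAMPLE_EVENTS = [
    ("2011-03-24 02:10", CREATED, "fin-jsmith", "admin-rsmith"),
    ("2011-03-24 02:12", LOGON,   "fin-jsmith", "fin-jsmith"),
    ("2011-03-24 02:40", DELETED, "fin-jsmith", "admin-rsmith"),
    ("2011-03-24 09:00", CREATED, "svc-backup", "admin-rsmith"),
    ("2011-03-22 10:00", CREATED, "exec-amiller", "admin-rsmith"),
    ("2011-03-25 11:00", LOGON,   "exec-amiller", "exec-amiller"),
]

# Hypothetical company convention: a role prefix, a hyphen, then a name.
NAMING_RULE = re.compile(r"^(exec|fin|hr|sales|admin)-[a-z]+$")

def parse(events):
    """Turn the raw tuples into (datetime, id, target, subject) records."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), eid, tgt, subj)
            for ts, eid, tgt, subj in events]

def short_lived_accounts(events, window=timedelta(hours=24)):
    """Accounts created, logged into, then deleted within `window`."""
    created, used, flagged = {}, set(), []
    for ts, eid, target, subject in sorted(parse(events)):
        if eid == CREATED:
            created[target] = (ts, subject)
        elif eid == LOGON and target in created:
            used.add(target)
        elif eid == DELETED and target in created:
            born, creator = created.pop(target)
            if target in used and ts - born <= window:
                flagged.append((target, creator, ts - born))
    return flagged  # (account, who created it, lifetime)

def off_convention_accounts(events):
    """Newly created accounts whose names do not match the convention."""
    return sorted({tgt for _, eid, tgt, _ in parse(events)
                   if eid == CREATED and not NAMING_RULE.match(tgt)})

if __name__ == "__main__":
    print("create/use/delete:", short_lived_accounts(SAMPLE_EVENTS))
    print("off-convention:", off_convention_accounts(SAMPLE_EVENTS))
```

Both checks report who created the account, which is the thread to pull when an administrator rather than an outside attacker is the one being investigated.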

Smith also shared time during the webinar with Trent Heisler, director of sales engineering at LogRhythm, a provider of a security incident and event management (SIEM) dashboard that dynamically tracks all sorts of network activity, points out where variations from the norm may be occurring and intervenes to stop suspicious behavior. The webinar gave Heisler an opportunity to plug his business, but there are, of course, many others. A Gartner Magic Quadrant ranking of the 2010 leaders in the SIEM space includes ArcSight, Q1 Labs, SenSage, Symantec and, ironically, RSA.


Copyright © 2011 IDG Communications, Inc.
