Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12
location, the changes are replicated across the network. This method of centralized
administration is considerably easier than the decentralized approach, which
required administrators to visit or connect to multiple servers across the network to
make security changes to accounts.
However, as with tasks that require the administrator's physical presence at a
site, the administrator can designate someone to perform basic account management
functions at a remote site. For example, someone at a remote location could be given
the necessary access privileges to create new accounts, modify existing accounts, or
delete accounts that are no longer needed. If a branch office hired a temporary
employee, the designated person could create the account and remove it when the
temporary employee no longer worked there. While this relieves the administrator
from having to manage all accounts in all locations, the administrator needs to trust
that the person given this authority is creating, modifying, and deleting accounts
properly and according to policy.
Auditing
Auditing is the process of monitoring and examining items to determine if problems
exist. Regular monitoring of different logs, data, and other sources can assist in
determining if there are lapses in security. Enabling auditing on a system allows the
system to record certain events to a log file or notify someone (e.g., by sending
e-mail, sending a page, and so forth). By analyzing these records, administrators can
identify attempted and successful breaches of security, and discover where lapses in
security exist.
Auditing can involve monitoring any number of events, allowing the administrator
to track the activities of accounts and attempts to access data and resources.
For example, firewalls can be configured to monitor which Web sites users are
visiting through the corporate local area network (LAN), while a network OS can be
configured to monitor successful and unsuccessful logon attempts. Through
auditing, administrators can identify attempts to breach security and see if security
policies are being followed.
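As an added example (not from the book), the following Python sketch reviews a constructed audit log for the two things discussed above: runs of unsuccessful logons, including those that end in a successful logon, and account changes made by a delegated operator. The record layout, event names, account names, and the threshold of three failures are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample audit records; the event names and field layout are
# assumptions for illustration, not the format of any particular OS.
SAMPLE_LOG = """\
2024-03-04T09:15:02 LOGON_SUCCESS user=adavis src=10.0.5.11
2024-03-04T09:16:40 FILE_READ user=adavis path=/share/menu.txt
2024-03-04T09:17:10 LOGON_FAILURE user=jsmith src=10.0.5.23
2024-03-04T09:17:12 LOGON_FAILURE user=jsmith src=10.0.5.23
2024-03-04T09:17:15 LOGON_FAILURE user=jsmith src=10.0.5.23
2024-03-04T09:17:19 LOGON_SUCCESS user=jsmith src=10.0.5.23
2024-03-04T09:20:00 LOGON_FAILURE user=bwong src=10.0.5.40
2024-03-04T09:20:30 LOGON_SUCCESS user=bwong src=10.0.5.40
2024-03-04T10:02:00 ACCOUNT_CREATED user=branch-op target=temp01
2024-03-04T17:45:00 ACCOUNT_DELETED user=branch-op target=temp01
"""

# Events chosen in advance as significant; everything else is skipped.
SIGNIFICANT = {"LOGON_SUCCESS", "LOGON_FAILURE", "ACCOUNT_CREATED", "ACCOUNT_DELETED"}

def parse(line):
    """Split one record into (timestamp, event, {field: value})."""
    ts, event, *pairs = line.split()
    return ts, event, dict(p.split("=", 1) for p in pairs)

def review(log_text, threshold=3):
    """Return (findings, account_changes) from the significant events only."""
    failures = defaultdict(int)   # consecutive failed logons per account
    findings, account_changes = [], []
    for line in filter(str.strip, log_text.splitlines()):
        ts, event, f = parse(line)
        if event not in SIGNIFICANT:
            continue              # not selected for review
        user = f["user"]
        if event == "LOGON_FAILURE":
            failures[user] += 1
            if failures[user] == threshold:
                findings.append((ts, user, "attempted"))
        elif event == "LOGON_SUCCESS":
            if failures[user] >= threshold:
                findings.append((ts, user, "success-after-failures"))
            failures[user] = 0    # a good logon resets the run
        else:  # account management, e.g. by a delegated remote operator
            account_changes.append((ts, user, event, f.get("target")))
    return findings, account_changes

if __name__ == "__main__":
    for row in sum(review(SAMPLE_LOG), []):
        print(row)
```

The single mistyped password for `bwong` is not reported, while the account changes by `branch-op` are listed separately so they can be compared against the account policy.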
When enabling auditing, it is important to remember that system resources will
be used to monitor events, which will have an impact on performance. While it is
possible to audit every event on a server, doing so could slow down the system
significantly. Also, the more events audited, the more entries are included in the
log file showing auditing results. It can be difficult to sift through a high volume
of information to find the information needed. To effectively audit a system, it is
important to first determine what events are significant and need to be monitored
to protect
www.syngress.com