IS Decisions' Blog

Password Policy: Sharing Passwords

Fri, 04 May 2012 05:48:00 -0400

This is a guest post by W. Benson Dana, IT internal auditor for the Maine state government.

At one point in my career, I worked at a place where management in one unit had allowed a senior manager to collect the log on and email passwords of the employees of the unit. There had been complete resistance to giving up this policy, and the excuse was that this unit’s mission and objectives were unique (how many times does the internal auditor hear this excuse?) and that this arrangement was absolutely necessary.

I called a meeting and here is my description of the meeting agenda:

« We will discuss the specific IT security policy that prohibits the sharing of passwords. I understand that the unit has a policy that the Assistant Director must have the AD (Active Directory) password of at least a subset of the unit’s employees if not all. This would be a direct violation of the IT security policy. I am not interested in discussing any other aspect of IT policies or operations, past or present.

I am not aware of any other unit in the company with a similar policy. If it were, that unit would receive the same degree of scrutiny. I am not interested in discussing any other unit’s policies or procedures, unless anyone knows of a similar policy.

Your AD password is unique to you and is not known by anyone else unless you share it, overtly or inadvertently. The members of the help desk who are so authorized CAN reset your password if you forget it. When that happens, you type in a NEW password that is again unknown to anyone else.

Our IT systems monitor when passwords are changed, but not what the password is.

The prohibition to sharing passwords is a basic and standard internal control around the world. One of its primary purposes is to protect OTHER employees from inappropriate suspicion in the event that account is used for inappropriate purposes.
This is similar in concept to the requirement that each cashier use their own cash drawer instead of a shared cash register drawer. If 2 people share a cash drawer, and one steals, they both come under suspicion. The employer owes its employees a duty to see that their employees cannot be falsely accused of inappropriate conduct.

If a password is shared, the person who knows another’s password now becomes automatically suspect whenever that user’s account is used for inappropriate, illegal or unethical purposes. One of the 2 WILL be falsely accused of the violation. If the matter is not resolved, they BOTH will remain under the cloud of suspicion. That is a BAD result.

Every employee in history who has been convicted of theft, embezzlement, or other crime was hired as a trusted employee. This policy has nothing to do with trust. The Maine Attorney General’s office recently terminated the employment of an employee, licensed to practice law in Maine, who is accused in connection to a pornography violation. Until this was brought to light, this lawyer was considered a trusted employee above reproach. I am not interested in discussing anything related to trusting employees.

Are passwords inadvertently shared? Probably. Does that make it right or smart? No.

In the case when an employee has a planned leave, email can simply be forwarded to another person. In the event an employee is sick, they can usually manage to log on, activate the forwarding feature, and log off. In an emergency situation, the help desk can perform this action. I’m interested in knowing how many such emergency situations have occurred in the past 6 to 12 months. I am not inclined to plumb the depths of history with respect to this one aspect of the discussion. »

I was successful in getting the unit to stop sharing passwords.

This article has been originally published on Internal Control Freak, W. Benson Dana’s blog where you will find other stories related to Fraud prevention and accounting and business advice.

Prevent concurrent logins

W. Benson Dana is perfectly right here: password sharing creates accountability and non-repudiation issue as user A, connected to the network with the credentials of user B, can access user B’s data and applications, send e-mails in his/her name, etc.

Passwords can be shared inadvertently (ever seen a password written on a Post-it note and attached to a monitor?) or consciously (a manager does not want to approve purchase requisitions and so just logs on for one of his subordinates and then allows him to approve each purchase requisitionin his place) .Educating users about the dangers of such practices is a good thing but is it good enough?

Human beings usually need to be properly motivated to adopt best practices and follow rules and policy.

UserLock comes handy here, as this unique software solution prevents (among numerous other security features) concurrent logins to a Windows network.

On a UserLock-protected network, a user cannot share his password without taking a major risk of being unable to logon himself. Can you think of better motivation?

Check UserLock detailed features

Download a free, fully-functional trial

UserLock is part of PC Mag’s Best Apps for 2012

Mon, 23 Jan 2012 04:28:00 -0500

UserLock, our software solution that limits concurrent logins, restricts access, monitors, alerts and reports on session activity throughout the corporate Windows network, has been picked by PC Mag to be part of their “25 excellent applications for small-to-mid-sized businesses to consider in 2012”.

Samara Lynn, Lead Analyst at PC Mag, describes UserLock as “an impressive product”, emphasizes its efficiency and scalability and highlights its usefulness for organizations that have to adhere to compliance regulations like HIPAA or SOX.

UserLock allows Network Administrators to:

Limit or prevent concurrent logins to Windows networks, based on user, user groups, Organizational Units or session types.
Restrict user access to the network with multiple criteria: workstations, time, business hours, and connection type.
Follow the session activity on the network in real-time and get detailed, graphical reporting
Remotely close or lock user sessions, shutdown workstations, from anywhere using the Web console

More than one million UserLock licenses are currently in use by hundreds of security demanding organizations worldwide, including:
The US DoJ, the FBI, the DEA, the United Nations, Barclays Bank, Banco Santander, Cigna, as well as numerous SMBs and academic institutions.

Read the article on PC Mag

UserLock detailed features

Download a fully-functional trial

70% of young workers ignore IT security rules: how to tame them?

Fri, 30 Dec 2011 08:18:42 -0500

According to a report recently issued by Cisco Systems, 7 out of 10 young employees frequently ignore IT policies and two-thirds said they believe their company’s policies need to be modified. About 61 percent said corporate IT security isn’t their responsibility, believing it is that of their employer or the maker of their devices.

Of those who were aware of IT security policies, 70% of employees worldwide admitted to breaking policy with varying regularity. Among the different reasons, the most common was the belief that employees were not doing anything wrong (33%). One in five (22%) cited the need to access unauthorized programs and applications to get their job done, while 19% admitted the policies are not enforced. Some (18%) said they do not have time to think about policies when they are working, and others either said adhering to the policies is not convenient (16%), they forget to do so (15%), or their bosses aren’t watching them (14%). The attitude of younger workers to technology clearly represents a new and growing threat to corporate IT security.

Beyond IT security awareness and training programs, organizations must find ways to efficiently enforce their computer security policies.

UserLock has a role to play here, as this software solution gives CSOs and Network Administrators the means to secure access to their Windows network and to quickly react in case of inappropriate behavior.

Using UserLock makes it possible to:

Automatically notify all users prior to gaining access to a system with a tailor-made disclaimer

Users can for example be advised that system usage is monitored, recorded, subject to audit, and that unauthorized use is prohibited and subject to criminal and civil penalties. This is an efficient reminder for thoughtless employees, young or not.

Restrict user access to the network with multiple criteria: workstations, time, business hours, quotas and connection type

UserLock allows setting and enforcing access restrictions in a granular way. An example of multi-criteria restriction could be: prevent a given user (or group, or Organizational Unit) from logging to the network:

from a computer outside of a given department
outside of business hours
via a VPN connection.

The login system is the first line of defense of a Windows network. Restricting user access reduces the attack surface of the network and keeps rogue or careless users at bay.

Follow the session activity on the network in real-time, be alerted and remotely lock, logoff and reset all sessions immediately

UserLock allows real time session surveillance and monitoring; at all times a System Administrator knows who is connected, from what workstation(s), since when, etc. Popup or email alerts can also be sent to the network administrators for specific events such as denied logins, successful logins and logoffs.

In case of suspicious behavior, System Administrators can instantly take action to tackle insider threats.

Limit or prevent concurrent logins to a Windows network, based on user, user groups, Organizational Units and session types

Limiting or preventing concurrent logins decreases the ability of users to share their credentials, as it would impact their own ability to access to the network.

It also makes it impossible for a rogue user to seamlessly use valid credentials at the same time as their legitimate owner, access that user’s data and applications, send Emails in his name, etc.

Simultaneous logins limitation or prevention avoids serious accountability and non-repudiation issues.

Check UserLock detailed features

Download a free trial

We curate Microsoft related news for you

Thu, 22 Dec 2011 10:06:56 -0500

Volunteers among IS Decisions’ Team constantly review dozens of information sources (websites, blogs, Twitter accounts, etc.), carefully select content for its quality, originality and relevance, and create compelling online magazines.

Our goal is to provide IT pros with online resources that help them easily get useful, up to date information about Microsoft technologies, IT security and more, in order to streamline their technology watch activities.

Topics we cover include:

Microsoft
“Microsoft’s products, people and strategies”

Windows Infrastructure
“Hot off the presses for Windows IT pros”

IT Security
“Windows IT Security News”

PowerShell
“Everything PowerShell”

MVP
“What’s new in the Microsoft MVPs world”

You can receive a daily digest by Email for the topic(s) of your choice:

Click on the “Follow” button at the top right corner of every page (under the mention “curated by IS Decisions”) of the topic(s), then type in your Email address. You can opt out whenever you want by clicking “Unfollow”.

Please check our online magazines out and let us know what you think. Thanks for your feedback!

Check the December issue of IS Decisions Wire

Mon, 19 Dec 2011 09:41:42 -0500

The December issue of IS Decisions Wire, our bimonthly E-newsletter is out.

Drawing inspiration from Microsoft’s Metro design language, IS Decisions Wire celebrates an elegant and clean look & feel that we hope you will find pleasant to look at and interesting to read.

Subscribe now to get the next issue: it’s free!

How to remotely deploy Internet Explorer 9 on your network

Tue, 13 Dec 2011 05:09:24 -0500

Simple and direct deployment

Easily deploy the new Internet Explorer 9 (IE9) browser on chosen computers by following these instructions.

Download the four existing IE 9 packages from the Microsoft Web site
- IE9-Windows7-x64-enu.exe
- IE9-Windows7-x86-enu.exe
- IE9-WindowsVista-x64-enu.exe
- IE9-WindowsVista-x86-enu.exe
Open RemoteExec and go to Remote Jobs/New Remote Job/Multiple actions through the Configuration tree.
Click on Add Files to execute/deploy in the Quick access pane. A browser will open. Browse to the four downloaded IE 9 packages, select them and click on Open.
Go to the Target Computers section and select the computers on which you want to deploy IE 9.
You can now start your deployment by clicking on
The Progress window will open in a new tab to permit you to follow the remote operation process.

Advanced deployment

The simplified and direct deployment previously described shows the easiest path possible. This is the full scenario to follow if you want to deploy the required hotfix and Internet Explorer 9.

Requirements

Here is the list of requirements needed to deploy Internet Explorer 9:

Windows Vista, Seven, 2008 or 2008 R2 (You cannot install IE 9 on Windows XP or Windows 2003).
For Windows Seven and Windows 2008 R2, the KB2454826 is required if you have not yet deploy the Service Pack 1 released in February.
This deployment can require a system reboot.

In this article we describe how to build your deployment scenario automatically.

Create your scenario

Download the four existing IE 9 packages from Microsoft Web site and the two KB2454826 hotfixs packages:
- IE9-Windows7-x64-enu.exe
- IE9-Windows7-x86-enu.exe
- IE9-WindowsVista-x64-enu.exe
- IE9-WindowsVista-x86-enu.exe
- Windows6.1-KB2454826-v2-x64.msu
- Windows6.1-KB2454826-v2-x86.msu
Open RemoteExec and go to Remote Jobs/New Remote Job/Multiple actions through the Configuration tree.
The Quick access pane allows you to add all Remote Actions needed for this deployment scenario. Click on Add a wake up. This System action will be added to the central window. As it’s already pre-set, you’ve nothing else to do: RemoteExec will wake up the target computers¹ and wait until an answer is received before performing the next action.

¹: RemoteExec should have automatically scanned the Mac addresses and subnet of Target computers. RemoteExec automatically scans for MAC addresses and subnets at each start-up. You can launch or schedule the scan of MAC addresses during working hours with the Get wake up info Action. You can also check all previously scanned MAC addresses or add manually MAC addresses and subnets in the RemoteExec Options.
Click on Add Files to execute/deploy in the Quick access pane. A browser will open. Browse to the two KB2454826 hotfixs packages. Select them and click on Open.

RemoteExec will detect the package type as an Update installation action and will set all parameters automatically².

²: If the KB2454826 has been already installed, RemoteExec will display a warning message in the Execution Results Windows: Exit code not null (0x240006 The update to be installed is already installed on the system.). Then it will launch the next action.
Click on Add a reboot in the Quick access pane.
As the reboot needs only be done for the computers which just received the hotfixs, double-click on the Reboot action in the list and check the option Reboot only if needed.
Repeat step 4 to add the IE 9 installation files clicking on Add Files to execute/deploy in the Quick access pane.
Add another Reboot action after the IE 9 installation actions. As in step 6, enable the Reboot only if needed check box. IE 9 deployment require a reboot to finalize his installation.
To finish, click on Add a shutdown to power off your computers.
Your whole IE 9 deployment scenario is now complete.

You can select your Target computers in the third section as wanted: only the machines which can accept the hotfixs or this Internet Explorer version will be processed.
Schedule your Job deployment as explained in a previous article

Want more?

It can be useful to save this scenario deployment for re-use, when you add new computers to your network for example. Once you’ve finished your Multiple actions configuration, select it in the Configuration tree and then click on Save in my Remote Actions through the context menu or the Quick access pane.

Type a name for this Multiple actions in the pop-up and validate. You will be able to use it later in My Remote Actions menu through the Use action in a new remote job command.

Netware to Active Directory migration: what about limiting concurrent logins?

Mon, 12 Dec 2011 04:59:28 -0500

NDS and NetWare gave network administrators the ability to easily enforce certain restrictions on their network especially the ability for a person to open simultaneous sessions with the same login.

As with most things in Netware Directory Services, restricting concurrent connections could be performed from the administrative workstation using the NetWare Administrator utility.

When migrating to Windows Server and Active Directory, former Netware network administrators are therefore surprised to discover that Windows offers no native feature to prevent or limit simultaneous logins to their new network.

That is where UserLock comes in handy, with concurrent logins limitation features even more powerful than Netware’s native features. UserLock allows you to limit or prevent simultaneous logins to a Microsoft Windows network, per user, user group or per session type (workstation, terminal, interactive or VPN/RAS).

Limitations can be set in a granular way and can vary from one user to another or from one group to another.

With UserLock you will be able to define and enforce:

the maximum number of concurrent workstations where a user can be logged on
the maximum number of terminal sessions that a user can open
the maximum number of simultaneous VPN/RAS sessions that a user can open
the maximum total number of sessions (all session types) that a user can open

You will also be able to:

define a maximum limit for combinations of several kinds of sessions.
You can for example set a custom limit to prevent the number of workstation sessions plus the number of VPN/RAS sessions to be greater than one.
allow users to remotely logoff an existing session if their number of allowed sessions has already been reached.
A user will then be able to remotely close a previous session from the new workstation on which he is not allowed to logon due to his current UserLock restriction.

Additional UserLock features

Workstation restriction
Time restriction
Real-time session monitoring and alerts
Reporting on session history and statistics
Remote session administration

More info

RemoteExec vs. PsExec : not in the same league

Fri, 25 Nov 2011 09:30:00 -0500

Interacting with remote Windows systems is a daily task for IT professionals.

Everyone will agree that application deployment, remote server reboots, emergency updates, user session locking, etc. are tedious, time consuming chores without the help provided by efficient tools.

IS Decisions prides itself in building top notch solutions for IT pros. Our remote deployment and execution solution is called RemoteExec and here’s a comparison with Microsoft’s PsExec:

RemoteExec

RemoteExec is an agentless software solution that allows IT pros to execute predefined remote actions through a graphical interface.

RemoteExec remotely installs applications, executes programs/scripts and updates files and folders on Windows systems throughout the network.

RemoteExec logs execution history and results allowing administrators to reload remote actions and generate reports.

RemoteExec was created in 2000 by IS Decisions and is in its 5th major version.

PsExec

PsExec is a light-weight telnet-replacement freeware that lets IT pros execute processes on other Windows systems, complete with full interactivity for console applications, without having to manually install client software.

It was initially developed by Sysinternals, which is now owned by Microsoft.

The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their system utilities and technical information.

GUI and command line vs command line only

RemoteExec has an intuitive, user-friendly GUI (tabbed interface, dockable windows) with predefined action types while PsExec is a command line tool only.

As an example, with RemoteExec, a Microsoft hotfix deployment will only require you to specify the hotfix path while PsExec will require determining every hotfix switch.

RemoteExec can also be used via the command line and be invoked by a script or any automation tool if needed.

RemoteExec Interface

Multithreading vs single-threading

RemoteExec uses fully multithreaded technology while PsExec performs remote executions on one computer at the time.

This can be extremely frustrating especially on large networks or when remote computers are unavailable.

RemoteExec Multithreading example

Execution logging vs console output

RemoteExec comprehensively logs all remote executions (and their results) it performs and automatically generates graphical, printable reports, so you can relaunch them (or schedule a new try) if some of them happen to be unsuccessful.

PsExec only provides you with a console output and a return code.

RemoteExec report example

Integrated Scheduling vs nothing

The scheduler is integrated in RemoteExec. You can perform and manage remote executions and reports outside of business hours.

PsExec does not have any scheduling features. You will have to manually build and enter the command line expression into the Scheduler.

RemoteExec scheduler

Conditional execution vs nothing

RemoteExec comes with a mini scanner allowing remote systems configuration information to be collected and used for conditional updating: OS version, OS level (server/workstation), Service Pack, Internet Explorer version, customizable registry key/value, OS language, architecture, etc.

This makes it possible to execute a deployment on Windows 7 SP1 workstations only, without having to select them manually.

There is no such possibility in PsExec.

RemoteExec filter example

Full reusability vs saving script files

RemoteExec gives you the ability to save Remote Action configurations in a favorite folder (My Remote Actions) in order to use them again quickly on different target computers (for example to perform on demand deployment).

PsExec will only allow you to save your command lines as a script file.

RemoteExec “My Remote Actions” menu

Encryption vs insecurity

RemoteExec’s communications are encrypted. Unfortunately, when you use a specific user account, PsExec passes credentials in the clear to the remote workstation, thus exposing the credentials to anyone who happens to be «listening in».

Conclusion

PsExec is a smart unsupported utility that can be very useful if you are on a tight budget, manage a small-sized Windows network and have minimal feature and security requirements.

RemoteExec is a secure, feature-rich enterprise software solution that meets the performance and security requirements of savvy IT professionals managing small to very large (up to tens of thousands endpoints) Windows networks.

IS Decisions now has an official page on Google+

Tue, 08 Nov 2011 03:57:42 -0500

At IS Decisions, we believe that customers, prospects, partners and more widely IT professionals in the field provide the best source of ideas for enhancing our software solutions and improving the quality of our service.

That is why we created IS Decisions’ official page on Google+ as another way to exchange with savvy IT pros worldwide.

Our aspiration is to get feedback, suggestions, share information and tips, and sometimes, well, just have some fun together!

Please let us know what kind of content you would like us to cover on Google+ and add us to your circles.

Check the September issue of IS Decisions Wire

Fri, 23 Sep 2011 09:19:45 -0400

The September issue of IS Decisions Wire, our bimonthly E-newsletter is out.

We designed it as a tribute to Windows 8 and the Metro-UI and made sure
you can read it from your desktop and/or your smartphone.

Subscribe now to get the next issue: it’s free!

Best of BUILD and Windows 8: articles and posts we like best

Tue, 20 Sep 2011 08:52:00 -0400

Last week was pretty exciting! At BUILD, Microsoft unveiled Windows 8 and we must admit that what we have seen so far about this new OS is pretty impressive.

A lot of IT journalists and bloggers have started writing about Windows 8, a bunch of videos and screenshots have been published, and as usual, the best and the worst coexist in that steady stream of information.

We therefore tried to separate the wheat from the chaff and here are our favorites:

On Windows 8

If You Already Hate Windows 8 Then You Hate Technology
(on Gizmodo, by Mat Honan)

Windows 8: BFD — Big Forking Decision
(on Monday Note, by Jean-Louis Gassée)

4 things Microsoft must do to make Windows 8 work
(on PCPro, by Barry Collins)

Windows 8: The ultimate guide to BUILD and more
(on Neowin, by Owen Williams)

On Windows Server 8

What’s New in Windows Server 8 Active Directory
(on Windows IT Pro, by Sean Deuby)

10 best new features of Windows Server 8
(on InfoWorld, by Doug Dineley and Brian Chee)

What’s new in Windows Server 8
(on Mark Minasi’s Windows Networking Tech Page)

And saving the best for last, here is the silliest article ever written about Windows 8:

EXCLUSIVE: Corp. America to Microsoft: We’ll Pass on Windows 8
(on Fox News, by John Brandon)

and the delicious way Ed Bott crucifies it:

About that Fox News Windows 8 “exclusive”
(on Ed Bott’s blog)

IS Decisions software nominated for the 2011 Windows IT Pro Community Choice Awards

Mon, 29 Aug 2011 06:36:00 -0400

Our 4 software solutions have been nominated for the 2011 Windows IT Pro Community Choice Awards.

You use and appreciate them? Please help us creating awareness about our innovative Infrastructure & Security Management solutions for Microsoft Windows by voting for them before September 7th (it will only take 2 minutes of your time)!

- UserLock
UserLock limits concurrent logins, restricts access, monitors, alerts and reports on session activity throughout the corporate Windows network.
Nominated in category #22: Best Security Product

- RemoteExec
RemoteExec remotely installs applications, executes programs/scripts and updates files and folders on Windows systems throughout the network.
Nominated in category #6: Best Deployment/Configuration Product

- FileAudit
FileAudit monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.
Nominated in category #3: Best Auditing & Compliance Product

- WinReporter
WinReporter retrieves detailed information about hardware, software and security settings from Windows systems and automatically generates reports.
Nominated in category #25: Best Systems Monitoring Product

You can also show your appreciation for the great job performed by our dedicated Technical Support Team by voting for IS Decisions as “Best Vendor Tech Support” (category #30).

Cast your vote now and thank you in advance for your valued support!

FISMA Compliance – What’s the big deal anyway?

Wed, 13 Jul 2011 11:08:00 -0400

The article below is a guest post by our US partner Information Systems Laboratories). ISL offers a wide range of services to help companies implement or improve a corporate cyber/information security program, including independent IT security evaluations, threat and vulnerability analysis and incident response plans.
ISL has entered a partnership with IS Decisions, as they recognize UserLock and FileAudit as efficient software solutions to implement FISMA/NIST compliance for 3 key NIST 800-53 control families:

Access Control (AC)

Identification and Authentication (IA)

System and Information Integrity (SI)

UserLock limits concurrent logins, restricts access, monitors, alerts and reports on session activity throughout the corporate Windows network.

FileAudit monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Windows systems.

Hope you enjoy the article and I look forward to your comments,
François AMIGORENA
President & CEO

In the United States, FISMA Compliance is a matter of national security. To elevate its importance, all federal agencies are given an annual – and very publicly available – grade based on the effectiveness of their IT security programs. As a further incentive, if after failing a compliance assessment, in addition to the publication of your failing grade, your CIO may be greeted with a congressional hearing. If that is not enough, after the hearing, the Office of Management and Budget (OMB) may just cancel or delay funding of your government programs - none of which would be considered welcome news nor career-enabling.

Whether you work for a corporation or government agency, the importance of ensuring your data is safe goes without saying. In fact, the larger your corporation, the government places more importance on your data, thus moving you closer to the same requirements government agencies have.

What is FISMA?

The Federal Information Security Management Act (FISMA) was devised to assist agencies and departments of the federal government in securing their data. Chief Information Officers (CIOs), Inspectors General (IGs) and officials of government programs are required to conduct annual reviews of their information security program and report their findings to the Office of Management and Budget (OMB). The OMB then reports to Congress on each agency’s compliance. The annual report also must include an independent cyber security evaluation

What is NIST?

As an agency of the U.S. Department of Commerce, the National Institute of Standards and Technology (NIST) has developed a set of controls and guidelines supporting FISMA which Federal agencies and organizations supporting them must follow.

NIST 800-53 Control Families

The 18 control families and their 205 respective controls covered by NIST 800-53 encompass everything from physical security to information systems security to spam prevention and has been designed to work for any organization - as long as the controls are selectively chosen and implemented. For the cyber security novice, though secure, implementing all the controls to their fullest extent would not only be prohibitively expensive but would severely cripple the organization’s ability to function efficiently which is in direct conflict to the purpose of these controls. The intent is to take a calculated risk-based approach to security by implementing just the right amount of controls. Doing so not only saves money, but also helps to improve your organization’s operational efficiencies. Maximizing these benefits is where the assistance of trained Cyber Security professionals is critical. The best Cyber Security Evaluation companies are those who take the necessary time to learn your environment and processes to ensure the optimum controls are selected and adhered to.

NIST 800-53 Control Family Summaries

Below are some of the points contained within each of the control families. For a complete view into each control, we recommend ISL’s Cyber Security Search Engine.

Access Control (AC)

Control: 22 | Class: Technical

The 22 controls making up this family provides security guidance with a focus on access control-based policies and procedures, remote access, access control lists (ACL), etc. helping to ensure access to physical and computer-based information systems are restricted to authorized individuals only.

Access Control: a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.

Awareness and Training (AT)

Control: 5 | Class: Operational

The intention of these 5 controls is to ensure a Security Awareness and Training policy is established along with its respective procedures and sufficient security awareness training programs are employed.

Awareness: Activities which seek to focus an individuals attention on an (information security) issue or set of issues.
Training: strives to produce relevant and needed (information) security skills and competencies. The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individuals attention on an issue or set of issues.

Audit and Accountability (AU)

Control: 14 | Class: Technical

The purpose of this set of 14 controls is to have the organization identify, audit, track and report on particular events that could be a security risk.

Audit: Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Security Assessment and Authorization (CA)

Control: 7 | Class: Management

This set of 7 controls ensures the organization has a Security Assessment Plan which specifies the included controls and enhancements, their procedures and the selection of an independent assessment team to conduct an impartial assessment. In the event the assessment is conducted by an internal team (because the company is small for instance), the results of the assessment are to be reviewed and analyzed by an independent team of experts such as by ISL’s Cyber Security Evaluation team (Information Systems Laboratories).

Configuration Management (CM)

Control: 9 | Class: Operational

The intent of these 9 controls is to ensure the organization has a Configuration Management policy and formalized procedures in place to establish baseline configurations, change control, security impact analyses, component inventory, etc. to help ensure changes to systems are tracked since even minor changes can have severe security implications.

Configuration management is unique identification, controlled storage, change control, and status reporting of selected intermediate work products, product components, and products during the life of a system.

Contingency Planning (CP)

Control: 10 | Class: Operational

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business operations. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised.

Identification and Authentication (IA)

Control: 8 | Class: Technical

Identification: An act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.
Authentication: A process that establishes the origin of information or determines an entity’s identity.

Incident Response (IR)

Control: 8 | Class: Operational

The 8 controls contained within this family guide the organization in the creation of a incident response policy and procedures to assist the proper response to an incident that may jeopardize the organization’s information system.

Maintenance (MA)

Control: 6 | Class: Operational

The intent of these 6 controls is to have the organization develop a System Maintenance Policy and supporting procedures to ensure the organization schedules, documents and reviews all maintenance and repairs of systems; uses approved maintenance tools; employing strong identification and authentication for remote maintenance, etc. In other words, these are operations required to keep hardware, software, data, etc. in good working order.

Media Protection (MP)

Control: 6 | Class: Operational

The 6 controls within the Media Protection family is to ensure the organization creates a Media Protection policy and supporting procedures to ensure proper steps are taken to protect data and prevent unintentional access and loss.

Physical and Environmental Protection (PE)

Control: 19 | Class: Operational

The 19 controls within this family help to enforce measures to protect information systems from unauthorized physical access.

Planning (PL)

Control: 6 | Class: Management

This family of 6 controls encourages the development of a System Security Plan, online rules of behavior for employees along with a security planning policy and procedures.

Personnel Security (PS)

Control: 8 | Class: Operational

The intent of the Personnel Security control family is to provide guidance in the hiring, security management and termination of employees.

Risk Assessment (RA)

Control: 5 | Class: Management

The Risk Assessment control family directs the organization in the creation of a Risk Assessment Policy and resulting procedures in order to assess the potential and magnitude of harm in the event of unauthorized access of information systems. In addition to the understanding of the potential risks, software and hardware solutions are implemented to help mitigate risk by identifying and addressing vulnerabilities.

System and Services Acquisition (SA)

Control: 14 | Class: Management

The System and Services Acquisition control family exists to ensure the budgetary means to support the ongoing security needs of the organization are established; systems are properly documented; software licensing is documented and enforced; peer-to-peer file sharing is not used to share unauthorized data or copyrighted material, etc.

System and Communications Protection (SC)

Control: 34 | Class: Technical

The System and Communications Protection control family consists of 34 controls. However, this is a little misleading as 11 of the controls have been withdrawn leaving 23 active controls. The breadth of this control family covers topics such as the physical and/or logical separation of system management interfaces from user functionality; security from non-security functions of the system; the prevention of unauthorized transfer of information from a commonly shared resource such as system memory; the protection of systems from Denial of Service attacks (DoS attacks); even the priority of system resources is called into question to ensure low priority services don’t negatively impact those of a higher priority.

System and Information Integrity (SI)

Control: 13 | Class: Operational

Some of the purposes behind the 12 controls within the System and Information Integrity control family are to identify, report and correct flaws in code including proper error handling; protection from malicious code such as viruses, Trojans, and spyware; monitoring of systems; the reception and reaction to internal and external security alerts; detection of unauthorized changes to data and software; protection from spam and predicting and preventing the failure of systems.

Program Management (PM)

Control: 11 | Class: Management

The 13 controls within the Program Management family directs the organization to develop an Information Security Program Plan, a process to ensure Plans of Action and Milestones (POA&M) are properly worked, etc.. Appointing a Senior Information Security Officer (SISO) or if your organization is a federal agency, a Senior Agency Information Security Officer (SAISO) are among some of the other directives to ensure the information security program is established and in working order.

Though this overview vastly simplifies the complexities and nuances of cyber security, we hope you have found this helpful. Should you have questions or would like to explore how your organization measures up to these and other controls, let us recommend our partner, Information Systems Laboratories (ISL).

Contact them if you are interested in receiving an Independent Cyber Security Evaluation.

You can also download free trial versions of UserLock and FileAudit from our website.

"It is almost never safe to download executable programs from peer-to-peer file sharing networks..."

Mon, 20 Jun 2011 08:00:39 -0400

“It is almost never safe to download executable programs from peer-to-peer file sharing networks because they are a major source of malware infections.”

- Brian Krebs on KrebsOnSecurity.com

IS Decisions opens UserLock 6.0 Beta Testing Program

Wed, 30 Mar 2011 10:53:22 -0400

We are pleased to announce the UserLock 6.0 Beta Testing Program.

UserLock limits concurrent logins, restricts access, monitors, alerts and reports on session activity throughout the corporate Windows network.

UserLock 6.0 is a major upgrade that comes with numerous new features and enhancements including:

- Time quotas: ability to define daily, weekly, monthly, etc. quotas.
- A third type of Protected Account: Organizational Units.
- Protection of IIS sessions (Ex: control access to Outlook Web Access or an Intranet).
- Ability to set the protected zone by selecting multiple computer Organization Units.
- Ability to define restrictions on workstations with computer Organizational Units.
- Audit and display session with local accounts.
- Specialized reports for RAS sessions (history, evolution and statistics).
- And more…

UserLock 6 beta will be ready in a couple of weeks. Would you like to test it?

Join our Beta Testing Program by filling out this online Web form.

We will share documents and resources and provide personalized technical support during your tests of the Beta.

Thank you in advance for your interest in UserLock 6.0!

UserLock and FileAudit help guard against rogue sys admins

Fri, 25 Mar 2011 05:51:38 -0400

Back in September 2010, Network World published an insightful article by Carolyn Duffy Marsan, titled «6 tips for guarding against rogue sys admins».

In this article, Carolyn underlined the fact that «one of the biggest threats that organizations face is losing sensitive data […] to theft from their own employees. The threat is greatest from systems and network administrators, who have privileged access to vast amounts of corporate data and are responsible for most compromised records in insider cases.»

Carolyn then described several practical steps IT departments can take to minimize the insider threat, including:

«Restrict and monitor users with special privileges»

More easily said than done if you only rely on native Windows features. Windows lacks the fundamental and classic login session controls found in other environment like mainframe and midrange systems, UNIX and Netware.

UserLock comes in handy here, as this software solution allows CIOs to:

limit or prevent concurrent logins to a Windows network, based on user, user groups or session types,

restrict user access to the network with multiple criteria: workstations, time, business hours, and connection type,

follow the session activity on the network in real-time and get detailed, graphical reporting,

automatically receive popup or email alerts for specific events such as denied logins, successful logins and logoffs.

«Keep user access and privileges current, particularly during times of job changes or layoffs»

Here again, native Windows features are not really oriented to easily provide this functionality.

Imagine the following example:
A Sys Admin (let us call him John) is fired and knows that his dismissal is coming. John is logged on at 04:00 pm and at 04:05 pm the CIO disables and/or deletes his account. Guess what happens? John is still logged on to a workstation and connected to some servers. All he has to do is unlock the workstation, (typically workstations do not go and check unlock requests with the domain controller). The result is that John is still able to work on his desktop and local drives, even though his account has been disabled and deleted.

With UserLock, a CIO can remotely lock, logoff and reset all sessions immediately, from potentially anywhere using the Web interface.

«Monitor employees found guilty of minor online misconduct»

When it comes to employees’ online behavior surveillance, two things are crucial:

To monitor logon sessions

Here again, native Windows features are not sufficient. System Admins are not able to answer the following questions in real time:

Who is logged on at which computers?
Which computers are being used by a given user?
Who are the users currently logged on at this particular computer?

UserLock allows real time session surveillance and monitoring; at all times a CIO knows who is connected, from what workstation(s), since when…

To monitor access to files and folders

To monitor access to an organization’s files and folders, standard Microsoft systems only propose manual event logs. This functionality leaves administrators with hundreds or even thousands of events to decrypt and analyze to pinpoint the information of interest. This generates endless hours of non productive and error-prone work.

FileAudit monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.

FileAudit instantly gives a comprehensive list of:

read/write accesses

file ownership changes (accepted or denied)

permission modifications (accepted or denied)

Each record details:

the user

the domain

the date and time of connection and disconnection

for:

a file

a selection of files

a folder and subfolder

a selection of folders and subfolders

«Educate your employees about insider threat»

Raising employees’ awareness about insider threat is a key component of an efficient IT security strategy. Regular training or offering a hotline so that employees can anonymously report fraud are part of the insightful measures that should be taken to mitigate insider threat. But one of the most efficient ways to make users security aware is to systematically remind them of their rights and duties each time they log on.

UserLock allows notifying all users prior to gaining access to a system with a tailor- made disclaimer. Users can for example be advised that system usage is monitored, recorded, subject to audit, and that unauthorized use is prohibited and subject to criminal and civil penalties.

Another efficient way is to provide users at each connection with detailed information about their previous logons, so they can easily detect if someone else had successfully logged on (or attempted to log on)as them and potentially impersonated them. This is missing from native Windows features.

At each logon, UserLock provides users with information such as:

last workstation logged on,

date and time of last successful logon,

history of all logons denied by UserLock and Windows since last successful logon,

number of logons denied by UserLock and Windows since last successful logon.

We look forward to your comments and concerns. Feel free to post your remarks hereunder or use Twitter or Facebook to exchange with us.

Download UserLock now

Download FileAudit now

How to deploy SP1 for Windows 7 and Windows Server 2008 R2 outside of office hours with RemoteExec

Mon, 28 Feb 2011 11:16:00 -0500

RemoteExec can easily deploy the Windows 7/2008 R2 Service Pack 1. This can be useful if you have to update servers without an Internet connection or workstations with the Windows Update engine turned off.

Direct deployment

You can update your system directly following the 6 steps below. Before getting started, check to see if the Targets Computers are being used as this operation will consume resources and will require at least one reboot.

Open RemoteExec and go to Remote Jobs/New Remote Job/Update installation through the Configuration tree.
In the first section Settings, browse to the Service Pack installation file in File field.
RemoteExec will detect automatically the name, type, architecture and operating systems concerned. We advise you to keep the option Don’t reboot disabled¹ : this update needs at least one reboot to process fully.
There is nothing else to set.
- ¹: The reboot will be initiated only if no session is open on the target computers. If a session is opened or locked, RemoteExec will notify the user through a popup inviting him to reboot the computer . If you want to force the reboot, you need to create a Multiple actions with first this Update installation and then a Reboot System action. Make sure that the following options are enables for this reboot: Force applications to close and Reboot only if needed.
As you see below, the second section called Filter that RemoteExec automatically configures the required conditions. You can set additional filters such as the target OS level since this Service Pack can address both Windows 7 and Windows 2008 R2.
Go to the Target Computers section and select the computers on which you want to deploy this Service Pack.
You can now start your update by clicking on
The Progress window will open in a new tab to permit you to follow the remote operation process.

Schedule this update

The size of this new service pack needs to be taken in consideration for this operation:

32 bits version: 537 MB
64 bits version: 903 MB

The time taken for this deployment can fluctuate (depending on the target computer system and the bandwidth available) between 15 minutes to more than half an hour. As in every Windows Service Pack installation, hardware resources will be impacted. That is why we advise to schedule this operation during off business hours. In the example below, we have planned it for Sunday evening

Follow the previous steps 1 to 4.
Instead of launching the deployment directly, click in the Quick Access Pane on .
Enter a name on the Schedule Wizard for this new Task.
Validate the new Task name and the Windows scheduler pop-up window will appear. Set the task to Once and choose the Start time settings. Validate by clicking OK. You will be prompted to set an administrative account for this Task.

The RemoteExec Scheduler now displays our new scheduled job.

Want more?

In this example we have scheduled the SP1 update on Sunday evening. You can also schedule the results report of this deployment in order to find it into our mailbox² Monday morning when coming back to work.

Go to Reporter/Execution results through the Configuration tree.
Set the Report as wanted. In the Time section, leave the Execution combo list to the last Execution done³.
Click in the Quick Access Pane on
Select the Task we previously created and click OK.

The Report will be added in the chosen Scheduled Task.
In the Configuration Tree, go to the Scheduled Task.
Select the Report node Execution results. The report configuration form will be displayed into the Central Window. Go to the Document Generation section and check the box for The first file to generate.

Choose the path and format settings for the report.
Click on Add notification in the Quick Access pane. It will be added just after the Execution results report into the Scheduled Task.
Double click on the Notification line to display its parameters. Check the box Send documents by E-mail and fill in the different fields as needed.

The report will be available in your email box when you will come back to work on Monday morning and you will be able to check if the SP1 deployment was successful.
- ² : The SMTP information used for the email expedition needs to be set in the Console Options available at the bottom of the Configuration tree.
- ³ : When you schedule a report, if you select the latest execution, the report will always be generated for the latest execution.

Download RemoteExec now Check RemoteExec detailed features

How to remotely (and automatically) shutdown thousands of PCs at night with RemoteExec

Thu, 17 Feb 2011 08:45:37 -0500

The example below illustrates the use of a predefined System Action to ensure the automatic shutdown of all workstations. The time you choose for switching off your computer must coincide with your company business needs.

Take note that:

A user might be working on the target machine.
A session can be opened on the target machine without a user in front of it, but with documents opened or applications running.
A session can be locked on the target machine with some documents opened or applications running.

Our goal in this example is to shutdown all computers, even those with documents unsaved or applications running. You should communicate this as part of your global Green Charter to your users.

How to shutdown all computers

Open RemoteExec and go to Remote Jobs/New Remote Job/System action through the Configuration tree.
In the first section «Settings», choose in the combo list System action named Shutdown.
RemoteExec can check if a user is currently working on the target machine, and can process the System action differently in this case.

Choosing the option Immediate execution, notify otherwise means:
- If there is no user connected on the workstation, the shutdown will be initiated immediately.
- If there is a user connected on the workstation, a Notification will be displayed to the connected user. The shutdown will be initiated depending on the mode defined in step 4 for this Notification.
Notification mode
Two options to define how the shutdown will be initiated:
- Execute after showing notification during
  The shutdown will be executed after displaying the message during the number of minutes typed. The Notification displayed can be hidden by users, but it regularly pops in foreground.
- Indefinitely notify every
  The Notification is displayed indefinitely until users click on the button to initiate the shutdown. Users can hide the Notification, but it will pop again every number of minutes you’ve defined.
As we defined in the preamble, we want to shutdown all workstations. We will choose here to execute this System action after the Notification period. We will set a sufficient delay allowing users to finish their current work.
Leave the third combo list on the Don’t wait for the end of the execution option. (This option is pertinent in multi action mode, not in our example here).
Check the Force applications to close option.

We will be sure that all sessions kept opened will be closed. Although users have been informed about this Green Charter action, there will be always some thoughtlessness.
Set your Notification message to explain the imminent shutdown and provide instruction to avoid losing documents/work recently modified.
We want to power off all workstation from our network. That’s why in Target Computers section we have selected the whole domain. As we don’t want servers to be concerned by this Remote Action, we will set the Filter section option named OS level only to workstation.
The remote shutdown job is now ready and fully set.

This is how the Notification will be displayed to users connected on the target machines:
Click in Quick Access Pane on
Enter a name on the Schedule Wizard for this new task.
Once validating the new task name, the Windows scheduler pop-up will appear. Set the task to Daily and the hour settings in according to your company hours. Validate by clicking OK. You will be prompted to set an administrative account for this task.

In this example setting 09h30 PM means that the computers will be powered off by 10:00 at the latest. (9h30 + 30 minutes countdown).

The RemoteExec Scheduler now displays our new scheduled Job.

Want more ?

In this example, all computers have been shut down during the night. In the same way, you may decide to automatically switch on computers on allowing users to work immediately upon their arrival. This is also possible through RemoteExec Wake up System action.

The computers using the Wake-on-line technology (available on most computers today) can be remotely powered on if this option is enabled. You just have previously to scan the Mac addresses and Subnet of your network machines using the System action Get wake up info (which can also be scheduled). Then using the same concept, you can choose to wake up users’ computers automatically.

During your tests

If for any reason you remotely launch a shutdown that you want to abort, you can use the specific System action.

Download RemoteExec now Check RemoteExec detailed features

IS Decisions launches MVPtweets.com

Wed, 16 Feb 2011 08:45:00 -0500

As a contribution to the Microsoft 2011 MVP Global Summit, IS Decisions today launched MVPtweets.com, a website that displays in real time:

- tweets from more than 1,100 Microsoft Most Valuable Professionals (MVPs)
- tweets from Microsoft MVP Leads and Community Managers
- tweets with #MVP11 and #MVPbuzz hashtags

and allows instant visualization of what is going on in the Microsoft MVPs community.

If you are a Microsoft MVP and noticed that your Twitter profile is not on MVPtweets.com, please just tweet us and we will add you.

Visit MVPtweets.com

Follow IS Decisions on Twitter

How to install and run CCleaner on thousands of Windows workstations with RemoteExec

Wed, 02 Feb 2011 05:05:00 -0500

CCleaner supports the cleaning of temporary or potentially unwanted files left by certain programs, including Firefox, Opera, Internet Explorer, Safari, and other applications along with browsing history, cookies, Recycle bin, memory dumps, file fragments, log files, system caches, application data, autocomplete form history, and various other data.
Source: Wikipedia

Deployment with default settings

Download the latest version of CCleaner from: http://www.piriform.com/ccleaner/download
Open RemoteExec and go to Remote Jobs/New Remote Job/File execution through the Configuration tree.
In the first section «Settings», browse the File field to the setup file previously downloaded.
You can find in the help file of CCleaner all command line parameters.

/S: Performs a silent install of CCleaner with default options.
/D= Permits to choose a different installation folder than the default.
/L= Choose the language file identified by the locale ID.
- List of locale ID: http://support.microsoft.com/kb/221435
- List of CCleaner supported language: http://www.piriform.com/docs/ccleaner/ccleaner-settings/…
At minima you must specify the /S as Argument. If you’d like, you can choose the installation path and language.
Set the Context to Administrative and keep the Auto option checked. RemoteExec will optimize the remote execution.
Go to the Target Computers section and select the computers on which you want to deploy CCleaner.
You can now start your deployment by clicking on . The Progress window will pop in a new tab allowing you to follow the remote execution process.

Custom installation

First install CCleaner on your own computer.
Personalize the parameters.
Save these parameters in an ini file: Menu Options/Advanced – Check the box «Save all settings to INI file».
This option allows CCleaner to use the parameters stored into this INI file instead of those contained in the Windows registry.
Once this option enabled, your CCleaner installation is now portable.
Open RemoteExec and go to Remote Jobs/New Remote Job/File operation.
Select in the «Settings» section the Operation «Copy a folder».
In the Source path, browse to the installation folder on your workstation.
By default: C:\Program Files\CCleaner.
Type in the Target path field the folder path you want to set on Target Computers¹. It can be the same as on your workstation: C:\Program Files\.
Go to the Target Computers section and select the computers on which you want to deploy CCleaner.
You can now start your deployment by clicking on . The Progress window will pop in a new tab allowing you to follow the remote execution process.

¹: If the target path doesn’t exist, all the folders composing the path tree will be created

Note: If you already have a CCleaner installation on Target Computers (with default parameters or even personalized parameters as done here), you can update/change the CCleaner settings using the Ini file. Change the parameters as wanted in your proper installation or directly in an Ini file copy then push it using RemoteExec selecting the File operation «Copy a file». Ini settings description: http://www.piriform.com/docs/ccleaner/advanced-usage/ccleaner-ini-files/using-ccleanerini-to-modify-how-ccleaner-runs

Using CCleaner

You can run CCleaner remotely and silently on computers using RemoteExec. The settings taken into account for this remote runs are those set on target machines (see previous paragraph).

RemoteExec and go to Remote Jobs/New Remote Job/File execution through the Configuration tree.
In the File field, specify the remote CCleaner.exe path.
By default: C:\Program Files\CCleaner\CCleaner.exe
Fill Argument(s) field with «/AUTO».
Set the Context to Administrative.
Uncheck the Auto box.
Select the Verb «Open».
Select «No» for the Copy files option.
Go to the Target Computers section and select the computers on which you want to run CCleaner.
You can now start your remote execution by clicking on . The Progress window will pop in a new tab allowing you to follow the remote execution process.

Note: When you run CCleaner.exe using the /AUTO parameter, CCleaner does not run the Registry cleaner. You cannot currently run the Registry cleaner through a command-line parameter.

Download RemoteExec now Check RemoteExec detailed features