System assessment for clarity purposes


This is the summary of a system assessment for a company dealing with ERP systems, which was prepared to help the management see clearly where the system is most vulnerable and where it is most in need of development.

System assessment involved the following activities:

The work starts with IT network analysis, which involves topology preparation, the listing of physical assets and the logical structure. This is followed by the assessment of the Microsoft server infrastructure and Active Directory, which covers the assets, the domain controller functions, the centralized file sharing, the IIS service, authentication, the FTP service, the database service, remote desktop connections, the licences, SSL vulnerabilities and the preparation of an Active Directory topology. In addition, we also check the storage systems, the server virtualization and its environment, and the uninterruptible power supply.

 

Has it been a long time since the last security check of your corporate IT system? Would you like to prevent system failures or data loss due to ransomware?

Is there an ever-growing and changing pool of assets with no documentation for them?

Is it difficult to follow who has access to what?

Are there business continuity issues if a power failure occurs?

Do you wonder whether your IT solution is reasonable both from a professional and financial aspect?

 

Contact us if you would like a similar system assessment.

 

Case study of a detailed system assessment

 

Topology

[Image: system assessment topology diagram]

Microsoft server infrastructure and Active Directory:

Name               IP addresses    Roles                 OS
*****.ad.*****.hu  192.168.*.***   AD, DC, DNS           Microsoft Windows Server 2012 R2 Standard x64 ENG
*****.ad.*****.hu  192.168.*.***   AD, DC, DNS           Microsoft Windows Server 2012 R2 Standard x64 ENG
*****.ad.*****.hu  192.168.*.***   MSSQL                 Microsoft Windows Server 2012 R2 Standard x64 ENG
*****.ad.*****.hu  192.168.*.***   IIS, FS, ****, FTP    Microsoft Windows Server 2012 R2 Standard x64 ENG
*****.ad.*****.hu  192.168.*.***   RDS, IIS              Microsoft Windows Server 2012 R2 Standard x64 ENG

Result of the SSL vulnerability assessment:

[Image: system assessment, SSL vulnerability scan results]

System assessment findings

Development plans and project proposals

We also give you development plans and project proposals, e.g. as follows:

  1. Creating a backup in the MS Data Protection Manager system (offsite or onsite)
  2. Fixing SSL vulnerabilities
  3. Creating a central VMware infrastructure and introducing HA functions with the vCenter server. Currently, when a hypervisor host fails, the VMs running on it stop working, so there is no service.
  4. Creating redundant storage. The replication options should be discussed with Fujitsu product support services.
  5. Enabling control of network entry and exit points. Asset swap required!
  • Eliminating external symmetric port forwarding, with special emphasis on MS RDP connections. The RDP protocol is a high-risk attack point!
  • Creating an access control system and integrating external (VPN) access into AD.
  • Creating internal VLAN separation between the test/dev/prod environments. The aim is controllable access.
  6. Separating the domain controllers onto different physical servers. The current solution constitutes a risk!
  7. Restructuring the permission and access structure of Active Directory, as follows:
  • The drive map for the \\****\COMMON network share uses the “Create” action, which is not justified because the same mapping is also deployed with the “Replace” action, and Replace already creates the mapping if it does not exist.
  • The “Run in logged-on user’s security context (user policy option)” option is not enabled on the network drive mappings, so they run as SYSTEM rather than as the user who actually holds the permission.
  • GPO security filtering should be assigned to security groups instead of Authenticated Users, as permissions are difficult to manage the current way.
  • Different network drive mappings should be placed in different GPOs so they can be managed dynamically and independently.
  • The “*** finance” GPO is empty; it can be deleted.
  • The current “Default domain policy” settings place no limit on failed login attempts, i.e. no account lockout. This is not appropriate from a security point of view.

Further proposals

  • Administrative and non-administrative users should be organized into separate organizational units, so that policies can be scoped to separate OUs with separate permissions.
  • It is recommended to assign each permission to security groups created per department, and to assign the permission groups (network sharing, VPN, etc.) to the departments, so they can be managed dynamically and transparently.
  • Currently the two domain controllers run on the same physical server, so in the event of a physical server malfunction the domain and its DNS service will not be accessible. It is recommended to place them on different physical servers, at least within the site.
  • Network shares should be created as folders in a designated storage volume rather than sharing the volume itself. Otherwise creating a new share means mounting a new volume (unless it is nested under an existing share); with the folder approach only the folder has to be managed, which is significantly easier.
  • The shared folder permissions give Everyone “Full control”, so anyone can change the permissions currently defined.
  • Shared folder permissions should not be managed through global groups (Domain Admins, Domain Users) but through dedicated groups (e.g. SG_Finance_RW, SG_Public_R, etc.).
  • It is advisable to introduce the Distributed File System service in order to manage access to shares (and thereby to servers) dynamically.
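The following PowerShell audit is an added example, not tooling from the assessment itself. It re-checks three of the findings above on a domain (the account lockout threshold, GPOs filtered only on Authenticated Users or left empty, and shares granting Everyone “Full control”); it assumes the RSAT ActiveDirectory, GroupPolicy and SmbShare modules, a domain account allowed to read GPOs and share ACLs, and a placeholder file server name.

```powershell
# Added audit script, not part of the assessment report. Re-checks three findings
# above: lockout threshold, GPO security filtering and "Everyone: Full control"
# on shares. Assumes the RSAT ActiveDirectory, GroupPolicy and SmbShare modules.
Import-Module ActiveDirectory, GroupPolicy, SmbShare

function Test-LockoutThreshold {
    # Finding: Default Domain Policy sets no limit on failed logon attempts.
    $policy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        LockoutThreshold = $policy.LockoutThreshold
        Finding = if ($policy.LockoutThreshold -eq 0) { 'No lockout: unlimited failed logons' } else { 'OK' }
    }
}

function Get-GpoFilteringFindings {
    # Findings: filter on security groups rather than Authenticated Users; delete empty GPOs.
    foreach ($gpo in Get-GPO -All) {
        $applyTo = @(Get-GPPermission -Guid $gpo.Id -All |
                     Where-Object { $_.Permission -eq 'GpoApply' } |
                     ForEach-Object { $_.Trustee.Name })
        $onlyAuthUsers = $applyTo.Count -gt 0 -and
                         @($applyTo | Where-Object { $_ -ne 'Authenticated Users' }).Count -eq 0
        $isEmpty = $gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -eq 0
        if ($onlyAuthUsers -or $isEmpty) {
            [pscustomobject]@{
                Gpo           = $gpo.DisplayName
                AppliedTo     = $applyTo -join ', '
                OnlyAuthUsers = $onlyAuthUsers
                Empty         = $isEmpty
            }
        }
    }
}

function Get-EveryoneFullControlShares {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Finding: share permissions grant Everyone "Full control", so anyone can rewrite the ACL.
    $cim = New-CimSession -ComputerName $ComputerName
    try {
        Get-SmbShare -CimSession $cim | Where-Object { -not $_.Special } | ForEach-Object {
            Get-SmbShareAccess -Name $_.Name -CimSession $cim |
                Where-Object { $_.AccountName -eq 'Everyone' -and
                               $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' } |
                Select-Object Name, AccountName, AccessRight
        }
    } finally { Remove-CimSession $cim }
}

Test-LockoutThreshold
Get-GpoFilteringFindings | Format-Table -AutoSize
Get-EveryoneFullControlShares -ComputerName 'FILESERVER01' | Format-Table -AutoSize  # placeholder host
```

Run it from a domain-joined admin session; each function returns objects, so the results can be exported with Export-Csv for the assessment report.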
  8. IT policy and management

The development of internal operational policies and procedures is necessary for organized IT operations; this includes defining who may manage users and who may allocate resources.

Creating the recommended internal documentation:

  • Disaster Recovery plan: it includes the procedures to be followed if a failure of business-critical services occurs. E.g. backup and recovery policy, etc.
  • IT Security Policy: it defines the details of access and data storage rules. The method of virtual resource management can be included in it too: Who can create them? Who can delete them? Who or what kind of system is responsible for managing the lifecycle of inactive assets? …
