This is an interesting thread, and here is my contribution.
Aliyu Ahmed Ahmed
Network Security Advisor
ahmedu2020@gmail.com
08036241983
THE BEST SYSTEM ADMINISTRATOR
System administrators are the people responsible for making computers work in the field. They are also responsible for the uninterrupted operation of those computers so that the needs of the business are met. A system administrator's knowledge of system security loopholes and their implications for the business they manage is a valuable asset to any enterprise or company. By following simple practices during their administrative functions, they can build secure and productive systems. These practices also help in reporting security incidents at an early stage and taking corrective measures.
Wherever there is human activity, computers are needed, and system administrators to administer them. A system administrator is almost the most sensitive member of staff in any organisation, and I am saying this from experience. They have access to a lot of information from all departments in the course of troubleshooting systems, some of which they see intentionally (probing) and some unintentionally (by accident). I used to work as a system administrator in some big organisations, and when troubleshooting systems I accidentally saw things like my GM's salary, the accountant's salary, the HR person's CV, or a love letter written by my GM to his mistress on his laptop. In this regard the activities of system administrators need to be watched closely by business managers. Business managers are afraid of confronting the system administrator because of the technicality of his job, especially when the system administrator uses technical terms to scare them. As a business manager, you must not turn a blind eye to the activities of your system administrator; give him room to exercise all his technical skills, but know that you are his supervisor. Let me give you a lead: tomorrow when you resume work, call your system administrator and ask him the following questions:
1. Do you have a diagram that shows what connects to where and how, with device IP addresses, names, locations, etc. listed on it?
2. Do you have an IT asset inventory?
3. Do you have a list of hosts, MAC addresses, etc. and their locations?
4. Do you have copies of the current configurations from all your network devices, burned to a CD and kept in a fire safe?
5. Do you have network traces, traffic graphs, etc. taken during normal operation as a baseline?
6. Do you have a proper listing of all your WAN circuits/ISPs along with the contact details of the provider and the information you'll need to give them when reporting a fault?
7. Show me the document detailing your backup and disaster recovery plan.
8. Are all cable terminations labeled?
If he can't provide answers to these questions, then you know someone somewhere is not doing his job. These items are lifesavers in any computer network, because during all those slack days when things are running smoothly, your system administrator is not supposed to play Doom or surf the internet but to spend the time documenting his network.
Also, gone are the days when the IT department was just one flat department. These days the IT department is supposed to be subdivided into Help Desk, Database, Networking and Software/Web Application Development departments. Every IT complaint first goes to the help desk, which routes it to the appropriate IT sub-department. Below I present a reminder of best practices for system administrators:
Learn about your system
• Read appropriate security bulletins available from the vendors
• Subscribe for security bulletins from vendors and security advisories
• Understand each security issue with relevance to your configuration and environment
• Routinely monitor the IT website for updates and announcements
Define critical hosts
A critical host is a machine which, if compromised, could significantly harm the organisation, including, but not limited to: reputation damage, interruption of a critical task, disclosure of confidential information, and legal liability. For example, any machine that may contain confidential data, medical records, payroll information, students' transcripts, social security numbers, etc. "What are you trying to protect?" is a good question to ask before defining critical hosts.
• Isolate domain controllers
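The documentation questions above (host list, MAC addresses, a baseline taken during normal operation) and the idea of defining critical hosts can be turned into a routine check. The following script is an added example and is not part of the original post: it parses a documented inventory and a freshly observed host list in a constructed comma-separated format, reports unknown devices, changed MAC addresses and hosts that are documented but no longer seen, and flags hosts as critical based on the kinds of data they hold. The inventory format, the host names and addresses, and the CRITICAL_DATA set are all assumptions.

```python
"""Compare a documented network baseline with a freshly observed host list and
flag unknown devices, changed MAC/IP addresses and critical hosts.

Added example; not from the original post. The inventory format, host names,
addresses and data classifications below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    mac: str
    location: str
    data: frozenset  # kinds of data stored, e.g. {"payroll", "medical"}


# Assumption: data kinds that make a host "critical"; adjust to your own risk analysis
CRITICAL_DATA = {"payroll", "medical", "transcripts", "ssn", "credentials"}

# Constructed sample: the documented baseline (what the administrator wrote down)
BASELINE = """
# name, ip, mac, location, data kinds (separated by |)
payroll-srv, 10.0.1.10, 00:11:22:33:44:01, server room rack 2, payroll|ssn
dc01, 10.0.1.5, 00:11:22:33:44:02, server room rack 1, credentials
print01, 10.0.2.20, 00:11:22:33:44:03, 2nd floor,
"""

# Constructed sample: what a scan of the network reports today (no data tags)
OBSERVED = """
payroll-srv, 10.0.1.10, 00:11:22:33:44:01, server room rack 2,
dc01, 10.0.1.5, 00:11:22:33:44:99, server room rack 1,
rogue-ap, 10.0.2.77, de:ad:be:ef:00:01, unknown,
"""


def parse_inventory(text):
    """Parse 'name,ip,mac,location,data1|data2' lines (constructed format) into a dict."""
    hosts = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ip, mac, location, data = [f.strip() for f in line.split(",")]
        tags = frozenset(t for t in data.split("|") if t)
        hosts[name] = Host(name, ip, mac.lower(), location, tags)
    return hosts


def critical_hosts(inventory):
    """Names of hosts holding at least one critical data kind, sorted."""
    return sorted(h.name for h in inventory.values() if h.data & CRITICAL_DATA)


def compare(baseline, observed):
    """Return findings as (severity, message) tuples, observed hosts first."""
    findings = []
    for name, host in observed.items():
        known = baseline.get(name)
        if known is None:
            findings.append(("high", f"unknown device {name} at {host.ip} ({host.mac})"))
        elif known.mac != host.mac:
            # Same name, different hardware address: re-imaged box or something impersonating it
            findings.append(("high", f"{name}: MAC changed {known.mac} -> {host.mac}"))
        elif known.ip != host.ip:
            findings.append(("medium", f"{name}: IP changed {known.ip} -> {host.ip}"))
    for name in sorted(baseline.keys() - observed.keys()):
        findings.append(("low", f"{name} documented but not seen on the network"))
    return findings


if __name__ == "__main__":
    base = parse_inventory(BASELINE)
    print("critical hosts:", ", ".join(critical_hosts(base)))
    for severity, message in compare(base, parse_inventory(OBSERVED)):
        print(f"[{severity}] {message}")
```

In practice the OBSERVED text would come from your scanner or DHCP/ARP export, and the BASELINE from the inventory the administrator was asked for in the questions above; the check is only as good as the baseline, which is the point of insisting on one.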
Update anti-virus software
Anti-virus software is available to staff at no cost. It is important to deploy appropriate virus detection on servers and eliminate any threats found.
Automatic updates of anti-virus software are essential to ensure new viruses are caught in a timely, systematic fashion. It is the system administrator's responsibility to ensure anti-virus definitions are up to date.
Protect passwords
• Use lengthy, smart passwords (with a minimum length enforced)
• Make them easy for you to remember and hard for others to guess
• Use non-dictionary words
• Never store passwords in plain text or write them down on paper
• Configure the password-aging feature
• Use the shadow password feature
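Two of the points above, enforcing a minimum length and non-dictionary words and never storing passwords in plain text (repeated later under data security as "avoid storing clear text passwords"), are easy to get wrong in home-grown tools. The following is an added example, not code from the original post: a policy checker that rejects short passwords, passwords built from fewer than three character classes and passwords containing a dictionary word (after undoing common letter-for-digit substitutions), plus storage as a salted PBKDF2-SHA256 hash with constant-time verification. The minimum length, iteration count and the tiny word list are constructed assumptions; a real deployment would load a full word list.

```python
"""Password policy enforcement and salted hashing.

Added example; not from the original post. MIN_LENGTH, ITERATIONS and the
DICTIONARY word list are constructed assumptions for illustration.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12                      # assumption: the "minimum length enforced"
ITERATIONS = 200_000                 # assumption: PBKDF2 work factor; tune to your hardware
DICTIONARY = {"password", "welcome", "letmein", "admin", "summer"}  # constructed sample word list
# Undo common substitutions (4->a, 3->e, 0->o, 1->l, $->s, @->a, !->i) before the dictionary check
LEET = str.maketrans("4301$@!", "aeolsai")


def policy_violations(password, username=""):
    """Return a list of human-readable policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [re.search(p, password) is not None
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    normalised = password.lower().translate(LEET)
    for word in sorted(DICTIONARY):
        if word in normalised:
            problems.append(f"contains dictionary word '{word}'")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'; a fresh 16-byte random salt per password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    for candidate in ("P4ssw0rd!", "correct-Horse-battery-7staple"):
        print(candidate, "->", policy_violations(candidate, "bob") or "OK")
    record = hash_password("correct-Horse-battery-7staple")
    print("stored:", record)
    print("verify:", verify_password("correct-Horse-battery-7staple", record))
```

The stored string carries its own algorithm, work factor and salt, so the iteration count can be raised later without invalidating existing records; the plain-text password never touches disk.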
Configure only essential services
• Maintain your servers with the minimum necessary services and packages
• Install only essential components, which are required for running the services and applications
• Remove any extra service running on your server
• Offer only essential network services and operating system services on the server machine
• Close unused TCP/UDP ports
• "Deny first, then allow"
• Remove old accounts
• Do not provide more access to system resources than the user needs
• Do not ignore warning signs (failing batteries, servers restarting, etc.)
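"Close unused TCP/UDP ports" and "deny first, then allow" only work if you regularly compare what is actually listening with what is supposed to be. The script below is an added example and not from the original post: it parses `ss -tulpn` style output (the constructed sample lines shown in the block stand in for real output) and reports every listener that is not on an explicit allow-list, noting whether it is bound to loopback only or exposed to the network. The ALLOWED set is an assumption for the sample server.

```python
"""Audit listening sockets against a 'deny first, then allow' list.

Added example; not from the original post. ALLOWED and SAMPLE_SS are
constructed; SAMPLE_SS mimics the Linux `ss -tulpn` output format.
"""
import re
import subprocess
import sys

# Assumption: the only listeners approved on this server, as (protocol, port)
ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 123)}

# Constructed sample of `ss -tulpn` output
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("ntpd",pid=612,fd=16))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=902,fd=6))
tcp   LISTEN 0      50     *:23                *:*               users:(("telnetd",pid=1234,fd=4))
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=833,fd=21))
"""

PROCESS_RE = re.compile(r'\(\("([^"]+)"')   # first process name in the users:(...) column


def parse_listeners(ss_output):
    """Return (proto, port, local_addr, process) tuples from `ss -tulpn` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or something we do not understand
        addr, _, port = fields[4].rpartition(":")   # handles "*:23" and "[::]:22" too
        match = PROCESS_RE.search(line)
        listeners.append((fields[0], int(port), addr, match.group(1) if match else "?"))
    return listeners


def audit(listeners, allowed=ALLOWED):
    """Deny first, then allow: anything not on the allow-list is a finding."""
    findings = []
    for proto, port, addr, proc in listeners:
        if (proto, port) in allowed:
            continue
        loopback = addr.startswith("127.") or addr in ("[::1]", "::1")
        exposure = "loopback only" if loopback else "network exposed"
        findings.append(f"{proto}/{port} ({proc}) not on allow-list, {exposure}")
    return findings


if __name__ == "__main__":
    # Pass --live to audit this machine; the default audits the constructed sample
    if "--live" in sys.argv:
        output = subprocess.run(["ss", "-tulpn"], capture_output=True, text=True, check=True).stdout
    else:
        output = SAMPLE_SS
    for finding in audit(parse_listeners(output)) or ["no unexpected listeners"]:
        print(finding)
```

A listener bound to loopback is lower risk but still a finding: the service is running, and the list of "essential components" should say whether it belongs there at all.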
Update your systems
• Patch, patch and re-patch
• Learn about the patches before applying them
• Remember to patch after a rebuild
• Apply the latest service packs
• Install latest updates and vulnerability hot fixes
• Make sure to update applications, not only operating systems
• Configure account lockout policy
• Isolate domain controllers
• Rename the administrator account
Protect your systems from spyware
Spyware and adware pose security, privacy and productivity risks. It is important to keep your system protected from such malicious programs and protect your servers (where possible) with appropriate anti-spyware tools.
Use a firewall
A firewall is considered a high-risk network device. It helps you govern the network traffic to and from your network, needs monitoring in real time, and serves as a primary line of defense against external threats. Make sure to document any change made to the firewall configuration.
Define secure access policy
• Configure computers for user authentication
• Configure servers with appropriate object, device and file access controls
• Configure server for secure remote administration (VPN providing encryption and secure authentication)
Physically protect your servers
• Allow only appropriate physical access to computers
• Do not leave the console logged in at any time
• Configure the "time out" feature on your console system
• Lock the system administrator console whenever you are away
Ensure data security and integrity
• Encrypt sensitive data where possible and needed
• Replace insecure programs with secure ones
• Avoid storing clear text passwords and private keys
• Securely remove data from storage media
Monitor your system
• Read your log files (hackers read them too)
• Use a log analyzer
• Scan your systems periodically using appropriate tools (scan, evaluate, update, correct, and re-scan)
• Enforce access control rules for users / user restrictions
• Remove old accounts from machines
• Run MBSA regularly
• Check logon auditing
• Don't make yourself indispensable by hiding knowledge from your help desk personnel
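"Read your log files", "check logon auditing" and "remove old accounts" come together in a small log analyzer. The block below is an added example, not from the original post: it reads constructed sshd authentication lines, raises an alert when one source produces a threshold of failed logons inside a short window (the same idea as the account lockout policy listed earlier), and raises a separate alert when an account that should already have been removed logs in successfully. The log lines, the DEPARTED account list, the threshold, the window and the LOG_YEAR are all assumptions.

```python
"""Detect brute-force logon attempts and use of departed accounts in sshd logs.

Added example; not from the original post. The SAMPLE_LOG lines, DEPARTED set,
THRESHOLD, WINDOW and LOG_YEAR are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures from one source before alerting
WINDOW = timedelta(minutes=5)    # ... within this window
DEPARTED = {"tleaver"}           # assumption: accounts HR says should already be removed
LOG_YEAR = 2024                  # syslog timestamps carry no year; the sample is from 2024

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+)")

# Constructed sample log (addresses are documentation ranges)
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar 10 09:12:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2
Mar 10 09:12:05 web01 sshd[2212]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar 10 09:12:09 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 51125 ssh2
Mar 10 09:12:10 web01 sshd[2214]: Failed password for root from 203.0.113.9 port 51126 ssh2
Mar 10 09:40:17 web01 sshd[2300]: Accepted publickey for jsmith from 198.51.100.4 port 44010 ssh2
Mar 10 10:02:44 web01 sshd[2350]: Accepted password for tleaver from 198.51.100.77 port 40111 ssh2
Mar 10 11:15:02 web01 sshd[2400]: Failed password for jsmith from 198.51.100.4 port 44020 ssh2
"""


def parse_ts(text):
    """Turn 'Mar 10 09:12:01' into a datetime using the assumed LOG_YEAR."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def analyse(lines):
    """Return a list of alert strings in the order the evidence appears."""
    alerts = []
    recent = defaultdict(deque)   # source address -> timestamps of recent failures
    already_alerted = set()
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts, src = parse_ts(m["ts"]), m["src"]
            window = recent[src]
            window.append(ts)
            while window and ts - window[0] > WINDOW:
                window.popleft()          # forget failures older than the window
            if len(window) >= THRESHOLD and src not in already_alerted:
                already_alerted.add(src)
                alerts.append(f"brute force: {len(window)} failed logons from {src} within {WINDOW}")
            continue
        m = OK_RE.match(line)
        if m and m["user"] in DEPARTED:
            alerts.append(f"departed account {m['user']} logged in from {m['src']} at {m['ts']}")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()) or ["nothing to report"]:
        print(alert)
```

Feed it `journalctl -u ssh` or `/var/log/auth.log` lines in place of SAMPLE_LOG; the DEPARTED set is the list you get from HR on the day someone leaves, which is exactly the list the closing paragraph of this post is about.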
Document configurations and disaster recovery
• Document any changes in the system configuration
• Document (in steps) a disaster recovery plan and share it with your IT staff
Have a backup plan
• Make sure you have a tested backup strategy
• Keep your plan up to date with at least an annual evaluation
• Train operators that work with you (if any)
• Plan for the worst, this should be part of disaster recovery plan
• Test the backup media, replace it if it needs replacement and don't take risks
• Identify what data needs to be backed up (prioritize the data)
• Data should be backed up at least once a day; some data may need more frequent backups per day
• Backup media should be kept in secure, locked storage to prevent theft or tampering with the stored data
• Password-protect backups
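"Make sure you have a tested backup strategy" and "test the backup media" mean more than checking that the job ran: you have to restore and compare. The following is an added example, not from the original post: it builds a SHA-256 manifest of a source tree at backup time, stores it beside the backup, and after a (simulated) restore reports which files are missing, corrupt or unexpected. The sample files and the simulated bad restore in demo() are constructed; everything happens in a temporary directory.

```python
"""Build a checksum manifest at backup time and verify a restore against it.

Added example; not from the original post. The files created in demo() and
the simulated corrupted restore are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest; returns a report dict."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "corrupt": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up a small tree, then check a bad restore of it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        (src / "payroll").mkdir(parents=True)
        (src / "payroll" / "jan.csv").write_text("id,amount\n1,1000\n")
        (src / "notes.txt").write_text("critical hosts list\n")

        # Backup time: write the manifest next to the backup set
        manifest_file = Path(tmp, "manifest.json")
        manifest_file.write_text(json.dumps(build_manifest(src), indent=2))

        # Simulated restore from media: jan.csv came back truncated, notes.txt not at all
        (dst / "payroll").mkdir(parents=True)
        (dst / "payroll" / "jan.csv").write_text("id,amount\n1,1")

        manifest = json.loads(manifest_file.read_text())
        return manifest, verify_restore(manifest, dst)


if __name__ == "__main__":
    stored, report = demo()
    print("manifest entries:", len(stored))
    for kind, files in report.items():
        print(f"{kind}: {files or 'none'}")
```

The manifest itself should go onto the backup media and also somewhere the media cannot overwrite it; a manifest that was tampered with together with the backup proves nothing, which is why the post asks for media in locked storage.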
Also, understanding the core of the OS is necessary to understanding how attacks are structured. Most system administrators don't know what goes on inside their operating systems. As system admins we have to go beyond just knowing how to administer our operating systems; we should possess the ability to see the bits on the wire and know the kernel architecture and how it keeps track of background processes, so as to help improve overall performance and help the kernel whenever possible.
I am going to look into the operating system's kernel, but in a nutshell. The kernel is the core of every operating system, and it is a process itself that controls the other processes in the OS. A process is the execution of a program, even though a program can initiate several processes, meaning several processes may be instances of one program. When you are browsing and you open various tabs on the taskbar, each tab represents a process. The kernel has a process table that keeps track of all active processes, and it communicates with other processes and the rest of the world via what we call system calls.
A process runs in two modes:
1. User mode: can access its own instructions and data, but not kernel instructions and data
2. Kernel mode: can access both kernel and user instructions and data. When a process executes a system call, the execution mode of the process changes from user mode to kernel mode.
I did mention that the kernel is a thread of execution, just like any other process. However, the kernel runs in a privileged mode. It can see the physical memory of the machine, and it can see all of the physical devices and ports. In addition to ruling over system memory, the kernel rules over all of the peripherals. These resources are too precious for you to allow a user process to touch them directly. Thus, the kernel provides various services that grant user processes access to these devices. The file system is a perfect example of a resource that user processes access frequently. The kernel enforces security restrictions so that users can't gain unauthorized access to another user's files.
In the figure above you can see the kernel as being divided into two separate functional blocks. The lower functional block would consist of the device drivers, the virtual memory manager, and the scheduler. The upper functional block would consist of the system call processing functions. User processes view this part of the kernel as a library of service calls.
Service calls must communicate asynchronously with the lower level, but user processes don't need to worry about how this communication occurs. A user process assumes that the system call is synchronous. For example, if a user process wants to write a large block of data to a file, the system call returns immediately and the process carries on as if the data had been written. The operating system may cache these transactions for several minutes before actually writing the data to disk. This caching allows the system as a whole to operate more efficiently. If it didn't work this way, the user process would have to wait for the write operation to complete, or it would have to poll the operating system to make sure that the action actually happened.
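The caching behaviour just described has a practical consequence for anyone responsible for data integrity: a write system call returning does not mean the bytes are on the disk, and a power loss or crash in between loses them. The block below is an added example, not from the original post, showing the user-mode side of that boundary on a POSIX system: write() may return short counts and returns as soon as the kernel holds the data, and fsync() is the call that blocks until the device reports it stored. The payload and the temporary file path are constructed; the directory-sync step assumes POSIX semantics.

```python
"""write() returns when the kernel has cached the data; fsync() waits for the disk.

Added example; not from the original post. SAMPLE is a constructed payload and
the file is written under a temporary directory.
"""
import os
import tempfile

SAMPLE = b"payroll export 2024-01\n" * 4096   # constructed payload, roughly 90 KiB


def durable_write(path, data):
    """Write data to path and return only when it is on stable storage.

    Returns the number of bytes written. Each os.write() is a system call: the
    process switches to kernel mode, the kernel copies the bytes into its page
    cache and returns, possibly before all of them are accepted (short count).
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        written = 0
        while written < len(data):
            written += os.write(fd, data[written:])   # loop handles short writes
        # At this point the data may still only be in the kernel's cache.
        os.fsync(fd)                                  # block until the device has it
    finally:
        os.close(fd)

    # The new directory entry is metadata of the parent directory; sync that too.
    # Assumption: POSIX semantics. Where a directory cannot be opened/fsynced, skip it.
    try:
        dfd = os.open(os.path.dirname(path) or ".", os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    except OSError:
        pass
    return written


def demo():
    """Write SAMPLE durably to a temp file and read it back: (bytes_written, readback_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "export.csv")
        written = durable_write(path, SAMPLE)
        with open(path, "rb") as f:
            return written, f.read() == SAMPLE


if __name__ == "__main__":
    count, ok = demo()
    print(f"wrote {count} bytes, read back intact: {ok}")
```

Databases and backup tools call fsync() for this reason; a backup job that finishes "successfully" without it may have left its last megabytes in the page cache of a machine that is about to be rebooted.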
The above describes a UNIX platform. On the Windows platform, let's look at a program like Microsoft Word, which when executed as a process can give birth to other instances of the same process (documents).
The question now is how processes 1, 2 and 3 come about in Microsoft Word, and how process 1 knows what set of resources has been allotted to the program Microsoft Word while executing it. Actually, it is the Windows API functions such as CreateProcess, NtCreateProcess and CreateProcessAsUser that are responsible for creating processes 1, 2 and 3 within the Microsoft Word program. Each Windows process is represented by what we call the Executive Process Block (a.k.a. EPROCESS). The EPROCESS block holds the 'attributes' of the process and other related data structures like the Kernel Process Block (KPROCESS) and the Process Environment Block (PEB).
In order to understand all these terms, download the Debugging Tools for Windows and start windbg.exe in kernel debugging mode. The following commands will give you a clear view of the data structures:
1. dt _EPROCESS gives the EPROCESS data structure
2. dt _KPROCESS gives the Kernel Process Block
3. !process gives the address of the PEB
When you use a debugging tool to view the kernel process block, you will see fields like:
• dispatcher
• Resident kernel stack count
• Default thread quantum
• Thread seed
Attribute fields like the image file name and image base address are two fields in the process block that let processes 1, 2 and 3 know the resources used by the Microsoft Word program. Since the CreateProcess function creates the instances of processes 1, 2 and 3, let's now see the stages of process creation:
Stage 1: open the EXE and create a section object
Stage 2: create the Windows process object
Stage 3: create the Windows thread object
Stage 4: notify the Windows subsystem
Stage 5: start execution of the initial thread
In our example above, since Microsoft Word is a Windows executable (winword.exe), it is used directly in CreateProcess. However, if the image is not a Windows program, CreateProcess goes through a series of steps to find a Windows support image to run it; then CreateProcess calls a second function, NtCreateProcess, to create a Windows process object which will run the image.
Understanding and manoeuvring the operating system kernel makes you an extraordinary user. You can examine the virtual address space of any process and even translate a virtual address to physical memory. The above explanation of the operating system kernel is by no means comprehensive, because there is a lot of mystery attached to the workings of the operating system kernel.
Lastly, but most importantly, business managers need to know how to terminate the job of their system administrator. At the friendly or unfriendly termination of a system administrator's job, he or she should be escorted by security personnel to his or her office to pick up his or her belongings and leave. It may sound harsh, but honestly speaking it is best practice. At the same time, an account administrator should be disabling the relevant resource accounts, and all passwords should be changed. Under no circumstances should the now former employee be allowed access to any information resources from the time he or she is terminated to the time he or she is escorted to the door.