Posted by jwgoerlich on September 13, 2007, 9:25 am
I will let someone else address the question on commercial auditing
tools. (I am interested in that answer myself.)
Regarding your audit, the privilege escalation in this sense means
logging on as one user account and then launching a process as the
administrator (runas or sudo). Mitigating controls include: limit
knowledge of the administrator password to one individual (and
possibly keeping a copy in a sealed envelope in a safe); audit all
login activity; set the NTFS ACL on %systemroot%\system32\runas.exe to
restrict its use to those with a business need.
Hope that helps and good luck on the audit,
J Wolfgang Goerlich
>
> <quote>
> Risk Area:
> Lack of audit log of privileged user activities and controls to prevent
> privilege escalation on critical systems
>
> Observation:
> There is no control to prevent privilege escalation if user has knowledge
> of the system admin password. Furthermore, user accountability cannot be
> established without user activity audit logs
>
> Improvement Opportunity:
> Use system function / tools to prevent privilege escalation and establish
> user activity accountability
> </quote>
>
> What's the point of preventing privilege escalation? If you've been given
> the privilege to do something, and its prevented, then you don't have the
> privilege at all... huh?
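The two technical controls named in the reply above (an NTFS ACL on runas.exe and auditing of logon activity) as an added PowerShell example. This is not code from the original post; it assumes an elevated prompt on Vista or later, and the group name CORP\RunAs-Operators is a placeholder for whatever group holds the business need.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# prompt. Restricts %systemroot%\system32\runas.exe to one group and enables
# logon auditing so that secondary logons leave a trail.

$runas        = Join-Path $env:SystemRoot 'System32\runas.exe'
$allowedGroup = 'CORP\RunAs-Operators'   # assumed/hypothetical group; change for your domain

# --- 1. Lock down runas.exe -------------------------------------------------
# On Vista and later the file is owned by TrustedInstaller, so take ownership
# first or Set-Acl will be denied.
takeown.exe /F $runas | Out-Null

$acl = Get-Acl -Path $runas

# Break inheritance from System32 but keep the inherited entries as explicit
# ones, so SYSTEM/Administrators/TrustedInstaller rights survive the edit.
$acl.SetAccessRuleProtection($true, $true)

# Drop the entries that let every logged-on user execute the binary.
foreach ($id in 'BUILTIN\Users', 'Everyone') {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$id)
}

# Allow read & execute only to the group with a business need.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $allowedGroup, 'ReadAndExecute', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $runas -AclObject $acl

# --- 2. Audit all logon activity --------------------------------------------
# Logon (4624/4625) plus "explicit credentials" logons (4648), which is the
# event runas produces when it starts a process as another user.
auditpol.exe /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol.exe /set /subcategory:"Logoff" /success:enable
auditpol.exe /set /subcategory:"Special Logon" /success:enable

# --- 3. Verify ---------------------------------------------------------------
(Get-Acl -Path $runas).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
auditpol.exe /get /category:"Logon/Logoff"
```

Two things worth checking after running this: confirm with a non-member account that `runas /user:Administrator cmd` now fails with access denied, and confirm that a member's use shows up as event 4648 (4624 with logon type 2 or 9 nearby) in the Security log. The ACL only covers runas.exe itself; runas depends on the Secondary Logon service (seclogon), so disabling that service is the broader control if no one needs secondary logons on the box at all.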