The line which they mentioned, "If not set appropriately, these accounts
can be exploited to gain unauthorized access to the network." does not hold
any water. The same can be done at business hours; it only reduces the risk.

They have only added the above line in order to "raise suspicion"
and also to validate their VALUE ADDED.

> ----------
> From:         Roger Seielstad[SMTP:[EMAIL PROTECTED]]
> Reply To:     NT System Admin Issues
> Sent:         Friday, August 17, 2001 11:56 PM
> To:   NT System Admin Issues
> Subject:      RE: audit
> 
> And if you listen to silly advice from a public forum, foo on you.
> 
> Certain institutions (including financial institutions) usually subject
> themselves to audits to earn certain certifications, such as SAS70. These
> certifications ensure the other companies they deal with that they meet a
> certain minimum set of criteria for infosec practices, physical access
> control, etc. It's a fairly detailed audit, and I could easily see why a
> credit union would want to pursue something like it.
> 
> One of our divisions runs a SAS70 certified network, because of the business
> they are in. There were a LOT of things that came out of it that were very
> much needed improvements. I would say less than 10% fell into the fluff
> category.
> 
> Roger
> ------------------------------------------------------
> Roger D. Seielstad - MCSE MCT
> Senior Systems Administrator
> Peregrine Systems
> Atlanta, GA
> http://www.peregrine.com
> 
> 
> > -----Original Message-----
> > From: Jeff Herr [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 17, 2001 2:04 PM
> > To: NT System Admin Issues
> > Subject: RE: audit
> > 
> > 
> > auditors are usually untrained in all aspects of network issues.
> > they usually come in and try to "raise suspicion" in order to validate their
> > VALUE ADDED.
> > 
> > if your management buys it, too bad for you.
> > 
> > if your management questions it, good for them, give them good solid answers
> > to alleviate their fears.
> > 
> > make them all happy and "re-evaluate" your security environ......reduce the
> > allowed logon windows....maybe bump all off from 11pm to 5am....as an
> > "added" security measure.
> > 
> > 
> > your management has auditors in there to do a job.....like it or not.
> > go along with them....show your boss you're bigger than they are.
> > 
> > 
> > 
> > -----Original Message-----
> > From: Shirley Laliberte [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, August 14, 2001 7:04 AM
> > To: NT System Admin Issues
> > Subject: audit
> > 
> > 
> > Our auditors just wrote us up.
> > Here's their statement: "The credit Union is not utilizing time/day
> > restrictions in Windows.  These settings restrict users from gaining network
> > access during non-business hours. If not set appropriately, these accounts
> > can be exploited to gain unauthorized access to the network".
> > 
> > We have no dial-up connections to the network.  The only thing we have
> > set up is to allow a connection to the Exchange server for internet email.
> > We have eight digit passwords and an account is locked out after 3 invalid
> > attempts.
> > 
> > I don't believe having logon hour restrictions will improve security but I
> > would like other opinions.
> > 
> > Opinions???
> > 
> > Shirley Laliberte
> > Quincy Municipal Credit Union
> > 
> > 
> > 
> > 
> > http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> > 