Most system administrators have a rather long to-do list. As soon as one item is cleared, another two seem to take its place. Oftentimes there are simply not enough hours in the day to deal with all of the issues. There are software problems, hardware problems, user problems, and it can be hard to find time to be proactive instead of reactive.
We would like to make your job easier and reduce the number of items on your future to-do lists. With this in mind we have listed five issues that you should avoid to prevent future headaches. They are basic, but that is why many system administrators forget them.
Network Security No No’s
Never host more than Windows Active Directory on a domain controller
Active Directory looks after the identities and relationships of your network. It will allow you to provide all employees with SSO (Single Sign-On) access. However, it is important that Active Directory is isolated and the machine you use is not used for anything else. Don’t mix up your assets, as in the event of one being compromised, anything else hosted on the same machine is also likely to be affected. After all, hackers are likely to have a snoop around and see what else is running on a server they have managed to gain access to. Keep everything separate, and you will be limiting the damage that can be caused in the event of a security breach.
Don’t access a workstation using your administrator credentials
Your administrator login credentials, if compromised, would allow a malicious insider or outsider to gain access to systems where a lot of damage can be caused. If you login to a compromised workstation using your administrator login, you could be giving your access rights to a hacker. Cached login credentials are not difficult to obtain. Github offers code that will allow anyone to change Local Admin privileges to Domain Admin privileges. If that happens, a hacker really can unleash hell.
Don’t ever reuse passwords
One of the most elementary data security measures is to ensure passwords are impossible to guess. In the unlikely event that your password is guessed, or is somehow compromised, it is essential that the password cannot be used to access any other systems, servers or workstations. Setting different access passwords for everything is a pain, but it is an essential security measure.
Don’t leave default logins active
Default logins are often exploited. Many can be obtained with a very quick search on the Internet. This applies for all networked devices, routers, and equipment. It is usually the first thing that will be attempted in order to gain access. How easy is this? Take hospital drug pumps as an example. There have been instances of patients searching online for the manufacturer’s website, obtaining the default login details, and then logging in to up their morphine doses. If patients can do it, it would not be too hard for a hacker.
Never, ever use an open Wi-Fi network
In a business environment, it is not possible to justify using an open Wi-Fi network. The risks that insecure Wi-Fi creates are simply too high. If you need to provide guest access, set up a guest login and password and make sure it is changed regularly. You may get a few complaints, but not as many as you will get when your system is compromised, data is exfiltrated, or heaven forbid, data is deleted or encrypted with ransomware.
It may be more convenient to share passwords, allow anyone to access Wi-Fi, share servers and use the same login to access everything, but it is a recipe for disaster. If anything goes wrong, and it eventually will, you must ensure that the damage caused is limited as far as is possible. Convenience should never jeopardize system security.