system. This is highly recommended prior to making the transition on the file server to a RAID5
solution. Differential backups should be performed once every weekday at midnight, and a full
backup will be performed on Saturday at 4 AM while all employees are gone. These backups will
be written to the tape drive system every day and stored in the financial office with
customer data during the week. Every Monday, the tapes from the previous week will be delivered
to the company-rented safety deposit box at the local bank across town, to reduce the possibility
of a fire or other disaster destroying all data. The people who currently maintain the file server
will be in charge of performing the backups, the mail team will be responsible for delivering
the tapes to the financial offices, and the current Chief Financial Officer (CFO) will deliver
the tapes to the bank on Mondays, as the CFO is the only person allowed to have the safety
deposit box key.
Group Policy Objects
We need immediate modification to the organization's Group Policy Object (GPO). Many
of the settings are acceptable, but we need to make modifications to our workstation policies.
I recommend the following changes to the GPO. They are inside the Account Policy and
cover both the Password Policy and the Account Lockout Policy groups.
| Policy | Current Setting | New Setting |
|---|---|---|
| Enforce password history | 0 passwords remembered | 12 passwords remembered |
| Maximum password age | 120 days | 45 days |
| Minimum password age | 0 days | 14 days |
| Minimum password length | 4 characters | 10 characters |
| Password must meet complexity requirements | Disabled | Enabled |
| Account lockout duration | 1 Minute | 60 Minutes |
| Account lockout threshold | 0 invalid login attempts | 4 invalid login attempts |
| Reset account lockout counter after | 0 Minutes | 240 Minutes |
The changes recommended to our GPO will help ensure users are more mindful about their
passwords. As things stand, there is nothing that would stop an attacker from
attempting to brute-force our passwords remotely.
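To check a workstation against the settings listed above, the following added example (not part of the original report) parses the `[System Access]` section of a `secedit /export` file and lists every setting weaker than the proposal. The sample export is constructed and the function names are this example's own; it also checks the Windows rule that the reset counter may not exceed the lockout duration.

```python
import configparser

# Proposed values from the page: (value, True if a higher number is stricter).
# Key names are the ones secedit writes; ages in days, lockout times in minutes.
PROPOSED = {
    "PasswordHistorySize": (12, True), "MaximumPasswordAge": (45, False),
    "MinimumPasswordAge": (14, True), "MinimumPasswordLength": (10, True),
    "PasswordComplexity": (1, True), "LockoutBadCount": (4, False),
    "LockoutDuration": (60, True), "ResetLockoutCount": (240, True),
}

# Constructed sample (not a real export) holding the page's current settings.
SAMPLE_EXPORT = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 120
MinimumPasswordLength = 4
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 0
LockoutDuration = 1
NewAdministratorName = "Administrator"
"""

def parse_system_access(inf_text):
    """Return the numeric [System Access] entries as {name: int}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep secedit's key casing
    cp.read_string(inf_text)
    return {k: int(v) for k, v in cp["System Access"].items() if v.lstrip("-").isdigit()}

def is_weak(name, value):
    target, higher_is_stricter = PROPOSED[name]
    if value is None:
        return True  # setting not defined at all
    if higher_is_stricter:  # LockoutDuration -1 = locked until an admin unlocks
        return value < target and (name, value) != ("LockoutDuration", -1)
    return value < 1 or value > target  # 0 or -1 means "no limit"

def weaker_than_proposed(current):
    """List (setting, current value, proposed value) where current is weaker."""
    return [(n, current.get(n), PROPOSED[n][0])
            for n in PROPOSED if is_weak(n, current.get(n))]

def lockout_window_ok(values):
    """Windows requires ResetLockoutCount <= LockoutDuration when lockout is enabled."""
    if values.get("LockoutBadCount", 0) < 1 or values.get("LockoutDuration", -1) < 1:
        return True  # lockout off, or manual unlock: the rule does not apply
    return values.get("ResetLockoutCount", 0) <= values["LockoutDuration"]
```

A real export is UTF-16, so read the file with `encoding="utf-16"` before passing its text in. Applied to the proposed values themselves, `lockout_window_ok` returns False, because the 240-minute reset counter exceeds the 60-minute lockout duration.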
Network/Infrastructure Security
Our firewall has not been reconfigured since it was originally installed and is overdue for
some dedicated attention. We currently have 9 servers which reside in the Demilitarized Zone
(DMZ) and are very vulnerable to outside attacks. I propose we move the servers into a separate
private network using 192.168.111.0/24. I then propose we configure static NAT entries for
each of the services that require outside access to reach them internally, specifically HTTP (80),
HTTPS (443), FTP (20), SSH (22), SMTP (25), IMAP [TLS/SSL] (993), and Cisco VPN (4500). All
other applications can be added as the need arises. A survey was done in October of 2013, and
these were the only services being used legitimately. Aside from the proposed firewall changes,
we also need to make two hardware swaps. Currently there are four hubs being used, two in the
human resources office and two in the research and development office. Using hubs both
increases the risk that users might sniff network traffic and obtain sensitive information and
degrades the available bandwidth through increased collisions and unneeded broadcasting of
traffic.
Conclusion
In summary, if we do not make the recommended changes to our infrastructure and security
policy, it is simply a matter of time before we have a catastrophe that we cannot recover from.
The fact that we have several terabytes of data and have not had a hard drive failure yet is simply
miraculous luck and will not hold out forever. The changes to our GPO help reduce the
possibility of our user accounts being compromised, which will lead to greater organizational
security. Last but not least, we have several vital servers that are accessible from the internet
without any restraints on the type of services outside users are able to access. This is a major
concern, because outside users could reach and compromise customer information by accessing
the database ports directly. All of these changes fit together to create a more secure
environment for the company and ensure our ability to grow as security
becomes an even bigger focus for today's industry leaders.