January 1, 2016
Sys Admin Security Training
I am trying to write up some training for my group. What security things as a sys admin are important to learn or know? What things would you like to learn security-wise that would make your system more secure?
Start with network layers and SSL. It will take you further.
SSL is important. Educate your SAs in how certificates work, and if you are using internal certificate authorities, how to request certificates, what templates your organization uses and how those templates work. If your websites have usernames and passwords in your web.config files, they need to be encrypted, so learning how to make your RSA keys and encrypt your IIS-hosted sites using aspnet_regiis is good, but getting your developers to use integrated security is better. This should be common sense, but exercise the concept of least privilege. Restrict access to key areas by using security groups, and use service accounts to run your critical services. Use unique service accounts for each service, as when it comes to troubleshooting or finding security issues, you will be able to see in your logs and know which account did something. Speaking of accounts, change the defaults. Rename the administrator account, both in AD and on each workstation. Do not use the term "admin" in any of your privileged accounts, as attackers will be enumerating accounts, looking for those that stand out as having special rights. Got file shares? Control access to them with AD groups. For the love of all that is good, give them a good damn description as to what they do (read: I'm currently dealing with this issue)! Most Microsoft applications use SCHANNEL to communicate, so turn off your unwanted cipher suites (you're not using RC4 or MD5-related ciphers, are you?), and disable SSL 2.0, SSL 3.0 and TLS 1.0, or if you are using applications that run on .NET 3.5, you can leave TLS 1.0 on, but disable SSL 3.0 at the very least, until you can move on to .NET 4.5+, where you can stick to TLS 1.1 and 1.2. Java and some other applications use their own communications channel, so all the SCHANNEL stuff won't set your WebLogic servers to disable unwanted SSL versions. Work with your IA team or get your servers scanned for vulnerabilities.
Nessus is a good way of checking your security posture. Also, you can look into things like CIS benchmarks, where they have things you can do to secure various server types, like STIGs for hardening SQL servers, DHCP servers, etc. No talk about servers is complete without talking about backups. You need to be doing backups, testing and securing your backups. Backups will help you recover from an incident like ransomware, or allow you to restore critical files that might be infected or removed.
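The SCHANNEL hardening described in the post above, as an added example that is not from the original thread: the script audits the registry values behind the protocol and cipher settings and, with `-Apply`, writes them. It assumes an elevated PowerShell 5+ session on Windows Server; the `-KeepTls10` switch is an assumed convenience for the .NET 3.5 case the post mentions, and a reboot is required before SCHANNEL reads the new values.

```powershell
# Added example (not from the original thread): audit or apply the SCHANNEL
# protocol, cipher and hash settings described in the post above.
# Assumes an elevated PowerShell 5+ session on Windows Server; reboot afterwards.
[CmdletBinding()]
param(
    [switch]$Apply,      # without -Apply the script only reports drift
    [switch]$KeepTls10   # leave TLS 1.0 on while .NET 3.5 applications remain
)
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$protocolsToDisable = @('SSL 2.0', 'SSL 3.0')
if (-not $KeepTls10) { $protocolsToDisable += 'TLS 1.0' }
# Cipher key names contain '/', which the PowerShell registry provider treats
# as a path separator, so the .NET Registry class is used for all key access.
$ciphersToDisable = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'NULL')
$hashesToDisable  = @('MD5')

function Get-SchannelValue([string]$SubKey, [string]$Name) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }          # key absent: Windows default applies
    try { $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Set-SchannelValue([string]$SubKey, [string]$Name, [int]$Value) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$SubKey")
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

# Desired state: protocols are disabled for both the server and client side,
# ciphers and hashes by a single Enabled=0 under their own key.
$desired = foreach ($p in $protocolsToDisable) {
    foreach ($side in 'Server', 'Client') {
        [pscustomobject]@{ SubKey = "Protocols\$p\$side"; Name = 'Enabled';           Expected = 0 }
        [pscustomobject]@{ SubKey = "Protocols\$p\$side"; Name = 'DisabledByDefault'; Expected = 1 }
    }
}
$desired += foreach ($c in $ciphersToDisable) { [pscustomobject]@{ SubKey = "Ciphers\$c"; Name = 'Enabled'; Expected = 0 } }
$desired += foreach ($h in $hashesToDisable)  { [pscustomobject]@{ SubKey = "Hashes\$h";  Name = 'Enabled'; Expected = 0 } }

foreach ($d in $desired) {
    $current = Get-SchannelValue $d.SubKey $d.Name
    if ($current -eq $d.Expected) { continue }
    $shown = if ($null -eq $current) { 'absent' } else { $current }
    Write-Output ("DRIFT  {0}\{1}: current={2} expected={3}" -f $d.SubKey, $d.Name, $shown, $d.Expected)
    if ($Apply) { Set-SchannelValue $d.SubKey $d.Name $d.Expected }
}
if ($Apply) { Write-Output 'Settings written; reboot for SCHANNEL to reload them.' }
```

Run it without switches first and feed the DRIFT lines into the same vulnerability-scan review the post recommends, so the scanner's findings and the registry state can be compared host by host.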
You need to learn network scanners and vulnerability scanners. Then learn network monitoring, SNMP, Cacti/Zabbix etc. You also need to know how to do packet analysis with Wireshark.
Depending on environment, go with the main flaw... Users. Access rights on shared folders and password policies.
No offense, but you guys seem to be looking at this from an attacker perspective. Network/vulnerability scanners and those apps are not going to help a sysadmin improve the security or relate to their career path. If we are to discuss sysadmin security training, I'd picture things that a sysadmin could do to make their systems more secure. If you are going to discuss vulnerabilities, then an overview of a particular exploit would suffice. Talk about an exploit, how it works, and what a defender can do in order to defeat that exploit. The average sysadmin already has a lot on their plate, and if you want to maximize your returns on their time, as well as the time used to provide training for someone, then present them info that could readily help them, or get them thinking in the mindset you're steering them towards. There is so much organizations can do, and so much more that they can do better. Most companies cannot jump to a full-fledged, perfectly secure environment, so focus on some small goals that can improve the security posture, and lay some foundation for building upon, so there are milestones and security objectives that are measurable and clearly defined.
I have to agree with creno13 on this. I think Cybrary's strength is also its weakness. This whole forum/site is built around the free pentesting course. A lot of users zoom in on this in every way possible. Of course it's good to look at that aspect, but sometimes it's better to zoom out for the bigger picture.
I do not necessarily agree that most of the courses here are on the attacking side of the spectrum. Take CISSP, CISA and CISM, CASP for example, add there ITIL, PMP etc.; Cybrary is not just hacking and penetration testing. Having said that, I don't see anything wrong in learning the attacker's side. Don't forget that in order to be a good security professional and to defend your company, you need to know how attackers think, what kind of attacks they perform, how they exploit your system... you have to wear their hat in order to create a good defensive strategy.
I was not referring to the courses here being on the attacking side. I was referring to the topic of the post, which was a guy trying to write up some good things that sysadmins should know in order to help increase the security of the systems at his organization. Whatever he was going to do, it was likely going to be a short, unofficial course, with the goal of some immediate knowledge that could help his sysadmins. With that in mind, when you suggested scanners and other things that would be useful for a pentester or security professional, I said that none of that would be immediately useful for a sysadmin. The courses you just mentioned are fine for managers, particularly security managers. If we are to look at the average systems administrator, those are nice to know courses, but that is a lot of info to sift through in order to get a bit of useful info, plus most of those are geared towards high level views of a concept, not the "how to" that a sysadmin would need. If management was to send a sysadmin (or group of sysadmins) to a course to improve their skills, it would likely be a course for some technical specialization, like VMWare, NetApp, etc., not a course for CISSP or CISA. I know most topics here are a lot of repeat questions, where you can give some cookie cutter response, but if we want to improve the quality of this site, it helps to read and interpret what is trying to be accomplished.
Security+, system hardening. A lot of sysadmins install servers on default settings, forgetting to reset default passwords. Install the services needed and disable/uninstall the services not needed. https://www.cisecurity.org/
I agree with creno13 and Korinkov. From my point of view, IT systems have to improve business, and sysadmins have to keep that in mind. The job is not only to keep the systems running and the bad guys (users) away from them. The challenge is to support and train the users, to make them able to do a better job, to do better business in an easier way.
You can give the sysadmin all the security training they can handle, and then comes a user, putting a USB stick in his device that he found in the parking lot.... You can tell the sysadmin that a cryptic password with 16 characters is secure, and the users will write them down on a sticker under the keyboard...
Thanks all. I am indeed looking for training for sys admin to help them secure their systems. I really appreciate the feedback.
System hardening with SCM (configuration management software) like CFEngine or Ansible, with a strict policy based on CIS (we developed our own policy for RHEL-based and FreeBSD systems).
Any more ideas than the ones outlined above, please?