State of IT Changes Survey Results + Infographic

Tips for a Better Password Security Policy

Data Governance: The Key to Compliance

Basic Rules of Windows Server Security

How-to: Detecting Password Changes in Active Directory

Ways to a Better Password Management

Contents

June 2015 SysAdmin Magazine

Nine Steps to a Better Password Management by Richard Muniz

Why You Need to Ensure Administrators Change Passwords Regularly by Orin Thomas

How to Store and Retrieve Passwords Securely with PowerShell by Adam Bertram

3 Ways to Protect the Keys to Your Kingdom - Domain Administrator Credentials by Russell Smith

State of IT Changes Survey 2015: Documenting and Auditing

Data Governance: The Key to Compliance by Deb Shinder

Internet Usage Policy against Inappropriate Content by Richard Muniz

How to Detect Password Changes in Active Directory

Nine Steps to a Better Password Management

by Richard Muniz
20+ years in IT industry, a practicing systems administrator and a teacher

Passwords remind me a bit of the Coyote. Not the one that chases the Road Runner, but the one that lives in my native South-West and howls at the moon. No matter how hard humans have tried to get rid of it, it hangs in there, and in most cases, even manages to gain ground back. Why do I compare passwords to the Coyote? For years now they've been saying it was heading for extinction and here we are, years later, it's still hanging in there. Somehow, I suspect they'll be with us for a long time to come. And as long as we still have them out there, people will continue to abuse them.

I suppose I don't need to point much further than a video floating around the Internet of an employee being interviewed on French TV5 Monde and right on the background, taped to the wall, is a list of passwords (and you thought you had it rough with people taping them under their keyboard). And after years and years, the most popular password out there is still "Password".

We can try and try: by GPO implementation and talking to people. But all we end up with is the realization that we might be able to build a fool proof system, but we can't build a damn-fool proof system. And we'll still see people making passwords that match someone's birthday or address and taping them in a place for the world to see.

Why? People are weak. We have so many passwords that keeping track of them is difficult. We write them down, and we paste them under the keyboard, and we continue to be our own worst enemy.

How do we fix it? Well, the answer is in this little story. Years ago I encountered a very dynamic preacher, and we got to talking. I asked him how it was that people changed, and he rocked back a bit, narrowed his eyes, and said, "Son, if you want to take an old bone away from a dog without getting bit, you'd better offer him a steak in its place."

We want to take their piece of paper away and have them play nice. Problem is that unless we give them a secure tool to keep the passwords, they'll continue to use their post-it notes, and keep putting them under their keyboards.

Strangely, there are tons of password management tools out there that will help us. We call them password managers and a simple internet search will give you at least a dozen, just on the first try. Some cost money, others are free. Some are meant for a single user on one system; others are network based and can serve hundreds of users. Some you might already have and not even know it (a lot of cloud services provide this as part of service).

What do you look for in a password manager?

1. Supported platforms
It can be the best manager in the world, but if it only runs on Linux and you're a Windows house, it isn't going to do you much good. Also, how you access it is important. Is it compatible with IE and Firefox, or does it just work with Chrome?

2. Storage capability
The idea behind a password vault is to provide your users with a nice, encrypted site to stash their passwords away in. But it's also a great place to put important documents, notes, and so forth. I know some folks who keep scans of their social security cards and passports. While it's not a substitute for full disk encryption, it is better than just leaving them out in the open.

3. Recording of usernames and passwords for certain sites
A nice feature, and possibly one that can bite you, but one that might endear itself to your users.

4. Storing certain kinds of passwords
Some will only play nice with Active Directory, some will let you record almost anything into them.

5. Reminding questions
Everyone forgets things, and we still need something to allow them to access the vault in case they forget, or at least reset the password, or give them a reminder.

6. Password generators
For users, it's a waste. For service accounts . . . Priceless.

7. Dual authentication
A card token and a password - great. A password and a question - slightly better than useless.

8. Self-securing
While I'm sure these folks always double check their house door when they leave in the morning, they won't hesitate to leave a site open. Since this has everything and then some, we might want it to close after a certain amount of time.

9. Manageable
Letting folks choose their own tools is OK, but then you end up supporting something you might know nothing about. An enterprise-based managing tool is best, and it also levels the playing field for everyone.

Want to read more articles like this? Subscribe to our blog: blog.netwrix.com

Why You Need to Ensure Administrators Change Passwords Regularly

by Orin Thomas
20+ years in IT industry; MVP, MCT and other Microsoft MCSE and MCITP certifications. Authored 30+ books for Microsoft Press and is a contributing editor at Windows IT Pro magazine.

The first time I really felt like I was a system administrator was when the Unix systems administrator in the IT unit I worked for at an Australian University went on leave for three months. During this time I was responsible for all of the servers that he had managed, which included all minor departmental servers, not just the scattered ones I looked after, as well as the important faculty level servers. Although I'd been responsible for a couple of minor departmental servers before then, this was the first time I really worked without a safety net as, without this guy around, there was no one within reach who could help me out if something went wrong.

When he was performing the handoff, I noticed something interesting. The administrator and root accounts for all the servers he was responsible for used exactly the same password. The root account password for the faculty web server (a DEC Alpha running UNIX) was the same as the password for the Administrator account in the faculty Windows NT 4 domain. I knew that the process was questionable even if it did make the handoff very simple.

After the administrator returned from his trip, he didn't change passwords on any of the systems. When I left that position a year later, the servers all still had the same password. This was definitely a case where convenience triumphed over good security practice.

It's no news to anyone that people hate the process of updating their passwords and that people hate having separate passwords for separate services and systems. Ordinary users don't have much choice when it comes to having to update their passwords because they can't change the policies enforced by IT. They change passwords because they have to, not because they have any deep appreciation of the arguments about password security.

System administrators are in a position where they can get around these policies. In talking with many of them, a sizable number will sheepishly admit that they don't change their passwords, even though they force the users with normal user accounts to do this. The system administrators who do change their passwords regularly don't do so out of any deep appreciation of the arguments around password security. It's usually because there is an auditing or enforcement mechanism in place that raises an alert if they don't change their password.

Regularly changing administrator account passwords is even more important than regularly changing unprivileged user account passwords. If an attacker gets the password of an administrative assistant, there is only a certain amount of mischief that they can perpetrate. If an attacker gets the password of a systems administrator, the entire organization's infrastructure is at risk. Administrator passwords need to be subject to more stringent security requirements because the consequences if these accounts are compromised are much greater.

It's vital for organizations to perform regular checks to ensure that system administrators are updating their passwords on a regular basis. If these checks aren't performed, there is little reason to believe that system administrators will do the right thing of their own accord. A system should be in place where notifications are raised each time a privileged account password is not updated after a certain period of time. This allows you to be sure that the passwords are being updated on a regular basis. Luckily, there are good free tools for that, which are easy to install and help streamline security.

With Windows Server, it's possible to run a query against Active Directory to determine which accounts are configured so that the associated password never expires. Best practice is that no accounts are configured in this manner. An interesting question to ask yourself is: "How many systems administrator accounts in my own organization are configured so that their passwords will never expire?"

Unless your organization has exceptionally good security practices, I'm betting the answer will be "more than one".

How to Store and Retrieve Passwords Securely with PowerShell

by Adam Bertram
Senior systems consultant, Pluralsight author and PowerShell MVP

The Sony Pictures Entertainment hack that took place in November of 2014 was one of many recent high profile hacks brought on by malicious cyber criminals. During this hack, tens of thousands of employees' (and their families') social security numbers and other personally identifiable information (PII) were stolen. Personal emails detailing private conversations between studio executive heads were stolen and published amongst many other damaging effects. This was a huge, high profile hack that was extremely detrimental to Sony Pictures.

One of the highlights of this hack was the fact that Sony IT had a shared folder on their network simply called "Passwords" that contained (in clear text) hundreds of usernames and passwords for systems within Sony's network. Talk about making a bad day worse. The hack still would have happened regardless of this but it would have been far less damaging.

Your organization might not be publishing the next controversial movie poking fun at North Korea but you're still vulnerable. Every organization has sensitive information that malicious individuals would love to steal. Do you have an Excel spreadsheet on your network unencrypted that contains sensitive information? I hope not! If you do, pay attention while I give you three words of advice: Proper Password Management.

An organization doesn't have to resort to keeping plain text files in a shared folder to store sensitive information like passwords. There are plenty of ways to secure this information and still maintain some level of convenience when accessing them. One method is simple and free through Windows PowerShell scripting. PowerShell can leverage any Windows API available. One of those that can be used to protect sensitive information like passwords is the Data Protection API (DPAPI).

The DPAPI is a method of encrypting and decrypting text with a user password. One way that PowerShell uses the DPAPI is through secure strings. Secure strings are values that are encrypted and, when sent to a file, can be encrypted on disk. This means no more plain text password files. I'm talking to you Sony IT. When the information needs to be read, it can then be easily decrypted using the same user's credentials seamlessly.

Let's go over a quick example. Let's say you're not Sony IT and you've got a text file full of usernames and passwords that look something like this.

Instead of saving this file in a folder share somewhere you decide it needs to be protected using secure strings and managed with Windows PowerShell. After doing a little bit of research you discover to do this you need to use the ConvertTo-SecureString cmdlet to convert each password from plain text to a secure string object.

You try this out by reading the contents of your password file and converting each of the passwords to a secure string object.

    # Convert each plain text password to an in-memory SecureString
    Import-Csv C:\passwords.txt |
        Select-Object Username, @{n='EncryptedPassword'; e={$_.Password | ConvertTo-SecureString -AsPlainText -Force}}

After this has run you get an output like this but you'd expect the encrypted password to be a bunch of non-readable characters. What is this System.Security.SecureString?

You check the password file and nothing has changed. What gives? It turns out that method is actually encrypting the password but it's just in the PowerShell console. It's not actually saved back to disk yet. To do this, you use the ConvertFrom-SecureString cmdlet which converts the secure string object to a state that can then be saved back to a file.

    # Convert the SecureString to an encrypted string that can be written to disk
    Import-Csv C:\passwords.txt |
        Select-Object Username, @{n='EncryptedPassword'; e={$_.Password | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString}}

Now all we must do is to save it back to the disk and we're now storing encrypted passwords.

    # Same conversion, written out to a new CSV file
    Import-Csv C:\passwords.txt |
        Select-Object Username, @{n='EncryptedPassword'; e={$_.Password | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString}} |
        Export-Csv C:\encryptedPasswords.txt -NoTypeInformation

You now have a file called encryptedPasswords.txt that contains encrypted passwords alongside each username.

Encrypted passwords on disk aren't too much good unless they can be read by authorized individuals. The code may not be easy to understand but it works. I recommend perhaps making this a function if you decide to do this. In this example, I'm finding the username adam in my file and decrypting the encrypted password to show it in plain text.

    # Look up one user and decrypt the stored password back to plain text
    Import-Csv C:\encryptedPasswords.txt |
        Where-Object {$_.Username -eq 'adam'} |
        foreach {[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((ConvertTo-SecureString $_.EncryptedPassword)))}

This is an example of using secure strings and it is better than storing passwords in plain text, but it's not perfect. This method is limited to the user account that encrypted the passwords and since it is simply encrypted with a password it is known to be much less secure than using certificates.

If you need a more robust encryption method I recommend encrypting your passwords with a certificate using a tool like the ProtectedData module or by a third party tool.

Even though an intruder may not be able to read the passwords during the attack he still might make a copy and run a brute force attack on it in his own time. Pay attention to who accesses a sensitive document like a password file, and when. A tool like Netwrix Auditor for File Servers could easily monitor this file and alert you if anyone attempts to read, copy or modify your password file. Security is best applied in layers. Don't forget to keep a watchful eye out on all your sensitive data as well.
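The article suggests wrapping the secure-string steps in a function and notes that the result can only be read by the account that encrypted it. The following is an added example, not the author's code: the function names, the temporary folder and the sample accounts are assumptions, and it relies on Windows, where ConvertFrom-SecureString without a key uses DPAPI.

```powershell
# Added example (not from the article). Windows only: without -Key,
# ConvertFrom-SecureString protects the value with DPAPI for the current
# user on the current computer. All names below are hypothetical.

function Protect-PasswordFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,        # CSV: Username,Password
        [Parameter(Mandatory)] [string] $Destination  # CSV: Username,EncryptedPassword
    )
    Import-Csv -Path $Path | ForEach-Object {
        [pscustomobject]@{
            Username          = $_.Username
            EncryptedPassword = $_.Password |
                ConvertTo-SecureString -AsPlainText -Force |
                ConvertFrom-SecureString
        }
    } | Export-Csv -Path $Destination -NoTypeInformation
}

function Get-StoredCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Username
    )
    $row = Import-Csv -Path $Path |
        Where-Object { $_.Username -eq $Username } |
        Select-Object -First 1
    if (-not $row) { throw "No entry for '$Username' in $Path" }
    try {
        $secure = ConvertTo-SecureString -String $row.EncryptedPassword -ErrorAction Stop
    }
    catch {
        # DPAPI rejects data protected by another user or on another computer.
        throw "Cannot decrypt '$Username': protected under a different account or computer."
    }
    # Return a PSCredential so callers can use -Credential parameters
    # without the password ever being displayed.
    New-Object System.Management.Automation.PSCredential ($row.Username, $secure)
}

function ConvertFrom-SecureStringToPlainText {
    # Only for the rare case where plain text is unavoidable.
    param([Parameter(Mandatory)] [securestring] $SecureString)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }  # wipe the unmanaged copy
}

# --- Demonstration with constructed sample data ---
$work = Join-Path $env:TEMP ('pwdemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$plainFile     = Join-Path $work 'passwords.txt'
$encryptedFile = Join-Path $work 'encryptedPasswords.txt'

@'
Username,Password
adam,Constructed-Sample-1!
svc_backup,Constructed-Sample-2!
'@ | Set-Content -Path $plainFile

Protect-PasswordFile -Path $plainFile -Destination $encryptedFile
Remove-Item -Path $plainFile            # the clear text copy must not stay on disk

$cred = Get-StoredCredential -Path $encryptedFile -Username 'adam'
$roundTripOk = (ConvertFrom-SecureStringToPlainText $cred.Password) -eq 'Constructed-Sample-1!'
"Decrypted credential for $($cred.UserName); round trip correct: $roundTripOk"

Remove-Item -Path $work -Recurse
```

Copying encryptedPasswords.txt to another account or machine and calling Get-StoredCredential there produces the decryption error, which is the per-user limitation the article describes.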


April 2015 SysAdmin Magazine

3 Ways to Protect the Keys to Your Kingdom - Domain Administrator Credentials

by Russell Smith
Specializing in the management and security of Microsoft-based IT systems, Russell is the author of a book on Windows security and a contributing author and blogger.

The US Government reportedly has evidence that the Sony hack in November 2014 was carried out using stolen domain administrator credentials, and while at the time of writing there has been no official confirmation, it's conceivable that this could be the case. Windows domain administrator credentials potentially allow an attacker to gain access to all servers in a domain, and although care must also be taken to protect server local administrator accounts, they provide an element of damage limitation by restricting access to individual servers. Whether compromised administrator credentials turn out to be the way hackers gained entry to Sony's systems or not, the misuse and proliferation of administrator accounts across most organizations' IT systems is a risk that can be significantly reduced by following a few simple best practices.

Isolate Domain Controllers

The servers that run Windows Active Directory are called domain controllers (DCs), and it's critical that they are properly secured, both physically and logically. The first step to that goal is to make sure domain controllers don't host workloads other than Active Directory. For example, a domain controller shouldn't double up as a file or SQL database server for a line-of-business application. It's also worth mentioning that domain controllers should be physically secured.

Beginning in Windows Server 2012, support for virtualization makes it easier to ensure that domain controllers don't need to host other workloads. Domain controller isolation also allows for separation of administration duties, i.e. regular maintenance of servers not hosting Active Directory shouldn't require domain administrator privileges, and along with delegation of control, DC isolation helps you to manage change on your systems.

Delegation of Control

Privileged accounts should never be used to log in to user workstations, and only be permitted for use on devices designated for administering sensitive systems. IT staff don't need domain administrator accounts to perform regular tasks if you delegate rights. Start by configuring Active Directory so that a group other than Domain Admins is able to join computers to the domain, and follow that by devising a strategy to assign Remote Desktop access to a designated group.

Use the Delegation of Control Wizard in Windows Server to get started in assigning Active Directory access to IT staff, so they can perform daily administration tasks, such as user and group management. And while it's not possible to completely remove the need to use domain administrator credentials, you can assign a restricted group of users the right to reboot domain controllers, set up event log forwarding, and configure Windows Update to minimize the frequency with which domain administration credentials are required.

Protected Users and Authentication Silos

The Protected Users group, in Windows Server 2012 and later, applies restrictions to user accounts that are designed to reduce the likelihood of compromise, including blocking the legacy NTLM authentication protocol, weak encryption in the Kerberos pre-authentication process, and Kerberos delegation.

Additionally, Windows Server 2012 R2 introduced authentication policies and silos, which can be used to restrict the devices from which users can authenticate. For example, you could create a policy and silo that prevent domain administrators authenticating from anything but domain controllers.
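The Active Directory query that Orin Thomas's article describes (privileged accounts whose password never expires or has not been updated after a set period) and the Protected Users membership discussed above can be checked in one pass. This is an added example, not code from the magazine; the function names, the 90-day threshold, the example.com distinguished names and the sample accounts are assumptions.

```powershell
# Added example (not from the magazine). Thresholds, names and sample
# accounts are assumptions made for illustration.

function Test-PrivilegedAccountHygiene {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-ADUser output with PasswordNeverExpires,
        # PasswordLastSet and MemberOf loaded.
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int]      $MaxPasswordAgeDays = 90,
        [string]   $ProtectedUsersDn   = 'CN=Protected Users,CN=Users,DC=example,DC=com',
        [datetime] $Now                = (Get-Date)
    )
    process {
        $findings = @()
        if ($Account.PasswordNeverExpires) {
            $findings += 'PasswordNeverExpires is set'
        }
        if (-not $Account.PasswordLastSet) {
            $findings += 'No password-last-set date (never set, or must change at next logon)'
        }
        else {
            $age = [int][math]::Floor(($Now - $Account.PasswordLastSet).TotalDays)
            if ($age -gt $MaxPasswordAgeDays) {
                $findings += "Password is $age days old (limit $MaxPasswordAgeDays)"
            }
        }
        # MemberOf lists direct memberships only, which is how accounts are
        # normally added to Protected Users.
        if ($Account.MemberOf -notcontains $ProtectedUsersDn) {
            $findings += 'Not a member of Protected Users'
        }
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            Compliant      = ($findings.Count -eq 0)
            Findings       = $findings -join '; '
        }
    }
}

function Get-PrivilegedAccount {
    # Live query; needs the ActiveDirectory module (RSAT) and domain read access.
    param([string[]] $Group = @('Domain Admins', 'Enterprise Admins'))
    Import-Module ActiveDirectory -ErrorAction Stop
    $Group |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property distinguishedName -Unique |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Properties PasswordNeverExpires, PasswordLastSet, MemberOf
        }
}

# --- Offline demonstration with constructed accounts ---
$now = Get-Date '2015-06-01'
$da  = 'CN=Domain Admins,CN=Users,DC=example,DC=com'
$pu  = 'CN=Protected Users,CN=Users,DC=example,DC=com'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm.alice'; PasswordNeverExpires = $false
                       PasswordLastSet = $now.AddDays(-20);  MemberOf = @($da, $pu) }
    [pscustomobject]@{ SamAccountName = 'adm.bob';   PasswordNeverExpires = $true
                       PasswordLastSet = $now.AddDays(-400); MemberOf = @($da) }
    [pscustomobject]@{ SamAccountName = 'adm.carol'; PasswordNeverExpires = $false
                       PasswordLastSet = $now.AddDays(-120); MemberOf = @($da, $pu) }
)
$report = $sample | Test-PrivilegedAccountHygiene -Now $now
$report | Format-Table -AutoSize -Wrap

# Against a real domain, pass the domain's own Protected Users DN:
#   $dn = (Get-ADGroup 'Protected Users').DistinguishedName
#   Get-PrivilegedAccount | Test-PrivilegedAccountHygiene -ProtectedUsersDn $dn |
#       Where-Object { -not $_.Compliant }
```

Run on a schedule and mailed when any row is non-compliant, this gives the notification mechanism the earlier article asks for.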


State of IT Changes Survey 2015: Documenting and Auditing

How do most organizations handle the changes made and what methods do they use to maintain security and system availability? Netwrix 2015 State of IT Changes Survey, the research of more than 700 IT professionals across over 40 industries, reveals its unsettling results. Nearly 70% of organizations continue to make undocumented changes and only 50% have some kind of auditing in place.

Undocumented changes are a hazard for business continuity: by letting them slide you put sensitive data at risk. After showers of data breaches back in 2014, companies should have understood that already. And it's a good thing, that just 17% of companies admit to have made changes which eventually caused a data breach. Still, the majority - 67% of companies - allow impact of unauthorized or incorrect changes to cause service downtime, the worst offenders being enterprises in 73% of cases.

All in all, too many organizations remain in the dark about what is going on across their IT infrastructures. They are unable to detect a security violation until a data breach is revealed. But despite the fact that companies still have shortcomings in their change management policies, the overall results of 2015 show a positive trend. More and more organizations are establishing auditing processes to achieve visibility into their IT infrastructures.

Full report is available at netwrix.com/go/survey2015_report

Top 10 Free Tools for Change Auditing and Password Management

Track changes to Active Directory, Exchange, file servers, manage passwords and troubleshoot account lockouts at absolutely no cost.

The following freeware tools can save you a lot of time and make your network more efficient - at absolutely no cost. Some of these tools have advanced commercial versions with additional features, but none of them will expire and stop working when you urgently need them.

1. Change Notifier for Active Directory
Tracks changes to Active Directory (AD) users, group memberships, OUs, permissions, and provides visibility into what's happening inside your AD.

2. Change Notifier for Group Policy
Tracks every change made to your group policy objects (GPOs), including GPO links, audit policy, password policy, and software deployment changes, and fills major gaps found in native auditing tools.

3. Account Lockout Examiner
Alerts on account lockouts, helps troubleshoot these events, and analyzes their potential causes. The accounts can be unlocked via Netwrix Account Lockout Examiner console or mobile device.

4. Change Notifier for Exchange
Reports on what's happening inside your Exchange servers, and tracks both configuration and permission changes with "before" and "after" values.

5. Password Expiration Notifier
Automatically reminds your users to change their passwords before they expire so you can avoid password reset calls. It works nicely for users who don't log on interactively and never receive standard password change reminders at logon time (e.g., VPN users).

6. Change Notifier for File Servers
Tracks changes to files and shares permissions, detects deleted and newly-created files, and reports on file-access attempts. This freeware tool strengthens security of your Windows-based file servers.

7. Password Manager
Allows users to reset forgotten passwords and unlock their accounts through a convenient, web-based, self-service portal and integration with the standard Windows logon procedure. The tool supports up to 100 users.

8. Change Notifier for SQL Server
Detects changes made to your SQL Server configurations, including database creation and deletion, changes to database users, roles, and schemas. It also reports "before" and "after" values for every change, and sends daily reports showing all changes made.

9. Change Notifier for VMware
Allows you to control changes in your virtual environments. It notifies you about changes to VMware virtual machine settings, creation and deletion of virtual machines. It also sends daily reports of all changes made in the past 24 hours with "before" and "after" values.

10. Change Notifier for Windows Server
Alerts you about changes made to your Windows Server configurations, including installed software and hardware, services and scheduled tasks. It sends summary reports listing changes of the last 24 hours with "before" and "after" values.

JOHN BAGLEY
Award-winning professional writer and independent consultant

Data Governance: The Key to Compliance

by Deb Shinder
MCSE, MVP (Security), technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security

In a legislation-laden era, more and more organizations are falling under the mandates of governmental or industry regulation. The requirements can be complex and confusing, and it's hard to know where to start in creating and enforcing policies that will keep your company in compliance, so many IT departments live in fear of the upcoming compliance audit. But whether your company is covered by HIPAA, GLBA, SOX, PCI DSS, FISMA or other less-known regulations, data governance is a key element in meeting the standards.

Despite this, many IT professionals and even security experts don't have a real understanding of what data governance comprises or how to implement an effective data governance policy. Data governance refers to the collection of established policies and procedures that govern the management of your data, both in transit and at rest, within and (in the case of cloud computing) outside of your organization's premises. These policies should encompass usability and usage, availability and reliability, and the security and integrity of the data.

A good way to think of it is in terms of the old journalism school rule of thumb: Who, What, When, Where and How. These are the questions you need to ask when you formulate your program. A more formal definition, from the Data Governance Institute, says it this way: "Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods."

A data governance program is a three-pronged system:

- People (the governing body that establishes the policies and procedures, those tasked with implementing them, and the creators and users of the data who are impacted)
- Policies and Procedures (the formal rules and implementation guidelines)
- Plan (a structured means by which to execute the procedures)

The people involved include designated roles such as data custodian, data steward, and data stakeholder. Beginning at the lowest level of responsibility, the data stakeholders include any individuals or groups who are impacted by the data governance decisions, so everyone who creates or uses the data belongs in this group. Data stewards are those who either set the policies (in small organizations) or make recommendations to higher authorities in larger organizations (which may have one or more chief data stewards). Data custodians are directly responsible for the maintenance of the safety and integrity of the data when it is in transit and in storage. Data custodians have responsibility for the technical aspects of protecting the data, the "how" of implementing the policies, whereas data stewards are business-focused with responsibility for the "why" and "what" of the policies and procedures.

Data governance is all about decision-making. Before people can make decisions regarding data governance, a decision must be made regarding who has the authority to make which decisions. This is called decision rights. In regard to regulatory compliance, decisions include whether to comply (a fairly easy decision when penalties for non-compliance are involved), when to comply (how long it will take to implement full compliance), what must be done to comply (the particular requirements) and how compliance will be achieved (what changes will be made and in what order).

The policies are the rules and guidelines developed by the governing individuals or committees and address what must (or must not) be done, who is responsible for doing it and for enforcing it, where the policy applies (including exceptions), when the policy goes into effect and why the policy is needed (the purpose/goal of what the policy is designed to accomplish). Policies should be straightforward and easy to understand, should cover as many scenarios/situations as can be anticipated, and should not conflict or overlap with one another. Policies should be distributed to all who are impacted by them.

Procedures are specific instructions on how to perform a task or process in a structured way. Each procedure should address one task. The procedural document should specify who is authorized or required to perform it, what steps are to be taken, when each step is to be taken (order of steps) and how those steps are to be performed, including specific protocols, applications, devices etc. that are to be used.

The plan is a broader-based "big picture" view of what will need to be in place to accomplish the data governance program mission, including timelines, budgets, hardware and software purchases, personnel, and so forth.

One of the most difficult parts of establishing compliance policies is the decision as to who will be accountable for compliance-related tasks. Those who are assigned responsibility must have the corresponding authority to carry out those tasks and this can get tricky in terms of internal politics and "turf wars" within an organization. The plan should take this into account and establish clear channels of communication and a chain of command to avoid different individuals and groups duplicating effort or even working at odds with one another toward compliance goals.

Internet Usage Policy against Inappropriate Content

by Richard Muniz
20+ years in IT industry, a practicing systems administrator and a teacher

A recent posting in Spiceworks caught my attention. It seems that this admin was asked to generate an Internet usage report on a fellow employee. The next thing he knows, the employee was let go. Of course he felt somewhat guilty about it. Another poster was talking about a fellow user who has been surfing porn while at work. Since management was watching, what should he do since he considered the colleague a friend? Well, in both instances, the solution to the problem lies on both sides of the equation - the HR side and the IT side.

First, HR has to establish some strong Internet speaking of the top, you cannot have a boss who usage policy. Often these rules are buried in the gives this lip service and is guilty of violating it. I user?s welcome package. I?d advocate an actual worked in a place once where we had a few form that they have to read, understand and employees surfing porn. Since this was sign; this becomes part of their employee packet. becoming a problem, the boss looked to IT for This would spell out exactly what you can and solution. ?Not a problem,? I said. ?We buy a cannot do, and what the penalties for violations license for the firewall, install it, and then we can are. So the warning starts at the top. And do a little more filtering to include porn.?

"Does that block everyone from reaching a porn site?" he asked.

"Of course," I answered, "I can make some exceptions, but that might cause issues with the team if one person does something and the others can't."

"Well, that won't work," he said after a moment. He nixed the idea pretty quickly while continuing to let people go.

The majority of modern day firewalls will allow you to block websites of certain kinds. Most have some keywords programmed into them, and it's these keywords the firewall jumps on whenever someone tries going to them. And instead of looking at the screen they expected, they get a rather generic looking, semi-official web page telling them that the site has been blocked by the company due to inappropriate content.

Exceptions can be made, but they need to be treated on a case by case basis. You can also, in most cases, limit that access to only certain users, and still deny everyone else. In this way, everyone knows that there are reasons to grant access to certain sites, there is a process, and that it has been approved.

What a lot of companies do is they also run their employees through a yearly Internet usage and training course so they're reminded of usage policies and better network protection (which implies an active anti-spam campaign).

Another step admins might want to consider is what amounts to a more or less daily reminder. What you might want to do is configure a policy setting so that when a person logs on he gets a pop up banner that contains the warning. The user must acknowledge it by clicking an "OK" button. This is done as part of GPO in Active Directory and goes to every server and workstation attached to it. To do this is very simple, just follow these few steps:

Step 1: Open Group Policy Management

Step 2: Right click on the Default Domain Policy under Group Policy Objects, click Edit

Step 3: Go to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options, Interactive logon

Step 4: Double click the "Interactive logon: Message title for users attempting to log on", enter the title message

Step 5: Double click the "Interactive logon: Message text for users attempting to log on", enter the notice message

Step 6: Close the Group Policy Management

Step 7: Run "gpupdate /force" on other machines to force the group policy, or just wait for it to replicate.

One thing about the Banner! This is a legal document, so don't play cute with it. Indeed, whatever you come up with should be approved by management. Don't mention names or post phone numbers; if someone is doing a little hacking of the site, you just gave them a bit more information to help them do what they want to do. What needs to be mentioned is that this is a private system, that it is monitored, and that usage of your domain and network is for authorized users and usage only. You might also want to mention that unauthorized usage is in violation of the company Internet usage policy and can result in termination, criminal charges, and/or civil actions.

Between training, warning banner, and the firewall we can consider the user warned! And violation means their indiscretion is on their head.
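To confirm that the logon banner from the steps above actually reached a machine and follows the content advice, a check like the following can be run. This is an added example, not part of the original article: the function name and sample banner are constructed, and LegalNoticeCaption / LegalNoticeText are the registry values Windows uses to store the two "Interactive logon" message settings.

```powershell
# Added example; the sample banner text is constructed from the article's advice.
function Test-LogonBanner {                  # hypothetical helper name
    param([string]$Caption, [string]$Text)
    $findings = @()
    if ([string]::IsNullOrWhiteSpace($Caption)) { $findings += 'Message title is empty' }
    if ([string]::IsNullOrWhiteSpace($Text))    { $findings += 'Message text is empty' }
    # Points the article says the banner should make
    foreach ($term in 'private', 'monitored', 'authorized') {
        if ($Text -notmatch "\b$term\b") { $findings += "Text does not mention '$term'" }
    }
    # Heuristic for the "no phone numbers" advice: a run of 8+ digits and common separators
    if ($Text -match '\+?\d[\d\s().-]{6,}\d') { $findings += 'Text appears to contain a phone number' }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Offline check of a draft banner before it goes to management for approval
$draft = 'This is a private system. It is monitored. Use of this domain and network is for ' +
         'authorized users and usage only. Unauthorized usage violates the company Internet ' +
         'usage policy and can result in termination, criminal charges, and/or civil actions.'
Test-LogonBanner -Caption 'Notice' -Text $draft

# On a workstation after "gpupdate /force": read what the policy actually wrote
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$applied = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
Test-LogonBanner -Caption $applied.LegalNoticeCaption -Text $applied.LegalNoticeText
```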

How to Detect Password Changes in Active Directory

Changes to a user account password made by anyone other than a legitimate IT administrator or the account owner may be a sign that the account has been hacked. Having gained access to the account, a malefactor is able to read, copy, delete and distribute sensitive data, which may result in significant data leaks.

1. Run GPMC.msc (url2open.com/gpmc) > open "Default Domain Policy" > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy:
- Audit account management > Define > Success and Failure.

2. Run GPMC.msc > open "Default Domain Policy" > Computer Configuration > Policies > Windows Settings > Security Settings > Event Log > Define:
- Maximum security log size to 1 GB
- Retention method for security log to "Overwrite events as needed"

3. Open and search the Security log for event IDs 628/4724 (password reset attempt by administrator) and 627/4723 (password change attempt by user).
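Step 3 can be scripted rather than searched by hand. The following is an added example, not code from the original article or from Netwrix: it parses a password event's XML and marks for review any reset made by an account outside an allow-list, or any "change" made to someone else's password. The function name, allow-list, account names and sample event are all constructed.

```powershell
# Added example; the allow-list, account names and sample event below are constructed.
$ApprovedResetters = @('CORP\helpdesk01')   # hypothetical accounts allowed to reset passwords

function Get-PasswordEventSummary {         # hypothetical helper name
    param([Parameter(Mandatory)][string]$EventXml, [string[]]$Approved = @())
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    foreach ($node in $evt.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $id     = [int]$evt.System['EventID'].InnerText
    $actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    $target = '{0}\{1}' -f $data['TargetDomainName'],  $data['TargetUserName']
    [pscustomobject]@{
        Time   = $evt.System.TimeCreated.SystemTime
        Id     = $id
        Action = if ($id -eq 4724) { 'reset by another account' } else { 'change by user' }
        Actor  = $actor
        Target = $target
        # Review: a reset by an account off the allow-list, or a "change" of someone else's password
        Review = ($id -eq 4724 -and $Approved -notcontains $actor) -or
                 ($id -eq 4723 -and $actor -ne $target)
    }
}

# Constructed 4724 event, trimmed to the fields the function reads
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2015-06-01T10:15:30Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">tempadmin</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@
Get-PasswordEventSummary -EventXml $sample -Approved $ApprovedResetters

# Live use on a domain controller (elevated prompt), last 24 hours:
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4723,4724; StartTime=(Get-Date).AddDays(-1) } |
#   ForEach-Object { Get-PasswordEventSummary -EventXml $_.ToXml() -Approved $ApprovedResetters } |
#   Where-Object Review
```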

See Real-Life Use Cases: netwrix.com/go/password_changes_AD


Copyright © Netwrix Corporation. All rights reserved. Netwrix is trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.