Network administrator security policies

Even though no network admin has ever harbored any malice or mischief, it's usually a good idea to implement specific controls and policies to cover the people who have "root" or "administrator" access to your applications, servers and network components.

First, it's a good idea to use stronger authentication for network admins than normal users, because their accounts are capable of much more than normal users. You may not be able to justify tokens, for instance, for all of your user community, but a half-dozen tokens for the administrators should be more palatable. Stronger authentication also includes free things like more stringent password rules and a faster inactivity logout.

Unfortunately, many network devices don't allow users to keep info private from administrators. For example, generally, network admins shouldn't be able to peek at the HR employee's data on a server. When the physical controls aren't present, it's even more important to emphasize your company policy and enable detailed logging and to audit those logs.

Don't forget things like tape backups either. It's another relatively easy way for an administrator to do things he shouldn't be doing, from peeking at the data to selling the tapes to a competitor. That would never happen, right? Security involves more than just putting a password on things and not letting mundane people in your raised floor. It takes well-considered processes, like having a person change tapes who does not have administrative access, and having a 3rd person store those tapes in a secure location.

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.