I was recently hired as a security administrator responsible for overall information security, including log management and access review. Software I'm testing to review user
and group access require me to have
administrative access to run the discovery
tasks, but I don't have administrative
access and have to ask
someone who does to install and run
the discoveries for me. Log management
tools also require me to have
administrative access. However, from
an auditing standpoint, I shouldn't
have administrative access; although
I should be able to monitor changes
that administrators make, I shouldn't
be able to make changes myself.
Another example is setting Group
Policy in Active Directory (AD): I
shouldn't be able to go into AD to set
policies, but I should be able to view
security policies. Do you have recommendations
about the type of access
someone in my position should have?
Ideally, organizations should employ someone to be responsible for assessing and monitoring security, but that person shouldn't be responsible for actually administering systems. Monitoring and administrative responsibilities should be divided to serve as a separation-of-duty control.
There are two risks when the same individual or group performs both types of duties. First, there's tension between security and system support, and a busy administrator who has no one looking over his or her shoulder will often shortcut security policies and procedures to solve problems. Second, employees—even administrators—can sometimes become malicious and turn into rogues. Having a dedicated security person reviewing employee actions is an effective deterrent.
In your position, you shouldn't have administrative authority because no one reviews what you do. As you've discovered, however, many reporting programs that provide useful information for someone in your position aren't designed with the concept of least privilege in mind, so an administrator must supervise the execution of such programs.
As for log management, many log monitoring solutions let you collect security logs from systems on your network and put them into a separate log management server under your control. Some of the solutions I recommend are Secure Vantage Technologies' Security Control Management Pack for MOM 2005, TNT Software's ELM Log Manager, Prism Microsystems' EventTracker, GFI Software's GFI LANguard Security Event Log Monitor, and Quest Software's InTrust. After supervising the installation of the collection agent on each system by an administrator, you shouldn't need further access to the systems being monitored. It's important that the log management server be in a separate forest or be a standalone server. The server shouldn't be in a forest administered by typical IT administrators because it would be subject to tampering by the employees the server is monitoring.
To view Group Policy, all you need is Group Policy Management Console (GPMC) and a simple, unprivileged user account located somewhere in the AD forest. The Authenticated Users special principal, to which all users in the forest belong, has read access to Group Policy Objects (GPOs) and almost everything else in AD. However, when all you have is read access, only GPMC will let you view a GPO.