Top-10 configuration mistakes

Commentary-- Configuresoft's George Gerchow warns that in many enterprises, the simplest configuration safeguards are overlooked, opening the door to potential breaches.
Written by George Gerchow, Contributor
Configuration management has been on the minds and to-do lists of IT executives and administrators for several years now, and the universe of technology available to help organizations stay on track keeps growing. Yet, in many enterprises, the simplest configuration safeguards are overlooked, opening the door to potential breaches.

Following are 10 common configuration mistakes that IT administrators will make in 2007, with suggestions on how to avoid them.

1. Anti-virus software: Anti-virus software is worthless to an enterprise if it is not properly installed and configured. Users are also known to stop anti-virus from starting with the operating system to speed their access to corporate materials, without realizing the security ramifications. Organizations should deploy an enterprise solution that can monitor for the presence of anti-virus software and ensure it is able to discover and remediate security threats.

2. Service accounts: If an incorrect account is assigned to a service, or if that account's password changes, the service will fail to start properly and the account becomes locked out. Make sure that service accounts are consistently configured and that their passwords are changed on a regular basis. Automating the change follows recommendations by NIST, DISA and the Microsoft hardening guidelines, among others.
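The following script is an added example, not from the article or from Configuresoft: it inventories the services on a Windows host that run under named (non built-in) accounts and flags any whose password is older than policy. It assumes the RSAT ActiveDirectory module is installed for the PasswordLastSet lookup, and $MaxPasswordAgeDays is a placeholder for the organization's own standard.

```powershell
# Added example, not from the article: list services running under named accounts and
# flag stale or unresolvable service-account passwords.
# Assumes the RSAT ActiveDirectory module; $MaxPasswordAgeDays is a placeholder standard.
Import-Module ActiveDirectory
$MaxPasswordAgeDays = 90
$BuiltIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and ($BuiltIn -notcontains $_.StartName) }

$report = foreach ($svc in $services) {
    # StartName is DOMAIN\user, .\user (local) or user@domain; keep only the user part.
    $sam = if ($svc.StartName -match '\\') { $svc.StartName.Split('\')[1] } else { $svc.StartName.Split('@')[0] }

    # Look the account up in AD; a local or orphaned account simply will not resolve.
    $ad  = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordLastSet -ErrorAction SilentlyContinue
    $age = if ($ad.PasswordLastSet) { (New-TimeSpan -Start $ad.PasswordLastSet -End (Get-Date)).Days } else { $null }

    $finding = if ($null -eq $age) { 'not found in AD: local or orphaned account?' }
               elseif ($age -gt $MaxPasswordAgeDays) { "password older than $MaxPasswordAgeDays days" }
               else { '' }

    [pscustomobject]@{
        Service         = $svc.Name
        State           = $svc.State
        Account         = $svc.StartName
        PasswordAgeDays = $age
        Finding         = $finding
    }
}

# One row per service; sort by account so a shared service account shows up as a cluster.
$report | Sort-Object Account | Format-Table -AutoSize
```

Run it across the estate and diff the output between runs: a service whose account changes, or whose password age resets without a scheduled rotation, is exactly the inconsistency the item above warns about.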

3. Administrative and guest accounts & passwords: Servers are shipped with default passwords that are readily available from the manufacturers or online. Finding them is easy--see the following URL for an example: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

In many cases these passwords are never changed. In addition, administrators often use the same password on multiple pieces of equipment. Rename default administrative accounts, change server and administrative passwords from their default settings, and rename and change them again on a regular basis. This is a matter of both organizational policy and regulatory practice. Usually, the standard is changing passwords every 60-90 days, including for DMZ environments.

4. Software inventory: Too often, the wrong version of software is installed and running in the corporate environment. Ensure the version (product key) and install source are consistent with standard build documents. Ensure that software on the workstations or servers was distributed from one's own network rather than from a rogue CD. Validate file system settings and registry keys to ensure that software is correctly installed.

5. Event log settings: Event logs are rarely set properly; they are configured with too short a retention window and too small a log size, and they are inconsistent throughout the enterprise. Ensure that they are consistently configured across the board. Auditors check that logs are configured to retain 60 days of data.
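As an added example (not from the article), this script audits the classic Windows event logs on a host for size, overwrite policy and how many days of history each log actually holds at the moment, so a log that wraps before the 60-day target stands out. It assumes PowerShell 3 or later in an elevated session (the Security log requires it); $MinSizeBytes is a placeholder standard.

```powershell
# Added example, not from the article: check event log size, mode and real coverage.
# Assumes PowerShell 3+ on Windows, run elevated; $MinSizeBytes is a placeholder standard.
$RequiredDays = 60          # retention target from the article
$MinSizeBytes = 256MB       # assumed local standard
$Logs         = 'Application', 'Security', 'System'

$report = foreach ($name in $Logs) {
    $log = Get-WinEvent -ListLog $name

    # The oldest surviving record shows how far back the log currently reaches.
    $oldest = Get-WinEvent -LogName $name -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
    $coverageDays = if ($oldest) { [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) } else { 0 }
    $nearlyFull   = $log.FileSize -ge (0.9 * $log.MaximumSizeInBytes)

    $issues = @()
    if ($log.MaximumSizeInBytes -lt $MinSizeBytes) {
        $issues += "max size $([math]::Round($log.MaximumSizeInBytes / 1MB)) MB is below standard"
    }
    # A circular log already near its cap with under 60 days of history is wrapping too soon;
    # a young, half-empty log is not penalised just for lacking history yet.
    if ($log.LogMode -eq 'Circular' -and $nearlyFull -and $coverageDays -lt $RequiredDays) {
        $issues += "holds only $coverageDays days before overwriting (target $RequiredDays)"
    }
    if ($log.LogMode -eq 'Retain') { $issues += 'set to never overwrite; logging stops when full' }

    [pscustomobject]@{
        Log          = $name
        LogMode      = $log.LogMode
        MaxSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB)
        Records      = $log.RecordCount
        CoverageDays = $coverageDays
        Compliant    = ($issues.Count -eq 0)
        Issues       = ($issues -join '; ')
    }
}
$report | Format-Table -AutoSize
```

Because Windows sizes logs in bytes rather than days, the only way to prove 60 days of retention is to measure coverage on a full log as above, or to forward events to a central store that enforces the retention period itself.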

6. Global and Local Administrator Groups: Validate who is a member of the local and global administrator groups, ensuring that access creep or extended permissions have not occurred, and specify the approved membership consistently across the board.
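The following added example (not from the article) covers items 3 and 6 together: it checks whether the built-in Administrator account still carries its default name and a stale password, whether Guest is enabled, and whether local Administrators membership has drifted from an approved baseline. It assumes Windows PowerShell 5.1 or later for the LocalAccounts cmdlets; the $ApprovedAdmins entries and the 90-day age are placeholders for the organization's own standard.

```powershell
# Added example, not from the article: audit built-in accounts and local admin membership.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser / Get-LocalGroupMember);
# $ApprovedAdmins and $MaxPasswordAgeDays are placeholders for the local standard.
$MaxPasswordAgeDays = 90
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: the renamed built-in account would go here
    'CORP\Server-Admins'                 # placeholder domain group
)

# Well-known RIDs survive renaming: -500 is the built-in Administrator, -501 is Guest.
$users   = Get-LocalUser
$builtIn = $users | Where-Object { $_.SID.Value -like '*-500' }
$guest   = $users | Where-Object { $_.SID.Value -like '*-501' }

$findings = @()
if ($builtIn.Name -eq 'Administrator') { $findings += 'built-in Administrator still has its default name' }
if ($builtIn.PasswordLastSet) {
    $age = ((Get-Date) - $builtIn.PasswordLastSet).Days
    if ($age -gt $MaxPasswordAgeDays) { $findings += "built-in Administrator password is $age days old" }
}
if ($guest.Enabled) { $findings += 'Guest account is enabled' }

# Compare actual membership with the baseline in both directions (creep and missing controls).
$members    = (Get-LocalGroupMember -Group 'Administrators').Name
$unexpected = $members        | Where-Object { $ApprovedAdmins -notcontains $_ }
$missing    = $ApprovedAdmins | Where-Object { $members -notcontains $_ }
foreach ($m in $unexpected) { $findings += "unexpected Administrators member: $m" }
foreach ($m in $missing)    { $findings += "approved member absent from Administrators: $m" }

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Compliant = ($findings.Count -eq 0)
    Findings  = ($findings -join "`n")
} | Format-List
```

Resolving the built-in account by RID rather than by name is what makes the rename check meaningful: a renamed Administrator still has RID 500, so the script reports on it whatever it is called.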

7. Open shares: The risk with sharing folders and permissions across the network is that there is often no way to track who has what rights to which shares. Audit this consistently every 60 days to ensure the organization is following the concept of "least privilege" or need-to-know access.
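As an added example (not from the article), this script enumerates the SMB shares on a host and flags any that grant Change or Full access to broad principals such as Everyone or Authenticated Users, which is the usual shape of an "open share". It assumes the SmbShare module (Windows 8 / Server 2012 and later); the list of broad principals is an assumption to adjust to the environment.

```powershell
# Added example, not from the article: find shares that grant broad principals write access.
# Assumes the SmbShare cmdlets (Windows 8 / Server 2012+); $BroadPrincipals is an assumption.
$BroadPrincipals = 'Everyone',
                   'NT AUTHORITY\Authenticated Users',
                   'BUILTIN\Users',
                   "$env:USERDOMAIN\Domain Users"

# Skip the administrative shares (C$, ADMIN$, IPC$); they are governed by admin group membership.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

$report = foreach ($share in $shares) {
    $acl  = Get-SmbShareAccess -Name $share.Name
    $open = $acl | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.AccountName -and
        $_.AccessRight -in 'Change', 'Full'
    }
    [pscustomobject]@{
        Share  = $share.Name
        Path   = $share.Path
        OpenTo = (($open | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', ')
        Risk   = if ($open) { 'review' } else { 'ok' }
    }
}
$report | Sort-Object Risk -Descending | Format-Table -AutoSize
```

Share permissions intersect with the NTFS permissions on the path, so a share flagged here may still be restricted on disk; check Get-Acl on the path before declaring it open, and record the result as part of the 60-day audit.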

8. OS levels and Service packs: Anecdotally, and based on a sampling of end-user enterprise organizations, approximately 10 out of 100 systems are mis-configured. Make sure all the operating systems are at an appropriate level to follow corporate standards and note compliance exceptions.

9. Patch management: Any large enterprise is usually a month behind on patches; there are always systems that are mis-configured with incorrect patch levels. Use due care in verifying every last DLL and registry key change to help meet SLAs and to act on failed-patch reports.

10. Change Rollback: Understand unplanned, undesired changes and centralize automated, audited change rollbacks. From registry key changes to patch deployments and service settings, mitigate undesired and out-of-band changes, including patch rollback.

As Technology Strategist for Configuresoft's Centre for Policy and Compliance, George Gerchow brings 15 years of IT and systems management expertise to the application of IT processes and disciplines that impact the security, compliance and operational status of complex, heterogeneous computing environments. Gerchow's practical experience and insight from managing the infrastructures of some of the world's largest corporate and government organizations make him a frequent speaker and invited panelist on topics including ITIL, configuration management, operational and security compliance and patch strategy.
