The IT auditor is asking for domain admin access to perform various IT audits during the year. Is there a reason they would need this? Also, is there a way to give read-only admin access across Windows, UNIX, etc.?
Thanks
ASKED: June 19, 2009 4:52 PM
UPDATED: June 29, 2009 2:35 PM
IMHO, the answer to this question depends on whether the auditor in question is an employee of your organization, or an external auditor/consultant.
If the former, I would ask that they submit some kind of paperwork, authorized by their manager and hopefully yours (or your information security officer). That way, should things go sideways, you’re not held liable.
If the latter, never, ever give any credentials out. In my audits, the auditors are free to sit with me, request that I perform various tasks, take notes, and request screenshots (scrubbed where necessary to obfuscate proprietary or confidential details: client records, IPs, URLs, things of that nature). The fact that they’re asking might be an underhanded way of testing access controls.
Hope that helps.
The account should be set with an expiration date and monitoring so that their activities can be tracked also. The other alternative is to have a security manager run the reports in a read-only format (PDF or screenshots) for the auditor’s use.
This is something I do all the time in my security assessments…I have my clients set up test accounts that expire after a certain period. I also remind them to disable those accounts when I’m done.
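The two replies above describe the control (a time-limited, monitored account that is disabled when the engagement ends) without showing how it is set up. The following is an added example, not code from anyone in this thread, of provisioning such an account in Active Directory with the ActiveDirectory PowerShell module. It assumes the module is installed, that you run it as an account permitted to create users, and that a group named `Audit-ReadOnly` already exists with read-only rights only; the account and group names are placeholders chosen for the example.

```powershell
# Added example (not from the original thread): provision a time-limited,
# read-only audit account in Active Directory and check that it is disabled
# once the audit window has closed.
# Assumptions: ActiveDirectory module installed; 'Audit-ReadOnly' is a
# placeholder group that carries read-only rights only (no Domain Admins).
Import-Module ActiveDirectory

$AccountName = 'svc-audit-temp'             # placeholder account name
$ReadOnlyGrp = 'Audit-ReadOnly'             # placeholder read-only group
$ExpiresOn   = (Get-Date).AddDays(14)       # hard expiry = end of the audit window

# Create the account disabled; it is enabled only when the audit actually starts.
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -AccountExpirationDate $ExpiresOn `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -ChangePasswordAtLogon $true -Enabled $false `
    -Description "Auditor read-only access; expires $($ExpiresOn.ToShortDateString())"

# Read-only group memberships only. 'Event Log Readers' is a built-in group
# that allows reading event logs without administrative rights.
Add-ADGroupMember -Identity $ReadOnlyGrp -Members $AccountName
Add-ADGroupMember -Identity 'Event Log Readers' -Members $AccountName

# On the first day of the audit:
Enable-ADAccount -Identity $AccountName

# Monitoring: list this account's successful logons (Event ID 4624) from the
# Security log of the domain controller this runs on, for the reviewer.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Account Name:\s+$AccountName" } |
    Select-Object TimeCreated, Id, MachineName

# Housekeeping after the engagement: any user account past its expiry date
# that is still enabled gets disabled explicitly.
Search-ADAccount -AccountExpired -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Disable-ADAccount -Identity $_.SamAccountName
        Write-Output "Disabled expired account: $($_.SamAccountName)"
    }
```

Active Directory already refuses logons for an account whose expiration date has passed, so the final disable step is defense in depth that also makes the account's status obvious to anyone reviewing it later. On Linux hosts the same expiry is set with `useradd -e YYYY-MM-DD` when the account is created, or `chage -E YYYY-MM-DD` on an existing one, with the account placed in groups that grant read access only.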
Take Sonotsky’s latter route and neither you nor your auditor is going to get what you need. It’s just too impractical. If there’s mistrust or paranoia involved, perhaps you can look over the auditor’s shoulder. Something that’ll last for an hour or so at best until the auditor proves his trust and value…and because you have better things to be doing.