Most organizations I know strive for excellence in their management of compliance rules and processes; however, they often face similar challenges. The places where I have worked to set up compliance using Footprints Asset Core experience a common hurdle: ensuring compliance on machines that rarely come back to the WAN to authenticate against Active Directory and pick up fresh GPOs is almost impossible. Most folks call these users “Road Warriors”. This article will demonstrate how FPAC can be used to force compliance rules onto devices that would otherwise be left vulnerable or out of compliance.
The first and most common compliance rule would be for users to change their network password no less than once every 90 days. Yours may be as often as every 30 days, and I have seen a handful as long as 120 days. The often overlooked area for security is the LOCAL ADMIN password. I rarely see enterprise organizations ever change the local machine’s administrative password. FPAC has the ability to manage the local machine’s security settings, including managing USERS and GROUPS. As the person charged with IT security for your organization, it would be prudent to have a process in place to change those local administrative passwords as often as you change users’ network passwords, for ALL devices including the “road warrior” machines. This can be done using AD GPO for those machines on the network, but it is impossible for the “road warrior” devices. Using Operational Rules you have visibility into not only the primary administrative account but ALL other local accounts that are members of the local Administrators group. I will call these “extra” accounts, and they are a back door into the machine.
The following Operational Rules will perform these actions on the local machine:
- Create New Local Account – FPACAdmin
- Add to Local Administrators Group
- Remove FPACAdmin from the Users Group (Default Behavior)
- Count the number of local user accounts in the Administrators group
- Return all Local accounts that are Members of Administrators Group – provides a global view of ALL local accounts that are members of the Administrators group for audit verification and reveals any accounts not authorized to be local admins (Back Doors)
- Update the Master Database to make visible the values under Device > Inventory > Security Settings > User Accounts
FPAC has the ability to change the password of any local account. Once you have created this new FPACAdmin account you can disable the default administrator account.
Once run, you can see the results in FPAC:
By Collection of Devices:
Now that we have the data, we can run a compliance rule against our findings.
Create the various Compliance Rules in the interface (Compliance Module is a separate module and must be an active licensed component).
Results of the new rules:
As you can see, we are not fully compliant. The first pie chart indicates there are devices reporting back with MORE than just two accounts on the local machine that are members of the Administrators group. The second pie chart indicates that there are devices missing FPACAdmin as the local account used to manage that device. Remember that our policy rules state:
- The default Administrator Account is disabled
- FPACAdmin is added and is a member of the Administrators group
- Only these two accounts are allowed in the Administrators group
- The FPACAdmin account password must be changed no less than every 90 days per policy
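As an added example (not FPAC's own code or anything from the article), the following PowerShell performs the audit steps listed earlier and evaluates one machine against these four policy rules, which is useful for spot-checking what an Operational Rule reports back. It assumes Windows PowerShell 5.1 with the LocalAccounts module, an elevated session, and that the authorized-account list and output field names are my own choices.

```powershell
# Added example: evaluate a machine's local Administrators group against the
# article's four policy rules. FPACAdmin and the 90-day maximum password age
# come from the article; the authorized list and field names are assumptions.
$Authorized    = @('Administrator', 'FPACAdmin')
$MaxPwdAgeDays = 90

function Test-LocalAdminCompliance {
    # Local members only: domain users/groups nested in Administrators are out
    # of scope here, mirroring the article's focus on local accounts.
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'Local' }
    # Strip the COMPUTERNAME\ prefix so names compare against the policy list.
    $names = @($members | ForEach-Object { ($_.Name -split '\\')[-1] })

    # The built-in Administrator always has RID 500, whatever it was renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $fpac    = Get-LocalUser -Name 'FPACAdmin' -ErrorAction SilentlyContinue

    # Any local admin not on the authorized list is a "back door" per the article.
    $unauthorized = @($names | Where-Object { $Authorized -notcontains $_ })

    $pwdFresh = $false
    if ($fpac -and $fpac.PasswordLastSet) {
        $pwdFresh = ((Get-Date) - $fpac.PasswordLastSet).TotalDays -le $MaxPwdAgeDays
    }

    $findings = [ordered]@{
        LocalAdminCount        = $names.Count
        DefaultAdminDisabled   = [bool]($builtin -and -not $builtin.Enabled)
        FPACAdminPresent       = [bool]($fpac -and ($names -contains 'FPACAdmin'))
        OnlyAuthorizedAccounts = ($unauthorized.Count -eq 0)
        FPACAdminPwdWithin90d  = $pwdFresh
        UnauthorizedAccounts   = $unauthorized
    }
    # Compliant only when all four policy rules hold at once.
    $findings.Compliant = $findings.DefaultAdminDisabled -and
                          $findings.FPACAdminPresent -and
                          $findings.OnlyAuthorizedAccounts -and
                          $findings.FPACAdminPwdWithin90d
    [pscustomobject]$findings
}

Test-LocalAdminCompliance | Format-List
```

The UnauthorizedAccounts field lists the same "extra" accounts the Operational Rule surfaces under Device > Inventory > Security Settings > User Accounts, so the two can be compared directly during an audit.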
Using FPAC you now have an absolute source of authority to manage and report on the state of these policies. This makes going through any audit process much less painful and much quicker. Remember that AD GPO is not required to manage this set of policies, and these values can be set and monitored for both internal devices and remote devices that do not log into the domain to get GPO settings.
by Steve Gibbs, RightStar Systems