Referencing Styles : Harvard
One of the requirements of being a system administrator is to make decisions about overall structures and procedures. Below is a typical organization. You have recently been employed by this organization as the new chief information officer and systems administrator. Your first job is to clean up this organization’s computing – what would you do? When devising a response you should think about the following 1. Design of systems and network. 2. Administration and Management of systems and network. 3. Service Management. 4. Security. 5. Operating Procedures. 6. Disaster Recovery and, 7. Organisational requirements. Provide a written response outlining the problems with this computing environment and why. Once you have done this provide either technical or procedural solutions to these problems. You are basically going to devise a computing strategy for this organization. Where possible outline potential technological solutions you may employ to solve a particular problem. For each issue-identified outline the potential impacts it may have on the organization and why it is important to address. For example you may identify there is no security and decide to place a firewall into the organization to fix this. If you do this what services would you allow in/out of your network? Is that enough? You may decide a CISCO Pix would be a good tool to solve this problem. Another example may be you identify the need to backup data. If that’s the case how frequently should it be, what should you backup? Where do you plan to store backups? CSCI322/MCS9322 Spring Session 2015 – Assignment Four Page 2 Organisational Details. The organization in question is small software house. The software house is working on innovative software, which it plans to sell in the near future. Most code and documentation is stored on servers, which are publicly accessible via the Internet. The organization has a considerable investment in this data (for corporate purposes), hence its integrity and confidentially is important. The organization has a number of staff that are responsible for the management of the server infrastructure, however administration is somewhat lacked with many people across the organization knowing administrative passwords. At present there isn’t a full time administrator – the administration of services and systems seems to be the role of several developers who know ‘some stuff’. Employees of the organization currently enjoy free, open, unrestricted access to the Internet but realistically they only need to browse certain websites on the Internet. The management would like there to be a system in place to minimise the cost of accessing web resources. The organization consists of the following departments: 1. Research and Development (56 people) 2. Management (4 people) 3. Human Resources & Legal (5 people) 4. Finance (3 person) There are no concerns with the performance of the software/ hardware – though the management is confidant this can be improved. There are however major concerns about the potential impacts of disasters, downtime, compromises and the potential loss of intellectual property. Severs. The organization uses a number of servers to perform its core business. The servers are not very busy. In total there are six servers. These servers include a CIFS (Windows File Sharing) Server (running on a Windows NT server), Windows Active Directory Server (running on a Windows NT server), Apache Web Server (running on Mac OS X machine), Development Server (typically accessed using telnet and ftp) (running on Linux), Exchange Server (running on a Windows NT Server) and Oracle Server (running on a Solaris – Sun machine). Each of these servers are, independent machines with vanilla installs of the operating system. The servers are not running the latest operating systems nor have they been patched. These machines have publicly accessible addresses and hence can be access from the Internet. The servers are commodity x86 boxes or servers that have been acquired through various means i.e. the Sparc Station was purchased from Ebay by some employee’s who wanted to learn Solaris and the Mac, well it was purchased because there is a Mac head in the organization who really loves Mac’s. There is no maintenance on either the hardware or software. Some of the servers are over five years old e.g. the Sparc Station. CSCI322/MCS9322 Spring Session 2015 – Assignment Four Page 3 Services and Data The servers store the following; 1. Home directories, 2. Mail, 3. Database objects for various development and production environments (for various departments), 4. Active Directory Meta Data Object, 5. Project Build and Information Directories, 6. Code Versioning System (CVS) Data/ Directories, 7. Corporate Finance and Personnel Data, 8. Web Page Data. This data is stored on disks in a number of different boxes. For example the Mail Exchange server stores mail on a internal disk. Where as the Oracle Databases are kept on the oracle servers using a number of disks. The Oracle server also plays home to most of the corporate data. Project Build and CVS data are kept on the development server, which web pages are kept on the web server. Most services are only used within the organization, however the organization does have a internet presence via its web page and mail server. Despite this some developers work from home in the evenings and access some services e.g. CVS from there home workstation. You can assume there is no redundancy/ fail over in the disks hence if a disk goes bad, that data is lost and the service associated with it fails. The most important data is the organizations data (mail, web and corporate finance/ personnel data), project builds and CVS information. The integrity of this data must always be preserved. In terms of services the most important service are the web page, email service and CVS infrastructure. Server Administration. Most of the staff in the organization knows the root/ administration passwords to the servers. Most of the administration of the hosts is done via the network using tools such as telnet and rsh. It should be noted that all users have accounts on every server regardless of if they are admin’s. The administrators do a bad job of administering these machines, as disks are often filling up and there are lots of active but unused accounts (because people leave the organization). The organization depends on the services offered by its servers so very much for its business but there is nothing in place to monitor them. System administration here is basically fire fighting. External hackers have compromised some desktop machines in the past. The administrators are reasonably confidant that the servers have no been compromised yet (this is probably sheer luck but they are unsure about this). That said when a host is compromised; the administrators merely disable the hack and continue to allow the machine to be used. Most compromises are noticed too late i.e. well after they have been done. Security. The organization does not have a firewall or any other security system in place. Currently all services offered by the servers are accessible via the Internet. There is no email/ virus protection in this organization. CSCI322/MCS9322 Spring Session 2015 – Assignment Four Page 4 Backup and Disaster Recovery. The organization does not have any backup or disaster recovery systems/ procedures. Network and Physical Location. The servers and core network infrastructure are located in common workspace as other infrastructure and employee’s of the organisation. In addition to this the servers are on the same networks as user workstations and there is no network security. The organization is connected to the Internet via a ADSL modem connected to a router. The router connects to a several 10mb hubs, which provide access to the staff (there is only one LAN). Individual Workstations & Passwords Each employee has a desktop computer. Most of the computers are running a vanilla install of a Windows like operating system that has not been patched since install. Employees keep corporate data on these hosts in their home directory, which is not backed up. In addition to this everyone has administrator privileges to their workstation. As the environment is relaxed, a user can have accounts on other employee computers possibly using the same or different password. The organization has no hard and fast rules about passwords; infact the most common password used is the person’s name. These passwords are also indicative of what is used on the server machines. Place your answer for this in a file called ass4task1.pdf. Part Two (3 Marks) Lets imagine you work for the Australian Nuclear Science Technology Organisation (ANSTO). ANSTO’s primary business is to manage its Nuclear facilities and perform scientific research. Information Technology at ANSTO is controlled by the Division of Information Technology. ANSTO employ’s a number of administrators to maintain IT resources across site – this includes production systems which offer services and user workstations. In addition to this ANSTO employs on a full/part time basis a number of staff to perform operational roles in various units such as Reactor Operations, HR and Payroll. There are currently 1000 operational staff. Some staff are employed under fixed term contracts whilst others may be contractors to ANSTO i.e. they own a business and contract to the organization. That said from time to time people would need Administrator privileges to Enterprise systems or workstations. We need a guideline to decide who, when and why someone should receive these privileges. By default everyone is given normal user privileges. You are employed as the Security Advisor for the organization. The task that is handed to you by the Chief Information Officer now is to write a guideline for the granting of privileged accounts to users. When granting privileges such as the administrator account you really need to think of the role and type of employment of the individual. You also need to think about the attributes this individual must possess and CSCI322/MCS9322 Spring Session 2015 – Assignment Four Page 5 the requirements they must have met. How will you implement this? For example if a person from HR wants the administrator account to their desktop computer – what would you do? What if they wanted administrator privileges to a production system? What if a person who is responsible for Information Technology wants administrator accounts to a desktop workstation or production – what would you do, would you always grant them this right? In your guideline you should: 1. define the intent of the guideline 2. any definitions which are used through out the document. 3. responsibilities of individuals i.e. those who enforce the guideline 4. rationale for the guideline 5. scope of the guideline i.e. who and what it effects and then: define the actual guideline itself. You should note that ANSTO has a Chief Information Officer responsible for Information Technology across the site, and an IT security advisor responsible for the formulation of such policies. The IT Security advisor is responsible for enforcing this guideline. Your job is to write the policy for the above scenario. You can do this task in groups of 3 or 4 but ideally I’d prefer you to do it on your own. Place your answer for this in a file called ass4task2.pdf
-
- Assignment status: Resolved by our Writing Team
- Source@PrimeWritersBay.com
Comments
Post a Comment