How an Access Rights Manager Improves Cybersecurity

Have you ever “proofread” something you’ve written without the computer’s spell checker or grammar checker on? Risky business. Most people simply cannot see their mistakes. In fact, the brain fills in the corrections and it is easy to miss the error.

Your IT staff probably needs help

Servers do not have spell checkers, grammar checkers or any native equivalent for server configuration. Additionally, many server IT staff groups are small, so very little cross-checking is performed and the IT staff must proof-check their own work. Unfortunately, techniques that work on written text, like “reading backwards,” simply do not work here.

Setting up a server is similar to proofreading

Generally, IT professionals are extremely accurate. But like proofreading, when setting up our own work it can be difficult to see our own mistakes. In the area of Information Technology, a specific area of concern is in the setup and implementation of “User Access Rights.”

This area defines what users have access to, and where, on the server. In most cyber-secure systems (NIST SP800-172), the definition of “User Access Rights” is simple and limited to a “need to know basis.” But it can become very complex when multiple paths grant access to the same information, and as employees are hired, take on new job roles, go on leaves of absence or are terminated.

The tools native to many server operating systems are clear-cut, but IT professionals need to be well trained to read the subtle differences in icons that indicate an account’s status, and they must also keep track of the employment status of each staff member. Missing a detail in “User Access Rights” is a much bigger deal than missing a typo.

Active Directory provides security access

Windows servers use a directory service called Active Directory (AD). This is the operating system component that defines the security access a user has on a server. It controls any changes to Users, Groups, Shares, Computers, and many other objects.

For simplicity’s sake, this is where a Server Administrator would create a user account, reset a password, or grant any type of access to a user. It is a very complex area where Group relationships are linked together in a Parent-Child format. This format can span many generations, making it easy for mistakes to be made — for example, where a grandchild is also the parent of the grandfather, so that membership loops back on itself. This error is called “Group in Recursions.”

Active Directory is easy to use, but sometimes hard to visualize. Subtle changes in icons denote conditions like “active and inactive accounts.”

To provide a more graphical representation, designed to detect errors and anomalies, an Access Rights Manager can be used. It is another tool to provide insight — with visualization — into the interactions of Groups, Users and Computers.
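The nesting loop described above can be found mechanically by walking the group graph. The following is an added illustration, not code from the original article or from Protomatic’s tooling; the group and user names are constructed sample data, and groups are identified by a hypothetical “G_” prefix.

```python
from collections import deque

# Constructed sample (not a real domain): group -> its direct members.
# Names starting with "G_" are groups; anything else is a user account.
# The first three entries deliberately form a nesting loop:
# G_Finance -> G_Audit -> G_Managers -> G_Finance.
NESTING = {
    "G_Finance": ["alice", "G_Audit"],
    "G_Audit": ["bob", "G_Managers"],
    "G_Managers": ["carol", "G_Finance"],
    "G_Engineering": ["dave", "G_Interns"],
    "G_Interns": ["erin"],
}

def find_group_recursions(nesting):
    """Return each circular nesting chain as a list such as [A, B, C, A].
    Depth-first walk over parent -> child edges; meeting a group that is
    already on the current path means a descendant is also its own
    ancestor (the "grandchild is the parent of the grandfather" case)."""
    cycles, path, done = [], [], set()

    def walk(group):
        path.append(group)
        for member in nesting.get(group, []):
            if not member.startswith("G_"):
                continue                      # user accounts cannot nest
            if member in path:                # back edge: closes a loop
                cycles.append(path[path.index(member):] + [member])
            elif member not in done:
                walk(member)
        done.add(path.pop())

    for group in nesting:
        if group not in done:
            walk(group)
    return cycles

def effective_users(nesting, group):
    """Every user account that inherits the group's access at any nesting
    depth. The seen-set keeps the walk finite even when a loop exists."""
    users, seen, todo = set(), {group}, deque([group])
    while todo:
        for member in nesting.get(todo.popleft(), []):
            if not member.startswith("G_"):
                users.add(member)
            elif member not in seen:
                seen.add(member)
                todo.append(member)
    return users
```

Running `find_group_recursions(NESTING)` reports the Finance/Audit/Managers loop, and `effective_users` shows who actually inherits a group’s access, which is the view a reviewer needs when several paths lead to the same resource.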

ARM Server Software is the solution

To help identify and resolve possible errors, Protomatic has installed special software called an Access Rights Manager (ARM). This software compares the current state of the directory against a benchmark and raises alerts for “new accounts” or changes to existing accounts. It also keeps a historical log of AD changes, which supports cyber security requirements such as NIST SP800-172 and Cybersecurity Maturity Model Certification (CMMC).

Software tools used at Protomatic offer one more way to provide a high cyber-hygiene workspace, and document specific changes to Active Directory. It is one of the best approaches to improving industry resilience to cyber-attacks and protecting our customers and our sensitive information.

About the author: Doug Wetzel is Vice President and General Manager of Protomatic. Protomatic is a CNC precision machining shop specializing in prototype and short-run production components for the medical, aerospace and other technical industries. Because of the critical nature of the parts they design and manufacture, the emphasis is always on Life-Saving Precision.