Task: Patching
Tools to Identify and Classify Systems:
  • FileMaker Pro (find functionality)
  • Active Directory CM
Potentially Useful Classifications:
  • In AD (thus, have CM) and networked
    • Patched automatically and fully
    • Not automatic - provide reason
  • Not in AD and networked
  • Airgapped (no recent, live data)
Remediation Strategies:
  • If not automatic, make automatic. Else:
    • Document as justifiably non-compliant.

Task: Encryption
Tools to Identify and Classify Systems:
  • FileMaker Pro (find functionality)
  • Active Directory CM
  • LastPass keys
Potentially Useful Classifications:
  • Encrypted & required
  • Encrypted & not required
  • Not encrypted, but required
  • Not encrypted & not required
Remediation Strategies:
  • Primary concern: "not encrypted, but required" systems. Must make compliant. Any way to automate such systems' encryption?

Task: Screen Lock
Tools to Identify and Classify Systems:
  • FileMaker Pro (find functionality)
  • Active Directory CM
Potentially Useful Classifications:
  • Networked
    • 10-space
    • Full IP Address
  • Not networked
Remediation Strategies:
  • Current solution: manually verify non-networked systems for screen lock compliance.

Understanding Main Considerations

...

  1. To identify which critical computers are in Active Directory without "Managed Update"; and
  2. To identify which critical computers are not in Active Directory, for those are the systems whose patching status cannot be automatically verified.

Current Solution to Patching Concern #1

As of early October, 2017, there were 111 critical computers with Managed Update. Therefore, to answer how many critical computers are in AD but not undergoing Managed Update, all that is needed is to subtract 111 from the number of critical computers in AD. This can be done by searching the inventory for critical computers that follow the "AS-" naming convention (which means the system is in Active Directory) and subtracting 111 from the number yielded by the search. The resulting number is the answer to how many systems fall under concern #1.

To generate the list, assuming the inventory search is dependable, perform the above search and export it to an Excel file. Then bring into that file the list of systems undergoing Managed Update and compare the two. The number of systems in the search that are not in Managed Update should equal the number of systems in the search minus the number of systems in Managed Update (111 as of early October, 2017).

Current Solution to Patching Concern #2

To identify which critical computers are not in AD, simply perform an inventory search for critical computers that don't follow the naming convention (resulting number as of October 20, 2017: 313). The resulting count should equal the number of critical computers (596) minus the number of critical computers in AD (283), i.e. 596 - 283 = 313.

...

  1. Finding out which non-excepted critical computers are not in AD
  2. Finding out which excepted critical computers are in AD and are encrypted.

Current Solution to Encryption Concern #1

Simply perform a search of critical computers whose function is not instrumentation or virtual machine and whose machine name does not follow the naming convention (starting with "AS-"). This yields a tentative list of computers we should be concerned about: their encryption status cannot be verified because they are not in AD, and they are not excepted, so they must be remediated if not compliant.

Current Solution to Encryption Concern #2

This will require getting a list from AD of all critical computers that are encrypted and generating an Excel file from inventory of all critical computers whose function is not instrumentation or virtual machine and whose machine name follows the naming convention. Then, match up the two lists and find out which systems they have in common to solve concern #2.

Screen Lock

5.10 mandates that all computer systems not in a secure, private space run a password-protected screen saver that is automatically triggered after 15 minutes of inactivity.

Our main effort, then, will be to eliminate systems that are typically in secured locations (such as instrumentation machines) from our search, so as to refine which systems are at the most risk and therefore need more immediate attention for remediation. Thus, our primary concern is the following:

  1. Find out which non-secured critical computers are not in AD.

Current Solution to Screen Lock Concern #1

So far, we know to conduct a standard search of critical computers not in AD, with the caveat that they also must not be instrumentation machines (as these are typically secured).
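The inventory-versus-AD comparisons described for the patching, encryption and screen lock concerns above can be automated instead of reconciled by hand in Excel. The following is an added example, not the team's own tooling; it assumes a CSV export of the inventory with "name", "critical" and "function" columns, and name lists from Active Directory for Managed Update and encryption status (all sample data below is constructed).

```python
import csv
import io

# Constructed sample inventory export (columns assumed: name, critical, function).
INVENTORY_CSV = """name,critical,function
AS-LAB01,yes,workstation
AS-LAB02,yes,workstation
AS-SEQ01,yes,instrumentation
LAB-OLD1,yes,workstation
SEQ-CTRL,yes,instrumentation
VM-BUILD,yes,virtual machine
OFFICE9,no,workstation
"""
MANAGED_UPDATE = {"AS-LAB01"}            # constructed: systems under Managed Update (from AD CM)
AD_ENCRYPTED = {"AS-LAB01", "AS-SEQ01"}  # constructed: systems AD reports as encrypted

EXCEPTED = {"instrumentation", "virtual machine"}  # functions excepted from encryption


def load_critical(text):
    """Return only the rows flagged critical in the inventory export."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r["critical"].lower() == "yes"]


def in_ad(row):
    # Page convention: a machine name starting with "AS-" means the system is in AD.
    return row["name"].upper().startswith("AS-")


def classify(inventory_csv, managed_update, ad_encrypted):
    """Build the per-concern lists the page derives from inventory and AD searches."""
    crit = load_critical(inventory_csv)
    ad = [r for r in crit if in_ad(r)]
    not_ad = [r for r in crit if not in_ad(r)]
    report = {
        # Patching #1: in AD but not undergoing Managed Update
        "patch_1": sorted(r["name"] for r in ad if r["name"] not in managed_update),
        # Patching #2: not in AD, so patch status cannot be verified automatically
        "patch_2": sorted(r["name"] for r in not_ad),
        # Encryption #1: non-excepted and not in AD (must be remediated if non-compliant)
        "enc_1": sorted(r["name"] for r in not_ad if r["function"].lower() not in EXCEPTED),
        # Encryption #2: excepted, in AD, and reported encrypted by AD
        "enc_2": sorted(r["name"] for r in ad if r["function"].lower() in EXCEPTED
                        and r["name"] in ad_encrypted),
        # Screen lock #1: not in AD and not an instrumentation machine
        "lock_1": sorted(r["name"] for r in not_ad if r["function"].lower() != "instrumentation"),
        "counts": {"critical": len(crit), "in_ad": len(ad)},
    }
    # Same sanity check the page performs: not-in-AD count = critical - in-AD.
    assert len(report["patch_2"]) == report["counts"]["critical"] - report["counts"]["in_ad"]
    return report


if __name__ == "__main__":
    for concern, names in classify(INVENTORY_CSV, MANAGED_UPDATE, AD_ENCRYPTED).items():
        print(concern, names)
```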

Remediation

Edge Cases

After we have gathered enough information and have started/almost finished remediation on critical computers of primary concern, then we can deal with edge cases, including: other operating systems, exceptions, etc. We simply need to focus our efforts on more important considerations before having a complete implementation of the policies.