best practice

Onega March 2016 Planned Engineering and First Focus on DNS

This is to let you know about some March Planned Engineering and Service Updates - and our first 'Bono Pastore' Focus area. Please see the background and overview of the program at http://www.onega.net/blog/2016/03/2/bono-pastore if you're not yet aware of this.

Our first best practice focus is going to be on DNS (Internet Domain Name Services) and making sure that client systems (as well as our own) are in line with best practice in this area.
 

In business terms:

DNS is the system that allows us to register Internet domains for our organisations and to browse the web and send emails with friendly names like www.bbc.co.uk, www.onega.net and fred@onega.net etc. So much relies on DNS that we take it for granted much of the time – and, when it is well implemented, so we should.

Being such an important system, we want to make sure that client implementations are optimal in three key areas relating to DNS:

Domain Registrations – This is the administration of your domain and the registration of it. We want to help make sure that all the details related to your domains are up to date, correct & appropriate, not due to expire any time soon etc.

Internal Resolution – This is how client and server computing devices carry out Internet resolution so that you can connect to the Cloud quickly, reliably and safely (see Secure DNS Services for more on this).

External Resolution – This is how people find your organisation and services on the Internet – to know where to send you email, browse your website and communicate via electronic means etc. It is important that this service be provided robustly and reliably.

Our objective is to conduct a review to ensure that these aspects of DNS are all well implemented across our client organisations.

The next steps are:

We will be in contact with clients over the coming weeks to ensure that we run through your DNS configuration with you. Don’t worry if you’re not technical – we are happy to take care of those parts. We have a checklist which we’ll complete with you so that we capture the key information about your domains, and identify any areas that need attention so that we (you or us, as per preference) can work to resolve these and get them checked off.

For clients under Onega managed services contracts we'll liaise with you and do most of the running on this to help make sure your DNS is good and documented. For clients with whom we have PAYG agreements we can agree with you who will do what, with the aim that we make sure all your services are robust.

Expect us to be in touch soon then about next steps and starting the process. If you are not under contract with Onega (or not sure) and would like to engage in the DNS best practice review process then please do get in touch and we’ll be happy to add you to the review roster.

For reference:

Internet DNS Best Practice Policy – http://intwiki.onega.net/index.php?title=Internet_DNS_Configuration_Best_Practice_Policy

Organisational DNS Checklist - http://intwiki.onega.net/index.php?title=Organisational_DNS_Checklist

For information on Secure DNS Services:

http://www.onega.net/blog/2015/6/4/the-importance-of-using-secure-dns-servers

If you don’t have a login for Onega’s Policy and Procedure wiki then please get in touch and we’ll set up access for you.

Technical changes that will occur on Onega Infrastructure:

Tuesday 22nd March 2016 12:00 (Midday) GMT - We will be changing the configuration of our two legacy DNS servers 81.3.75.71 and 81.3.75.72 to no longer act as recursive resolvers. Thus any computers or servers that are using these servers for DNS will need to be updated to use alternate (e.g. Secure DNS) servers before this cut-off date.

Tuesday 12th April 2016 12:00 (Midday) GMT - We plan to turn off these two DNS servers - thus any zones hosted on these servers will need to be moved before that time. We have new servers in place to take the zones, and migrations will be done as part of, and in conjunction with, the best practice review process – the new DNS servers being more best practice compliant than our legacy servers.

Why are we making these changes?

In short, so that we also comply with our own guidelines for Best Practice, but in more detail:

1) Comply with best practice - Recursive DNS Servers (ones that do lookups for client PCs) should be split off in role from ones that host DNS Zones.

2) For best security and to maintain best performance of the service - Recursive resolvers can be abused in DNS Amplification attacks (see https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html if you're interested to learn more).

3) So that we make sure all clients are resolving securely to the Internet and to retire an older Windows Server 2003 DNS Server which is coming towards end of life.
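
An added example (not Onega's own tooling) of checking that a DNS server no longer offers recursion, as planned for the two legacy servers: it sends a query with the recursion-desired bit set and reads the RA (recursion available) flag in the reply, and also reports the reply-to-query size ratio, which is the property reason 2 is concerned with. The function names, the test name www.example.com and the sample replies are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1A2B):
    """A-record query with RD (recursion desired) set, as a client PC would send."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def classify(query, response):
    """Decide from the response header whether the server recursed for us."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    ra, aa, rcode = bool(flags & 0x0080), bool(flags & 0x0400), flags & 0x000F
    if aa:
        verdict = "authoritative"   # name is hosted on this server; test with another name
    elif ra:
        verdict = "recursive"       # server offers recursion to this client
    else:
        verdict = "not-recursive"   # e.g. REFUSED or a bare referral
    return {"verdict": verdict, "rcode": RCODES.get(rcode, str(rcode)),
            "answers": ancount, "amplification": round(len(response) / len(query), 2)}

def probe(server, name, timeout=3.0):
    """Send the query over UDP port 53 and classify the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return classify(query, response)

def sample_response(query, flags, answers=0):
    """Constructed reply for offline use: echoes the question, adds A records."""
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = query[:2] + struct.pack("!5H", flags, 1, answers, 0, 0)
    return header + query[12:] + rr * answers

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(classify(q, sample_response(q, 0x8180, answers=1)))  # QR+RD+RA, NOERROR
    print(classify(q, sample_response(q, 0x8105)))             # QR+RD only, REFUSED
```

Run probe() against a server you administer, before and after the change, with a name it does not host; the verdict should move from recursive to not-recursive.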

What happens if I don’t have best practice DNS?

We don’t want to scare anyone but if you don’t comply with best practice then you risk (in the worst case):

  1. Losing your domain or having it suspended.
  2. Not being able to access the Internet
  3. Not being able to send or receive email
  4. Clients getting redirected to phishing or competitor’s websites and email going the same way.
  5. Being unprotected at DNS level against infected websites.

The above are worst case scenarios but we aim to greatly reduce the risk of occurrence by complying with best practice with regards to your domains.

Once we've been through the review process with you the outcome should be that we can all sleep easier knowing that the DNS aspect of your IT is in very good order.

The Importance of Using Secure DNS Servers

All good IT administrators know that maintaining a secure, productive and supportable computing environment means considering (and implementing) security at many levels. There is a whole load more to it than just installing a virus scanner on all your computers (though deploying a good antivirus and anti-malware solution is of course one element in this). Ideally you'll have Endpoint protection for AV and Malware on all desktops, laptops and servers (Onega tend to recommend and use Kaspersky, AVG and MalwareBytes depending on use case), but also a secure firewall (e.g. a good Watchguard XTM or similar unit) and external cloud based email filtering to reduce the risk of anything untoward getting into your network in the first place.

One thing we are also now recommending (aside from reminding people about limiting use of full admin rights to a PC - see http://www.onega.net/blog/2015/6/4/are-you-logged-in-with-admin-level-credentials-on-your-computer-right-now ) is to set your external DNS servers to be secure servers.

In QA format - here you are:

Q. What is the difference between Secure and Non-Secure DNS Servers?
A. In this context, the answer is that a standard or non-secure DNS server does a good job of DNS resolution and turning your request for http://www.randomwebsite.com/ into the IP address (143.95.83.184 in IPv4 land as I type) that hosts the site for your web browser to connect to or your email to be delivered to etc. The resolution process is simple, fast and robotic and the DNS server will cache entries for fast response or look them up for you recursively from first principles and the Root DNS Servers. When the server has the result then it gives it to you. A secure DNS Server adds an extra level of security to this process. It will look up websites and Internet addresses, but before giving you the result, it will check whether the IP address is of known good or known bad reputation (or check it with a virus scanner first); such that if the site is deemed clean then your computer is given the IP address in the blink of an eye. If the site is one that you'd probably be glad not to be visiting, then the DNS server will redirect you to a harmless web page which will let you know why you are there.

Q. Put simply, what is the benefit of secure DNS?
A. It helps reduce the risk of accidentally browsing to an undesirable website that might otherwise have tried to install malware or other junk on your computer. Thus you are very likely to save hard money through reduced downtime and lost productivity, and also through less time (and cost) spent fixing a machine that would otherwise have been affected.

Q. Which Secure DNS Servers do we recommend?
A. The two main contenders at the moment for secure DNS are:

Comodo Secure DNS: 8.26.56.26 and 8.20.247.20
(See https://www.comodo.com/secure-dns/index.html )

OpenDNS: 208.67.222.222 and 208.67.220.220 (others are available on premium packages - these are free for public use)
(See https://www.opendns.com/ )

Q. How do we implement Secure DNS?
A. Make note of the DNS server addresses above, and either set these individually on a PC / laptop (if not in an office environment) or else set these servers as the DNS Forwarding servers on a Linux / Windows / Mac Server DNS server in an office environment. DHCP should give out DNS servers that relate to these (or actually give the addresses out if you don't have an Active Directory environment).
.. or just ask Onega of course and we can help configure these for you quickly.

Q. Is there a Cost?
A. If you are a business then it is of benefit to subscribe to one of the premium services which has a modest charge but this is of relatively trivial level and soon, anecdotally, pays for itself. The premium services also give you the confidence of an SLA as well as extra features. On the setup / installation / configuration of secure DNS in your environment, Onega would do this for you, either free if you are under a proactive maintenance agreement with us, or based on our standard PAYG time charges (it would normally take no more than an hour on the average client network servers and firewalls, unless you have a really big system).

Q. What about Google's DNS - is that Service Secure? (8.8.8.8 and 8.8.4.4)
A. No, not in the sense being discussed here. Google being Google, that is likely to change over time.

 

Are you logged in with admin level credentials on your computer right now?

If you are reading this then there is a fair chance that you're categorised as a 'power user' or a full administrator on your IT systems. There is also a fair chance that right now, you may be logged in with an account that has admin rights to your local machine.

If you ask someone: 'Do you need admin rights on your computer?'; the answer, 90% of the time, is: 'Yes, I could not work without this'. Psychologically, we all like to have the power of full admin control to our own computers all the time. If you are used to having full admin rights to a local machine then this is hard to give up, and giving this up can be akin to giving up smoking, gambling, etc. Admin rights are addictive!

There is a strong case for best practice (basically not disputed) for having permissions set on the basis of least required permissions. Part of this is making sure that you only use the login / admin / access rights that you need at the time. For normal day to day use, we should only be logging into a computer with 'user level' access.

The reasons for this are many and whilst you probably already know these, the key ones are worth reiterating:

1) Reduced Malware Surface and Risk - By using a user level permission account in day to day use, you minimise the impact of any malware that you may inadvertently come across while browsing the web etc. Whilst there may be some malware that can very cleverly bypass permissions on a computer, or exploit zero day flaws, assuming your computer is up to date, then you reduce the attack surface (and hence risk of contracting malware, viruses and APTs (Advanced Persistent Threats) on your computer) by about 95% by using user level rights most of the time.

2) Regulatory Compliance - Nearly every IT security and relevant industry regulation standard specifies that organisations should adopt the principle of 'Least Privilege'. This includes UK PCI DSS standards, ISO27001, Sarbanes Oxley, UK Financial Conduct Authority (FCA was FSA) etc. This covers not only compliance from the security standpoint, but also compliance with company IT policies - for example, with company software licencing and authorised software. If a user does not have admin rights then they can't install a bit of software which is not approved or licenced. Thus, administrators and company managers can be confident that there are not any hidden liabilities around and that change control is maintained. We've seen many occasions when a user might install a piece of software that either 1) has a hidden (and very undesirable) payload or 2) causes unexpected repercussions if, for example, it installs DLLs that then cause other software to run less reliably - which may not be easy to diagnose as the problems might not appear straight away and sometimes are only cured by a restore from image backup or at worst require complete PC rebuild.

3) Evidence Proves the Point - Analysts such as Gartner have proven that statistically, if you remove admin rights from most users, then you reduce security breach incidences, but also save money and wasted time in IT support. Having least privilege makes for a more supportable, reliable, productive and hassle free environment, and with lower support cost through both reduction in direct support costs, and lost time in productivity if a user is unable to work for a while.

If you want a second, third or fourth opinion on this, Google 'IT security best practice for least permission' or look at other blog entries like http://blogs.gartner.com/neil_macdonald/2011/08/23/the-single-most-important-way-to-improve-endpoint-security/  - who make the point well also.

So how do we address this practically?

The first thing is to admit that we have a problem and accept that you may be an 'adminrightsoholic' personally or indeed even suffer from endemic CEPS - Corporate Elevated Permission Syndrome to coin a phrase or two.  You know you have admin rights, that others have full admin rights, and that you should give these up in every day use - you could give them up but you choose not to. Maybe you should stand up right now and state to the office that 'I'm an adminrightsoholic and I'm admitting this as the first step to changing my ways. I know it is not going to be easy and I'm going to ask for your support as trusted colleagues in getting through this tough time for the benefit of myself and the company. Will you join with me in this righteous journey?'

The key is to take things one step at a time, and learn to live with user permissions one day at a time.

The first steps:

We can address this personally and across a company. In taking Gandhi's words to heart that you should 'be the change you want to happen' the first place to start is on your own desktop or laptop computer.

If you are an administrator in a company, or genuinely (in this word is a world of debate and access to regression) need access to admin functions on your computer, then the best thing will be to create (if you don't have one already) a separate local admin account on your computer e.g. if you are BobP and this is your normal login, then you could perhaps create an account called 'bobpadmin' or suchlike. Both your new and normal accounts should have secure passwords (complex passwords which are not easy to guess, not Password123 etc.). Give the new admin account full local machine admin rights. Then log out of your normal account and log in with the admin account. Remove admin rights from your normal user account (on the local machine), such that you are only a User (or a member of any other special groups you need). Then log out of the admin account and back in with your now only regular user level account. Congratulations; you just went cold turkey on desktop admin access on your Windows PC. Continue to work as normal and you can feel smug that you've given up your full admin permissions in day to day use. If and when you need to install software on your machine then you can; but run the installer as your admin account.

You'll find that actually everything works fine. In reality we don't install software very often so you'll only rarely need to enter the higher level account details for elevated permissions. If you're still considering all this, ask yourself when you (knowingly) last installed a piece of software on your computer.

As I type this I can admit that 'I used to be an adminrightsoholic' and now I've turned a leaf. It was hard to do it but now I'm glad I have and like many things, this is something I should have done long ago. I can now be the most annoying type of reformed addict who can evangelise to the world about the benefits of giving up.

At the wider corporate level though, it is important that users and rights are documented and set on the principle of least permission. Some users may genuinely need admin rights, but it is best if the dual account method is used here to minimise use of elevated rights. This includes very senior network admins, who should likely also have both a user level and an admin account so that things are done the right way and in the right place. If you are an Onega client then you'll have access to our Policies and Procedures Wiki Site where you can see formal policies for some of these. See http://intwiki.onega.net and the relevant section on this. If you don't have access to this and are a current client then feel free to contact us by any means at http://www.onega.net/contact. If you're not a current client, we'd love to chew the fat and talk IT and about you becoming one :-)

Some advanced solutions exist to manage elevated permissions and remove various back door risks and human risks including Avecto and ViewFinity. However, beginning with the simple steps above is a good start. If there is enough demand, we'd be happy to run support group sessions for recovering adminrightsoholics where you'll be amongst friends.

Wishing you happy and safe computing but bear in mind that, just like all the best fictional characters, IT superheroes should remember that whilst it is great to have superpowers, you should: only use them when you really need to, only use them for good and keep them hidden at all other times.