
Reading Room



System Administration

Featuring 42 Papers as of December 5, 2017

  • The Effectiveness of Tools in Detecting the 'Maleficent Seven' Privileges in the Windows Environment Graduate Student Research
    by Tobais McCurry - December 5, 2017 

    Windows privileges (user rights) add to the complexity of Windows user permissions. Each additional user added to a group could lead to a domain compromise if the group's effective rights are not evaluated. Privileges can override permissions, opening a gap between perceived and actual effective permissions. Currently, system administrators rely on tools such as Security Explorer, Permissions Analyzer for Active Directory, or Gold Finger to help with this problem. An analysis of these three tools is needed to give administrators a window into these complex effective permissions. The research found a gap in the current tools' ability to identify users holding privileges; the author filled this gap with PowerShell.
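The gap the abstract describes is that permission analyzers walk ACLs but do not show who holds user rights, which are assigned in local security policy rather than on objects. As an added example (not the paper's PowerShell and not any of the three tools named), the script below reads the `[Privilege Rights]` section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and reports every principal outside an expected baseline that holds one of a watch-list of dangerous rights. The INF text, the watch-list and the baseline are constructed for the example; the watch-list is an assumption and is not claimed to be the paper's seven.

```python
"""Report non-baseline holders of sensitive Windows user rights from a
secedit INF export. Added example; sample data below is constructed.
"""
from collections import defaultdict

# Constructed sample of a `secedit /export /cfg out.inf /areas USER_RIGHTS`
# file. secedit writes SIDs with a leading '*' and resolvable names as-is.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,CORP\\svc_backup
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
SeTcbPrivilege = CORP\\svc_legacy
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed watch-list: rights that let the holder reach SYSTEM or bypass ACLs
# on disk. This is the example's choice, not necessarily the paper's seven.
SENSITIVE = {
    "SeDebugPrivilege": "attach to any process, including LSASS",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode code",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeImpersonatePrivilege": "impersonate client tokens",
}

# Well-known SIDs that appear in the sample; a real run would translate the
# rest with LookupAccountSid / Get-ADObject.
WELL_KNOWN_SIDS = {
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Assumed baseline: principals expected to hold sensitive rights. Anyone else
# holding one is a finding the administrator has to explain.
EXPECTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE",
            "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICE"}


def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = []
        for tok in value.split(","):
            tok = tok.strip()
            if not tok:
                continue
            if tok.startswith("*"):          # SID form: resolve what we can
                tok = WELL_KNOWN_SIDS.get(tok[1:], tok[1:])
            principals.append(tok)
        rights[name.strip()] = principals
    return rights


def sensitive_holders(inf_text):
    """Map each principal to the set of watch-listed rights it holds."""
    holders = defaultdict(set)
    for priv, principals in parse_privilege_rights(inf_text).items():
        if priv in SENSITIVE:
            for principal in principals:
                holders[principal].add(priv)
    return dict(holders)


def findings(inf_text):
    """Principals outside the baseline that hold a watch-listed right."""
    return {p: sorted(privs) for p, privs in sensitive_holders(inf_text).items()
            if p not in EXPECTED}


if __name__ == "__main__":
    for principal, privs in sorted(findings(SAMPLE_INF).items()):
        for priv in privs:
            print(f"{principal:30} {priv:26} {SENSITIVE[priv]}")
```

On the constructed sample the report flags Backup Operators (backup and restore rights together amount to read/write of every file), the `svc_backup` and `svc_legacy` accounts, and Print Operators holding `SeLoadDriverPrivilege`; Administrators is suppressed by the baseline, and `BUILTIN\Users` with only `SeShutdownPrivilege` is not reported. Because a right granted to a group flows to every nested member, the next step in practice is expanding each flagged group recursively, which is exactly what the ACL-centric tools in the abstract leave out.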

  • Security Assurance of Docker Containers Graduate Student Research
    by Stefan Winkle - November 22, 2016 

    With recent movements like DevOps and the shift toward application security as a service, the IT industry is in the middle of substantial changes in how software is developed and deployed. In the infrastructure space, we see the uptake of lightweight container technology, while application architectures are moving toward distributed microservices. There has been a recent explosion in the popularity of package managers and distributors like OneGet, NPM, RubyGems and PyPI. More and more software development depends on small, reusable components developed by many different developers and often distributed by infrastructure outside our control. In the midst of this, we often find application containers like Docker, LXC, and Rocket used to compartmentalize software components. The Notary project, recently introduced in Docker, is built on the assumption that the software distribution pipeline can no longer be trusted. Notary attempts to protect against attacks on the distribution pipeline by attaching signed trust, with separation of duties among the signing keys, to the Docker content being distributed. In this paper, we explore the Notary service and take a look at security testing of Docker containers.

  • Node Router Sensors: What just happened? by Kim Cary - November 22, 2016 

    When an airliner crashes, one of the most important tasks is the recovery of the flight recorder or black box. This device gives precise and objective information about what happened, and when, before the crash. When an information security incident occurs on a network, it is equally important to have access to precise information about what happened to the victim machine and what it did after any compromise. A network of devices can be designed, economically constructed and managed to automatically capture and make available this type of data to information security incident handlers. In any environment, this complete record of network data comes with legal and ethical concerns regarding its use. Proper technical, legal and ethical operation must be baked into the design and operational procedures for devices that capture information on any network. These considerations are particularly necessary on a college campus, where such operations are subject to public discussion. This paper details the benefits, designs, operational procedures and controls, and sample results of the use of "Node Router Sensors" in solving information security incidents on a busy college network.

  • eAUDIT: Designing a generic tool to review entitlements Graduate Student Research
    by Francois Begin - June 22, 2015 

    In a perfect world, identity and access management would be handled in a fully automated way.

  • Inside Mac Security by Ben Knowles - March 19, 2014 

    Apple, Inc.'s OS X family is both the result of decades of operating system development and a collection of systems and features from many other systems combined with many unique ideas and implementations.

  • Systems Engineering: Required for Cost-Effective Development of Secure Products by Dan Lyon - October 8, 2012 

    Security of data and systems is critical to consider during development of a complex system, and by taking a systems approach, secure design can be achieved in a cost effective manner.

  • Privileged Password Sharing: "root" of All Evil Analyst Paper (requires membership in community)
    by J. Michael Butler - February 12, 2012 

    This paper addresses the issue of managing privileged accounts and offers advice on how to move toward better centralization of privileged account management.

  • Securing Blackboard Learn on Linux by David Lyon - December 1, 2011 

    Blackboard Learn (Bb Learn) is an application suite providing educational technology to facilitate online, web based learning. It is typical to see Bb Learn hosting courses and content. Common add-ons include the Community and Content systems which are licensed separately.

  • Securely Deploying Android Devices by Angel Alonso-Parrizas - September 23, 2011 

    Nowadays it is necessary for most companies to provide e-mail/Internet access to employees outside of the office, hence many businesses provide their staff with BlackBerrys, iPhones, Android or other smartphones with Internet connectivity.

  • Application Whitelisting: Panacea or Propaganda Graduate Student Research
    by Jim Beechey - January 18, 2011 

    Every day, organizations of all sizes struggle to protect their endpoints from a constant barrage of malware. The number of threats continues to increase dramatically each year.

  • Keys to the Kingdom: Monitoring Privileged User Actions for Security and Compliance Analyst Paper (requires membership in community)
    by Dave Shackleford - May 2, 2010 

    This paper explores some of the types of insider threat organizations face today and discusses monitoring and managing privileged user actions and the role this level of monitoring plays in today's compliance reporting efforts.

  • Preventing Incidents with a Hardened Web Browser by Chris Crowley - December 15, 2009 

    There is substantial industry documentation on web browser security because the web browser is currently a frequently used vector of attack. This paper investigates current literature discussing the threats present in today's environment.

  • Is Internet Explorer More Secure than FireFox? by Larry Fortier - October 1, 2007 

    It is common practice to compare web browser security based on known exploits, but this paper raises the idea that security is a broader concept and that there are other important issues that need to be considered. In this paper we look at how it is possible to circumvent a company's security policy by using a web browser. Specifically, we compare Internet Explorer with the FireFox web browser when connecting to a website that is not FIPS 140 compliant while the company's policy is to use FIPS 140-compliant algorithms for web connections. Using this example we discuss best practices in choosing an encryption product (assuming data should be encrypted). We then end with a discussion emphasizing how important it is for security professionals to create a 'security culture' within an organization and how to handle the struggle between usability and security in a real-world setting.

  • OS and Application Fingerprinting Techniques Graduate Student Research
    by Jon Mark Allen - September 27, 2007 

    This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss the techniques and methods used by three of the most popular fingerprinting applications: nmap, Xprobe2, and p0f. I will discuss the similarities and differences between active scanning and passive detection, and also the differences between the two active scanners themselves. We will conclude with a brief discussion of why successful application or OS identification might be a bad thing for an administrator and offer suggestions to avoid successful detection.
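The passive side of that comparison is the easiest to show in a few lines. As an added example (not code from the paper nor from nmap, Xprobe2 or p0f), the script below does what a p0f-style sensor does with a single SYN: it rounds the observed TTL up to the nearest common initial value to estimate hop distance, then scores the TTL class, DF bit, window size and TCP option layout against a signature table. The signatures and the SYN observations are constructed approximations for the example and are not p0f's real database; a packet capture would supply the same five fields per SYN.

```python
"""p0f-style passive OS fingerprinting from TCP SYN attributes.
Added example; signatures and observations below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SynObservation:
    src: str
    ttl: int        # TTL as seen on the wire, already decremented by routers
    window: int     # advertised receive window in the SYN
    df: bool        # IP Don't Fragment bit
    options: str    # TCP option layout in wire order, e.g. "mss,sackOK,ts,nop,ws"


# Assumed illustrative signatures: (initial TTL, window, DF, option layout).
# Real p0f signatures carry more fields and are maintained upstream.
SIGNATURES = {
    "Linux 3.x/4.x": (64, 29200, True, "mss,sackOK,ts,nop,ws"),
    "Linux 2.6":     (64, 5840, True, "mss,sackOK,ts,nop,ws"),
    "Windows 7/8":   (128, 8192, True, "mss,nop,ws,nop,nop,sackOK"),
    "Windows XP":    (128, 65535, True, "mss,nop,nop,sackOK"),
    "FreeBSD 9+":    (64, 65535, True, "mss,nop,ws,sackOK,ts"),
}

INITIAL_TTLS = (32, 64, 128, 255)   # defaults used by common IP stacks


def initial_ttl(observed):
    """Round an observed TTL up to the next common initial TTL."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def hop_distance(observed):
    """Routers between us and the sender, assuming a common initial TTL."""
    return initial_ttl(observed) - observed


def score(obs, signature):
    """Weighted match: option layout is the most OS-specific field."""
    ttl0, window, df, options = signature
    points = 0
    points += 1 if initial_ttl(obs.ttl) == ttl0 else 0
    points += 1 if obs.df == df else 0
    points += 2 if obs.window == window else 0
    points += 3 if obs.options == options else 0
    return points


def fingerprint(obs, threshold=5):
    """Return (guess, score, hops); 'unknown' below the confidence threshold."""
    best_name, best_score = "unknown", -1
    for name, signature in SIGNATURES.items():
        points = score(obs, signature)
        if points > best_score:
            best_name, best_score = name, points
    if best_score < threshold:
        best_name = "unknown"
    return best_name, best_score, hop_distance(obs.ttl)


# Constructed observations, as a sniffer on the server side would record them.
SAMPLE_SYNS = [
    SynObservation("10.0.0.5", 52, 29200, True, "mss,sackOK,ts,nop,ws"),
    SynObservation("10.0.0.7", 119, 8192, True, "mss,nop,ws,nop,nop,sackOK"),
    SynObservation("10.0.0.8", 60, 64240, True, "mss,sackOK,ts,nop,ws"),
    SynObservation("10.0.0.9", 250, 4128, False, "mss"),
]

if __name__ == "__main__":
    for syn in SAMPLE_SYNS:
        guess, points, hops = fingerprint(syn)
        print(f"{syn.src:10} {guess:14} score={points} hops={hops}")
```

The third observation shows why the option layout carries the most weight: its window does not match any table entry, yet the Linux option order still identifies the family. The fourth (high TTL, no DF, MSS only) matches nothing and is reported as unknown rather than forced onto the nearest row. The same fields are the lever for the paper's closing advice: a host that changes its default TTL, window or option set (on Linux, via the `net.ipv4.*` sysctls) stops matching its stock signature, which is what "avoiding successful detection" amounts to for passive tools.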

  • Security Implications of the Virtualized Data Center by Alan Murphy - June 19, 2007 

    The concepts behind application and operating system virtualization are not new; they were around long before server appliances and desktop PCs became part of our daily vocabulary.

  • Port Knocking: Beyond the Basics by Dawn Isabel - May 17, 2005 

    Port knocking has recently become a popular and controversial topic in security. A basic overview of port knocking is given, and the paper argues that, when carefully implemented, port knocking can be a useful tool in some situations.
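The "carefully implemented" part is mostly server-side state handling: per-source progress through the sequence, a timeout so a stale partial sequence cannot be completed hours later, a reset on any wrong port so a sequential scan never gets through, and a bounded opening window. As an added example (not code from the paper or from any knock daemon), the script below replays a constructed firewall drop log against a three-port sequence and reports which sources earned a temporary opening; the sequence, timers and log entries are all assumptions of the example.

```python
"""Server-side port-knock tracking replayed over firewall drop-log entries.
Added example; the sequence, timers and log are constructed.
"""
from collections import namedtuple

# One dropped SYN as a firewall log records it; ts in whole seconds.
Knock = namedtuple("Knock", "ts src dport")


class KnockTracker:
    def __init__(self, sequence, knock_timeout=10, open_seconds=30):
        self.sequence = list(sequence)
        self.knock_timeout = knock_timeout   # max seconds between consecutive knocks
        self.open_seconds = open_seconds     # how long the protected port stays open
        self._progress = {}                  # src -> (next expected index, ts of last knock)
        self.opened = {}                     # src -> ts until which access is granted

    def observe(self, k):
        idx, last_ts = self._progress.get(k.src, (0, k.ts))
        if idx and k.ts - last_ts > self.knock_timeout:
            idx = 0                           # too slow: the partial sequence expires
        if k.dport == self.sequence[idx]:
            idx += 1
        else:
            # Any wrong port resets, so a sequential scan never completes the
            # sequence; the wrong knock may itself be the start of a new attempt.
            idx = 1 if k.dport == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened[k.src] = k.ts + self.open_seconds
            idx = 0
        self._progress[k.src] = (idx, k.ts)

    def is_open(self, src, now):
        """True while the opening granted to `src` has not expired."""
        return now <= self.opened.get(src, -1)


def replay(log, sequence=(7000, 8000, 9000)):
    """Feed a drop log through the tracker in time order and return it."""
    tracker = KnockTracker(sequence)
    for k in sorted(log, key=lambda entry: entry.ts):
        tracker.observe(k)
    return tracker


# Constructed drop log: one valid client, one port scanner, one slow client.
LOG = [
    Knock(100, "203.0.113.5", 7000),
    Knock(101, "203.0.113.5", 8000),
    Knock(102, "203.0.113.5", 9000),    # correct sequence: open until t=132
    Knock(101, "198.51.100.9", 7000),
    Knock(102, "198.51.100.9", 7001),   # sequential scanner: wrong port resets
    Knock(103, "198.51.100.9", 8000),
    Knock(104, "198.51.100.9", 9000),
    Knock(200, "203.0.113.77", 7000),
    Knock(215, "203.0.113.77", 8000),   # 15 s gap exceeds the 10 s knock timeout
    Knock(216, "203.0.113.77", 9000),
]

if __name__ == "__main__":
    tracker = replay(LOG)
    for src, until in sorted(tracker.opened.items()):
        print(f"{src}: protected port open until t={until}")
```

Only the first source is granted access; the scanner's 7001 and the slow client's gap both reset the sequence. The limitation the tracker cannot fix is that a fixed sequence is visible to anyone who can sniff the path and can be replayed, which is why the more elaborate schemes discussed under "beyond the basics" derive the ports from a secret or a one-time value instead of a static list.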

  • Linux Repository Server: Implementing and Hardening Step by Step by Alexandre Teixeira - May 5, 2005 

    One of the most critical roles in computer security maintenance is patch management; this paper discusses the process of implementing the software and measures needed to successfully fulfil that role.

  • Linux Repository Server: Implementing and Hardening Step by Step by Alexandre Teixeira - March 9, 2005 

    One of the most critical roles in computer security maintenance is patch management; this paper discusses the process of implementing the software and measures needed to successfully fulfil that role.

  • Meeting the challenges of automated patch management by John Walther - September 16, 2004 

    According to the CERT Coordination Center (CERT/CC), 95 percent of all network intrusions could be avoided by keeping systems up-to-date.

  • Metrics for Operational Security Control by Richard Cambra - August 15, 2004 

    This paper aims to inform the reader about what metrics are, why metrics can be an important tool for controlling security systems, and how metrics fit into day-to-day IT operations to improve security by measuring, reporting and tracking key elements of systems that have an impact on security.

  • Protecting Students in the Public School Environment by John Decker - July 25, 2004 

    Today's network security issues not only involve the protection of the vital data of commerce, but also, whether by law, policy or common sense, the people and the parts of their lives that may be included in that data.

  • Operating System Build Management in the Enterprise by Duncan Beattie - April 8, 2004 

    Mitigating the risk to critical systems from vulnerabilities in operating system builds is an important responsibility of any system administrator. In organisations with a large number of servers, running multiple applications and services, managing the state of production builds can be a time consuming exercise.

  • Options for Secure Personal Password Management by Hugh Ranalli - December 14, 2003 

    In this paper I have used my personal needs for password management as a starting point, trying to determine a solution which would work both for IT personnel, and which would also be suitable for use by the average computer user.

  • Role-Based Access Control: The NIST Solution by Hazen Weber - December 13, 2003 

    RBAC3, when properly implemented following a well-defined organizational policy, can allow for a very scalable, logical, and secure means of distributing access to file systems, applications, sub-systems or the like.
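What makes RBAC3 more than a lookup of users to groups is the combination of a role hierarchy (a senior role inherits the permissions of its juniors) with constraints, the usual one being static separation of duty, which forbids any user from being authorized for a conflicting pair of roles, inherited roles included. As an added example (not the paper's own and not NIST's reference code), the class below implements those two features and checks the constraint at assignment time; the roles, permissions and users are constructed.

```python
"""Role hierarchy plus static separation of duty, the two features that make
an RBAC implementation "RBAC3" in the NIST model. Added example; the demo
roles, permissions and users are constructed.
"""
from collections import defaultdict


class SeparationOfDutyError(Exception):
    pass


class RBAC:
    def __init__(self):
        self._perms = defaultdict(set)       # role -> directly granted permissions
        self._juniors = defaultdict(set)     # senior role -> roles it inherits from
        self._user_roles = defaultdict(set)  # user -> directly assigned roles
        self._ssd = []                       # (frozenset(roles), n): fewer than n allowed

    def grant(self, role, *perms):
        self._perms[role].update(perms)

    def inherit(self, senior, junior):
        """`senior` acquires every permission of `junior`, transitively."""
        self._juniors[senior].add(junior)

    def add_ssd(self, roles, n=2):
        """No user may be authorized for `n` or more of `roles`."""
        self._ssd.append((frozenset(roles), n))

    def _closure(self, roles):
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self._juniors[role])
        return seen

    def roles_of(self, user):
        """Directly assigned roles plus everything reachable by inheritance."""
        return self._closure(self._user_roles[user])

    def assign(self, user, role):
        # Check the constraint against authorized roles, not just direct ones:
        # a role inherited through the hierarchy counts for separation of duty.
        candidate = self.roles_of(user) | self._closure({role})
        for roles, n in self._ssd:
            if len(candidate & roles) >= n:
                raise SeparationOfDutyError(
                    f"{user}: {role} conflicts with {sorted(candidate & roles)}")
        self._user_roles[user].add(role)

    def permissions_of(self, user):
        return set().union(*(self._perms[r] for r in self.roles_of(user)))

    def permitted(self, user, perm):
        return perm in self.permissions_of(user)


def build_demo():
    """Constructed policy: engineer < sre, engineer and auditor both < employee."""
    ac = RBAC()
    ac.grant("employee", "read:handbook")
    ac.grant("engineer", "deploy:staging")
    ac.grant("sre", "deploy:prod")
    ac.grant("auditor", "read:auditlog")
    ac.inherit("engineer", "employee")
    ac.inherit("sre", "engineer")
    ac.inherit("auditor", "employee")
    ac.add_ssd({"sre", "auditor"})      # nobody may both change prod and audit it
    ac.assign("alice", "sre")
    ac.assign("bob", "auditor")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    for user in ("alice", "bob"):
        print(user, sorted(ac.roles_of(user)), sorted(ac.permissions_of(user)))
    try:
        ac.assign("bob", "sre")
    except SeparationOfDutyError as exc:
        print("refused:", exc)
```

The hierarchy keeps the policy scalable: `deploy:prod` is granted once, to `sre`, and `read:handbook` once, to `employee`, and every user picks them up through inheritance. The constraint is what keeps it secure as the organization changes: the attempt to make the auditor an SRE is refused at assignment time rather than discovered in a later entitlement review.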

  • Implementing the "Just-enough Privilege" Security Model by Tom Martzahn - November 19, 2003 

    This paper discusses some of the challenges of migrating a large, widely distributed Windows NT environment, in which application and server support personnel had widespread administrative access, to a native Windows 2000 environment that embraces the "Just-enough privilege" (JeP) security model: staff receive only the privilege required to complete their assigned job responsibilities.

  • Securing Internet Explorer Through Patch Management by Ben Meader - October 30, 2003 

    This paper addresses the current state of patch management, demonstrates what could happen to your network if you leave IE unpatched and provides information on how to mitigate the risk of IE being attacked through the application of strong security settings.

  • Keeping Red Hat Linux Systems Secure with up2date by John Mravunac - September 8, 2003 

    In this paper I will give an in-depth overview of the software update mechanisms used by the Red Hat Network from Red Hat, Inc.

  • Methodologically Upgrading A Production System by Otan Ayan - June 27, 2003 

    This paper attempts to outline the process an administrator should follow after a security patch has been released. Since this process is a consistently repeatable task, a Standard Operating Procedure (SOP) can be revised and enhanced as needed.

  • Protecting Insecure Programs by Shawn Instenes - June 27, 2003 

    This document examines several strategies to protect programs from malicious input, so that they will, in the worst case, abort processing rather than cause malicious code to be executed.

  • Security Administration Solution or Why We Implemented An Identity Management/Account Provisioning T by Suzette Franklin - March 28, 2003 

    This paper presents a case study of how our company took the challenge and implemented an account provisioning solution.

  • Systems Security Management: Small Business Style by Nathaniel Dean - February 14, 2003 

    Most small businesses simply do not have the resources for even one full-time employee dedicated to Information Systems; however, four servers and thirty workstations can be a bit much without a good plan and the right tools to aid in the execution.

  • Steps Toward a Secure Windows XP Stand Alone Workstation Abstract by Patrick Grace - August 14, 2002 

    These pages constitute a "how to" guide for configuring public access computers to protect them from user alterations.

  • Slogging (syslog-ging) through the Mud by Michael Sullivan - April 9, 2002 

    This paper focuses on what the author feels are some of the most important, but often taken for granted, mechanisms of defense in depth: logging and auditing.

  • Proposal for Managing System Security Patches in an Enterprise Network by Karenda Bernal - January 30, 2002 

    This paper details one possible solution for establishing an Emergency Vulnerability Alert (EVA) structure: the EVA process preparation (what will need to be in place prior to implementing the process), a complete layout of the EVA process detail, and finally what challenges (downfalls) may be faced when implementing the proposed process.

  • Patch DoS by Chad Oleary - December 12, 2001 

    This paper describes how we are just starting to feel the ramifications of the "ship first, patch later" methodology used in most IT projects, especially as they relate to security in a 24x7x365, ecommerce environment.

  • Systems Administrators: The First Line of Defense by Elizabeth Frank - December 3, 2001 

    This paper examines the role of systems administrators, those people responsible for the defense of a company's cyber structure.

  • Some of the Dangers of Connecting your AS/400 to a Network by Michael Walsh - September 25, 2001 

    from lost productivity, lost or corrupted data, and time consumed in resuming normal operation.

  • Non-Malicious Destruction of Data by Saffet Ozdemir - August 23, 2001 

    This paper examines how any backup solution must protect the enterprise and the individual users within the enterprise from lost productivity, lost or corrupted data, and time consumed in resuming normal operation.

  • The Divine Right of Kings: Domain Administrators and your (In)secure Network by Mark Austin - August 17, 2001 

    This paper will focus on access control of network resources, and how it relates to information theft and sabotage.

  • Backup Rotations - A Final Defense by Stephen Lennon - August 16, 2001 

    This paper examines various rotation strategies that can be applied to protecting data stored on an organization's computer system.
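Of the rotation strategies such a survey covers, Grandfather-Father-Son is the one most worth seeing worked out, because its value as a "final defense" comes from the retention it buys: daily tapes are overwritten within a week, weekly tapes within a month, and the monthly tape survives for a year, so a corruption noticed late can still be rolled back past it. As an added example (not the paper's own), the script below maps any calendar day to the tape it should use under one assumed GFS schedule (weekday backups only, Friday as the weekly, last Friday of the month promoted to the monthly) and counts the tapes the scheme needs.

```python
"""Grandfather-Father-Son tape rotation: tape label for a given day and the
size of the tape pool. Added example; the schedule parameters are assumed.
"""
import calendar
import datetime as dt


def last_friday(year, month):
    """Date of the last Friday in the month (Monday == 0, Friday == 4)."""
    day = dt.date(year, month, calendar.monthrange(year, month)[1])
    while day.weekday() != 4:
        day -= dt.timedelta(days=1)
    return day


def tape_for(day):
    """Tape label for `day`, or None when no backup runs.

    Mon-Thu: 'Son' tapes, one per weekday, overwritten every week.
    Friday:  'Father' tape for that week of the month, overwritten monthly;
             the last Friday of the month is promoted to a 'Grandfather'
             tape that is kept for a year and normally stored off site.
    Sat/Sun: no backup in this assumed schedule.
    """
    wd = day.weekday()
    if wd >= 5:
        return None
    if wd <= 3:
        return f"Son-{calendar.day_abbr[wd]}"
    if day == last_friday(day.year, day.month):
        return f"Grandfather-{day.year}-{day.month:02d}"
    return f"Father-W{(day.day - 1) // 7 + 1}"


def tapes_required():
    """Pool size: 4 Sons, up to 4 Fathers (a month with five Fridays uses
    W1-W4 before its Grandfather), 12 Grandfathers for a year of monthlies."""
    return {"Son": 4, "Father": 4, "Grandfather": 12}


def schedule(start, days):
    """(date, label) for each day in [start, start + days)."""
    return [(start + dt.timedelta(d), tape_for(start + dt.timedelta(d)))
            for d in range(days)]


if __name__ == "__main__":
    for day, label in schedule(dt.date(2017, 12, 1), 31):
        if label:
            print(day, day.strftime("%a"), label)
    print("tape pool:", tapes_required())
```

December 2017 is a useful month to run: it has five Fridays, so the schedule shows `Father-W1` through `Father-W4` before `Grandfather-2017-12` on the 29th, the case a naive "fourth Friday is the monthly" rule gets wrong. The restore horizon follows directly from the pool: any day in the last week, any Friday in the current month, and the last Friday of each of the previous twelve months.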

  • Password Security in NIS Systems by Eric Gallagher - July 19, 2001 

    This material begins with a dual survey of NIS security and password security and goes beyond the initial reading into an attempt to advance password security practice in NIS.

  • Using Fport on Windows NT to Map Applications to Open Ports by Teena Henson - April 9, 2001 

    To develop defense-in-depth computer security, an understanding of various vulnerabilities must be realized before a protection strategy is developed.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.