The following recommendations are for functionality found upon the editing of a select user or a group policy.
|
Recommendation |
Rationale |
| 15. |
Group Policies
Symantec recommends the use of group policies to segment support desk representatives based on duties and job tasks. Functionality should be provided based on documented roles and responsibilities of the position. |
The concept of Least Privilege Access should be upheld when granting functionality to support representative accounts. |
| 16. |
Administrator Accounts
Symantec recommends that a minimal number of administrator accounts be created. Administrator access should be granted to the designated individuals responsible for administering the appliance and user accounts. |
A clear separation of duties should exist between the users and administrators. Administrative access should be granted only to designated individuals who are responsible for administrative duties. |
| 17. |
Allowed to Change Display Name
Unless a specific business requirement exists for a support desk representative to change his or her display name, Symantec recommends that this feature be disabled. |
Preventing users from changing their display name enforces accountability and consistency in customer support sessions. |
| 18. |
Allowed to View Reports
Symantec recommends that this functionality be limited to support desk representatives or managers that have a legitimate requirement for this data. |
Separation of duties ensures Least Privilege Access to the configuration or state of a remote client's computer system or server. |
| 19. |
Allowed to Edit File Store
Because files in the File Store can be transferred to a remote client's desktop, Symantec recommends that the ability to alter content within the File Store be limited to dedicated individuals. |
In order to maintain integrity of files offered for public download, files should be properly screened and approved prior to being placed online. Limiting access to the upload process ensures that only files from trusted individuals are transferred to remote support recipients. |
| 20. |
Allowed to Edit Public Site
Symantec recommends that this functionality be limited to designated individuals. |
Limiting access to alter the public website for the appliance ensures a consistent public image with appropriate content and messaging. |
| 21. |
Allowed to Edit Canned Messages
Symantec recommends that this functionality be provided as needed based on the structure of your support department. |
Providing access to edit canned messages to designated individuals ensures a consistent public image and messaging. |
| 22. |
Allowed to control customer's computer and use file transfer Interface
Symantec recommends that only trained and approved support representatives have access to initiate screen sharing functionality. |
Limiting remote control functionality to trained support representatives ensures a consistent level of response and support and complies with the best practice of only granting access to features/functionality to trained individuals. |
| 23. |
Prompt customer for approval when screen sharing and file transfer are requested
Symantec recommends that clients be provided the choice between Full Control, View Only, or be able to Cancel the support session. |
Requiring client approval provides an additional auditable layer of authorization between the remote client and the support representative. |
| 24. |
Allowed to use Push and Start
Symantec recommends that this functionality be limited to the designated support representatives that have the appropriate access on the remote computer. |
Because the Push and Start functionality requires credentials to access the remote computer, this functionality should be limited to the appropriate support individuals to ensure adequate separation of duties and adheres to the concept of Least Privilege Access. |
| 25. |
LDAP Support
If LDAP is utilized, Symantec recommends that support for encrypted LDAP sessions be enabled by configuring the appliance to use LDAPS or LDAP with TLS (RFC 2830). |
Security best practice is to encrypt authentication credentials if they transit a network. |
The Adobe® logo is a registered trademark of Adobe Systems Incorporated in the United States and/or other countries.
PDF Version (387KB)
Email This Item