RE: Controlling Admin Access

From: KEVIN BLACK (KBLACK_at_svmh.com)
Date: 02/19/04

  • Next message: Sergey V. Gordeychik: "RE: Preventing OS Detection" 
    To: 'Michael Cox' <mscox42@yahoo.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Thu, 19 Feb 2004 13:36:05 -0800

    I apologize if someone has already mentioned this but there is a pretty good
    solution for this. PGP is an encryption product and is supported in both the
    commercial and open source worlds. There is a commercial version of this
    that is designed for the Enterprise that I have used and implented fairly
    successfully. The enterprise version at http://www.pgp.com will provide you
    with integrated Outlook support providing the ability to sign and encrypt
    e-mail, the ability to sign and encrypt files or folders, the ability to
    create a mountable encrypted drive.

    The biggest issue with encryption was brought up by an earlier poster. What
    happens when the person disappears and noone knows his/her password? This is
    answered by creating a corporate ADK key. If configured correctly,
    everything the user encrypts will also be encrypted by this key and can thus
    be recovered in an emergency. This key can and should be split between
    multiple people thus requiring multiple people for decryption outside the
    users knowledge.

    PGP is also widely supported and accepted through out the world.
    I hope this helps...

    Thanks,
       Kevin Black
     
    -----Original Message-----
    From: Michael Cox [mailto:mscox42@yahoo.com]
    Sent: Friday, January 30, 2004 11:56 AM
    To: focus-ms@securityfocus.com
    Subject: Controlling Admin Access

    I'd like to solicit the group's input on the
    following.

    Domain administrators, by definition, are going to
    have complete access to member computers.

    Is anyone doing anything to mitigate the potential
    risks involved with access to, say, an executive's
    computer which could have very sensitive data on it
    (mergers and acquisitions, for example)?

    One obvious answer is encryption, but I'm curious what
    is available in the Windows world as I'm not as
    familiar with that.

    Even if something like object level auditing was
    enabled and the logs sent to a remote host, couldn't
    the admin, as a first step, disable this logging?

    Please answer both 1) what is possible, and 2) what is
    your organization or other organizations you know of
    doing about this (if anything).

    Many thanks in advance!

    Michael

    __________________________________
    Do you Yahoo!?
    Yahoo! SiteBuilder - Free web site building tool. Try it!
    http://webhosting.yahoo.com/ps/sb/

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

    CONFIDENTIALITY NOTICE: This message and any included attachments are from
    Salinas Valley Memorial Hospital and are intended only for the addressee.
    The information contained in this message is confidential and may constitute
    inside or non-public information under international, federal, or state
    securities laws. Unauthorized forwarding, printing, copying, distribution,
    or use of such information is strictly prohibited and may be unlawful. If
    you are not the addressee, please promptly delete this message and notify
    the sender of the delivery error by e-mail or you may call Salinas Valley
    Memorial Healthcare System's Privacy Officer in Salinas, California, U.S.A
    at (+1) (831) 755-0755.

    ---------------------------------------------------------------------------
    Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

    Protect your network with the comprehensive security solution that
    integrates six applications for ease of use and lower TCO.

    Firewall - Virus protection - Spam protection - URL blocking - VPN
    - Wireless security.

    Download 30-day evaluation at:
    http://www.securityfocus.com/sponsor/Astaro_focus-ms_040219
    ---------------------------------------------------------------------------

  • Next message: Sergey V. Gordeychik: "RE: Preventing OS Detection"

    Relevant Pages

    • Re: Firefox32 and Thunderbird
      ... Industry-standard encryption, including support for PGP / GPG, ... before stating "evolution doesn't do PGP" you might want to do ...
      (Ubuntu)
    • Re: Ex2007 EVS on Windows 2008
      ... if it's possible to query the requested encryption of a WMI namespace. ... If the WMI namespace to be queried is known ahead of time, ... Microsoft Online Community Support ... the authentication level to PKT_PRIVACY. ...
      (microsoft.public.win32.programmer.wmi)
    • Friday Futures
      ... PGP To Offer Whole Disk OS X Encryption ... its whole disk encryption software for OS X in the near future. ... multimedia support for a 5 megapixal camera ...
      (comp.sys.mac.misc)
    • Re: "Linux Shminux - IPsec is Snake Oil!" VMS Mgmnt
      ... In addition to the Apple, IBM, SUN, Microsoft, and HP-UX support for IPsec I ... This was a public company which needed to meet Sarbanes-Oxley regulations and auditing, most of which covered security. ... I couldn't say whether IPSEC or some other form of encryption was really needed or not but I'm reasonably certain that none of my jobs since being discharged from the Army in 1969 used any form of encryption for internal network traffic. ...
      (comp.os.vms)
    • Re: Securing an Ad Hoc Network
      ... The data encryption is set to WEP, however from what I am reading this is a vulnerable method. ... Is there any way for me to enhance the security of these two units and still remain wireless? ... Perhaps make the network itself invisible? ... I don't know what wireless network adapters actually support ...
      (microsoft.public.windowsxp.network_web)
    • Quantcast