Re: disclosure the administrative password
From: Thor (thor_at_hammerofgod.com)
Date: 02/02/05
- Previous message: Jack Me: "Re: disclosure the administrative password"
- In reply to: Boris Skoblo: "Re: disclosure the administrative password"
- Next in thread: Tom Stowell: "Re: disclosure the administrative password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Boris Skoblo" <borsk@techunix.technion.ac.il>, <focus-ms@securityfocus.com> Date: Wed, 2 Feb 2005 09:47:03 -0800
Thanks for the explanation- it helps to have context in mind when offering
opinions...
Inline--
>> This sounds like one of those "loaded" questions... This is a security
>> list, so we will want to know "why." Why is a smart card and all other
>> hardware not applicable?
>
> These methods not applicable because of budgetary limitations
You can use USB-based readers that aren't that expensive at all... Just have
the admin keep it in his bag o' tricks. It's smart to require smartcard
logon for admin anyway, and it is a very effective way to require 2 stage
authentication.
>> Why can't the operations be delegated?
>
> For example, stoping and starting of various services for the diagnostic
> purposes
Remote management would work in this example, and hopefully many others.
>> Wipe the machine and prevent non-admin loading of drivers. User SAFER
>> restrictions to only allow designated software to run. Initiate
>> corporate policy to fire and or prosecute offending users.
>>
>> Use Remote Desktop on XP to initiate administrative tasks which bypass
>> the hardware keystroke logger (until Blue Boar and I write our Terminal
>> Services Keystroke Logger, that is. We're calling it Terminal Stroke.)
>> Worse case, change the admin password after you have to do whatever it is
>> you have to do as an admin on the box.
>
> As about W2K workstations ?
SAFER restrictions wouldn't apply, but the general policy of restricting
driver installation would. It should really be a standard policy setting
anyway. Note that there is a separate policy object that also allows/denies
*printer* driver installation as well. Typically in larger organizations,
I've seen the policy set to allow users to install printers but not other
drivers. While I've never seen a root-kit posing as a printer driver, it's
doable, so you would have to weigh the cost of having an admin install
drivers vs. the risk of introducing a root-kit via printer driver.
As stated before, Remote Desktop would work on XP, but not Win2k
workstations. You'd need some other remote-management software for those.
But if budget is an issue, that probably won't fly. Also, many of these
remote-management products introduce their own security concerns in the
process.
Knowing that budget keeps you from using smart cards, I'd like to offer the
following: IT expenditures should not look only at hard dollars. Buying a
few smart card readers and some smart cards will cost you X. What will
*not* buying them cost you? How much additional admin time will be burned
by administering cut-and-paste-from-floppy kludges? How much admin time will
be burned by having to change the admin password every time someone uses
RunAs at a workstation? How much for remote admin software or upgrades to
XP? And in the end, these solutions still leave admin access open to anyone
with the password.
But, barring all that, the simplest "as is" solution is group policy and
remote admin.
t
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: Jack Me: "Re: disclosure the administrative password"
- In reply to: Boris Skoblo: "Re: disclosure the administrative password"
- Next in thread: Tom Stowell: "Re: disclosure the administrative password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
