Re: Ten least secure programs
From: Chris Berry (compjma_at_hotmail.com)
Date: 07/02/03
- Previous message: salgak_at_speakeasy.net: "Re: Firewall Comparisons"
- Maybe in reply to: Patrick Boucher: "Re: Ten least secure programs"
- Next in thread: David: "Re: Ten least secure programs"
- Reply: David: "Re: Ten least secure programs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: security-basics@securityfocus.com
Date: Wed, 02 Jul 2003 12:53:26 -0700
>From: "Roger A. Grimes" <rogerg@cox.net>
>By disabling "ActiveX", you'll be telling your users they can only have a
>limited experience (HTML, graphics, scripting) with IE. Not completely
>unsound, but most users will revolt.
Then the revolution will be crushed without mercy. Just like when we
implemented site restrictions, although that one wasn't my idea.
>Disable all ActiveX and then surf. You'll not be able to read most popular
>web sites.
Ahhum....BullS***
>It won't load Flash, RealPlayer, Windows Media Player, or most other
>plug-ins or Helper Applications.
Good, 95% of these have no legitimate business application anyways, and if
they do I can enable them for that user.
>This does decrease your risk of exploitation, but will your
>users even listen to you?
This isn't an issue, restrictions such as this must be enforced by
technology not policy.
>How will you stop them from loading ActiveX controls? There are ways
>(IEAK, Software Restriction Policies, registry edits), but it certainly
>won't be as easy as telling your users not to do it.
True, but no one said life as an Admin was easy.
>If security is really that essential on
>your network, remove any browser and any email client off their
>workstations. Too much risk.
Too drastic, will never be approved by management.
>Want to use another browser that doesn't
>accept ActiveX controls?
Too unstandardized, won't cover all situations.
>What about Java applets? Secure? Nope. Java's been hacked dozens of
>times.
Too pervasive, can't restrict it.
>You sound like someone new to this whole process. Unless you have your
>administrative ducks in a row, you won't be able to stop your users from
>installing whatever they want. How will you prevent them from installing your
>"illegal" apps? How will you detect when they install them anyways?
Actually it's fairly easy using a combination of ACLs and a network wide
software scanning system.
>The point is that you need to support the applications your users
>want/need,
Need yes, want, only if it fits within the rest of our business model.
>and then it's your job to secure them to the best of your
>ability.
True
>If you insist on your grand plan, come back in six months and tell me how
>successful you were...and be honest.
Been working on it since DEC 2001 when I got hired here. Would you believe
they had everyone using the same password and 50% of the employees were in
the domain admins group? My policy is to lock it down till they start
screaming bloody murder, then back off just a little. You have to do this
slowly though or it interferes with business processes, and that's not
allowed.
Chris Berry
compjma@hotmail.com
Systems Administrator
JM Associates
"Encrypt everything, and ask questions later."
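The "registry edits" route mentioned in the quoted message, shown as an added example that is not from this thread or its authors: a PowerShell script that sets the well-known Internet zone action values in Internet Explorer to "Disable" for running, scripting and downloading ActiveX controls, then audits the result. It assumes it runs in the context of the user being restricted (the HKCU key); pushing the same values through a policy key for every workstation is the administrator's choice and is not shown here.

```powershell
# Added example (not from the original thread): disable ActiveX in IE's Internet zone
# by writing the zone action values, then verify that nothing drifted.
# Assumption: run as the user to be restricted, so HKCU is the right hive.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone

# URL action IDs; the value is 0 = Enable, 1 = Prompt, 3 = Disable
$settings = @{
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe for scripting
    '1001' = 3   # Download signed ActiveX controls
    '1004' = 3   # Download unsigned ActiveX controls
}

if (-not (Test-Path $zone)) { New-Item -Path $zone -Force | Out-Null }
foreach ($id in $settings.Keys) {
    Set-ItemProperty -Path $zone -Name $id -Value $settings[$id] -Type DWord
}

# Audit step: report any action that is not set to Disable, so a rollout can be checked
# across machines instead of trusting that the write succeeded.
$drift = foreach ($id in $settings.Keys) {
    $current = (Get-ItemProperty -Path $zone -Name $id -ErrorAction SilentlyContinue).$id
    if ($current -ne 3) { "$id is '$current' (expected 3 = Disable)" }
}
if ($drift) { $drift } else { 'ActiveX is disabled in the Internet zone' }
```

Re-running the script with a single value changed to 0 (Enable) for one user is the per-user exception the reply describes, and the audit loop is what makes the restriction enforced by technology rather than policy: any workstation where the values have been changed back shows up in the drift output.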