Re: Basic Windows Security Question

From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 03/31/05

  • Next message: ben.smethurst_at_orange.net: "Re: Prividing Intranet Website Access To External Users"
    Date: Thu, 31 Mar 2005 14:49:27 +0100
    To: Andrew McIntosh <amcintosh@networkadvocates.com>
    
    
    

    Andrew McIntosh wrote:
    <snip>
    > Disable USB Port - That would solve the particular problem and create
    > other problems. For instance, substitute the thumb drive with a floppy
    > disk or CD. For obvious reasons you don't want to disable those as well.

    Which obvious reasons?
    The company has less than 100 employees, they probably won't be passing
    CD's around much. Disable/unplug/remove CD drives and floppies and have
    all data to be added to the network go through checking by a relevant
    competent staff member.

    There are very few reasons to use external media on a connected network
    like this. The admin can and should manage all software installs, Data
    can be passed around over the network. On the rare occasion that
    something absolutely has to be on physical media, let it go through IT
    for checking first.

    > Restrict user permissions - That could potentially prevent a program
    > from installing itself, but it would also cause the user some grief if
    > they need to install programs themselves, or even do simple things like
    > changing personal settings.

    User should not ever have the right ability or wish to install programs!

    Everything they need to do their job will have been approved by IT and
    will be in the base OS build, anything to be added to that will need to
    be evaluated and approved, when it has been it again will be installed
    by It and added to the build process. If you give your users access to
    do this on a broad scale you are asking for trouble, on any sized network.

    > Security Policy - Haven't looked into this yet, but maybe there is a way
    > to prevent the use of thumb drives and other specific devices through
    > security policy.

    Yes it can be done, but it should be in addition to removing the devices
    completely whenever possible.

    This is a subjective question, it relies entirely on the business at
    hand and who is in charge of policy making decisions. If you are the
    admin and/or in charge of network security. It is your role to encourage
    the most secure option you can, it's then the responsibility of the
    users to ask you to relax some policies for their convenience. In most
    businesses this trade off is inevitable, but you must, as the security
    professional on-site, strive for the absolute best practise.

    Set the policies of the system on a per role basis, if someone needs to
    do alot of work on external media give them access to the devices, those
    that don't disable it. If someone want's access to the CD drive to
    listen to their music, then it *might* be too much of a risk to the
    network to allow this. You have to analyse what sort of impact
    malicous/accidental access to the users accounts has on the network and
    you also have to consider the users competency.

    -- 
    With Regards..
    Barrie Dempster (zeedo) - Fortiter et Strenue
    blog: http://zeedo.blogspot.com
    site: http://www.bsrf.org.uk
    CA: www.cacert.org
    "He who hingeth aboot, getteth hee-haw" - Victor (Still Game)
    
    



  • Next message: ben.smethurst_at_orange.net: "Re: Prividing Intranet Website Access To External Users"