Re: Basic Windows Security Question

Doug.Janelle_at_Thermo.com
Date: 03/31/05

    To: security-basics@securityfocus.com
    Date: Thu, 31 Mar 2005 16:23:00 -0400

    Barrie wrote:
    > There are very few reasons to use external media on a
    > connected network like this. The admin can and should
    > manage all software installs, Data can be passed around
    > over the network. On the rare occasion that something
    > absolutely has to be on physical media, let it go through
    > IT for checking first.

    Couldn't agree more! Users should have no need for
    passing data via any method outside the network. Those
    that are able to do so should be limited in number (clearly IT,
    and possibly a marketing or accounting POC, but not
    everyone in the dept). Unfortunately, actually implementing
    and enforcing such a policy is likely doomed to failure without
    full support from very, very high up the chain.

    <snip>
    > If you are the admin and/or in charge of network security, it
    > is your role to encourage the most secure option you can;
    > it's then the responsibility of the users to ask you to relax
    > some policies for their convenience. In most businesses this
    > trade-off is inevitable, but you must, as the security professional
    > on-site, strive for the absolute best practice.

    Ask any admin what the best practice for a firewall is, and most
    will (correctly) respond "Block everything, then open only what's
    needed." So why do so many admins have so much trouble
    applying the same principle to other areas? Does every user
    really *need* a CD-ROM drive, let alone a CD burner? No.
    Floppy drive? No. USB device? No. We should err on the side
    of caution and, like our firewalls, protect all our data egress points
    with the idea that it will, by default, be blocked/disabled unless and
    until there is a clear business justification to the contrary.

    dcj2
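An added example (editor's, not part of the original thread): a read-only PowerShell audit of a Windows host's removable-media posture against the default-deny stance argued above. It assumes Windows Vista/Server 2008 or later for the "Removable Storage Access" policy keys; the USBSTOR driver check also applies to XP-era hosts.

```powershell
# Audit a Windows host's removable-media egress points (USB, CD/DVD, floppy, tape)
# and report any class not denied by policy. Read-only: nothing is changed.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs used by the Removable Storage Access group policy.
$classes = @{
    'Removable disks (USB sticks, external drives)' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD drives'                           = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Floppy drives'                               = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
    'Tape drives'                                 = '{53f5630c-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-RemovableMediaPosture {
    $rows = @()
    # "All Removable Storage classes: Deny all access" overrides the per-class settings.
    $denyAll = (Get-ItemProperty -Path $policyRoot -Name 'Deny_All' `
                -ErrorAction SilentlyContinue).Deny_All -eq 1
    foreach ($name in $classes.Keys) {
        $p = Get-ItemProperty -Path (Join-Path $policyRoot $classes[$name]) `
             -ErrorAction SilentlyContinue
        $rows += [pscustomobject]@{
            Class       = $name
            DenyRead    = $denyAll -or ($p.Deny_Read -eq 1)
            DenyWrite   = $denyAll -or ($p.Deny_Write -eq 1)
            DenyExecute = $denyAll -or ($p.Deny_Execute -eq 1)
        }
    }
    # USB mass-storage driver start type: 4 = disabled, 3 = loads on demand (enabled).
    $usbstor = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                -Name 'Start' -ErrorAction SilentlyContinue).Start
    $rows += [pscustomobject]@{
        Class       = 'USB mass-storage driver (USBSTOR)'
        DenyRead    = ($usbstor -eq 4)
        DenyWrite   = ($usbstor -eq 4)
        DenyExecute = ($usbstor -eq 4)
    }
    return $rows
}

# Under default-deny this list should be empty; anything listed needs a documented
# business justification or a policy fix.
$open = Get-RemovableMediaPosture | Where-Object { -not ($_.DenyRead -and $_.DenyWrite) }
if ($open) {
    Write-Warning 'Egress points still open (no policy deny):'
    $open | Format-Table -AutoSize
} else {
    Write-Output 'All removable-media egress points are denied by policy.'
}
```

Run it as a local administrator on a machine after Group Policy has applied; a user-scope (HKCU) copy of the same policy keys is not checked here.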
