Re: SUS server
From: Randy Williams (randyw_at_techsource.com)
Date: 04/08/05
- Previous message: David Gillett: "RE: an error in the NMAP docs?"
- In reply to: Paris E. Stone: "RE: SUS server"
- Next in thread: hartmann: "RE: SUS server"
Date: Fri, 08 Apr 2005 13:48:08 -0400
To: security-basics@securityfocus.com
Greetings All,
While local Admin rights may violate quite a few security protocols as
well as administration protocols, it sometimes is the ONLY way to get
certain things done. I manage a small group of Engineers that do
everything from CAD work to ASIC design. It is in their job
descriptions to constantly attempt new design changes/fixes/upgrades and
a lot of the time they are installing new patches/upgrades/versions of
the tools that they use. Even with push out from AD, this would still
slow them down too much.
Power User level won't work either, as too many of these programs want
to write to "privileged" places on the file structure. Yes, they do
blow stuff up from time to time (which we warn them is THEIR
responsibility); anything other than local admin simply isn't productive.
So I can sympathize with the original poster on this issue. However,
from the SUS perspective, I just force the updates/reboots as necessary
and warn the whole department via policy that this will occur. If they
leave themselves logged in and do not save something, their manager will
ask them why they violated procedure.
Just my $0.02 worth.
RandyW
Paris E. Stone wrote:
>Drop the local admin rights, as a previous poster said. All that is, is
>more work for you.
>
>What requirement is in place that gives them local admin rights?
>
>~~~~~
>Paris E. Stone, "Linux Zealot"
>CISSP, CCNP, CNE, MCSE
>~~~~~
>The only thing necessary for the triumph of evil,
>is for good men to do nothing.
>- Edmund Burke
>
>
>-----Original Message-----
>From: Raoul Armfield [mailto:armfield@amnh.org]
>Sent: Thursday, April 07, 2005 11:14 AM
>To: Chinnery, Paul
>Cc: security-basics@securityfocus.com
>Subject: Re: SUS server
>
>Chinnery, Paul wrote:
>
>
>>Why rely on the users to install the patches? I set mine up to auto
>>install and reboot the system (I set mine to go at 3 AM). Course, since
>>it's a hospital environment, there are some machines that have to be
>>done manually.
>
>
>That is exactly my question. I do NOT want to rely on the users to
>install the patches. However, if they are local admins they are
>prompted to install and they can opt not to either through action or a
>lack thereof. I was hoping for a way to force the update even if the
>users are local admins.
>
>
>