RE: Rights



Jim,
Only your company can tell you how much time and effort it is worth.
Risk acceptance and mitigation are both business decisions. As you
mention, if you can't do a task someone else has to. The cost is extra
personnel and decreased productivity, the benefit is improved security.
Likewise, in your environment the cost is security and the benefit is
less fuss and bother ;)

I.Freecycle.Too,
Since this is a security mailing list, I would think our interests lie
in restricting rights in favor of increased security. As Jim mentions
though, it's a balancing act. Pick your poison if you will. My only
suggestions, if you have to provide power user or local admin rights: make
sure you have a simple backup and restore process and good auditing,
minimize the valuable data on the desktops and provide other external
security controls to mitigate anything that can happen.

Giving local admin rights is not as costly if you can easily rebuild a
desktop due to user negligence, infection or corruption. I really like
Jeffrey Adams' Deepfreeze implementation, nothing is easier than simply
rebooting the system. Other tools that make life easier are an IDS to
watch for malicious traffic, a file server with regular backups to
provide a single point of file management and recovery, scheduled scans
to catch infections and regular virus def updates and scans.

Good luck, hope this helps,
Dan

-----Original Message-----
From: Lane, Jim [mailto:Jim.Lane@xxxxxxxx]
Sent: Friday, June 30, 2006 8:25 AM
To: I Freecycle
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Rights

I've just started work for a large bank as a sysadmin supporting a group
of developers. It seems that the custom here is to grant local admin
rights to developers and I was able to get myself so designated with a
minimal amount of fuss and bother.
To my mind this is a classic "pick your poison" sort of choice. The more
hard-nosed you are about this, the more difficult it is for some
people to do their jobs, myself being one such. One size doesn't fit
all. Some people really are "power users" and tightening up security
controls doesn't change that. If users can't make necessary changes then
somebody else has to do it for them. How much time and effort is it
worth to devote to desktop security? You tell me.

Regards,
Jim Lane

-----Original Message-----
From: I Freecycle [mailto:i.freecycle.too@xxxxxxxxx]
Sent: June 28, 2006 1:02 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Rights

Hello,

I'm wondering how others deal with allowing users rights on work
computers.

At our school, users aren't normally given Administrator or Power User
rights unless it's absolutely necessary.  Occasionally we
encounter employees and students that don't understand how easily a
system can be messed up and the security issues involved nor why we
feel it's necessary to operate like this.


I would like to know what others do, and what policies they have in
place to address these issues.

Thanks,

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence
in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

