Re: overcome NIS
- From: Jan Pompe <janp@!!dx.com.au>
- Date: Sun, 04 Dec 2005 15:08:55 +1100
Stachu 'Dozzie' K. wrote:
On 04.12.2005, Menno Duursma <menno@xxxxxxxxxxx> wrote:
On Sun, 04 Dec 2005 00:54:03 +0000, Stachu 'Dozzie' K. wrote:
On 03.12.2005, Menno Duursma <menno@xxxxxxxxxxx> wrote:
On Sat, 03 Dec 2005 22:05:08 +0000, John Thompson wrote:
Do you really let in laptops into your internal network?
Well the only network i own is my home LAN and yes i have a laptop.
Or maybe you connect with bridge/switch wireless network with stationary network?
Wouldn't this effectively make it /one/ network above the media level?
This _is_ a serious design flaw.
???
We're talking about networks where NIS can do some work, that is networks requiring some directory services, aren't we? Otherwise NIS is an unnecessary service and leaving it running is exactly the same "good" idea as leaving Samba, Apache or any other useless service (providing it's useless in a particular case).
So now we know that you don't let laptops in.
On other networks than mentioned above: i have no say in such things, above and beyond consultancy. But assume it possible and in most places not even far fetched ...
Which other systems can "they" possess? Your desktop systems?
Probably: given some effort.
Then the system admin failed.
But they need not even try that (just crosslink a laptop to one desktop system's NIC, fail a login on it logging results on the laptop, spoof their settings to those and connect it to the network - and this is when they'd even care for going undetected.)
As I said, there're no laptops. Laptops are left at the entrance. Netadmin should provide a clear and enforceable policy.
I for one can't see how this will make a significant difference given access to desktops on the network. Memory sticks and floppy disks are quite concealable. If you are administering a network where you have users you can't trust you need added layers of protection or alternative setups.
Do you give to workstation user root access to that workstation?
What's with all the personal questions? They're irrelevant to the discussion as far as i'm concerned.
Right. I've taken you in my sights just because it's easier for me to form a sentence (at the language level; I don't speak English natively).
Neither does Menno. It's not my native language either. I didn't see the questions as particularly personal though just a way of asking opinion.
Nothing personal. I apologize if you feel offended.
I don't think so.
In providing NIS services one implicitly trusts this to be so. Other systems, providing similar functionality, take into account that the alternative possibility could conceivably be the case, if only for a small timeframe. Protecting assets even from legit users with local root access on client machines (say tech support admins.)
Serving root through any directory service isn't too smart, I think. One might try to intercept messages exchanged in the authentication procedure and crack the root password offline. I can hardly imagine the situation _requiring_ serving the root account through DS.
Can you explain then, how your user could get administrative rights?
Read above (of course there are more ways to skin a cat, use your imagination.) You can tunnel/wrap/firewall/whatever sure, that's not my point. Point though is: NIS doesn't safely account for the possibility...
Of course it doesn't. It wasn't designed to address these possibilities (NIS+ reportedly was, but there are no NIS+ servers for Linux out there). It's just its property. But it is not a security flaw itself. The flaw is not to take this NIS property into account. I suppose both of us can agree with that.
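As an added example (not from the thread or any of its posters), here is a small audit an admin could run over the output of `ypcat passwd` to catch the two NIS properties argued about above: a uid-0 account being served through the directory service, and password hashes sitting in the map rather than behind a shadow placeholder. It assumes the map is passwd(5)-style lines; the sample map is constructed for the example.

```python
"""Audit a NIS passwd map for uid-0 accounts and exposed hashes.

Assumption (not from the thread): the input is what `ypcat passwd`
prints, i.e. one passwd(5)-style line per account. SAMPLE_MAP is a
constructed example, not real account data.
"""
from dataclasses import dataclass

# Constructed sample map: two uid-0 entries, one with a hash in the map.
SAMPLE_MAP = """\
root:$1$examplesalt$examplehashvalue000000:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
backup:$6$examplesalt$examplehashvalue111111:0:0:backup admin:/var/backups:/bin/sh
bob:*:1002:100:Bob:/home/bob:/bin/bash
"""

# Password-field values that carry no crackable hash.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", ""}


@dataclass
class Finding:
    user: str
    issue: str


def parse_passwd_line(line):
    """Split one passwd(5) line into (user, password_field, uid)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd entry: {line!r}")
    user, pw, uid, _gid, _gecos, _home, _shell = fields
    return user, pw, int(uid)


def audit_passwd_map(text):
    """Return a Finding for every uid-0 account served via the map and
    for every entry whose password field is a hash rather than a
    shadow placeholder (readable by anyone who can query the map)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw, uid = parse_passwd_line(line)
        if uid == 0:
            findings.append(Finding(user, "uid 0 account served via NIS"))
        if pw not in SHADOW_PLACEHOLDERS:
            findings.append(Finding(user, "password hash exposed in passwd map"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd_map(SAMPLE_MAP):
        print(f"{f.user}: {f.issue}")
```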