Re: Seeking Win2000 Policy Advice
From: Mark J. Smith (mjsmith@dol.net)Date: 01/10/02
- Next message: Mark J. Smith: "Re: Login/out of shared network resources w/o logging out the current user."
- Previous message: Mark J. Smith: "Re: weird problem with SU.EXE in windows 2000..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Mark J. Smith" <mjsmith@dol.net> Date: Thu, 10 Jan 2002 07:15:38 GMT
Unfortunately, this is a difficult situation. "Not trusting your developers
is as bad, if not worse, than not trusting your network administrators." If
you have anyone serious about network security working in your company, you
don't trust your administrators. Administrative activity is logged and
monitored by other administrators, and different types of administrative
activities are segregated and not every administrator performs every type of
task.
>From a cost issue, many people don't understand the cost of repairing a
machine (or if you are really unlucky, a network) damaged by a user with
excessive permissions, including the downtime when one or more users cannot
work, but are still getting paid.
Also, many times a developer working in an environment different from the
users he is developing for will end up with a product that doesn't work
properly when put into production. This is assuming that the development is
for internal use.
"Developers, by definition, spend almost all day developing." Not true. A
great deal of time is spent in research, testing, and planning activities,
frequently using the internet as a resource.
The preferred method is to have a development machine separate from the
network, but this is not always possible. In general, though, a company big
enough to carry out such a change should be able to find an old workstation
somewhere that the developer can use for their "live" machine, since it will
mainly be used for e-mail and internet access, and therefore doesn't need to
be particularly powerful.
The unfortunate but nevertheless true reality is that most computer systems
damage and computer crime occurs from within the company. Not outsiders
breaking into the network. Employees of the company. I do not know the most
recent figures, but the percentage of outside attacks has gone up
considerably due to the proliferation of the internet and the rise of the
"script kiddie" class of intruders. However, the last number I did see was
88%. Almost nine out of every ten computer crimes are internal. The network
people have this to deal with- trying to protect the network from the users.
It usually irritates the users, particularly when initially implemented and
they go from an open, unsecured environment into a restricted, secure
environment. Frequently it comes across as "embarking on a major power
trip". Having full access to a local workstation is as good as having full
access to the network for a user with the intention of compromising the
network. Want to install a promiscuous network driver to sniff traffic on
the network? You need administrative privileges. Want to install a keystroke
logger, or a modified GINA? You need administrative privileges. These are
just some of the simpler possibilities.
"Do it in front of a nice high level boss so it really puts them on the
defensive. " Unless the high level boss has an understanding of network
principles, or perhaps was the one who decided that security needed to be
improved... this tactic could very easily get you into as much trouble as
you hoped to get them into. It most certainly will not encourage them to go
out of their way to make any exceptions for you, and the next time you do
need assistance you could find yourself at the bottom of the priority list.
You should consider that they are most likely working on such a major
project without any additional staff, and still have to maintain their
"normal" job functions. Perhaps the initial rollout will be fairly generic,
and the modifications for specific users' needs will come in a later stage.
Finally, here is my suggestion. Approach them with your concerns about
needing to access specific registry keys or directories on the machine for
development purposes. You do not need local administrative rights. You may
need to be able to add in ODBC entries and similar tasks, which can easily
be accommodated without full administrative privileges. (You do not need the
ability to change local user accounts, network settings, or standard
operating system components.) You will also find that they may have
overstated their plan, or assumed that they could do a few things that they
cannot: many common software packages need write access to parts of the
registry and file system for normal operation. Preferably, they will make
the OS relevant keys read-only, and will open up the other parts of the
registry. Confrontation is not the way to go... you may very well be
surprised how far you will get by asking for help, rather than demanding a
change, and by understanding their position and the purpose of what they are
doing. Securing a network is too much work and trouble for anyone to
undertake it without valid reasons.
- Next message: Mark J. Smith: "Re: Login/out of shared network resources w/o logging out the current user."
- Previous message: Mark J. Smith: "Re: weird problem with SU.EXE in windows 2000..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
