Re: Permissions (EVERYONE POST TO THIS)

From: Jeff Cochran (jcochran.nospam@naplesgov.com)
Date: 01/07/03 

From: jcochran.nospam@naplesgov.com (Jeff Cochran)
Date: Tue, 07 Jan 2003 17:58:39 GMT

>Removing Admin rights from your users is the prudent thing to do.

In many networks, it is.

>This isn't a battle as some have suggested here, but more a realization that
>a central focus needs to be maintained and that users can bring in some
>horrendous consequences on their own.

But they can do this without being local administrators as well.

>For instance a user with Admin rights
>has the ability to open up Active Scripting on his/her system and start a
>fire from a control dl from the Internet.

As opposed to the many networks that use scripting as part of their
applications or network operations? Or network admins that don't
update local system software wirth the latest patches?

>You allow one Hacker control of a desktop within your environment, and more
>than likely that same IT admin that allowed Full Admin rights for all users
>to their desktops, allows other what he/she would consider inconsequential
>priveledes, and before you know it, you have lost control of your network.

Hackers are usually the least of my security worries. Statistically,
we face far greater potential loss from a user changing a few bits of
data in our financial software than any outside hacking and gaining
control of a workstation.

>As someone who works within this area, allow me one desktop, I will find a
>way to own it all. Therefore, allowing users to run your network, (if you
>allow them Admin rights to their desktop, you are basically allowing them to
>run it since they can allow anything in to their system from the outside),
>you will find yourself without a job someday.

Admin rights to the desktop allows access to the desktop, not
necessarily the network. And you're assuming you can get to the
desktop to begin with.

>My basic analogy that teaches the above point is this. We all pay Homeowners
>Insurance with the hope we never have to use it, but we still pay it anyway.
>Therefore protect your network the same and use the prudent protection
>available to you and make your network functional without having "hundreds
>of Desktop Admins".

Unless of course the functionality you require also requires
administrator access to the desktop by users. In which case, you use
other means to secure your network.

>And finally, to address another comment made here, IT Admins who are
>careless and state that it works for them is fine, error on the side of
>caution. It is your job as also stated here. I wouldn't want to be
>explaining to my boss or more accurately my clients why something happened
>and how easily it could have been avoided with some judicious common sense.
>I would make note of that.

Note made. FWIW, my boss and all our superiors are aware of the risks
and consequences. The balance between security and functionality is
always changing, and everyone up the chain is informed of the
consequences of changes. There may come a time when the directive
comes in to remove all security to all systems, in which case we would
prepare a report of the potential exposure, then implement the change
and open everything up. We may get a directive to lock the desktops
for users and tighten security as far as possible, in which case a
similar report on the consequences would be prepared, and then the
systems locked down.

Note that I don't disagree that removing local administrator access is
a good security choice for many organizations. Even that it should be
required for many organizations. Just not ours. Or at least, not at
this time. And I personally don't place the importance on it that
others appear to. There are quite a few other potential risks that
are potentially more damaging to our organizaqtion and more cost
effective to control.

And don't get me wrong, I'm not advocating that admins ignore the
security risks in their networks. Just that they should be aware of
the risks as well as the costs associated with reducing those risks.
To use your homeowner's insurance analogy, you wouldn't pay $200,000
for insurance on a $100,000 home.

Jeff

Relevant Pages

  • Risks Digest 25.33
    ... States throw out costly electronic voting machines ... San Francisco officials looking for hidden network device ... Risks of better security ... ...
    (comp.risks)
  • Re: Locking down Mac OSX clients
    ... > Why are you giving them admin rights if you want to restrict their ... administrators because they product that they support must be installed ... Not to mention there are certain things (i.e. network prefs) that I ... preferences as the user then remove the preference panes. ...
    (comp.sys.mac.system)
  • Re: [fw-wiz] (In)security of wireless LANs and the Cisco Wireless Security Sui te
    ... is soundling like an inside only wireless deployment, ... information security mag recently, or network mag. ... > at ameliorating the risks involved with wireless. ...
    (Firewall-Wizards)
  • Re: Pen Testing
    ... Is it common that a security company would need rights such as domain ... admin rights to perform an audit on the network? ... Depends on what you want them to audit. ... network plug and maybe an IP address they can use - plus the ...
    (Pen-Test)
  • Re: co-worker spy annoyance
    ... >>assume that disabling that service did not have the desired effect. ... ensure she doesn't have admin rights on your computer. ... > admin rights she can install and run just about anything. ... complain to your network guys ...
    (comp.security.misc)