Re: removing domain admin daily id's

From: Marco (tired.of.spam_at_hotmail.com)
Date: 11/10/04


Date: Wed, 10 Nov 2004 19:11:47 +0100

technically there is little difference, unless you can somewhat guarantee
that the MF boxes are more secure than your desktop. My guess is that they
 want you to use a different machines because sysadmins can, and often do,
 break company policies are their PCs are the least secure .. hence running
 from a "clean" box has its advantages.

 Marco

>
> "John M" <sdkfj@microsoft.com> wrote in message
> news:OzvdAg0xEHA.1392@TK2MSFTNGP14.phx.gbl...
>> so basically I'm trying to figure out if using runas on my desktop or
>> running a metaframe session as domain is the same thing or is one better
>> than the other
>>
>> "Marco" <tired.of.spam@hotmail.com> wrote in message
>> news:OKAOPa0xEHA.3224@TK2MSFTNGP14.phx.gbl...
>>> Hi John,
>>>
>>> I am a bit puzzled by the proposed solution: running as domain admin on
>>> MF
>>> is not much better than running as domain admin on your desktop -- as
>>> you
>>> could compromise both. MF environments are usually better controlled
>>> than
>>> desktops but as long as you are a domain admin (hence local admin on the
>>> box) you are both vulnerable to malware and can mess up the box
>>> yourself.
>>>
>>> >> So if I'm on as an admin, and user
>>> > b picks something up, can the user b session get into my session?
>>>
>>> I think that the problem is more ther other way around: you, logged as
>>> as
>>> admin, are more liley to pick up something and damage the system, not
>> users
>>> running with limited privileges.
>>>
>>> The answer to your other question is yes, a kernel mode virus can hijack
>> any
>>> session -- tricky but it can be done.
>>>
>>> The real difference I see is restricting the usage of the privilege
>> account
>>> for tasks that really require it: do you really need to run IE or
>>> Outlook
>>> while logged in as Domain Admin? forcing you to use a second account,
>>> perhaps on a clean machine, is somehwat better, but not that much.
>>>
>>> cheers,
>>>
>>> Marco
>>>
>>> --
>>> Free five computers' license for NeoExec for Active Directory
>>> [ www.neovalens.com ]
>>>
>>> ----
>>> "John M" <sdkfj@microsoft.com> wrote in message
>>> news:uHWHz8zxEHA.1404@TK2MSFTNGP11.phx.gbl...
>>> > We are doing a security project here, that removes domain admin from
>>> > our
>>> > daily login id's. It's been suggested that we run our admin tools and
>> id's
>>> > on Metaframe, because they don't want us using runas on our desktops.
>>> > Metaframe worries me a little because there are other non-admin people
>>> > using
>>> > the same system, and who knows what they are doing..
>>> > So I guess my question is, if one MF session got a virus of some kind
>> can
>>> > it
>>> > interact with any of the other sessions? So if I'm on as an admin, and
>>> > user
>>> > b picks something up, can the user b session get into my session?
>>> > Has anyone else had to do this, and what did you do?
>>> >
>>> > Thanks
>>> > John
>>> >
>>> >
>>>
>>>
>>
>>
>
>



Relevant Pages

  • Re: Wireless Launch Controller for sale
    ... combinations there is no guarantee that it is secure from stray ... transmissions or a user with another system with the same code, ...
    (uk.tech.rocketry)
  • Re: I need a system the U.S. government cannot hack
    ... > security functions, but no guarantee has been made as to the robustness ... but is not necessarily secure by default. ... Interesting comment you make Karl ...
    (microsoft.public.security)
  • Re: Dumb assed small town restaurant thing
    ... Wondering why insure, "to guarantee against loss or harm", would not be ... equally appropriate as ensure "to secure or guarantee" "to make secure ... Word usage, meaning, and pronunciation is completely based on the ... Bob was quite the gay fellow. ...
    (misc.rural)
  • Re: removing domain admin daily ids
    ... ok thanks for the advice ... > technically there is little difference, unless you can somewhat guarantee ... > that the MF boxes are more secure than your desktop. ... > break company policies are their PCs are the least secure .. ...
    (microsoft.public.win2000.security)
  • Re: ensuring total security
    ... :Is there a way I can guarantee that no one can open a certain ... 100.00000000000000000000% secure: ... encryption system is susceptable to psychological analysis of the ...
    (comp.security.misc)