Re: removing domain admin daily id's
From: Marco (tired.of.spam_at_hotmail.com)
Date: 11/10/04
Date: Wed, 10 Nov 2004 19:11:47 +0100
Technically there is little difference, unless you can somewhat guarantee
that the MF boxes are more secure than your desktop. My guess is that they
want you to use a different machine because sysadmins can, and often do,
break company policies and their PCs are the least secure .. hence running
from a "clean" box has its advantages.
Marco
>
> "John M" <sdkfj@microsoft.com> wrote in message
> news:OzvdAg0xEHA.1392@TK2MSFTNGP14.phx.gbl...
>> so basically I'm trying to figure out if using runas on my desktop or
>> running a metaframe session as domain is the same thing or is one better
>> than the other
>>
>> "Marco" <tired.of.spam@hotmail.com> wrote in message
>> news:OKAOPa0xEHA.3224@TK2MSFTNGP14.phx.gbl...
>>> Hi John,
>>>
>>> I am a bit puzzled by the proposed solution: running as domain admin on MF
>>> is not much better than running as domain admin on your desktop -- as you
>>> could compromise both. MF environments are usually better controlled than
>>> desktops but as long as you are a domain admin (hence local admin on the
>>> box) you are both vulnerable to malware and can mess up the box yourself.
>>>
>>> >> So if I'm on as an admin, and user
>>> > b picks something up, can the user b session get into my session?
>>>
>>> I think that the problem is more the other way around: you, logged as
>>> admin, are more likely to pick up something and damage the system, not users
>>> running with limited privileges.
>>>
>>> The answer to your other question is yes, a kernel mode virus can hijack any
>>> session -- tricky but it can be done.
>>>
>>> The real difference I see is restricting the usage of the privilege account
>>> for tasks that really require it: do you really need to run IE or Outlook
>>> while logged in as Domain Admin? Forcing you to use a second account,
>>> perhaps on a clean machine, is somewhat better, but not that much.
>>>
>>> cheers,
>>>
>>> Marco
>>>
>>> --
>>> Free five computers' license for NeoExec for Active Directory
>>> [ www.neovalens.com ]
>>>
>>> ----
>>> "John M" <sdkfj@microsoft.com> wrote in message
>>> news:uHWHz8zxEHA.1404@TK2MSFTNGP11.phx.gbl...
>>> > We are doing a security project here, that removes domain admin from our
>>> > daily login id's. It's been suggested that we run our admin tools and id's
>>> > on Metaframe, because they don't want us using runas on our desktops.
>>> > Metaframe worries me a little because there are other non-admin people using
>>> > the same system, and who knows what they are doing..
>>> > So I guess my question is, if one MF session got a virus of some kind can it
>>> > interact with any of the other sessions? So if I'm on as an admin, and user
>>> > b picks something up, can the user b session get into my session?
>>> > Has anyone else had to do this, and what did you do?
>>> >
>>> > Thanks
>>> > John
>>> >
>>> >
>>>
>>>
>>
>>
>
>