Re: removing domain admin daily id's

From: John M (sdkfj_at_microsoft.com)
Date: 11/10/04


Date: Wed, 10 Nov 2004 12:30:05 -0600

ok thanks for the advice

"Marco" <tired.of.spam@hotmail.com> wrote in message
news:eO%23kb80xEHA.1308@TK2MSFTNGP09.phx.gbl...
> Technically there is little difference, unless you can somewhat guarantee
> that the MF boxes are more secure than your desktop. My guess is that they
> want you to use a different machine because sysadmins can, and often do,
> break company policies and their PCs are the least secure .. hence running
> from a "clean" box has its advantages.
>
> Marco
>
> --
> Free five computers' license for NeoExec for Active Directory
> [ www.neovalens.com ]
> ----
>
>
> "John M" <sdkfj@microsoft.com> wrote in message
> news:OzvdAg0xEHA.1392@TK2MSFTNGP14.phx.gbl...
> > so basically I'm trying to figure out if using runas on my desktop or
> > running a metaframe session as domain is the same thing or is one better
> > than the other
> >
> > "Marco" <tired.of.spam@hotmail.com> wrote in message
> > news:OKAOPa0xEHA.3224@TK2MSFTNGP14.phx.gbl...
> >> Hi John,
> >>
> >> I am a bit puzzled by the proposed solution: running as domain admin on MF
> >> is not much better than running as domain admin on your desktop -- as you
> >> could compromise both. MF environments are usually better controlled than
> >> desktops but as long as you are a domain admin (hence local admin on the
> >> box) you are both vulnerable to malware and can mess up the box yourself.
> >>
> >> > So if I'm on as an admin, and user
> >> > b picks something up, can the user b session get into my session?
> >>
> >> I think that the problem is more the other way around: you, logged in as
> >> admin, are more likely to pick up something and damage the system, not
> >> users running with limited privileges.
> >>
> >> The answer to your other question is yes, a kernel mode virus can hijack
> >> any session -- tricky but it can be done.
> >>
> >> The real difference I see is restricting the usage of the privilege
> >> account for tasks that really require it: do you really need to run IE or
> >> Outlook while logged in as Domain Admin? Forcing you to use a second
> >> account, perhaps on a clean machine, is somewhat better, but not that much.
> >>
> >> cheers,
> >>
> >> Marco
> >>
> >> --
> >> Free five computers' license for NeoExec for Active Directory
> >> [ www.neovalens.com ]
> >>
> >> ----
> >> "John M" <sdkfj@microsoft.com> wrote in message
> >> news:uHWHz8zxEHA.1404@TK2MSFTNGP11.phx.gbl...
> >> > We are doing a security project here, that removes domain admin from our
> >> > daily login id's. It's been suggested that we run our admin tools and id's
> >> > on Metaframe, because they don't want us using runas on our desktops.
> >> > Metaframe worries me a little because there are other non-admin people
> >> > using the same system, and who knows what they are doing..
> >> > So I guess my question is, if one MF session got a virus of some kind can
> >> > it interact with any of the other sessions? So if I'm on as an admin, and
> >> > user b picks something up, can the user b session get into my session?
> >> > Has anyone else had to do this, and what did you do?
> >> >
> >> > Thanks
> >> > John
> >> >
> >> >
> >>
> >>
> >
> >
>
>


