Re: removing domain admin daily id's

From: John M (sdkfj_at_microsoft.com)
Date: 11/10/04


Date: Wed, 10 Nov 2004 12:30:05 -0600

ok thanks for the advice

"Marco" <tired.of.spam@hotmail.com> wrote in message
news:eO%23kb80xEHA.1308@TK2MSFTNGP09.phx.gbl...
> technically there is little difference, unless you can somewhat guarantee
> that the MF boxes are more secure than your desktop. My guess is that they
> want you to use a different machine because sysadmins can, and often do,
> break company policies as their PCs are the least secure .. hence running
> from a "clean" box has its advantages.
>
> Marco
>
> --
> Free five computers' license for NeoExec for Active Directory
> [ www.neovalens.com ]
> ----
>
>
> "John M" <sdkfj@microsoft.com> wrote in message
> news:OzvdAg0xEHA.1392@TK2MSFTNGP14.phx.gbl...
> > so basically I'm trying to figure out if using runas on my desktop or
> > running a metaframe session as domain is the same thing or is one better
> > than the other
> >
> > "Marco" <tired.of.spam@hotmail.com> wrote in message
> > news:OKAOPa0xEHA.3224@TK2MSFTNGP14.phx.gbl...
> >> Hi John,
> >>
> >> I am a bit puzzled by the proposed solution: running as domain admin on MF
> >> is not much better than running as domain admin on your desktop -- as you
> >> could compromise both. MF environments are usually better controlled than
> >> desktops but as long as you are a domain admin (hence local admin on the
> >> box) you are both vulnerable to malware and can mess up the box yourself.
> >>
> >> >> So if I'm on as an admin, and user
> >> > b picks something up, can the user b session get into my session?
> >>
> >> I think that the problem is more the other way around: you, logged in as
> >> admin, are more likely to pick up something and damage the system, not users
> >> running with limited privileges.
> >>
> >> The answer to your other question is yes, a kernel mode virus can hijack any
> >> session -- tricky but it can be done.
> >>
> >> The real difference I see is restricting the usage of the privileged account
> >> for tasks that really require it: do you really need to run IE or Outlook
> >> while logged in as Domain Admin? forcing you to use a second account,
> >> perhaps on a clean machine, is somewhat better, but not that much.
> >>
> >> cheers,
> >>
> >> Marco
> >>
> >> --
> >> Free five computers' license for NeoExec for Active Directory
> >> [ www.neovalens.com ]
> >>
> >> ----
> >> "John M" <sdkfj@microsoft.com> wrote in message
> >> news:uHWHz8zxEHA.1404@TK2MSFTNGP11.phx.gbl...
> >> > We are doing a security project here, that removes domain admin from our
> >> > daily login id's. It's been suggested that we run our admin tools and id's
> >> > on Metaframe, because they don't want us using runas on our desktops.
> >> > Metaframe worries me a little because there are other non-admin people using
> >> > the same system, and who knows what they are doing..
> >> > So I guess my question is, if one MF session got a virus of some kind can it
> >> > interact with any of the other sessions? So if I'm on as an admin, and user
> >> > b picks something up, can the user b session get into my session?
> >> > Has anyone else had to do this, and what did you do?
> >> >
> >> > Thanks
> >> > John
> >> >
> >> >
> >>
> >>
> >
> >
>
>
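Marco's point is that the useful control is not which box the admin id logs on to, but whether that id ever runs things like IE or Outlook. The script below is an added example written for this thread, not code posted by anyone in it: run on a desktop or on a shared Metaframe/terminal server, it lists every process owned by a privileged account (across all sessions, so the SessionId column shows which logon it belongs to) and flags the ones that are everyday applications rather than admin tools. The account names in $PrivilegedAccounts and the process list in $RiskyProcesses are placeholders to replace with your own; the Win32_Process class and its GetOwner method are standard WMI/CIM and need no extra modules.

```powershell
# Added example (not from the newsgroup thread). Flags "daily driver" apps that
# are running under a privileged (e.g. Domain Admin) account on this box.
# Assumptions: the account names below are placeholders for your own admin ids.
param(
    [string[]]$PrivilegedAccounts = @('CONTOSO\john-da', 'CONTOSO\marco-da'),   # placeholder ids
    [string[]]$RiskyProcesses    = @('iexplore.exe', 'outlook.exe', 'winword.exe',
                                      'excel.exe', 'msedge.exe', 'firefox.exe', 'chrome.exe')
)

# Enumerate every process on the machine; on a terminal server this covers
# all logged-on sessions, not just the one running the script.
$findings = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($owner.ReturnValue -ne 0) { continue }            # System/Idle processes have no owner
    $account = '{0}\{1}' -f $owner.Domain, $owner.User
    if ($PrivilegedAccounts -notcontains $account) { continue }

    [pscustomobject]@{
        Account   = $account
        SessionId = $p.SessionId                           # which logon session owns it
        ProcessId = $p.ProcessId
        Name      = $p.Name
        Risky     = ($RiskyProcesses -contains $p.Name)    # browser/mail/office under an admin token
    }
}

$findings | Sort-Object Risky -Descending | Format-Table -AutoSize

$risky = @($findings | Where-Object Risky)
if ($risky.Count -gt 0) {
    Write-Warning ("{0} process(es) such as IE/Outlook are running under a privileged account" -f $risky.Count)
}
```

Run it as an administrator so GetOwner succeeds for other users' processes. The same check applies whether the admin id is used through runas on a desktop or through a Metaframe session: an empty result is what "only use the privileged account for tasks that require it" looks like in practice, and a non-empty one is the exposure Marco describes.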