Security Basics mailing list archives
RE: Rights
From: "Dan Bogda" <dan.bogda () kintera com>
Date: Fri, 30 Jun 2006 11:57:09 -0700
Jim,

Only your company can tell you how much time and effort it is worth. Risk acceptance and mitigation are both business decisions. As you mention, if you can't do a task someone else has to. The cost is extra personnel and decreased productivity, the benefit is improved security. Likewise, in your environment the cost is security and the benefit is less fuss and bother ;)

I.Freecycle.Too,

Since this is a security mailing list, I would think our interests lie in restricting rights in favor of increased security. As Jim mentions though, it's a balancing act. Pick your poison if you will. My only suggestions, if you have to provide power user or local admin rights: make sure you have a simple backup and restore process, good auditing, minimize the valuable data on the desktops and provide other external security controls to mitigate anything that can happen. Giving local admin rights is not as costly if you can easily rebuild a desktop due to user negligence, infection or corruption. I really like Jeffrey Adams' Deepfreeze implementation, nothing is easier than simply rebooting the system. Other tools that make life easier are an IDS to watch for malicious traffic, a file server with regular backups to provide a single point of file management and recovery, scheduled scans to catch infections and regular virus def updates and scans.

Good luck, hope this helps,
Dan

-----Original Message-----
From: Lane, Jim [mailto:Jim.Lane () CIBC com]
Sent: Friday, June 30, 2006 8:25 AM
To: I Freecycle
Cc: security-basics () securityfocus com
Subject: RE: Rights

I've just started work for a large bank as a sysadmin supporting a group of developers. It seems that the custom here is to grant local admin rights to developers and I was able to get myself so designated with a minimal amount of fuss and bother. To my mind this is a classic "pick your poison" sort of choice.
The more hard-nosed you are about this, the more difficult it is for some people to do their jobs, myself being one such. One size doesn't fit all. Some people really are "power users" and tightening up security controls doesn't change that. If users can't make necessary changes then somebody else has to do it for them. How much time and effort is it worth to devote to desktop security? You tell me.

Regards,
Jim Lane

-----Original Message-----
From: I Freecycle [mailto:i.freecycle.too () gmail com]
Sent: June 28, 2006 1:02 PM
To: security-basics () securityfocus com
Subject: Rights

Hello,

I'm wondering how others deal with allowing users rights on work computers. At our school, users aren't normally given Administrator or Power User rights unless it's absolutely necessary. Occasionally we encounter employees and students that don't understand how easily a system can be messed up and the security issues involved nor why we feel it's necessary to operate like this. I would like to know what others do, and what policies they have in place to address these issues.

Thanks,

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Current thread:
- RE: Rights Dan Bogda (Jul 04)
- RE: Rights Lane, Jim (Jul 04)
- Re: Rights DoubleR (Jul 06)
- RE: Rights Lane, Jim (Jul 04)