IDS mailing list archives

RE: IDS and Spywares


From: "Omar Herrera" <oherrera () prodigy net mx>
Date: Mon, 17 Oct 2005 13:52:35 +0100

Hi Justin,

-----Original Message-----
From: Justin Shore [mailto:justin.shore () sktbcs com]
Sent: Monday, October 17, 2005 4:55 AM
To: Matt Jonkman; Omar A. Herrera
Cc: focus-ids () securityfocus com; vipul kumra; dhruv_ymca () yahoo com;
neelabhsharma1 () gmail com
Subject: RE: IDS and Spywares

There is an extremely easy solution to this problem.  Remove local
administrative rights from users' PCs.  There is absolutely no reason
whatsoever for a user in a corporate environment to have local admin
rights if they aren't actually a sysadm.  In a home environment there is
absolutely no reason for a user to be a local admin all the time.  Remove
this capability for the residential-grade OSs and make users utilize the
Run As feature of XP and 2000.  Better yet make this process automatic
like in OS X.  There is no reason in this day and age for users to need
constant local admin access, if they need local admin access, period.

I totally agree with you, and I use privilege restrictions a lot (O.S.-based
privilege restrictions, that is). But usually the rights of common users
(enforced by the O.S.) are enough to create some harm. That is, we don't
just want to restrict their privileges but also make sure they don't shoot
themselves in their feet by abusing those privileges.

A common example: some users are able to navigate on the web. From a
FW/nIDS/nIPS point of view those users might just need ports TCP 80 and 443
open for outbound communication, but from an O.S. point of view you can only
put very general restrictions (i.e. if they are able or not to open sockets
from network communication).

Malware can easily work in this restricted environment, so you need
something else. A PFW that restricts outbound connections to certain
applications or hIPS that is able to stop any unauthorized software are
examples of how you can extend the security provided by O.S. privilege
restrictions. Host-based IDS are also able to detect execution of
unauthorized software.

Kind regards,

Omar Herrera 
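As an added illustration of the point made above (this is not code from the thread or from any of its participants): a minimal host-side check of the kind a personal firewall or host IPS/IDS performs, pairing an application-level outbound policy with an execution allowlist. The executable paths, the policy and the event records are constructed sample data.

```python
from dataclasses import dataclass

# Constructed policy: which executables may open outbound TCP connections, and
# to which ports. OS privilege levels cannot express this per application.
EGRESS_POLICY = {
    r"c:\program files\internet explorer\iexplore.exe": {80, 443},
    r"c:\program files\mozilla firefox\firefox.exe": {80, 443},
    r"c:\program files\microsoft office\office11\outlook.exe": {25, 110, 143},
}
# Constructed allowlist of executables a non-admin user may run at all.
EXEC_ALLOWLIST = set(EGRESS_POLICY) | {r"c:\windows\system32\notepad.exe"}

@dataclass(frozen=True)
class HostEvent:
    kind: str       # "exec" (process start) or "connect" (outbound TCP)
    user: str
    image: str      # full path of the executable, as logged by the host agent
    dport: int = 0  # destination port; only meaningful for "connect"

def evaluate(event: HostEvent) -> tuple[str, str]:
    """Return (verdict, reason); verdict is "allow", "block" or "alert"."""
    image = event.image.lower()
    if event.kind == "exec":
        if image in EXEC_ALLOWLIST:
            return "allow", "approved application"
        return "alert", f"unauthorized software executed by {event.user}"
    if event.kind == "connect":
        ports = EGRESS_POLICY.get(image)
        if ports is None:
            return "block", "application has no outbound permission"
        if event.dport not in ports:
            return "block", f"tcp/{event.dport} not permitted for this application"
        return "allow", "permitted application and port"
    return "alert", f"unknown event kind {event.kind!r}"

# Constructed sample events: a normal browsing session, then a program run from
# the user's temp directory that reaches out on tcp/80. A port-only firewall
# rule would let that connection through because the browser needs tcp/80.
TMP = r"C:\Documents and Settings\alice\Local Settings\Temp\update.exe"
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [
    HostEvent("exec", "alice", FF),
    HostEvent("connect", "alice", FF, 443),
    HostEvent("exec", "alice", TMP),
    HostEvent("connect", "alice", TMP, 80),
    HostEvent("connect", "alice", FF, 6667),  # approved app, unapproved port
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.kind, ev.image, ev.dport, *evaluate(ev))
```

The last two sample events are the cases a port-based rule set misses: an unapproved binary using an approved port, and an approved binary using an unapproved port.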

