Balancing Bad Applications vs. Network Security?
Darlok asks: "One of our clients recently purchased a new financial software package from a major vendor for their industry. This is not a small mom-and-pop software house. The problem is, like a lot of industry-specific software, there are a considerable number of bugs. What's shocking is that to work around a problem preventing users from logging on, the manufacturer's recommended solution is to grant -Domain Administrator- privileges to all users, and they refuse (or are unable) to explain that need further (it's bad enough that an increasing amount of software seems to require local administrator privileges). Considering the enormous costs involved, how do you explain to Management that they shouldn't run this software until the problem is resolved -- which could be a long time, costing even more money? How do you balance productivity versus security when ANY productivity would give away the keys to the city? What can make an industry-specific software manufacturer pay attention to larger issues when they already have something of a captive audience?"
Management doesn't want to know the details. Just say there are 'major security concerns'.
You shouldn't usually sacrifice security for productivity, unless you don't need the security. I suppose Windows is a good example of businesses sacrificing security for productivity, though. In most cases they probably get away with it by having firewalls and the like.
Definitely try to whip the vendor into shape, but have you considered running the application in a quarantine area, like a VMware VM?
:-)
It's trivial nowadays at least to set up separate little compartmentalized computers and networks, and though I recognize the carry-cost (virtual services are still supported services and need monitoring and troubleshooting and backups, etc.), it would at least get around the privilege issue.
If this is totally non-helpful, sorry, it was the only thing I could think of.
how do you explain to Management that they shouldn't run this software until the problem is resolved
"What would you do if you got the door to the breakroom replaced, no one could open it, and the manufacturer's solution was 'Give every single employee a copy of the Master Key for the entire building'?? Well, it's 100 times worse than that."
There is a simple solution to getting the problem fixed. Just post the name of the software package, software company name, and link to their website. Slashdotters will ruin their reputation. And the hackers will find the network exploits that almost certainly exist in that package (and have instant Domain Administrator privilege). The company will either fix the problem or go out of business.
now we need to go OSS in diesel cars