Slashdot Mirror
Balancing Bad Applications vs. Network Security?
Darlok asks: "One of our clients recently purchased a new financial software package from a major vendor for their industry. This is not a small mom-and-pop software house. The problem is, like a lot of industry-specific software, there are a considerable number of bugs. What's shocking is that to work around a problem preventing users from logging on, the manufacturer's recommended solution is to grant -Domain Administrator- privileges to all users, and they refuse (or are is unable) to explain that need further (it's bad enough that an increasing amount software seems to require local administrator privileges). Considering the enormous costs involved, how do you explain to Management that they shouldn't run this software until the problem is resolved -- which could be a long time, costing even more money? How do you balance productivity versus security when ANY productivity would give away the keys to the city? What can make an industry-specific software manufacturer pay attention to larger issues when they already have something of a captive audience?"
We were told something similar with a new software package... turns out that a single registry key needed slightly different permissions. I wasn't too impressed with their suggestion that all users need to be administrators either!
Yeah. Or isolate on a Citrix / Term Serv box, and buplish only over ICA/RDP.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
I am just mitigating an oracle financials app that is hard-coded to have read/write access to files in the windows/system folder. Locally and on the server! Yowch.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Is it feasible to set up a domain for the software to run in? It's not a good answer, I know, but it may work, and the costs involved will probably be trivial if the software is critical enough.
I must admit, however, I'm having an incredibly hard time imagining what this software could be doing that requires Domain Administrator privileges. Poorly written doesn't even cover it.
Slashdot - where whining about luck is the new way to make the world you want.
I don't mean really to be obscure, or provocative.
Just think about what these things mean. Assume the real believer's position. Swearing on the Bible is a promise to God, by God, before God. You don't make that promise lightly, nor if you do not intend to carry it out. If you find an inherent contradiction in the promise you are making - do not lie to God, and make it anyway.
The Bible has many strange and contradictory injunctions - especially if these are read as literal - or approached merely intellectually. Literally, intellectually, the Bible does NOT say "marriage" is between a man and a woman. The biblical position of Abraham and others is that marriage is between a man and two or more women. Also, eating shellfish is an abomination in the eyes of the Lord - equal in approbation to homosexuality.
A true christian believer, who takes the statements of Jesus to heart, will have little or nothing to do with the "Old Testament". The laws of Deuteronomy and Leviticus were written by the very Temple priests that Jesus decried and vilified. The covenant of Moses was superceded by the revelation of Jesus.
Matthew 26:28:
This is my blood of the new covenant, which is poured out for many for the forgiveness of sins.
Forgiveness of sins. Not the license to condemn others, by old religious law.
So. With discursion these are some points, that ought to be of concern to a beleiver, who constantly interrogates their own sincerity.
I am not a christian believer - but I do try to interrogate myself over my own sincerity. This is the way to the truth. Seeking this is the true aim of any religion in its enlightened form.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
You could also create a domain for users of that application only. Use VLANs and install a small domain controller. Prevent any cross-contamination between the two domains.
After that, just let the users have at it. Most likely, they won't fuck up too bad. And their curosity to go sniffing around will be sated once they find that all that's out there is X-number of PCs exactly like theirs. No e-mail. No personal documents. No pr0n.
Give those users a laptop or another desktop with a KVM switch so they can access the companies' real domain when they need to. Just make sure the wallpapers on the secure box show that they don't need to be fucking around.
I'd rather you do it wrong, than for me to have to do it at all.
Try RunAs instead.w indows/xp/all/proddocs/en-us/runas.mspx
What do you think?
http://www.microsoft.com/resources/documentation/
SCIREV.NET - fanfics,reviews & more
I have had to accept Local Admin for their WS. This is done by machine GPOs, with a machine startup script that add them for the duration of the session: /ADD Administrators INTERACTIVE
NET LOCALGROUP
They are local admin, until logoff. This doesn't extend the privilege to any kind of Remote Auth (unless you count terminal services), and the user can't access C$ across the net to another host where they may also be logged in.
It's a compromise, and I noted the risks in my report.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
You need simple analogies to explain this to management.
:)
In the next meeting ask the boss for his house keys, then proceed to explain that you will now make copies of his house keys and along with directions to his house pass out the key copies to all employees.
When he freaks out explain this is the same as granting domain admin access to the systems.
That should help explain the importance of security
Threaten to the sales guy who's commission is on the line if you threaten to sue for a defective product if they don't accept a return of the licenses. Nothing will scream louder than someone that will have to return part of his paycheck if someone else doesn't follow through with resolving a problem that is their job to fix.
Your comment would have been helpful had your lawyer's firm not been totally owned because the Lexis Nexis firm management software that they rely on works in exactly the same fashion.
.exe to their local desktop so that everyone else loses access to the app. Doh! LOL!!!
Administrator privileges required on the workstation, sucks but common. Administrator privileges required on the server, totally ridiculous and unacceptable but, also increasingly common.
The moronic developers sales droids of these apps say; 'Oh, don't worry, we have security built into the application.' Translated, this means yet another directory for the admin to have to manage and yet another password for the users to remember or paste on their monitor. All this as opposed to integrating security into the existing enterprise directory(NDS, ADS, LDAP). But none of this "security" prevents the casual user from accidentally deleting the database file containing 5 years worth of mission critical business data! Or my favorite, dragging the
I remember way back in the "old days" of the mid 90's when Novell was used for the servers and applications came with a page or two of installation instructions for setting file access privileges for the apps. Read, File Scan, and Executable access for EXE's and DLL's. Modify and Delete Inhibit access to the data files. Create and Erase access for administrators only. Every app beyond shareware came like that. Then Microsoft came along and now nothing works with Everyone Full Control, Microsoft's default security setting.