
Balancing Bad Applications vs. Network Security?

Darlok asks: "One of our clients recently purchased a new financial software package from a major vendor for their industry. This is not a small mom-and-pop software house. The problem is, like a lot of industry-specific software, there are a considerable number of bugs. What's shocking is that to work around a problem preventing users from logging on, the manufacturer's recommended solution is to grant -Domain Administrator- privileges to all users, and they refuse (or are unable) to explain that need further (it's bad enough that an increasing amount of software seems to require local administrator privileges). Considering the enormous costs involved, how do you explain to Management that they shouldn't run this software until the problem is resolved -- which could be a long time, costing even more money? How do you balance productivity versus security when ANY productivity would give away the keys to the city? What can make an industry-specific software manufacturer pay attention to larger issues when they already have something of a captive audience?"

6 of 93 comments

  1. Sounds familiar by karlto · · Score: 4, Interesting

    We were told something similar with a new software package... turns out that a single registry key needed slightly different permissions. I wasn't too impressed with their suggestion that all users need to be administrators either!

  2. Re:Give management an option by Philip+K+Dickhead · · Score: 3, Interesting

    Yeah. Or isolate on a Citrix / Term Serv box, and publish only over ICA/RDP.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell

  3. Re:Let's name NAMES by Philip+K+Dickhead · · Score: 3, Interesting

    I am just mitigating an Oracle Financials app that is hard-coded to have read/write access to files in the windows/system folder. Locally and on the server! Yowch.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell

  4. Re:Another NAME by Philip+K+Dickhead · · Score: 3, Interesting

    I have had to accept Local Admin for their WS. This is done by machine GPOs, with a machine startup script that adds them for the duration of the session:
    NET LOCALGROUP /ADD Administrators INTERACTIVE

    They are local admin, until logoff. This doesn't extend the privilege to any kind of Remote Auth (unless you count terminal services), and the user can't access C$ across the net to another host where they may also be logged in.

    It's a compromise, and I noted the risks in my report.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
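An added PowerShell example (not from any poster in this thread) covering comment 1's fix and comment 4's compromise: it grants one group write access to the single registry key an application needs, instead of making users administrators, and it audits whether INTERACTIVE (or another catch-all group) has been placed into the local Administrators group. The key path and the group name are placeholders, not values from the thread.

```powershell
# Added example, not from the thread. Replace the placeholders with the key
# the application actually fails on (found with Process Monitor or the
# application's own error) and the group its users belong to.
$KeyPath   = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_APP'   # hypothetical key
$Principal = 'BUILTIN\Users'                                        # group to grant

function Grant-RegistryKeyWrite {
    # Least-privilege alternative to "make everyone an administrator":
    # allow $Identity to read and write values under one key (and its
    # subkeys) and nothing else.
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -Path $Path)) { throw "Registry key not found: $Path" }
    $rights = [System.Security.AccessControl.RegistryRights]::ReadKey -bor
              [System.Security.AccessControl.RegistryRights]::SetValue -bor
              [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Identity, $rights, 'ContainerInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-BroadAdminMembers {
    # Detection for the startup-script workaround: returns any member of the
    # local Administrators group that effectively makes every logged-on user
    # an administrator (INTERACTIVE, Authenticated Users, Everyone).
    $broad = 'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $broad -contains $_.Name }
}

$found = Get-BroadAdminMembers
if ($found) {
    Write-Warning ("Every interactive logon on this host is a local administrator via: " +
                   ($found.Name -join ', '))
}

Grant-RegistryKeyWrite -Path $KeyPath -Identity $Principal
(Get-Acl -Path $KeyPath).Access | Where-Object { $_.IdentityReference -eq $Principal }
```

Run it elevated on a workstation after the vendor's workaround has been applied; the warning tells you whether the INTERACTIVE grant is still in place, and the final line shows the narrow ACE that replaces it.
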

  5. Re:Simple terms. by mork · · Score: 4, Interesting

    You need simple analogies to explain this to management.
    In the next meeting ask the boss for his house keys, then proceed to explain that you will now make copies of his house keys and along with directions to his house pass out the key copies to all employees.
    When he freaks out explain this is the same as granting domain admin access to the systems.

    That should help explain the importance of security :)