Balancing Bad Applications vs. Network Security?
Darlok asks: "One of our clients recently purchased a new financial software package from a major vendor for their industry. This is not a small mom-and-pop software house. The problem is, like a lot of industry-specific software, there are a considerable number of bugs. What's shocking is that to work around a problem preventing users from logging on, the manufacturer's recommended solution is to grant -Domain Administrator- privileges to all users, and they refuse (or are unable) to explain that need further (it's bad enough that an increasing amount of software seems to require local administrator privileges). Considering the enormous costs involved, how do you explain to Management that they shouldn't run this software until the problem is resolved -- which could be a long time, costing even more money? How do you balance productivity versus security when ANY productivity would give away the keys to the city? What can make an industry-specific software manufacturer pay attention to larger issues when they already have something of a captive audience?"
Management doesn't want to know the details. Just say there are 'major security concerns'.
You shouldn't usually sacrifice security for productivity, unless you don't need the security. I suppose Windows is a good example of businesses sacrificing security for productivity, though. In most cases they probably get away with it by having firewalls and the like.
A reasonable option in this situation is to give the experts who will use the industry-specific software their own subnet, and save all files to a shared server that then backs up to a server on the regular LAN. The only point of contact should be that file transfer protocol; NOTHING else should be allowed through. Then hire an IT guy to help out the experts, and leave it at that.
Definitely try to whip the vendor into shape, but have you considered running the application in a quarantine area, like a VMware VM?
:-)
It's trivial nowadays at least to set up separate little compartmentalized computers and networks, and though I recognize the carry-cost (virtual services are still supported services and need monitoring and troubleshooting and backups, etc etc), it would at least get around the privilege issue.
If this is totally non-helpful, sorry, it was the only thing I could think of
We were told something similar with a new software package... turns out that a single registry key needed slightly different permissions. I wasn't too impressed with their suggestion that all users need to be administrators either!
I have my own nightmares from trying to support a 3rd party app like that. At this point I would suggest investigating the issue as much as possible. Set up a file request watcher (MS has one, but I can't recall its name), a port sniffer, keep an eye on the Active Directory. Log into the system and see what resources are being accessed that could require that kind of access. Is it updating the AD or trying to use LDAP? Is it performing some process remotely on the server? Is it trying to create/share/access some sort of network resource?
Find out what it is trying to do and open security only for that action to the users.
-Rick
Oracle.
This is a big issue. IANAL, but I think there is a legal case here. You may have signed this away by contract, so...
Under this configuration, there is no way that your company - if publicly traded - can meet the mandated compliance under SOX, etc. This doesn't touch the fact that you have now lowered authorization and access controls to a level that is inferior to MS-DOS.
And why does the DB vendor care? They assume all value is locked under their own controls - and the OS is insignificant. Bad shot. If you are a domain admin, you can always work your way into something - even put a keylogger on the financial controllers desktop, and capture the precious secrets for logging into the system.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
> how do you explain to Management that they shouldn't run this software until the problem is resolved
"What would you do if you got the door to the breakroom replaced, no one could open it, and the manufacturer's solution was 'Give every single employee a copy of the Master Key for the entire building'?? Well, it's 100 times worse than that."
Speaking as someone who has had to support software written by people with no concept of security, if it is even remotely doable, even if it means a fair amount of work, take that machine off the domain. Jail and firewall the everloving snot out of it, don't let any data into it except through very controlled routes, and don't give it any privileges on the network, then give it all the admin rights it needs. Basically, just change it from a piece of software into an entire dedicated appliance.
Although you could spend the time to try and fix their problems, this kind of thing will come up over and over again. You'll save yourself time and effort if you nail it down now.
Note: IANAL
> One of our clients recently purchased a new financial software package
> from a major vendor for their industry.
When a business purchases software (or anything else) the manufacturer implicitly warrants that the item is suitable for its intended purpose.
> What's shocking is that to work around a problem preventing users
> from logging on, the manufacturer's recommended solution is to grant
> -Domain Administrator- privileges to all users, and they refuse
> (or are is unable) to explain that need further
Time for the client firm to call in the lawyers. Write up a formal document explaining that this is unacceptable from a security standpoint. Period.
That your firm cannot and will not accept -any- responsibility for anything that goes wrong if the client's management uses the software in this fashion.
Then write up a formal recommendation that the company either (A) sue the vendor or (B) place the payment for the software in an escrow account, and explain it will be turned over in payment only after the software is made usable by fixing the defects. Choice B is a standard option in dispute resolution; it demonstrates that the client party has every intention of paying, but not until the responsibilities of the vendor are met.
Have -your- firm's lawyers look over all these documents and recommendations carefully, and put the right spin on it.
> Considering the enormous costs involved, how do you explain to Management
> that they shouldn't run this software until the problem is resolved --
> which could be a long time, costing even more money?
Lay out the business details. Explain to them that under current federal law, the -management- of the client firm will be assuming any and all liability for using insecure software against all the recommendations of your firm's people.
However, even with all this, the client's management may choose to give away the keys. Cover your own asses. If you support the client in this, you may be liable. In situations like this, the client may choose to go full steam ahead; you can't stop them, you can only CYA.
Speak their language. Management types, around half the time, hear "security concern" and think you're some overstuffed loser with delusions of grandeur, afraid of THE HACKERS who care, at all, about your data. The other half are of the same ilk, but think you're suffering from a guilty conscience and are the "hacker" they need to worry about. Instead, warn them the security risks open the way for buzzword storms. Viruses! Worms! SPYWARE! SPAMMERS! Crashing servers! Cats and dogs, living together! Breaking Windows!
"It'll never happen to us!" is a mantra of the generation. It's what keeps sex feeling real, condomless good. It's what keeps us smoking those feel-nice cigarettes. It's what has us drive after that third beer. And, it's what has us open up port 3389 and upchuck admin privs to every dipshit who uses their first name and the number "1" as a password. Speak to their experience, and don't tell them what they want to hear (that you're a self-important geek.)
Tell them what they're most afraid of hearing.
Put the application in its own domain.
Here are some ideas you (and your management) can pursue, simultaneously if need be. Oh yeah, IANAL, but I've dealt with plenty of them.
1) See if you can figure out what requires Domain Admin access - usually it's file or registry issues. SysInternals RegMon and FileMon are excellent for spotting these - you just run the program with regular user privileges, and watch to see which requests fail.
2) If this is a large, contract-licensed piece of software, look to see if the contract's been breached. Even if the vendor indemnifies themselves thoroughly, a good lawyer might scare them into compliance - you never know which contract provisions a judge may find unenforceable. I've seen really strange things happen in court (both good and bad). If you're working with the vendor, you can use the "look, you've sold us unusable software - you have to either fix it now, or I have to turn this over to legal so they can get our money back, and try to recover compensation for the time and resources we've wasted" card. Don't rant and rave and scream and threaten - just be a nice, reasonable person and explain that they're not leaving you any alternatives. You need working software or you need compensation. Only a very stupid or very cocky vendor will refuse to work with you - nobody wants to be dragged into court. And you really don't want to go to court either, but you can't afford to get screwed.
3) Another possible route is to get them to put in writing that their software will only run with Domain Admin privileges or whatever. Tell them you just need it to cover your own butt. At that point, you can get your management to sign off on it as well, thus covering your butt completely, or your management can use it to help show they negotiated in bad faith while selling your company the software.
Whatever you do, don't let a vendor bully you into doing something stupid that violates your responsibilities as an admin.
Enjoy.
Is it feasible to set up a domain for the software to run in? It's not a good answer, I know, but it may work, and the costs involved will probably be trivial if the software is critical enough.
I must admit, however, I'm having an incredibly hard time imagining what this software could be doing that requires Domain Administrator privileges. Poorly written doesn't even cover it.
I don't mean really to be obscure, or provocative.
Just think about what these things mean. Assume the real believer's position. Swearing on the Bible is a promise to God, by God, before God. You don't make that promise lightly, nor if you do not intend to carry it out. If you find an inherent contradiction in the promise you are making - do not lie to God, and make it anyway.
The Bible has many strange and contradictory injunctions - especially if these are read as literal - or approached merely intellectually. Literally, intellectually, the Bible does NOT say "marriage" is between a man and a woman. The biblical position of Abraham and others is that marriage is between a man and two or more women. Also, eating shellfish is an abomination in the eyes of the Lord - equal in approbation to homosexuality.
A true christian believer, who takes the statements of Jesus to heart, will have little or nothing to do with the "Old Testament". The laws of Deuteronomy and Leviticus were written by the very Temple priests that Jesus decried and vilified. The covenant of Moses was superseded by the revelation of Jesus.
Matthew 26:28:
This is my blood of the new covenant, which is poured out for many for the forgiveness of sins.
Forgiveness of sins. Not the license to condemn others, by old religious law.
So. With discursion these are some points that ought to be of concern to a believer who constantly interrogates their own sincerity.
I am not a christian believer - but I do try to interrogate myself over my own sincerity. This is the way to the truth. Seeking this is the true aim of any religion in its enlightened form.
There is a simple solution to getting the problem fixed. Just post the name of the software package, software company name, and link to their website. Slashdotters will ruin their reputation. And the hackers will find the network exploits that almost certainly exist in that package (and have instant Domain Administrator privilege). The company will either fix the problem or go out of business.
now we need to go OSS in diesel cars
"I've always been a bit confused as to how religious Christians pick which parts of the old testament are still valid."
Usually, the parts endowing one's prejudices and fears with divine authority.
But it doesn't address the fact that every user of the system (assuming a DB of some sort here) would be able to go in and screw up the application. If everyone using it is a domain admin, then they are able to change everyone else's passwords, then log in, screw with the data, and leave. They may not be able to do that outside that particular domain, but now that application is still useless 'cause you can't trust its data.
Try RunAs instead. http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx
What do you think?
> A reasonable option in this situation is to give the experts who will use the industry specific software their own subnet; and save all files to a shared server that then backs up to a server on the regular LAN.
If this financial software package is as expensive as "Darlok" makes it out to be, then just go to your local Microsoft rep and purchase a bunch of seats for a new Domain - the cost of the new seats would probably pale in comparison to the cost of the financial software package.
Then let their secondary accounts all be Admins within their own little domain, but with no special rights to the larger Active Directory tree.
Or do that old thing with NT 4.0 Domains, where Domain A trusts Domain B, but Domain B doesn't trust Domain A.
Or create two separate domains entirely [with no ambient Active Directory tree and no trust relationships], and just make everyone memorize two different user names and two different passwords.
That'll get management's attention.
Sage Software (formerly Best)
Full read/write permissions in the Windows folder for Crystal Report libraries.
Full read/write permissions on the program directories.
Disable real-time virus scanning of the program directories.
The read/write permissions aren't even documented because you can--and this is a direct quote from support--"just make the user a local admin."
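An added example, not from any post in this thread: a PowerShell script that turns a Process Monitor CSV export (the successor to the RegMon/FileMon approach suggested earlier) of the app's failed accesses into scoped folder and registry grants, which is the "find out what it is trying to do and open security only for that action" approach applied to a Sage-style requirement list like the one above. The process name finapp.exe, the group DOMAIN\FinanceApp-Users and the log rows are placeholders and constructed sample data.

```powershell
# Added example (not from the thread): turn a Process Monitor CSV export into a
# least-privilege ACL plan instead of making every user an administrator.
# Assumptions: the app was run as a normal user while Procmon captured, the log
# was saved with File > Save as CSV, and process/group names are placeholders.
param(
    [string]$LogCsv      = '.\procmon-denied.csv',
    [string]$AppGroup    = 'DOMAIN\FinanceApp-Users',  # placeholder group
    [string]$ProcessName = 'finapp.exe'                # placeholder process
)

# Constructed sample rows in Procmon's CSV column layout, used if no log exists.
if (-not (Test-Path $LogCsv)) {
@'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","finapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\VendorX\FinApp","ACCESS DENIED","Desired Access: All Access"
"9:01:02.2","finapp.exe","4120","CreateFile","C:\Program Files\VendorX\FinApp\cache.dat","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.3","finapp.exe","4120","CreateFile","C:\Windows\crpe32.dll","SUCCESS","Desired Access: Generic Read"
"9:01:02.4","explorer.exe","1200","CreateFile","C:\Users\alice\foo","ACCESS DENIED","Desired Access: Generic Write"
'@ | Set-Content -Path $LogCsv
}

# Keep only this application's denied operations; other processes are noise.
$denied = Import-Csv $LogCsv |
    Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' }

# Collapse file hits to their directory and registry hits to their key, then dedupe.
$fileDirs = $denied | Where-Object { $_.Path -notmatch '^HK' } |
    ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique
$regKeys  = $denied | Where-Object { $_.Path -match '^HK' } |
    ForEach-Object { $_.Path } | Sort-Object -Unique

# Emit the scoped grants as a plan for review; nothing is applied by this script.
foreach ($d in $fileDirs) {
    # (OI)(CI)M = Modify on the folder, inherited by existing and future children.
    "icacls `"$d`" /grant `"$AppGroup`":(OI)(CI)M"
}
foreach ($k in $regKeys) {
    # Map Procmon's HKLM\... notation to the PowerShell registry provider path.
    $psPath = $k -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
    "`$acl  = Get-Acl '$psPath'"
    "`$rule = New-Object System.Security.AccessControl.RegistryAccessRule('$AppGroup','SetValue,CreateSubKey,ReadKey','ContainerInherit','None','Allow')"
    "`$acl.AddAccessRule(`$rule); Set-Acl '$psPath' `$acl"
}
```

Review the emitted plan before running it: a grant that lands on C:\Windows or HKLM\SOFTWARE itself is the vendor's problem showing through, and should be narrowed to the vendor's own folder or key rather than applied as-is.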
..that I have been saying for a while that software sucks. Most Windows software requires local admin rights to get anything done these days. So many wankers keep correcting me and saying "we run a large enterprise site and we don't need to give our users any admin rights".
What they neglect to say is that they also don't give their users any more than a basic suite of apps like Office and a web browser. When the user needs more (specialised software) there is usually an uphill battle against some anal retentive Windows admin (who should have stayed in his parents' basement) and the staff who need some software that needs local admin. Usually the BOFH wins and the staff are left going without, again.
Fortunately where I work they have realised this and we can pretty much do whatever we want. The admin understands that most users are savvy enough to not bollocks things, and most of the time things don't get bollocksed. I think I work for a bunch of weirdos though because they're the only place who will actually give me local admin on my box.
Also, fortunately for me, I admin a Unix server so the joys of Winbites don't come up to haunt me too often... yay!
I think that you should explain to your boss that giving users of moderate computing skill domain-level admin privs is just asking for trouble if a worm or virus makes its way into your network. Just explain that if they don't have admin rights then the damage is localised to their files on their PC. If they have admin rights the damage can potentially spread to every PC in the enterprise VERY easily!
Get onto the software company and cancel the cheque/credit card payment. You wouldn't pay for a car that required you to leave your garage unlocked 100% of the time. Why pay for their shit software? For a "large" operation, they certainly sound like a two-bit shit box of a company!
Threaten the sales guy whose commission is on the line: tell him you'll sue for a defective product if they don't accept a return of the licenses. Nothing will scream louder than someone who will have to return part of his paycheck if someone else doesn't follow through with resolving a problem that is their job to fix.