Slashdot Mirror

← Back to Stories (view on slashdot.org)

Balancing Bad Applications vs. Network Security?

Posted by ryuzaki0 on from the rocks-and-hard-places dept.

Darlok asks: "One of our clients recently purchased a new financial software package from a major vendor for their industry. This is not a small mom-and-pop software house. The problem is, like a lot of industry-specific software, there are a considerable number of bugs. What's shocking is that to work around a problem preventing users from logging on, the manufacturer's recommended solution is to grant -Domain Administrator- privileges to all users, and they refuse (or are is unable) to explain that need further (it's bad enough that an increasing amount software seems to require local administrator privileges). Considering the enormous costs involved, how do you explain to Management that they shouldn't run this software until the problem is resolved -- which could be a long time, costing even more money? How do you balance productivity versus security when ANY productivity would give away the keys to the city? What can make an industry-specific software manufacturer pay attention to larger issues when they already have something of a captive audience?"

3 of 93 comments (clear)

  1. I wonder if it's the same app... by RingDev · · Score: 5, Informative

    I have my own nightmeres from trying to support a 3rd party app like that. At this point I would suggest investigating the issue as much as possible. Set up a file request watcher(MS has one, but I can't recall its name), a port sniffer, keep an eye on the Active Directory. Log into the system and see what resources are being access that could require that kind of access. Is it updating the AD or trying to use LDAP? Is it performing some process remotely on the server? Is it trying to create/share/access some sort of network resource?

    Find out what it is trying to do and open security only for that action to the users.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  2. Let's name NAMES by Philip+K+Dickhead · · Score: 5, Informative

    Oracle.

    This is a big issue. IANAL, but I think there is a legal casse here. You may have signed this away by contract, so...

    Under this configuration, there is no way that you company - if publicly traded - can meet the mandated compliance under SOX, etc. This doesn't touch the fact that you have now lowered authorization and access controls to a level that is inferior to MS-DOS.

    And why does the DB vendor care? They assume all value is locked under their own controls - and the OS is insignificant. Bad shot. If you are a domain admin, you can always work your way into something - even put a keylogger on the financial controllers desktop, and capture the precious secrets for logging into the system.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  3. Re:Simple terms. by Philip+K+Dickhead · · Score: 5, Insightful

    Explain to them that they cannot acheive SOX compliance, and that violations are punishable by jail-terms for responsible c-level officers.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell