Wow. Hitting the nail firmly on the head with a sledge hammer there.
I've been toying with the idea of totally encrypting my fixed LAN with
IPSec. I'm still evaluating the availability characteristics of the IPSec
stack on my wireless network (I've only recently moved to a 2.6 kernel on
my gateway). When I'm sure it meets my requirements, then I'll probably
roll it out to the fixed environment and remove the need to modify
services by normal users (how my girlfriend would like to be referred to
as a 'normal user'.)
I've never really liked 'Run As' as a solution on Windows (although
admitedly, most of my experience has been as an observer as opposed to an
operator.) I still need to trust the people I give 'Run As' to, don't I,
not to do anything daft? I'm guessing that you can't tie that ability
down to a single component? Or can you?
It's a bit off-topic now, so I'm happy if replies are off-line.
Kev
-----BEGIN PGP SIGNED MESSAGE-----
"Kevin" == Kevin Sheldrake <kev@electriccat.co.uk> writes:
Kevin> privileged users can write to raw sockets? Perhaps if the XP
Kevin> installation forced the creation of at least one user account
Kevin> and spat out a large alert when someone logged on as
You are right --- the facilities are there. They are just not used.
Kevin> For instance, my girlfriend uses Win2K on a laptop with a
Kevin> wifi card. In order for her to start and stop the built-in
Kevin> IPSec client (required when she switches between wired and
Kevin> wireless), she needs to be a power user of some description.
Kevin> Fine, I'm the administrator so I gave her the capabilities.
Kevin> Now she can let malware act as a power user when it runs -
Kevin> brilliant. On linux, for example, I simply su to start and
Kevin> stop the IPSec and run the rest of my session as a normal
Kevin> user. It's the simple concept of least privilege...
No, on Linux you can do several things:
a) always encrypt everything anyway. (simplies everything)
b) run scripts from dhclient to auto-select things.
c) use "sudo" to let her run a script
d) write a setuid program that does the one task.
Since Win2K, there has been the equivalent of "su". Including the GUI
"Run-As" interface. Is it used? Not that I can tell.
Why not?
This isn't about technology --- it never has been.
It is about letting very brilliant people with no non-MS experience
run the show. They are too smart to bother learning from past mistakes,
even their own.
- --
] "Elmo went to the wrong fundraiser" - The Simpson |
firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net
architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device
driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security
guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQSjpUIqHRg3pndX9AQFfRwQAqvJZtep6edkIDr+LXl26dVenqGrSX+Z3
KvbY5OVK9gUePhS3gLnFUbIIwkWlhI3EQ4JvoLPv8ZO/FvN8DzcEgslh2e8m6kMQ
yc9yFZvaM4vl32vbGBpK883iKCWA6njF7Ky2Fftr8tgeN9LUSxxldKzZk7vy9ndW
iSVY+fgGMFE=
=rIzN
-----END PGP SIGNATURE-----
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
