Re: Spying in a corporate environment

On 22-Nov-07, at 8:47 AM, Ansgar -59cobalt- Wiechers wrote:

> On 2007-11-22 Mario DeBono wrote:
> > If you have a 2003 domain enforce group policies and restrict access
> > to certain windows components. I presume even if a user has admin
> > rights on a pc, he should not be able to over right the group
> > policies, if he is not so keen to remove the policies from the pc
> > himself.
>
> You're mistaken. A local admin can override policies (at the very  
> least
> for a short while until they are reapplied), and even if that wasn't
> possible (s)he can always log on locally, in which case domain  
> policies
> don't apply at all. The only way to control users with local admin
> privileges is to revoke their local admin privileges. Everything else
> are futile efforts.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq

There are a lot of ways to control and monitor user behaviours outside  
host controls that can be overridden by local administrators.    
Network and gateway AV scanning, content controls at the perimeter,  
proper network segmentation, intelligent use of ACL's .... the list  
goes on.  In most office environments, any harm that is going to be  
done to a pc is brought in by the user to the desktop via the network.

Prevent it from getting to the desktop.  Tie that in with use of a  
variety of network controls and you can dramatically increase the  
safety of your infrastructure.

Cheers,

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"