From: Kevin Sheldrake (kev@electriccat.co.uk)
Date: Tue Aug 24 2004 - 12:41:39 EDT
Wow. Hitting the nail firmly on the head with a sledge hammer there.
I've been toying with the idea of totally encrypting my fixed LAN with
IPSec. I'm still evaluating the availability characteristics of the IPSec
stack on my wireless network (I've only recently moved to a 2.6 kernel on
my gateway). When I'm sure it meets my requirements, then I'll probably
roll it out to the fixed environment and remove the need to modify
services by normal users (how my girlfriend would like to be referred to
as a 'normal user'.)
I've never really liked 'Run As' as a solution on Windows (although
admitedly, most of my experience has been as an observer as opposed to an
operator.) I still need to trust the people I give 'Run As' to, don't I,
not to do anything daft? I'm guessing that you can't tie that ability
down to a single component? Or can you?
It's a bit off-topic now, so I'm happy if replies are off-line.
Kev
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
>>>>>> "Kevin" == Kevin Sheldrake <kev@electriccat.co.uk> writes:
> Kevin> privileged users can write to raw sockets? Perhaps if the XP
> Kevin> installation forced the creation of at least one user account
> Kevin> and spat out a large alert when someone logged on as
>
> You are right --- the facilities are there. They are just not used.
>
> Kevin> For instance, my girlfriend uses Win2K on a laptop with a
> Kevin> wifi card. In order for her to start and stop the built-in
> Kevin> IPSec client (required when she switches between wired and
> Kevin> wireless), she needs to be a power user of some description.
> Kevin> Fine, I'm the administrator so I gave her the capabilities.
> Kevin> Now she can let malware act as a power user when it runs -
> Kevin> brilliant. On linux, for example, I simply su to start and
> Kevin> stop the IPSec and run the rest of my session as a normal
> Kevin> user. It's the simple concept of least privilege...
>
> No, on Linux you can do several things:
> a) always encrypt everything anyway. (simplies everything)
> b) run scripts from dhclient to auto-select things.
> c) use "sudo" to let her run a script
> d) write a setuid program that does the one task.
>
> Since Win2K, there has been the equivalent of "su". Including the GUI
> "Run-As" interface. Is it used? Not that I can tell.
> Why not?
>
> This isn't about technology --- it never has been.
>
> It is about letting very brilliant people with no non-MS experience
> run the show. They are too smart to bother learning from past mistakes,
> even their own.
>
> - --
> ] "Elmo went to the wrong fundraiser" - The Simpson |
> firewalls [
> ] Michael Richardson, Xelerance Corporation, Ottawa, ON |net
> architect[
> ] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device
> driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security
> guy"); [
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Finger me for keys
>
> iQCVAwUBQSjpUIqHRg3pndX9AQFfRwQAqvJZtep6edkIDr+LXl26dVenqGrSX+Z3
> KvbY5OVK9gUePhS3gLnFUbIIwkWlhI3EQ4JvoLPv8ZO/FvN8DzcEgslh2e8m6kMQ
> yc9yFZvaM4vl32vbGBpK883iKCWA6njF7Ky2Fftr8tgeN9LUSxxldKzZk7vy9ndW
> iSVY+fgGMFE=
> =rIzN
> -----END PGP SIGNATURE-----
>
>
>
>
-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Bournemouth) Ltd ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:00 EDT