Security Basics mailing list archives
RE: Deny access to copy files
From: Craig Wright <Craig.Wright () bdo com au>
Date: Tue, 3 Jun 2008 18:35:51 +1000
Hello Yahsodhan,

Are you serious or is this some sort of troll?

First, "common repository where the code resides". If there is a shared common repository then you have missed the entire point. You have just given away the code - and then added controls that have nothing to do with this.

"I think the above should work, I know it is restrictive to the developer, but we are trying to find a solution aren't we?"

Not in this manner.

You state: "The Developer account does not have the rights to install any software." And "No browser on the VM"

I have to ask after these, have you worked with a developer? Used development tools?

You are suggesting an MS environment so let us assume something such as .Net and Visual Studio (not that it matters). .Net is an application that allows email and internet access in effect (with a few lines of code). Visual Studio *** IS *** a web browser. It *** IS *** an email client. Even if it was not, it is a simple drop and drag of a few objects to make your own - which does not need to be installed to run.

You are stating, in effect, that the developers have to write code in notepad and hope it works. Developers NEED to install software. Software flaws are a big risk. This means testing and QA. This means installing compiled code.

Guess what... .Net security is at the mercy of the developers. I suggest that you read up on managed code, the common language runtime (CLR), assemblies, manifests etc. On top of this, there are stack and protocol libraries built into C++, C# etc.

"Maximal security" is not always the answer, it is rather an exception.

Schneier, B. (2002) Developers care more about making profit than producing secure applications. Security comes in second after developers' own needs and demands. Since the programmer is not forced to follow guiding principles, nothing guarantees that security will be obtained... To achieve an acceptable security processing much of the responsibility is left to the programmer.

Regards,
Dr Craig Wright GSE GNET

Some reading follows:

- Brown, Keith (2001) Security in .NET: Enforce Code Access Rights with the Common Language Runtime, MSDN Magazine (Feb. 2001)
- Mark Higgins (2002) Symantec Internet Security Threat Report Attack Trends for Q3 and Q4 2002
- Microsoft (2003) What is the Microsoft .NET Framework?, Microsoft .NET, http://www.microsoft.com/net/basics/framework.asp
- Microsoft (2003) .NET Framework Developer's Guide, Introduction to Code Access Security, http://msdn.microsoft.com/library/default.asp?url=/library/enus/cpguide/html/cpconcodeaccesssecurity.asp
- Microsoft (2003) .NET Framework Developer's Guide, Role-based Security, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconrolebasedsecurity.asp
- Microsoft (2003) .NET Framework Developer's Guide, Introduction to Code Access Security, http://msdn.microsoft.com/library/default.asp?url=/library/enus/cpguide/html/cpconintroductiontocodeaccesssecurity.asp
- Microsoft (2003) .NET Framework Developer's Guide, Role-Based Security Checks, http://msdn.microsoft.com/library/default.asp?url=/library/enus/cpguide/html/cpconrequestingpermissions.asp
- Microsoft (2003) .NET Framework Developer's Guide, Requesting Permissions, http://msdn.microsoft.com/library/default.asp?url=/library/enus/cpguide/html/cpconrequestingpermissions.asp
- Microsoft (2003) .NET Framework Developer's Guide, Overriding Security Checks, http://msdn.microsoft.com/library/default.asp?url=/library/enus/cpguide/html/cpconoverridingsecuritychecks
- Microsoft (2003) .NET Framework Developer's Guide, Compiling to MSIL, http://msdn.microsoft.com/library/default.asp?url=/library/enus/cpguide/html/cpconmicrosoftintermediatelanguagemsil.asp
- Parihara et al. (2001) ASP.NET Bible, Hungry Minds, Inc, ISBN: 0-7645-4816-6
- Sharp, J. Jagger, J. (2002) Microsoft Visual C# .NET step by step, Microsoft press, ISBN 0-7356-1289-7
- Warson et al. (2001) Börja med C#, Pagina Förlags AB, Sundbyberg, ISBN 91-636-0712-3
- Watkins, Demien (2002) An Overview of Security in the .NET Framework, http://www.msdnaa.net/Resources/pfv.aspx?ResID=1430
- Wemberg et al. (2001) Experimentell studie av säkerhetsbrister i Microsoft Internet Information Server 4 och Microsoft SQL Server 2000 - vid tillämpning av standardinställningar., University of Kalmar

Craig Wright
Manager, Risk Advisory Services
Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator () bdo com au. BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.

-----Original Message-----
From: Yahsodhan Deshpande [mailto:yahsodhan.deshpande () nevisnetworks com]
Sent: Tuesday, 3 June 2008 4:30 PM
To: Craig Wright; Adam Pal; Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: RE: Deny access to copy files

Hi Craig,

Let's assume that the following things are theoretically possible.

- Create a virtual machine with Windows OS
- Create a separate domain for developers
- Set the permissions accordingly for that domain
- Only thing accessible to the domain users is the common repository where the code resides
- All the tools necessary for the developer are preinstalled on the VM
- The VM is hardened
- No browser on the VM
- The Developer account does not have the rights to install any software.
- The VM comes up with no local storage, only storage it points to is the code storage.
- There are no file/directory sharing services
- No Outlook / email access
- No access to the internet
- The IP addresses assigned to the VM are on a different subnet/VLAN
- Restrictive policies on the switches to avoid inter-VLAN communication.

Once such a VM is created, it can be distributed to as many developers as needed. This VM can now be run by any developer on his/her PC and do the development under that environment.

I think the above should work, I know it is restrictive to the developer, but we are trying to find a solution aren't we? I am not saying that this is a foolproof method, but a midway where enough deterrents are put in the way that it won't be that easy/obvious to do that.

Regards,
Yashodhan

-----Original Message-----
From: Craig Wright [mailto:Craig.Wright () bdo com au]
Sent: Monday, June 02, 2008 8:41 PM
To: Yahsodhan Deshpande; Adam Pal; Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: RE: Deny access to copy files

This is ok for a single developer, assuming that the developer follows the rules etc and that the host is not really locked down etc.

If the developer has access to the Internet on a PC and also access to the VM, then there is nothing on earth that will restrict the ability to send code.

Next, if the VM is on a system that the developer is sitting on (generally requiring admin rights) they can bypass the admin controls. This comes back to a hope the developer does the right thing issue. To which I say trust but verify.

Next, you want to lock down a development VM host? A host with admin rights usually supplied to the developer. A host with compilers and tools? Please I would ask how do you propose to have a viable development platform (fit for purpose) that is secured and bastionised?

Regards,
Dr Craig Wright GSE LLM

-----Original Message-----
From: Yahsodhan Deshpande [mailto:yahsodhan.deshpande () nevisnetworks com]
Sent: Tuesday, 3 June 2008 9:55 AM
To: Craig Wright; Adam Pal; Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: RE: Deny access to copy files

I think we are missing the point here; the idea of VM was to create a sand box for the developer. He will keep using his own environment; browse the internet using his/her pc/laptop, but all the development work will have to be done under the VM.

The VM is in control of the admin, and will have much better chance of having the control within that environment, rather than restricting the user from his normal activities. I am not suggesting using VM as a security device, rather just limiting the management overhead to each individual pc/laptop to a centrally managed VM, with least effect on the end user in his normal activities.

As I already mentioned hardening the VM is a task in itself, but once achieved is much more maintainable.

Regards,
Yashodhan

-----Original Message-----
From: Craig Wright [mailto:Craig.Wright () bdo com au]
Sent: Monday, June 02, 2008 4:21 PM
To: Yahsodhan Deshpande; Adam Pal; Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: RE: Deny access to copy files

So add an extra layer of risk? With no gain? Why?

VMs are not a security device (as much as people like to believe this). The locking down of the VM is the same process as locking down the host, but now you also have a hypervisor layer to be concerned over.

Regards,
Dr Craig Wright GSE LLM

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Yahsodhan Deshpande
Sent: Tuesday, 3 June 2008 7:29 AM
To: Adam Pal; Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: RE: Deny access to copy files

Hi Ahmed,

How about creating a virtual machine (which is hardened enough), and then allow the access to the code only via the virtual machine.
Hardening the VM would be a task in itself, but it would solve much of the issues related to USB and mass storage devices.

Regards,
Yashodhan

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adam Pal
Sent: Monday, June 02, 2008 1:15 PM
To: Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: Re: Deny access to copy files

Hello Ahmed,

Sounds more like you try washing your hands without getting wet :)

I can hardly imagine that the programmers should be able to read but not to copy, so if they need to program they need access to the code. I think it's more frustrating for programmers to know that they have to work with "handcuffs".

I think the problem lies much deeper: do you trust your programmers? If not, hire another, if yes, no such measurements needed, or better say not more than written agreements about security policy.

About blocking web access: As I can remember that one of the core problems of security is that you cannot protect your data efficiently from attackers within the company.

I can remember about agreements which contain things like:
- not connecting mobile storage devices to the workstation (this can be monitored)
- not connecting mobile devices to the internal network (this can also be monitored)
- not taking parts of code out of the company (which can also be monitored)

Of course, bad-intentioned people will be able to bypass such agreements but I prefer to assume that in your staff are good people only.

One more - what about using interfaces for programming? Doing so, every one holds only a small, unusable piece of the "puzzle".

--
Best regards,
Adam Pal

Sunday, June 1, 2008, 8:20:25 PM, you wrote:

<==============Original message text===============
AK> I am working for a software house, they are developing a software product
AK> and their requirement is to restrict programmers to take the code out of
AK> office premises due to company policy. I am trying to configure a windows
AK> based machine which denies access to copy files to external storage devices
AK> connected to USB. There is an NTFS permission "Read + Execute" I guess this
AK> could do the work but is there any other way to do it?
AK> They also don't need programmers to take the code with them in their email.
AK> I can restrict SMTP and POP ports but when it comes to web based emails I am
AK> clueless, How can I restrict web based emails like hotmail, gmail, yahoo
AK> there are so many of these and if I somehow manage to block all web based
AK> email sites someone can write a script to send emails, if not a script HTTP
AK> tunneling would bypass any checks and bounds defined by my proxy/gateway
AK> machine. How can I block such thing?
AK> Any help would be highly appreciated.
AK> Regards,
AK> Ahmed Khalid
<===========End of original message text===========