Penetration Testing mailing list archives
Re: XPSP2 compatability
From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Tue, 24 Aug 2004 17:41:39 +0100
Wow. Hitting the nail firmly on the head with a sledge hammer there.I've been toying with the idea of totally encrypting my fixed LAN with IPSec. I'm still evaluating the availability characteristics of the IPSec stack on my wireless network (I've only recently moved to a 2.6 kernel on my gateway). When I'm sure it meets my requirements, then I'll probably roll it out to the fixed environment and remove the need to modify services by normal users (how my girlfriend would like to be referred to as a 'normal user'.)
I've never really liked 'Run As' as a solution on Windows (although admitedly, most of my experience has been as an observer as opposed to an operator.) I still need to trust the people I give 'Run As' to, don't I, not to do anything daft? I'm guessing that you can't tie that ability down to a single component? Or can you?
It's a bit off-topic now, so I'm happy if replies are off-line. Kev
-----BEGIN PGP SIGNED MESSAGE-----"Kevin" == Kevin Sheldrake <kev () electriccat co uk> writes:Kevin> privileged users can write to raw sockets? Perhaps if the XP Kevin> installation forced the creation of at least one user account Kevin> and spat out a large alert when someone logged on as You are right --- the facilities are there. They are just not used. Kevin> For instance, my girlfriend uses Win2K on a laptop with a Kevin> wifi card. In order for her to start and stop the built-in Kevin> IPSec client (required when she switches between wired and Kevin> wireless), she needs to be a power user of some description. Kevin> Fine, I'm the administrator so I gave her the capabilities. Kevin> Now she can let malware act as a power user when it runs - Kevin> brilliant. On linux, for example, I simply su to start and Kevin> stop the IPSec and run the rest of my session as a normal Kevin> user. It's the simple concept of least privilege... No, on Linux you can do several things: a) always encrypt everything anyway. (simplies everything) b) run scripts from dhclient to auto-select things. c) use "sudo" to let her run a script d) write a setuid program that does the one task. Since Win2K, there has been the equivalent of "su". Including the GUI "Run-As" interface. Is it used? Not that I can tell. Why not? This isn't about technology --- it never has been. It is about letting very brilliant people with no non-MS experience run the show. They are too smart to bother learning from past mistakes, even their own. - --] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [ ] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[ ] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[ ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Finger me for keys iQCVAwUBQSjpUIqHRg3pndX9AQFfRwQAqvJZtep6edkIDr+LXl26dVenqGrSX+Z3 KvbY5OVK9gUePhS3gLnFUbIIwkWlhI3EQ4JvoLPv8ZO/FvN8DzcEgslh2e8m6kMQ yc9yFZvaM4vl32vbGBpK883iKCWA6njF7Ky2Fftr8tgeN9LUSxxldKzZk7vy9ndW iSVY+fgGMFE= =rIzN -----END PGP SIGNATURE-----
-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Bournemouth) Ltd ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- RE: XPSP2 compatability, (continued)
- RE: XPSP2 compatability Todd Towles (Aug 20)
- RE: XPSP2 compatability Joe Smith (Aug 22)
- RE: XPSP2 compatability Chris Brenton (Aug 22)
- RE: XPSP2 compatability Joe Smith (Aug 22)
- RE: XPSP2 compatability OBrien, Brennan (Aug 20)
- Re: XPSP2 compatability Kevin Sheldrake (Aug 21)
- Re: XPSP2 compatability Jophn Deo (Aug 22)
- Re: XPSP2 compatability Max (Aug 24)
- Re: XPSP2 compatability Kevin Sheldrake (Aug 21)
- RE: XPSP2 compatability Todd Towles (Aug 20)
- RE: XPSP2 compatability Wozny, Scott (US - New York) (Aug 20)
- Re: XPSP2 compatability Kevin Sheldrake (Aug 21)
- Re: XPSP2 compatability Michael Richardson (Aug 24)
- Re: XPSP2 compatability Kevin Sheldrake (Aug 24)
- Re: XPSP2 compatability Michael Richardson (Aug 24)
- Re: XPSP2 compatability Kevin Sheldrake (Aug 21)