Security Basics mailing list archives

Re: Basic Windows Security Question


From: "Steve" <securityfocus () delahunty com>
Date: Tue, 5 Apr 2005 09:59:27 -0400

There is new technology that can scan outbound email for content violations
and flag it for review accordingly, although it is not typically found in
smaller firms such as the one in the original question.

There will not always be a system to enforce a written policy, but there
should be written guidance (policy) provided to the employees about company
confidential information etc.  There was some discussion about this in the
past, that you may have a policy where there are no systems to easily enforce
it.  To take Herman's example further, an employee could copy printed
materials and take the paper home as well -- it doesn't make it acceptable
though, in the case where they are deliberately stealing company secrets for
instance.

STEVE
----- Original Message ----- 
From: "Herman Frederick Ebeling Jr." <hfebelingjr () lycos com>
To: <security-basics () securityfocus com>
Sent: Thursday, March 31, 2005 6:49 PM
Subject: RE: Basic Windows Security Question



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If the company allows its employees to send and receive E-Mail from outside
of the company, then what is to stop an employee from E-Mailing his/her data
home?  And likewise from sending PRG files from home as well?  Other than, of
course, not ALLOWING any attachments in or out; but then IF their job is to
review submissions from outside sources, would it be possible to restrict who
can and cannot receive attachments???

Herman

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQkx4Oh/i52nbE9vTEQL9EQCfV1fvfBHuEjIgz+mt0J4efwP+4ZAAoOZu
NoWGcZsAj4Ip9++XPupzsebn
=CgXt
-----END PGP SIGNATURE-----

-----Original Message-----
From: Barrie Dempster [mailto:barrie () reboot-robot net]
Sent: Thursday, 31 March, 2005 08:49
To: Andrew McIntosh
Cc: security-basics () securityfocus com
Subject: Re: Basic Windows Security Question


Andrew McIntosh wrote:
<snip>
Disable USB Port - That would solve the particular problem and create
other problems. For instance, substitute the thumb drive with a floppy
disk or CD. For obvious reasons you don't want to disable those as well.

Which obvious reasons?
The company has less than 100 employees, they probably won't be passing
CDs around much. Disable/unplug/remove CD drives and floppies and have
all data to be added to the network go through checking by a relevant
competent staff member.

There are very few reasons to use external media on a connected network
like this. The admin can and should manage all software installs, Data
can be passed around over the network. On the rare occasion that
something absolutely has to be on physical media, let it go through IT
for checking first.

Restrict user permissions - That could potentially prevent a program
from installing itself, but it would also cause the user some grief if
they need to install programs themselves, or even do simple things like
changing personal settings.

Users should never have the right, ability or wish to install programs!

Everything they need to do their job will have been approved by IT and
will be in the base OS build; anything to be added to that will need to
be evaluated and approved, and when it has been it will again be installed
by IT and added to the build process. If you give your users access to
do this on a broad scale you are asking for trouble, on any sized network.

Security Policy - Haven't looked into this yet, but maybe there is a way
to prevent the use of thumb drives and other specific devices through
security policy.

Yes it can be done, but it should be in addition to removing the devices
completely whenever possible.

This is a subjective question; it relies entirely on the business at
hand and who is in charge of policy-making decisions. If you are the
admin and/or in charge of network security, it is your role to encourage
the most secure option you can; it's then the responsibility of the
users to ask you to relax some policies for their convenience. In most
businesses this trade-off is inevitable, but you must, as the security
professional on-site, strive for the absolute best practice.

Set the policies of the system on a per-role basis: if someone needs to
do a lot of work on external media give them access to the devices; for
those that don't, disable it. If someone wants access to the CD drive to
listen to their music, then it *might* be too much of a risk to the
network to allow this. You have to analyse what sort of impact
malicious/accidental access to the users' accounts has on the network and
you also have to consider the users' competency.

--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk
CA: www.cacert.org

"He who hingeth aboot, getteth hee-haw" - Victor (Still Game)
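The per-role removable-media lockdown Barrie describes can be scripted on a Windows host. The PowerShell below is an added example for this archive page, not code from any poster: it writes the same registry values that the "Removable Storage Access" Group Policy template sets (Vista/2008 and later) and, for XP-era machines that predate that template, disables the USBSTOR mass-storage driver service. The policy key path and the device-class GUIDs are quoted from memory of the Group Policy template and should be treated as assumptions to verify in gpedit.msc or the ADMX files before rollout; the `-AllowClasses` parameter and the function names are this example's own.

```powershell
<#
 Added example: deny removable storage per role on a Windows host.
 Machine scope writes HKLM (run elevated) and affects every user on the box;
 User scope writes HKCU for the current user only.
 Key path and class GUIDs are assumed from the Removable Storage Access
 policy template; Deny_Read/Deny_Write/Deny_Execute are its DWORD values.
#>
param(
    [ValidateSet('Machine', 'User')]
    [string]$Scope = 'Machine',
    [string[]]$AllowClasses = @(),   # roles that genuinely need media, e.g. 'RemovableDisk'
    [switch]$Audit                   # report current state, change nothing
)

$hive      = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
$policyKey = "$hive\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
$usbstor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Device setup class GUIDs used by the policy (assumed values, verify locally).
$classes = @{
    RemovableDisk = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    CdDvd         = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    Floppy        = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    Tape          = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-RemovableStoragePolicy {
    # One row per class showing what the policy key currently says.
    foreach ($name in $classes.Keys) {
        $k = Join-Path $policyKey $classes[$name]
        $denyRead = $denyWrite = $null
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            $denyRead  = $p.Deny_Read
            $denyWrite = $p.Deny_Write
        }
        [pscustomobject]@{ Class = $name; Deny_Read = $denyRead; Deny_Write = $denyWrite }
    }
    # Start=3 (demand start) is the default; Start=4 stops the USB storage driver loading.
    $svc = Get-ItemProperty -Path $usbstor -ErrorAction SilentlyContinue
    [pscustomobject]@{ Class = 'USBSTOR service'; Deny_Read = $null; Deny_Write = ($svc.Start -eq 4) }
}

function Set-RemovableStoragePolicy {
    foreach ($name in $classes.Keys) {
        $k = Join-Path $policyKey $classes[$name]
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        # Roles listed in -AllowClasses keep access; every other class is denied in both directions.
        $deny = if ($AllowClasses -contains $name) { 0 } else { 1 }
        Set-ItemProperty -Path $k -Name 'Deny_Read'    -Value $deny -Type DWord
        Set-ItemProperty -Path $k -Name 'Deny_Write'   -Value $deny -Type DWord
        Set-ItemProperty -Path $k -Name 'Deny_Execute' -Value $deny -Type DWord
    }
    if ($Scope -eq 'Machine') {
        # Pre-Vista lever, also useful as a second layer: keep the USB storage driver
        # from loading at all unless some role on this box needs removable disks.
        $start = if ($AllowClasses -contains 'RemovableDisk') { 3 } else { 4 }
        Set-ItemProperty -Path $usbstor -Name 'Start' -Value $start -Type DWord
    }
}

if ($Audit) {
    Get-RemovableStoragePolicy | Format-Table -AutoSize
} else {
    Set-RemovableStoragePolicy
    Get-RemovableStoragePolicy | Format-Table -AutoSize
}
```

Run it with `-Audit` first to see the host's current state, then `-Scope Machine` for the general population and `-Scope User -AllowClasses RemovableDisk` on a workstation whose user's role needs thumb drives. In a domain the same values are better delivered by a GPO with security filtering per role, since a local Group Policy refresh will overwrite values written by hand; and as Barrie notes, a policy setting is a supplement to physically removing the drive, not a replacement for it.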



---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security
professionals.  Norwich University is fulfilling this demand with its MS in
Information Security offered online.  Recognized by the NSA as an
academically excellent program, NU offers you the opportunity to earn your
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------