Re: Basic Windows Security Question

[Sebastian <sebastian.sorri () welho com>]

Herman (and all),

In practice, considering normal business use of email I would say not. 
Imagine your first exec, marketing, customer relations, sales or nearly 
whichever kind of user and you'll find it impossible even if there's a 
strict and enforced company policy of what is allowed and what is not. 
Not knowing your line of business, I'd say your first task is to figure 
out the people that actually need to have any kind of physical access to 
any equipment except keyboards and such. If the station(s) can be locked 
in, do so. If not, stick with the company policy.

Just my two cents of whichever currency,

-Sebastian


Herman Frederick Ebeling Jr. wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If the company allows it's employees to send and receive E-Mail from outside of
> the company then what is to stop an
> employee from E-Mail his/her data home?  And likewise from sending PRG files
> from home as well?  Other then of course
> not ALLOWING any attachments in or out, but then IF their job is to review
> submissions from outside sources would it be
> possible restrict who can and cannot receive attachments???
>
> Herman
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
>
> iQA/AwUBQkx4Oh/i52nbE9vTEQL9EQCfV1fvfBHuEjIgz+mt0J4efwP+4ZAAoOZu
> NoWGcZsAj4Ip9++XPupzsebn
> =CgXt
> -----END PGP SIGNATURE-----
>
> -----Original Message-----
> From: Barrie Dempster [mailto:barrie () reboot-robot net]
> Sent: Thursday, 31 March, 2005 08:49
> To: Andrew McIntosh
> Cc: security-basics () securityfocus com
> Subject: Re: Basic Windows Security Question
>
>
> Andrew McIntosh wrote:
> <snip>
>  
>
> > Disable USB Port - That would solve the particular problem and create
> > other problems. For instance, substitute the thumb drive with a floppy
> > disk or CD. For obvious reasons you don't want to disable those as well.
> >    
>
> Which obvious reasons?
> The company has less than 100 employees, they probably won't be passing
> CD's around much. Disable/unplug/remove CD drives and floppies and have
> all data to be added to the network go through checking by a relevant
> competent staff member.
>
> There are very few reasons to use external media on a connected network
> like this. The admin can and should manage all software installs, Data
> can be passed around over the network. On the rare occasion that
> something absolutely has to be on physical media, let it go through IT
> for checking first.
>
>  
>
> > Restrict user permissions - That could potentially prevent a program
> > from installing itself, but it would also cause the user some grief if
> > they need to install programs themselves, or even do simple things like
> > changing personal settings.
> >    
>
> User should not ever have the right ability or wish to install programs!
>
> Everything they need to do their job will have been approved by IT and
> will be in the base OS build, anything to be added to that will need to
> be evaluated and approved, when it has been it again will be installed
> by It and added to the build process. If you give your users access to
> do this on a broad scale you are asking for trouble, on any sized network.
>
>  
>
> > Security Policy - Haven't looked into this yet, but maybe there is a way
> > to prevent the use of thumb drives and other specific devices through
> > security policy.
> >    
>
> Yes it can be done, but it should be in addition to removing the devices
> completely whenever possible.
>
> This is a subjective question, it relies entirely on the business at
> hand and who is in charge of policy making decisions. If you are the
> admin and/or in charge of network security. It is your role to encourage
> the most secure option you can, it's then the responsibility of the
> users to ask you to relax some policies for their convenience. In most
> businesses this trade off is inevitable, but you must, as the security
> professional on-site, strive for the absolute best practise.
>
> Set the policies of the system on a per role basis, if someone needs to
> do alot of work on external media give them access to the devices, those
> that don't disable it. If someone want's access to the CD drive to
> listen to their music, then it *might* be too much of a risk to the
> network to allow this. You have to analyse what sort of impact
> malicous/accidental access to the users accounts has on the network and
> you also have to consider the users competency.
>
> --
> With Regards..
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
> blog: http://zeedo.blogspot.com
> site: http://www.bsrf.org.uk
> CA: www.cacert.org
>
> "He who hingeth aboot, getteth hee-haw" - Victor (Still Game)
>
>
>
> ---------------------------------------------------------------------------
> Earn your MS in Information Security ONLINE
> Organizations worldwide are in need of highly qualified information security 
> professionals.  Norwich University is fulfilling this demand with its MS in 
> Information Security offered online.  Recognized by the NSA as an 
> academically excellent program, NU offers you the opportunity to earn your 
> degree without disrupting your home or work life.
>
> http://www.msia.norwich.edu/secfocus_en
> ----------------------------------------------------------------------------
>
>  


---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security 
professionals.  Norwich University is fulfilling this demand with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------