Security Basics mailing list archives

Re: SUS server


From: Randy Williams <randyw () techsource com>
Date: Fri, 08 Apr 2005 13:48:08 -0400

Greetings All,

While local Admin rights may violate quite a few security protocols as well as administration protocols, it sometimes is the ONLY way to get certain things done. I manage a small group of Engineers that do everything from CAD work to ASIC design. It is in their job descriptions to constantly attempt new design changes/fixes/upgrades and a lot of the time they are installing new patches/upgrades/versions of the tools that they use. Even with push out from AD, this would still slow them down too much.

Power User level won't work either, as too many of these programs want to write to "privileged" places on the file structure. Yes, they do blow stuff up from time to time (which we warn them is THEIR responsibility); anything other than local admin simply isn't productive.

So I can sympathize with the original poster on this issue. However, from the SUS perspective, I just force the updates/reboots as necessary and warn the whole department via policy that this will occur. If they leave themselves logged in and do not save something, their manager will ask them why they violated procedure.

Just my $0.02 worth.

RandyW

Paris E. Stone wrote:

Drop the local admin rights, as a previous poster said.  All that is, is
more work for you.

What requirement is in place that gives them local admin rights?

~~~~~
Paris E. Stone, "Linux Zealot"
CISSP, CCNP, CNE, MCSE
~~~~~
The only thing necessary for the triumph of evil,
is for good men to do nothing.
- Edmund Burke


-----Original Message-----
From: Raoul Armfield [mailto:armfield () amnh org]
Sent: Thursday, April 07, 2005 11:14 AM
To: Chinnery, Paul
Cc: security-basics () securityfocus com
Subject: Re: SUS server

Chinnery, Paul wrote:
Why rely on the users to install the patches?  I set mine up to auto
install and reboot the system (I set mine to go at 3 AM).  Course, since
it's a hospital environment, there are some machines that have to be
done manually.

That is exactly my question. I do NOT want to rely on the users to install the patches. However, if they are local admins they are prompted to install and they can opt not to either through action or a lack thereof. I was hoping for a way to force the update even if the users are local admins.


