>> This is true if the user hasn't taken ownership of certain directories and
>> set the permissions such that only the user has access. For even an
>
>ahh, so local users have FULL CONTROL so they can play havoc with file

Discretionary Access Control does mean just that: the user can decide who
gets access to his/her OWN files, and what kind of access. However, it does
not mean that the user should have full control of 'system files', especially
executables. One of the main principles you have to stick by when securing a
computer system is making sure that system executables are read and/or
execute (whichever is appropriate for your O.S.) ONLY. NT, however, demands
that a lot of executables (mostly .DLLs) be Change-enabled for Everyone.
Well, bring in the Trojan Horses...
>ownership and permissions? You got a bigger problem. I don't blame
>you, NT's permissions out of the box are bar none the worst in the

As I mentioned in one of my previous msgs, we're used to a VMS environment,
and when we looked at how NT came out of the box we nearly had a fit. We
tried to mimic VMS file protections, which resulted in a setup that was
useless to the users, e.g. the MSOffice shortcut bar showed only question
marks instead of the usual icons (a small problem to us but not, apparently,
to the majority of users; mind you, for the Administrator the shortcut bar
had all its correct icons!), Word stopped working, PowerPoint had problems,
help files wouldn't open, etc., etc., etc. ...
>industry. I bet 99.9% of admins don't even look to see how bad it
>really is. Tightening them up can be quite a chore, especially when
>you're doing it by trial and error. But I've managed to pull it off on
>one of our public boxes. Was a several week hassle though.

After running around fixing files left and right, we're now at the point
where we, sadly enough, give Everyone (shudder) full control and then deny
access to a list of directories and files half a mile long. We hope we have
most files covered, but if your method works well, maybe you'd like to share
it with us so we can try it out and compare. Because currently, of course,
users can still play havoc on their 'own' drive and trash any of the
applications they have installed.
--
Frank De Hert
System/Security Manager
NATO Programming Centre.
"It's the damndest job, but some poor schmuck has to do it!"
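The point made in the post above (system executables should be read/execute only, and any Change-type right for Everyone on a DLL is a Trojan-horse exposure) can be checked mechanically. The script below is an added example and is not code from the original post or from either poster; it assumes a modern Windows host with PowerShell (NT 4 had neither), an English-language install (the group names are locale-specific), the audit root C:\Windows\System32, and the lists of "broad" principals and executable extensions, all of which are assumptions you would adjust. It flags files where Everyone, Users, Authenticated Users or INTERACTIVE can write, delete, take ownership of, or re-ACL an executable, after subtracting any explicit Deny entry for the same principal, which is exactly the "Everyone: Full, then deny a long list" arrangement described in the post. With -Directories it audits the containing folders instead, because a principal who can delete or create files in the directory can replace an executable even when the file's own ACL is tight.

```powershell
# Added example (not from the original post). Audits executables, or their
# directories, for ACEs that let broad groups alter them. All names below are
# assumptions for illustration.

$Root = 'C:\Windows\System32'                      # assumed audit root
$BroadPrincipals = @(                              # names as shown on an English-language install
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$ExecutableExtensions = '*.exe', '*.dll', '*.sys', '*.ocx', '*.cpl', '*.scr'

# Rights that let a caller alter or replace a file's contents, or grant
# themselves that ability. ReadData and ExecuteFile are deliberately absent:
# those are what executables are supposed to carry for Everyone.
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, TakeOwnership, ChangePermissions'

# On a directory the same bits mean "create files / subdirectories"; add
# DeleteSubdirectoriesAndFiles, which allows deleting a child regardless of
# the child's own ACL.
$DirWriteMask = [int][System.Security.AccessControl.FileSystemRights]`
    'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete, TakeOwnership, ChangePermissions'

function Find-WritableExecutable {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Principals = $BroadPrincipals,
        [switch]$Directories    # audit the containing directories instead of the files
    )

    if ($Directories) {
        $mask  = $DirWriteMask
        $items = Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue
    } else {
        $mask  = $FileWriteMask
        $items = Get-ChildItem -LiteralPath $Path -Recurse -File -Include $ExecutableExtensions -ErrorAction SilentlyContinue
    }

    foreach ($item in $items) {
        # Reading a DACL needs READ_CONTROL; objects we cannot read are skipped
        # rather than reported as safe, so run elevated for a full picture.
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }

        foreach ($principal in $Principals) {
            $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal })
            if ($aces.Count -eq 0) { continue }

            # OR together the Allow bits, then clear anything an explicit Deny
            # entry for the same principal removes. Generic rights are mapped to
            # specific rights when an ACE is applied to a file, so the bit test
            # is sound here; a Deny on some *other* group the user belongs to
            # is not modelled and would need a per-user effective-access check.
            [int]$allowed = 0
            [int]$denied  = 0
            foreach ($ace in $aces) {
                if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor [int]$ace.FileSystemRights }
                else                                    { $denied  = $denied  -bor [int]$ace.FileSystemRights }
            }
            $effective = $allowed -band (-bnot $denied) -band $mask
            if ($effective -ne 0) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $principal
                    Rights    = [System.Security.AccessControl.FileSystemRights]$effective
                    Inherited = @($aces | Where-Object { $_.IsInherited }).Count -gt 0
                }
            }
        }
    }
}

# Usage: files first, then the directories that contain them.
Find-WritableExecutable -Path $Root              | Format-Table Path, Principal, Rights, Inherited -AutoSize
Find-WritableExecutable -Path $Root -Directories | Format-Table Path, Principal, Rights, Inherited -AutoSize
```

The Inherited column is worth watching: an inherited Change right on a DLL usually means the fix belongs on the parent directory's ACL, not on the file, which is why a deny list "half a mile long" tends to grow whenever an installer drops a new file into an open folder.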