Nominations for sucky apps are always welcome at www.threatcode.com
Noah Eiger wrote:
Thanks all for the thoughts. I think that the thing I will need to
communicate to these folks is simply the tradeoffs and the risks. They
run many apps that force full admin rights on the workstations and
have concluded that this is an acceptable risk. We’ll see what they
say. In the end, I feel okay about it if they are fully cognizant of
the risks and then accept them. Maybe I’ll put something in about
double the hourly rate for cleanup ;-)
-- nme
P.S. Brian, could you elaborate on the inexpensive NAC products? I see
that IAS will be a RADIUS provider to 802.1x switches. Is there a
feature set within the IOS that can handle this (Catalyst 29xx and
35xx) or is it a separate device?
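The question in the P.S. is answered by the switch itself rather than a separate device, so here is an added example (not from any message in this thread) of the Catalyst IOS configuration that Brian's suggestion implies: 802.1x on an access port, IAS acting as the RADIUS server, and supplicant-less (non-domain) machines dropped into a guest VLAN that serves as the "public", Internet-only VLAN. The server address 10.0.0.5, VLAN numbers 20 and 99, and the shared-secret placeholder are assumptions.

```cisco
! Added example: Catalyst 29xx/35xx IOS, 802.1x port auth against IAS (RADIUS).
! Assumed values: IAS server 10.0.0.5, staff VLAN 20, public/guest VLAN 99.
aaa new-model
aaa authentication dot1x default group radius
! IAS listens on 1812/1813 by default; the key must match the RADIUS client
! entry created for this switch in IAS.
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
! Turn 802.1x on globally; per-port settings do nothing without this line.
dot1x system-auth-control
!
! VLAN 99 is the "public" VLAN that reaches only the Internet; the ACLs or
! policy routing that enforce that live on the layer-3 device, not here.
vlan 99
 name PUBLIC-INTERNET-ONLY
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 ! The port forwards only EAPOL until the host authenticates.
 dot1x port-control auto
 ! Hosts that never speak EAPOL (home Macs, contractor laptops, workgroup
 ! PCs from the field offices) land in VLAN 99 instead of VLAN 20.
 dot1x guest-vlan 99
 ! Re-authenticate hourly so a disabled domain account loses access.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! Do not enable dot1x on uplinks or server ports; a trunk that demands
! authentication from the neighbouring switch locks the segment out.
interface GigabitEthernet0/1
 switchport mode trunk
```

Two caveats worth checking before rollout: the guest VLAN only catches hosts that send no EAPOL at all, so a domain XP box whose Wired AutoConfig service is stopped will be treated as a guest, and a host that does attempt 802.1x and fails is simply denied rather than placed in VLAN 99.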
------------------------------------------------------------------------
*From:* Brian Desmond [mailto:[EMAIL PROTECTED]
*Sent:* Thursday, June 08, 2006 9:05 PM
*To:* [email protected]
*Subject:* RE: [ActiveDir] OT: Security Policy Thoughts
They’re keeping me a little busy down at the fun factory, so I’m up
pretty late. Actually I just flew back in yesterday from a client so I
was handling backlog.

How is .1x cost prohibitive? Have you looked at the NAC products most
major VPN providers have to handle your fears about viruses and such?
Also realize you don’t need to open a lot of the ports representative
of that sort of stuff. Lock it down by job role.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Noah Eiger
*Sent:* Thursday, June 08, 2006 12:59 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] OT: Security Policy Thoughts
Thanks, Brian. Don’t you sleep? It’s late in Chicago ;-)
802.1x is the direction they are heading. Right now, it is
cost-prohibitive. So the question is less “can I control this access”
but “should I”? Is that over-reacting?
Again with the VPN. My thoughts were to push it with an MSI, so I see
/how/ to control its distribution. The question is /should/ I limit it
to just the domain computers? How big is the risk? If the risk from
home computers is virus and malware, how do I justify preventing folks
from running it on their home Macs?
Thanks.
-- nme
------------------------------------------------------------------------
*From:* Brian Desmond [mailto:[EMAIL PROTECTED]
*Sent:* Wednesday, June 07, 2006 10:43 PM
*To:* [email protected]
*Subject:* RE: [ActiveDir] OT: Security Policy Thoughts
My suggestion is that you implement 802.1x port auth to implement
port based authentication. You can use this to implement guest vlans
with the policy routing you describe.

Isn’t the Cisco VPN an MSI? Use Group Policy or SMS if you have it.
You can do some NAC stuff with Cisco VPN as well as the personal
firewall built into it.

I don’t see how you plan to prohibit OS X at least – put it on the
guest vlan if you must, but, realize that the marketing, pr, etc
people may live in a Mac world.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Noah Eiger
*Sent:* Thursday, June 08, 2006 12:16 AM
*To:* [email protected]
*Subject:* [ActiveDir] OT: Security Policy Thoughts
Hi:
I am facing some IT policy questions and wanted to get some
perspectives. In each of these areas, I am trying to determine how
restrictive I need to be. The client has four sites connected over
high-speed links. I have good backing from management but will
undoubtedly get resistance on some of these.
The client is small, under 200 employees with most in one office. Some
small field offices are not managed (i.e., have workgroup networks,
often with a small server, but no AD). There are no SOX requirements
and the data are not sensitive (e.g., no credit cards). Almost
entirely Windows XP; all DC’s run W2k3.
Any thoughts on these topics welcome.
_Connecting to the wired network_. They do not run any IDS or
machine-based authentication. Given that, written policy carries some
weight. I want to require all non-domain machines to connect only to a
“public” VLAN that goes only to the Internet. I would apply this even
to staff “personal” computers, those of contractors (including me),
and machines from those field offices that are not on the domain.
_VPN_. They run a Cisco VPN. I want to distribute the client only to
domain-based machines. Others want the client for their home
computers, etc.
_Other Operating Systems_. I don’t want to allow other OS’s on the
network, unless we manage them. But what is the threat posed by a
Linux or OS X box on the network?
As always, many thanks.
-- nme
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date: 6/5/2006