Hi Justin, > -----Original Message----- > From: Justin Shore [mailto:[EMAIL PROTECTED] > Sent: Monday, October 17, 2005 4:55 AM > To: Matt Jonkman; Omar A. Herrera > Cc: [email protected]; vipul kumra; [EMAIL PROTECTED]; > [EMAIL PROTECTED] > Subject: RE: IDS and Spywares > > There is an extremely easy solution to this problem. Remove local > administrative rights from users' PCs. There is absolutely no reason > whatsoever for a user in a corporate environment to have local admin > rights if they aren't actually a sysadm. In a home environment there is > absolutely no reason for a user to be a local admin all the time. Remove > this capability for the residential-grade OSs and make users utilize the > Run As feature of XP and 2000. Better yet make this process automatic > like in OS X. There is no reason in this day and age for users to need > constant local admin access, if they need local admin access, period.
I totally agree with, you, and I use privilege restrictions a lot (O.S. based privilege restrictions it is). But usually the rights of common users (enforced by the O.S.) are enough to create some harm. That is, we don't just want to restrict their privileges but also make sure they don't shoot themselves in their feet by abusing those privileges. A common example: some users are able to navigate on the web. From a FW/nIDS/nIPS point of view those users might just need ports TCP 80 and 443 open for outbound communication, but from an O.S. point of view you can only put very general restrictions (i.e. if they are able or not to open sockets from network communication). Malware can easily work in this restricted environment, so you need something else. A PFW that restricts outbound connections to certain applications or hIPS that is able to stop any unauthorized software are examples of how you can extend the security provided by O.S. privilege restrictions. Host based IDS are also able to detect execution of unauthorized software Kind regards, Omar Herrera ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
