begin quoting Andrew Lentvorski as of Thu, Sep 15, 2005 at 03:54:22PM -0700:
> Gabriel Sechan wrote:
> >Absolute security would be nice.  Unfortunately, it's not possible.  With 
> >the current state of the art, we need to draw the line somewhere.  I say 
> >complete lockdown of a desktop is too far, and costs more than it gains, 
> >both in dollars and in user frustration.
> 
> I disagree.  In most companies, a complete lockdown of the desktop is 
> *just fine*.

Take it a little further, even.  Thin client boxen and diskless workstations
make *sense* in a business environment.

> The problem is that Windows makes that *hard*.

VMWare on a Linux box and re-image the "disk" every restart. Not
so hard, I'm told. :)

[snip]
> Agreed, but the issue is the responsiveness of the IT department.  The 
> default should be that if I need a new application or hole, I submit a 
> web form, it opens the hole temporarily *only to my machine* (you have 
> to trust your employees *somewhat*) and the IT department begins 
> reviewing the impact.

I'd rather drop you into your own DMZ (this requires everyone connecting
to a managed switch, no doubt) with a hole open to your machine, and a
quarantine period until the IT department can review the impact....

But then, I'm firmly in the "deny everything" camp, with the caveat that
the IT guys need to walk around and make sure that everyone is able to 
get their work done.  A user ought to be able to approach the system /
network administrator *before* they do something stupid and get useful
advice and assistance... proactive is better than reactive, both for the
user, and for sake of the administrator's sanity.

> One of the other big problems is that networks tend to be a big uniform 
> mish-mash once you penetrate the firewall.  There are no firewalls 
> between networks so that you can permit certain actions only to certain 
> networks.

Yes. Crunchy on the outside, smooth and creamy on the inside.

-Stewart "First, say 'no', then, ask 'why', then say 'no' again." Stremler


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
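The "deny everything, open a hole only to the requesting machine, quarantine it until IT has reviewed the impact" workflow discussed above, modelled as a small policy engine. This is an added example, not code from the original post or from the list; the host names, port numbers, timestamps and the 24-hour quarantine default are constructed assumptions for illustration. It shows the three properties the thread argues for: default deny, exceptions scoped to a single workstation, and a temporary exception that lapses on its own unless an administrator approves it.

```python
"""Default-deny desktop policy with per-machine, time-limited exceptions.

Added example (not from the original mailing-list post). All hosts, ports
and timestamps are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Hole:
    """A requested exception, scoped to exactly one workstation and one port."""
    host: str
    dst_port: int
    opened_at: datetime
    quarantine: timedelta = timedelta(hours=24)  # assumed review window
    approved: Optional[bool] = None              # None = not yet reviewed by IT

    def is_active(self, now: datetime) -> bool:
        if self.approved is False:
            return False                          # reviewed and rejected
        if self.approved is True:
            return True                           # reviewed and made permanent
        # Unreviewed: only valid inside the quarantine window.
        return self.opened_at <= now < self.opened_at + self.quarantine

    def in_quarantine(self, now: datetime) -> bool:
        return self.approved is None and self.is_active(now)


@dataclass
class DenyByDefaultPolicy:
    holes: List[Hole] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def request_hole(self, host: str, dst_port: int, now: datetime,
                     quarantine: timedelta = timedelta(hours=24)) -> Hole:
        """The 'web form' step: opens a temporary hole for this machine only."""
        hole = Hole(host, dst_port, now, quarantine)
        self.holes.append(hole)
        self.audit.append(f"{now.isoformat()} HOLE_REQUEST host={host} port={dst_port}")
        return hole

    def review(self, hole: Hole, approve: bool, now: datetime) -> None:
        """The IT review step: make the hole permanent or close it."""
        hole.approved = approve
        verdict = "APPROVED" if approve else "REJECTED"
        self.audit.append(f"{now.isoformat()} HOLE_{verdict} host={hole.host} port={hole.dst_port}")

    def decide(self, src_host: str, dst_port: int, now: datetime) -> str:
        """Returns 'ALLOW' only if an active hole matches this exact host and port."""
        for hole in self.holes:
            if hole.host == src_host and hole.dst_port == dst_port and hole.is_active(now):
                return "ALLOW"
        return "DENY"

    def zone_for(self, host: str, now: datetime) -> str:
        """A host with an unreviewed hole sits in its own quarantine segment,
        not on the general LAN, until IT has looked at the impact."""
        if any(h.host == host and h.in_quarantine(now) for h in self.holes):
            return "quarantine"
        return "lan"


if __name__ == "__main__":
    policy = DenyByDefaultPolicy()
    t0 = datetime(2005, 9, 15, 16, 0)            # constructed timestamp
    print(policy.decide("ws-17", 5900, t0))      # DENY: nothing is open by default
    hole = policy.request_hole("ws-17", 5900, t0)
    print(policy.decide("ws-17", 5900, t0 + timedelta(hours=1)))   # ALLOW, inside quarantine
    print(policy.decide("ws-18", 5900, t0 + timedelta(hours=1)))   # DENY, hole is per-machine
    print(policy.zone_for("ws-17", t0 + timedelta(hours=1)))       # quarantine
    print(policy.decide("ws-17", 5900, t0 + timedelta(hours=25)))  # DENY, lapsed unreviewed
    policy.review(hole, approve=True, now=t0 + timedelta(hours=26))
    print(policy.decide("ws-17", 5900, t0 + timedelta(hours=27)))  # ALLOW, now permanent
    print("\n".join(policy.audit))
```

The audit list is there because the review step is what makes this workable in practice: if nobody looks at the queue, every hole simply lapses at the end of its quarantine window and the user is back to default deny rather than quietly left with a permanent exception.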
