-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Thursday, 18 April 2013 6:08 AM
To: NT System Admin Issues
Subject: Re: On the subject of security...
> If that's the case, then he didn't make his point at all clear.
...
> True again - and again unremarkable. My point is that you have to use the
> same methods to protect unprivileged accounts as you do root/administrator.
> ...
> That's the import of my remarks about screensavers, FDE, not caching
> passwords for web sites in browsers, etc. - it's all about protecting the
> data; that which resides on the machine, and that which resides on teh
> intarwebs.

If anyone's being unclear here, I think it's you.

My reading of your comments is that a lot of your suggestions are geared towards preventing access to the system. All your suggestions about encrypting disks, having screen savers etc. are overkill if all my data is burnt to CDs. I'm better off investing in a safe to house them.

Additionally, if my only PC is the one sitting in my living room, then when someone has got access to that machine (by breaking into my house), then a lack of a password-protected screensaver, or the fact that the password to the machine is on the bottom of the keyboard, is probably the least of my problems.

Security is about managing risk: identify what the threats are, and then mitigate, transfer, accept etc. Security is not a checklist of technologies and processes.

> I protect all of my accounts, privileged or not, in the same ways, and
> have been doing so for so long that it's completely natural to me. It
> just feels unnatural not to do so.
>
> No running executables from untrusted sources, turn off scripting in
> my browsers, view all email as plain text, no remembering/caching of
> passwords in browsers, using a unique password per web site and per
> other accounts, regular clearing of cookies, no linking of accounts
> between web sites, running current AV, no browsing with elevated
> accounts, laptops have full disk encryption, etc., etc., etc.

Without an evaluation of risks, this would be a complete waste of time for most people IMHO. I run as an admin on my personal machine. I don't bother reading all mail in "plain text", and I don't full-disk encrypt all my machines, and I don't clear my cookies. I've got better things to do with my time, and if I focus on protecting my identity and data instead, I'm probably just as likely as you to be "safe".

Cheers
Ken
