Definitely not, you have to have very thorough clearance to even physically get 
into the installations I was thinking of. If there are any black marks on your 
record, forget about getting in at all.

I was only trying to note a similar level of paranoia, certainly for a 
different reason.

Interesting dilemma when you know the bad guys are already inside by design and 
you have to grant access and mitigate that risk.

From: Ray [mailto:[email protected]]
Sent: Friday, January 07, 2011 9:14 AM
To: NT System Admin Issues
Subject: RE: AD and firewall ports

I would hope the people carrying the weapons haven't broken the law like those 
in orange, whether it be white collar fraud, a sex offense, or murder.

At this time, our inmates can't be in AD, so they log on locally. But they also 
need access to server resources, including our ERP system. So they created 
an "inmate vlan", which unfortunately was a bit short-sighted in implementation 
- it's strictly one-way communication. So I can't RDP, or SCCM, or anything to 
connect to them, and they can't easily get MS updates.


From: Free, Bob [mailto:[email protected]]
Sent: Friday, January 07, 2011 9:48 AM
To: NT System Admin Issues
Subject: RE: AD and firewall ports

> You want paranoia try working in an environment where many of the "employees" 
> are wearing orange.

Or khakis
Or camouflage
Or dark blue
etc.....

Basically anywhere that some or all of the employees carry one or more  
automatic weapons at all times :)


From: Ray [mailto:[email protected]]
Sent: Friday, January 07, 2011 5:58 AM
To: NT System Admin Issues
Subject: RE: AD and firewall ports

Yup.  It all depends on your level of paranoia,  how much you want to live in 
fear, and how much you want to make daily operations a pain in the a$$ for the 
end user in the name of security.

I worked at TriWest Healthcare. They stole the disk drives. Another company 
in Scottsdale they stole the servers. At the Mayo, they bought some PCs with 
that kind of clamshell design that was supposed to make it fast for techs to 
work on. We found several with their HD missing. USB drives are getting 
bigger, cheaper and smaller. You can buy USB watches. Unless you're shutting 
down all USB devices, not hard to grab entire databases. How long do you 
allow your PCs to sit idle before the password protected screen saver kicks in?

You want paranoia try working in an environment where many of the "employees" 
are wearing orange.

From: Don Ely [mailto:[email protected]]
Sent: Thursday, January 06, 2011 10:00 PM
To: NT System Admin Issues
Subject: Re: AD and firewall ports

Kurt,

If someone wants your data, they WILL get it. It's not a matter of IF, it's a 
matter of WHEN. People WANT the government's data; without absolute sneaker 
net, it is nearly IMPOSSIBLE to protect completely. There will always be a 
hole somewhere no matter how secure the environment is.

It's all a matter of risk and the cost to mitigate the risk. There are 
fundamentally secure ways to accomplish what has been asked.  Is it a perfect 
solution?  Maybe not, but it is doable.

You are a talented IT professional, but I think you may be living in the IT 
fantasy land...

On Thu, Jan 6, 2011 at 8:41 PM, Kurt Buff <[email protected]> wrote:
On Thu, Jan 6, 2011 at 18:11, Ken Schaefer <[email protected]> wrote:
> Hi,
>
> Then you should turn off all your computers, encase them in concrete, and
> launch them into outer space - and into the Sun. That is the best way of
> stopping anyone compromising one of your machines.
Got to love the straw man argument.

> Having a non-domain joined SQL Server in your DMZ is far less secure than 
> that.
Than what? Launching it into the sun? You conveniently ignore that I
said "when you know there are better ways", and the

> Hint: go and read some books on security first. *All* security is risk 
> mitigation.
> For example: that's why we still have passwords that are only "x" characters 
> long,
> rather than "x + 1" (where x is any number less than infinity).
I have read security books, and keep up with Full Disclosure, FW
Wizards and several other lists, as well as monitoring isc.sans.org.

And you exaggerate again. We have passwords that are 'x' characters
long (I tend to use 20+ character passphrases myself) because the
effort to crack them is, so far, infeasible, due to the lack of
rainbow tables of the size necessary to do so, and the lack of time to
brute force them before I change them. If firms (such as my own work,
I'll admit) are so foolish as to ignore this limit, then they will
likely suffer for it, and deserve to do so.

> Everything in security is about:
> a) analysing what risks you face,
> b) working out the likelihood of it eventuating
> c) working out the cost of the likelihood eventuating
> d) working out the cost of making the risk go away
> e) working out whether it's cost effective to implement (d) given (a)(b)(c)
It's at b) that the risk mitigation wizards fail. Spectacularly. IMHO,
"risk mitigation" is a mantra that has gone way too far, in the
relentless pursuit of cost and effort savings. The above
recommendation to turn a firewall into a safe passage for intruders is
a prime example.

> That is why a national government has a far more secure, cumbersome network
> than your average business. Because the risks are different.
Oh, yeah - that's worked out well, hasn't it? I believe you have that
problem by the wrong end of the stick. National government networks
are more cumbersome, and not more secure, in the main. That's because
they're, wait for it, run by bureaucrats. They danced the risk
mitigation dance, and we got wikileaks, infected thumb drives, virus
infestations on supposedly secure networks, and all manner of
silliness.

> That's why we don't all blithely implement the same way of doing things. 
> Because doing
> things *costs* money (whether that be products, convenience, productivity etc)
And doing them intelligently costs less money than doing them stupidly.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
