  EGeezer Go Bobcats Premium join:2002-08-04 Country!
1 edit | reply to Mele20 Emotion and security implementation
My decisions and recommendations on system security are based on factfinding, discovery, needs requirements and risk analysis, and implemented as processes. Any inclusion of limited user as security is based on the results of this study. The implementations may include limited user, simple file sharing, applications, policies and procedures, tools and so on, and are not dictated by emotional opinion.
When security planning is based on emotion, it often fails to provide either security or function. Similarly, assuming emotional states of individuals based on the tools and methods used to secure systems is unhelpful and invalid, and does not serve to further the cause of good system security. -- Insert catchy sig line here |
|
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| reply to Mele20 Re: Real Computer Security: File & Dir Permissions
said by Mele20: ...I don't care what the "principle" is...
Then, might I simply suggest that it's obvious this thread is not for you, and perhaps you could just let the rest of us discuss the issues, without worrying about having to explain ourselves to someone who gets offended merely because we discuss a matter they disagree with? -- I am the sole arbiter of what is important enough to spend my time on - not anyone else here, or anywhere else. You take care of yourself, and leave me to me, got it? |
|
 dave Premium,MVM join:2000-05-04 not in ohio
| reply to Marilla Re: Real Computer Security: File & Dir Permissions
Let me give an example of why 'limiting what you can do' is a good idea. I touched on this before, but maybe I should repeat it.
I rarely make writeable shares. They're read-only, even to me.
If I need writeable directories, I just put a write-access share on one directory, alone.
I never share out whole disk volumes, even to me.
In a company I used to work at, we had a major Nimda outbreak. As it happens, the outbreak was first noticed by myself and another guy (and both of us were excused from running anti-virus software for sound technical reasons). We didn't get infected, because we used good share hygiene. We simply noticed the network was as busy as hell.
Everyone else in the company (all of them running AV software) got infected, primarily because they "didn't like to limit themselves". So they pulled stupid stunts like putting a single writeable share at the root of the system disk; that way they could remotely access anything they suddenly needed to. So, too, could the worm.
I think it took the rest of them a week to clean up the mess. (And the AV company managed to detect it 24 hours after everyone had got infected - handy, that, I'm sure). |
|
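Added example, not part of dave's post or the thread: a PowerShell check that applies the share-hygiene rules he describes (read-only by default, write access on a single directory only, never a whole volume) to a list of shares. `Test-ShareHygiene` and `New-SampleAce` are hypothetical helper names, and the sample shares and accounts are constructed.

```powershell
# Added example (not from the thread): flag SMB shares that break the rules in the post above.
function Test-ShareHygiene {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [AllowEmptyCollection()] [object[]] $Access = @()  # AccountName, AccessControlType, AccessRight
    )
    $findings = @()
    # "I never share out whole disk volumes": a path such as C:\ exposes everything below it.
    $isRoot = $Path -match '^[A-Za-z]:\\?$'
    if ($isRoot) { $findings += 'shares a whole volume' }
    # "They're read-only": list every Allow entry that grants Change or Full.
    # (Custom rights are not decoded here and need a manual look.)
    $writers = @($Access | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and "$($_.AccessRight)" -in 'Change', 'Full'
    })
    foreach ($w in $writers) { $findings += "writable by $($w.AccountName) ($($w.AccessRight))" }
    # A writable share at the disk root is the case the post blames for the outbreak.
    $severity = 'OK'
    if ($findings.Count) { $severity = 'Review' }
    if ($isRoot -and $writers.Count) { $severity = 'High' }
    [pscustomobject]@{ Share = $Name; Path = $Path; Severity = $severity; Findings = $findings -join '; ' }
}

# Hypothetical helper that builds one constructed access entry.
function New-SampleAce([string] $Account, [string] $Right) {
    [pscustomobject]@{ AccountName = $Account; AccessControlType = 'Allow'; AccessRight = $Right }
}

# Constructed sample inventory (not real hosts or accounts) so the check runs offline.
$sample = @(
    @{ Name = 'docs';  Path = 'D:\Docs';        Access = @(New-SampleAce 'Everyone' 'Read') }
    @{ Name = 'inbox'; Path = 'D:\Transfer\In'; Access = @(New-SampleAce 'CORP\alice' 'Change') }
    @{ Name = 'c';     Path = 'C:\';            Access = @(New-SampleAce 'Everyone' 'Full') }
)
foreach ($s in $sample) { Test-ShareHygiene @s }

# On a live host (SmbShare module, Windows 8 / Server 2012 or later), feed real shares instead:
# Get-SmbShare -Special $false | ForEach-Object {
#     Test-ShareHygiene -Name $_.Name -Path $_.Path -Access (Get-SmbShareAccess -Name $_.Name) }
```

This looks at share-level permissions only; the NTFS ACL on the shared folder can restrict access further, so a 'Review' result on a single-directory share may be the deliberate write share the post allows.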
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH 1 edit | Re: Real Computer Security: File & Dir Permissions
Upon reflection, I do not wish to post. Take me back! |
|
  Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
Host: Security Product V.. Security
| reply to Marilla
This is an important subject and I hate to see it ruined. Please get back to the main subject which is discussing file and folder permissions. If you think it doesn't apply to you, stay out. -- You can catch the Devil, but you can't hold him long. |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
1 edit | reply to Marilla
I think this is where the Windows Shared Computer Toolkit also can be used for additional security. No reason to let someone have access even accidentally to the operating system.
Using the proper ID as well as scripts, it is still very easy to do OS Updates including A/V and Spyware updates as well.
It's very easy to partition a drive or use other drives for personal areas with this and can be set up differently for different users as well.
Just another way to keep XP as it was before a person logged on, when they log off, the OS is the same way it was before they logged on. It can be a GREAT combination with Directory and File security.
More Info Here:
»www.microsoft.com/windowsxp/shar···ult.mspx -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| reply to Marilla Re: Real Computer Security: File & Dir Permissions
Well, I did learn one thing by posting this thread:
Not very many people at this forum are interested at all in discussion beyond what super 'tool' they can use, or what FUD is playing on the local podcast... with apologies to the many quality posters who obviously are.
This place used to be more interesting, when you could actually have discussions about topics beyond who says the sky is falling today, or what VaporWare 'tool' you can install to Protect the World from CyberAIDS.
This could have been a really nice thread about a topic that many of the detractors here could have learned from. A topic that I could have learned from, too.
Instead, certain folks just constantly are tolerated in bringing the overall intelligence down repeatedly, and people who are just trying to keep the quality level a little bit higher get the beatings for it, while the FUDMeisters just keep breezing on, without an apparent care in the world.
I came to this place originally because of timely and informed discussion about issues, as they were happening - often before anywhere else did. But lately, I doubt I could trust much at all that was posted here, because it seems raw 'civility' is more valued than true helpfulness, relevance and accuracy.
I stayed here because of interesting discussions on interesting practical or theoretical issues of security. But again, much of that anymore just gets filled with worse-than-worthless crap and FUD, and anyone trying to correct the incessant deluge of idiocy gets moderated out of the way.
So yeah; This could have been a really great thread, among so many others, WildCatBoy. You can look at the sources of the interesting and worthwhile threads around here, and look at the sources of the ones that just bring things down again and again. Perhaps, instead of blaming the frustrated regulars who are desperately trying to cling to some semblance of order and practical value here, some regular trouble-makers could maybe...
Bleh. Why am I bothering. This post is headed for the delete-heap, anyway. -- I am the sole arbiter of what is important enough to spend my time on - not anyone else here, or anywhere else. You take care of yourself, and leave me to me, got it? |
|
 astirusty Premium join:2000-12-23 Henderson, NV
| reply to Marilla
said by Marilla: I thought I'd start a topic on this; see what thoughts, ideas, problems and other comments others had, as a user or administrator.
One problem is corporate politics. All it takes is one user with clout and the administrator will be opening up file & directory permissions, regardless of the security implications.
Corporate political security footballs:
1) users' files & directories by default that are set to be read-from or written-to by any user,
2) remote logins from other systems based on individual users' .rhosts files.
Reason given - too inconvenient for the users otherwise.
Admin's perspective: Don't come crying to me when somebody hacks one remote system, then logs into this system and wipes all users' (with default permissions) data out in a few minutes. |
|
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| said by astirusty: One problem is corporate politics. All it takes is one user with clout and the administrator will be opening up file & directory permissions, regardless of the security implications.
Yes, absolutely. Maybe IT should have something like what I recall hearing was the case with a ship you own, but hire someone to be captain of; When at sea, in dangerous conditions, what the captain says goes.
Then again, once you reach shore, the captain might get fired, if the boss doesn't realize his life had been in danger. heh -- I am the sole arbiter of what is important enough to spend my time on - not anyone else here, or anywhere else. You take care of yourself, and leave me to me, got it? |
|
  Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
Host: Security Product V.. Security
| reply to Marilla
Yes, this thread could have been more interesting and still can but as much as you'd like to blame others for it, you're just as responsible for it failing as others if not more, and there are two reasons for it:
a) You started the thread with a vague suggestion without telling people how. It's great to preach a concept but if people don't know how to use file and folder permissions and what they really are, then the discussion won't go anywhere.
You should have explained them better and provided examples as how they can be helpful. Most people don't have a clue what they are. In fact in this very thread I've seen indications that some think file permissions are the same as user permissions.
b) You helped this thread go off topic by responding to off topic remarks. To me, those who respond to Trolls or off topic remarks are more harmful than Trolls themselves and I have always warned those who respond, long before warning the Trolls themselves and I always will. Next time you think a remark is too idiotic, or off topic, simply move on with the main discussion and ignore the remark. You'll be amazed how well it works.
So stop blaming the forum, its members, the Moderator and the world. Look at the things you've done before blaming others. -- You can catch the Devil, but you can't hold him long. |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
1 edit | reply to astirusty
Will Second that, they want methods that are idiot proof.
There are many issues simply caused by accidental changes or deletions of a part of the OS. So I am not sure I would call file security "Real Security".
My take is, listen, if I can remove the possibility of the Operating System and all the supported applications being damaged, deleted or modified by users and malware, well then the remaining issues are easier to manage for clients.
File security is an important part of it, but because of the way Windows is designed by its basic nature it requires additional protection methods, and in some cases on a per-option basis, especially where the same executable might perform many functions. In these cases simple file security becomes too restrictive.
Recovery seems to be the word of choice these days with clients, because of Zero-Day exploits and accidental changes.
So how quickly can one recover from something that was caused by human error or malware not yet in the wild?
In the bitter end, personally, I think that's "Real Security". -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
1 edit | reply to astirusty Setting permissions using active directory?
The use of granular file permissions has good potential for security/functionality balancing, but I've run into a bit of a roadblock for implementing across larger user bases. Setting the permissions PC by PC can become a tedious and time-consuming task.
Is there a way to set them using group policies and in Active Directory in domains? By this I mean creating a group profile with granular permissions to folder MYFOLDER and files FILEA FILEB FILEC that are common on PCs used by the defined group. -- Insert catchy sig line here |
|
 astirusty Premium join:2000-12-23 Henderson, NV
| reply to Marilla Re: Real Computer Security: File & Dir Permissions
said by Marilla: ... as I'm something of an ACL-adjusting junkie ...
Have you (or anyone else reading this) seen a program that will set all MS Windows files & directories to: 1) MS Official default values, 2) Still usable but higher than default security values, 3) Paranoid / Tin-Foil-Hat Security values ???? |
|