Admin rights via backdoors
From: WALI <hkhasgiwale () gmail com>
Date: Fri, 09 Mar 2007 18:02:22 +0400
Hi Guys
I do understand the risks of seeing open ports on servers using nmap/nessus
but need to demonstrate a concept to my managers, the need for segregating
software developers and production environments, especially pertaining to
a financial application being built in-house.
I maintain that getting admin rights into an application while bypassing
logical access controls flowing down from Active Directory or OS level is
trivial for a programmer if he hard-codes some backdoor entry ports replete
with usernames and passwords. They disagree that if they have no AD rights
granted on the resource (different AD domains / filers etc), there is no
reason to physically isolate developers from production.
Is my contention conceptually correct? How can I demonstrate this with a
dummy application?
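The dummy application asked about above, as an added example that is not part of WALI's post: a small Python service whose admin role normally derives from simulated directory group membership, with a hard-coded maintenance credential and a hidden TCP port wired in the way the post describes, beside the same authorization logic with the backdoor removed. The account names, the group names, the password "changeme-in-prod" and the directory table are all constructed for illustration; the "directory" is an in-memory dict standing in for an AD bind and group lookup.

```python
"""Constructed demo: a hard-coded backdoor that bypasses directory-based access control."""
import hashlib
import hmac
import socket
import threading

# Simulated Active Directory: username -> (password, group memberships).
# Constructed sample data; a real app would bind to the domain instead.
DIRECTORY = {
    "alice": ("alice-pw", {"FIN-APP-USERS"}),
    "bob":   ("bob-pw",   {"FIN-APP-USERS", "FIN-APP-ADMINS"}),
}
ADMIN_GROUP = "FIN-APP-ADMINS"


def directory_bind(username, password):
    """Stand-in for an AD bind: returns the account's groups, or None on failure."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]


def role_from_groups(groups):
    return "admin" if ADMIN_GROUP in groups else "user"


# The backdoor: a service account that exists only in the source code, not in
# the directory. Storing a hash instead of the literal password hides it from a
# naive `strings` scan but changes nothing about what it grants.
_BACKDOOR_USER = "svc_build"
_BACKDOOR_HASH = hashlib.sha256(b"changeme-in-prod").hexdigest()


def authorize_with_backdoor(username, password):
    """Returns 'admin', 'user' or None. The backdoor check runs before, and
    independently of, the directory lookup, so no AD right is ever consulted."""
    if username == _BACKDOOR_USER and hmac.compare_digest(
            hashlib.sha256(password.encode()).hexdigest(), _BACKDOOR_HASH):
        return "admin"
    groups = directory_bind(username, password)
    return None if groups is None else role_from_groups(groups)


def authorize_hardened(username, password):
    """Same function with the backdoor removed: the role can only come from
    a successful directory bind and the groups that bind returns."""
    groups = directory_bind(username, password)
    return None if groups is None else role_from_groups(groups)


def start_backdoor_listener(host="127.0.0.1", port=0):
    """The 'backdoor entry port': an undocumented listener that takes one line
    of 'user password' and answers with the role. Returns the bound port
    (port=0 lets the OS pick one, which is what nmap would then reveal)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                line = conn.makefile("r").readline().strip()
                user, _, pw = line.partition(" ")
                role = authorize_with_backdoor(user, pw)
                conn.sendall(((role or "denied") + "\n").encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def query_backdoor_port(port, username, password, host="127.0.0.1"):
    """Client side of the maintenance protocol; returns the role string."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(f"{username} {password}\n".encode())
        return c.makefile("r").readline().strip()


if __name__ == "__main__":
    port = start_backdoor_listener()
    print("hidden listener on port", port)
    print("bob via directory      :", authorize_with_backdoor("bob", "bob-pw"))
    print("svc_build, backdoored  :", query_backdoor_port(port, "svc_build", "changeme-in-prod"))
    print("svc_build, hardened    :", authorize_hardened("svc_build", "changeme-in-prod"))
```

Running the script and pointing nmap at the host shows a listener the operations team never provisioned; sending the baked-in credential to it returns "admin" although svc_build has no directory entry and therefore no AD rights on anything. The hardened variant answers None for the same input because the only route to a role is a successful bind plus group membership. The point for the managers is that the directory's controls are only consulted where the code chooses to consult them, and whoever writes the production binary chooses; separating the people who write it from the environment that runs it, plus a build and review step they do not control, is what makes "no AD rights granted" actually mean "no access".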