Security Basics mailing list archives

RE: Deny access to copy files
From: "Yahsodhan Deshpande" <yahsodhan.deshpande () nevisnetworks com>
Date: Mon, 2 Jun 2008 23:30:03 -0700

Hi Craig,
   Let's assume that the following things are theoretically possible.

Create a virtual machine with Windows OS
Create a separate domain for developers
Set the permissions accordingly for that domain
Only thing accessible to the domain users is the common repository where
the code resides
All the tools necessary for the developer are preinstalled on the VM
The VM is hardened
   No browser on the VM
   The Developer account does not have the rights to install any
software.
   The VM comes up with no local storage, only storage it points to is
the code storage.
   There are no file/ directory sharing services
   No outlook / email access
   No access to the internet
   The IP addresses assigned to the VM are in a different subnet/VLAN
   Restrictive policies on the switches to avoid inter VLAN
communication.

Once such VM is created, it can be distributed to as many developers as
needed.

This VM can now be run by any developer on his/her PC and do the
development under that environment.

I think the above should work, I know it is restrictive to the
developer, but we are trying to find a solution aren't we?

I am not saying that this is a foolproof method, but a mid way where
enough deterrents are put in the way that it won't be that easy/ obvious
to do that.

Regards,
Yashodhan
 

-----Original Message-----
From: Craig Wright [mailto:Craig.Wright () bdo com au] 
Sent: Monday, June 02, 2008 8:41 PM
To: Yahsodhan Deshpande; Adam Pal; Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: RE: Deny access to copy files


This is ok for a single developer, assuming that the developer follows
the rules etc and that the host is not really locked down etc.

If the developer has access to the Internet on a PC and also access to
the VM, then there is nothing on earth that will restrict the ability to
send code. Next, if the VM is on a system that the developer is sitting
on (generally requiring admin rights) they can bypass the admin
controls.

This comes back to a hope the developer does the right thing issue. To
which I say trust but verify.

Next, you want to lock down a development VM host? A host with admin
rights usually supplied to the developer. A host with compilers and
tools? Please I would ask how do you propose to have a viable
development platform (fit for purpose) that is secured and bastionised?

Regards,
Dr Craig Wright GSE LLM


Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If
you are not the named addressee you must not read, print, copy,
distribute, or use in any way this transmission or any information it
contains. If you have received this message in error, please notify the
sender by return email, destroy all copies and delete it from your
system.

Any views expressed in this message are those of the individual sender
and not necessarily endorsed by BDO Kendalls. You may not rely on this
message as advice unless subsequently confirmed by fax or letter signed
by a Partner or Director of BDO Kendalls. It is your responsibility to
scan this communication and any files attached for computer viruses and
other defects. BDO Kendalls does not accept liability for any loss or
damage however caused which may result from this communication or any
files attached. A full version of the BDO Kendalls disclaimer, and our
Privacy statement, can be found on the BDO Kendalls website at
http://www.bdo.com.au/ or by emailing mailto:administrator () bdo com au 

BDO Kendalls is a national association of separate partnerships and
entities. Liability limited by a scheme approved under Professional
Standards Legislation.
-----Original Message-----

From: Yahsodhan Deshpande [mailto:yahsodhan.deshpande () nevisnetworks com]
Sent: Tuesday, 3 June 2008 9:55 AM
To: Craig Wright; Adam Pal; Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: RE: Deny access to copy files

I think we are missing the point here; the idea of VM was to create a
sand box for the developer. He will keep using his own environment;
browse the internet using his/her pc/laptop, but all the development
work will have to be done under the VM.

The VM is in control of the admin, and will have much better chance of
having the control within that environment, rather than restricting the
user from his normal activities.

I am not suggesting using VM as a security device, rather just limiting
the management overhead to each individual pc/laptop to a centrally
managed VM, with least effect on the end user in his normal activities.

As I already mentioned hardening the VM is a task in itself, but once
achieved is much more maintainable.

Regards,
Yashodhan

-----Original Message-----
From: Craig Wright [mailto:Craig.Wright () bdo com au]
Sent: Monday, June 02, 2008 4:21 PM
To: Yahsodhan Deshpande; Adam Pal; Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: RE: Deny access to copy files


So add an extra layer of risk? With no gain? Why?

VMs are not a security device (as much as people like to believe this).
The locking down of the VM is the same process as locking down the host,
but now you also have a hypervisor layer to be concerned over.

Regards,
Dr Craig Wright GSE LLM


-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Yahsodhan Deshpande
Sent: Tuesday, 3 June 2008 7:29 AM
To: Adam Pal; Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: RE: Deny access to copy files

Hi Ahmed,
   How about creating a virtual machine (which is hardened enough), and
then allow the access to the code only via the virtual machine.

   Hardening the VM would be a task in itself, but it would solve much
of the issues related to USB and mass storage devices.

Regards,
Yashodhan


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Adam Pal
Sent: Monday, June 02, 2008 1:15 PM
To: Ahmed Khalid
Cc: focus-ms () securityfocus com; security-basics () lists securityfocus com
Subject: Re: Deny access to copy files

Hello Ahmed,

Sounds more like you try washing your hands without getting wet :)
I can hardly imagine, that the programmers should be able to read but
not to copy, so if they need to program they need access to the code.
I think it's more frustrating for programmers to know that they have to
work with "handcuffs".
I think the problem lies much deeper :
do you trust your programmers?
If not, hire another, if yes, no such measurements needed, or better
say not more than written agreements about security policy.
About blocking web access:
As I can remember that one of the core problems of security is that
you cannot protect your data efficiently from attackers within the
company.
I can remember about agreements which contain things like:
-not connecting mobile storage devices to the workstation (this can be
monitored)
-not connecting mobile devices to the internal network (this can also
be monitored)
-not taking parts of code out of the company (which can also be
monitored)

Of course, bad-intentioned people will be able to bypass such
agreements but I prefer to assume that in your staff are good people
only.
One more - what about using interfaces for programming? Doing so,
every one holds only a small, unusable piece of the "puzzle".


--
Best regards,
 Adam Pal

Sunday, June 1, 2008, 8:20:25 PM, you wrote:

<==============Original message text===============
AK> I am working for a software house, they are developing a software product
AK> and their requirement is to restrict programmers to take the code out of
AK> office premises due to company policy. I am trying to configure a windows
AK> based machine which denies access to copy files to external storage devices
AK> connected to USB. There is an NTFS permission "Read + Execute" I guess this
AK> could do the work but is there any other way to do it?

AK> They also don't need programmers to take the code with them in their email.
AK> I can restrict SMTP and POP ports but when it comes to web based emails I am
AK> clueless,  How can I restrict web based emails like hotmail, gmail, yahoo
AK> there are so many of these and if I somehow manage to block all web based
AK> email sites someone can write a script to send emails, if not a script HTTP
AK> tunneling would bypass any checks and bounds defined by my proxy/gateway
AK> machine. How can I block such thing?

AK> Any help would be highly appreciated.

AK> Regards,
AK> Ahmed Khalid

<===========End of original message text===========
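
Added example, not part of any message in the thread: a read-only PowerShell audit of a developer VM against several items from the hardening list above (removable storage, file sharing, install rights, internet access). The registry paths, the service name and the probe host `example.com` are assumptions not taken from the thread, and the checks cover the guest only, not the host it runs on.

```powershell
# Added example: read-only audit of a developer VM (run inside the guest).
# Registry paths, the service name and $ProbeHost are assumptions, not from the thread.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-DevVmLockdown {
    param([string]$ProbeHost = 'example.com')   # placeholder external host
    $r = [ordered]@{}

    # USB mass-storage driver disabled (Start = 4 means the driver is never loaded).
    $r.UsbStorDisabled = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start') -eq 4

    # Group Policy "All Removable Storage classes: Deny all access".
    $r.RemovableStorageDenied = (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All') -eq 1

    # "No file/directory sharing services": Server service absent, or disabled and stopped.
    $svc = Get-CimInstance Win32_Service -Filter "Name='LanmanServer'"
    $r.FileSharingOff = ($null -eq $svc) -or ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')

    # "No rights to install software": the Administrators SID must not be in the token.
    # whoami lists the SID even when UAC has marked it deny-only, so a filtered
    # admin session is still reported as admin.
    $groups = whoami /groups /fo csv /nh
    $r.UserNotLocalAdmin = -not [bool]($groups -match '"S-1-5-32-544"')

    # "No access to the internet": outbound TCP 443 from the guest should fail.
    $r.NoInternetEgress = -not (Test-NetConnection -ComputerName $ProbeHost -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue)

    [pscustomobject]$r
}

# Any False value is a checklist item the VM does not meet.
Test-DevVmLockdown | Format-List
```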




