Firewall Wizards: Re: Highlighting Security Issues

Re: Highlighting Security Issues

From: Victor Williams <vbwilliams_at_neb.rr.com>
Date: Mon, 02 Aug 2004 01:05:36 -0500

More thoughts just on technology...

> There's enough interesting things to this that I don't think there's a
> good basis for too strong an opinion either way, though the
> whistleblower's actions seem at least a little ill-advised...

http://www.decaturdaily.com/decaturdaily/news/040629/job.shtml

When does a firewall just "crash"? Someone explain that to me...

> The more interesting question there is how many folks who might have to
> ever monitor a system have invested in acquiring and testing the software
> they'd use to do it? Grabbing a Trojan off the Internet and installing it
> (especially a binary) seems like the *stupidest* path one could take in
> this situation. But I really didn't want to just push my analysis out
> there, I think it's worth some discussion in this community.

VNC Anyone? Dameware? In Dameware, you can push installs of software
to other machines without the end user knowing...and then you can display
what's onscreen--again, without the end user knowing. It works on any
Windows OS after 95. It contains no spyware, no malware, no trojans,
etc etc. You can download a fully functional 30-day eval, or you can
purchase one license for between $30 and $100 depending on the license
you get. Just about ANY retail software that doesn't modify the Windows
LOCAL_MACHINE registry settings can be pushed and installed without
rebooting the machine in question, with no interaction to the console.

> Yet, something must provide the motivation for change for the better-
> somehow organizations need to find a way to channel such energy toward
> the organizational goal, rather than lose valuable talent or even a chance
> to improve the organization...

Group policy and ghost imaging. You get a stable image of an OS, give a
user read/execute access, and write access only to specified directories
(C:\Documents and Settings\%username%), and you cease to have a misuse
problem that would require you to single out a single user for
monitoring. At the network level, you could monitor the network
destinations and payload of ALL transmissions leaving and coming into
the network. If you've done your work on the workstation(s) in
question, there's no app abuse. This should be true from the CEO to the
mailroom clerk. Only change should be the apps dedicated to certain
departments--this then becomes just a granularity of policy issue...only
PCs in the accounting department get the accounting software, only the
mailroom gets the UPS and Fedex software, etc etc.

> I don't think the commercial world is all that different, unless someone
> *cares* enough to do good policy creation and enforcement. That's one of
> the reasons that I'd prefer to see people channel such energy, rather than
> letting it go off on tangents, no matter how just the cause.

I guess that's what I was trying to get across before. If this is an NT
4 or later system, why don't system and group policies apply (not
written organization policies)? It would seem to me you could curb
someone's app use pretty quickly if they didn't have administrative
access to their workstation and you were deploying NT policies
correctly. When deployed correctly, all workstations of a domain should
inherit them...this is not new technology, and it's pretty effective
when done correctly.

> I've always thought such things were stupid. They get in the way of many
> legitimate sites, and put you into a "if I can get at it, then it's ok"
> sort of mode. Better to summarize sites surfed and have the employee sign
> the reports, like larger companies do with phone logs. I also get the
> stupid bounce messages from lots of e-mail content filters, which are the
> logical extension, and I know lots of people miss otherwise important
> messages because of some phrase, tool name, or slightly off remark.

How does restricting stock-trading sites get in the way of legitimate sites
if you're talking about a gov't agency? I can see how this would be
true if you work at Ameritrade...but a gov't agency?

I have had experience with SurfControl. You flat-out deny casino sites,
adult sites, stock-trading, and you log everything else...you never get
locked out of sites you need access to with a well thought-out
implementation plan and ruleset.

You then keep the logs for 12 months. If an issue arises, you can go
back 1 year from that date and look up anyone in the company working
anywhere in that year time period--it's all logged by NT or AD
username/machine name/IP address. You are then NOT discriminating...you
are just logging everything and everyone. When everyone falls under the
same umbrella, no one can complain about being singled out and
discriminated against.
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Aug 02 2004
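The filtering and logging scheme the post describes (deny casino, adult and stock-trading categories outright, log everything else by NT/AD username, machine name and IP address, keep the logs for 12 months, and be able to look up any user's activity in that window) as an added Python example. This is not code from the post or from SurfControl: the tab-separated log format, the category names and the sample log lines are constructed for the example, and the lookup and retention functions are an illustration of the policy, not a product's real API.

```python
"""Web-filter policy decision, 12-month retention and per-user lookup,
modelled on the post. Log format, categories and sample lines are
constructed for this example (not SurfControl's real format)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

DENY_CATEGORIES = {"casino", "adult", "stock-trading"}  # denied flat-out
RETENTION_DAYS = 365                                    # keep logs 12 months

# Constructed sample log (tab-separated): time, user, machine, ip, url, category
SAMPLE_LOG = (
    "2004-07-30T09:12:01\tjsmith\tWS-ACCT-01\t10.1.2.15\thttp://bank.example/login\tfinance\n"
    "2004-07-30T09:15:44\tjsmith\tWS-ACCT-01\t10.1.2.15\thttp://casino.example/slots\tcasino\n"
    "2004-07-30T11:02:10\tmjones\tWS-MAIL-03\t10.1.4.22\thttp://ups.example/track\tshipping\n"
    "2004-07-31T14:20:05\tmjones\tWS-MAIL-03\t10.1.4.22\thttp://trade.example/quotes\tstock-trading\n"
    "2003-06-01T08:00:00\tolduser\tWS-OLD-09\t10.1.9.9\thttp://www.example.com/\tgeneral\n"
)


@dataclass(frozen=True)
class AccessRecord:
    when: datetime
    username: str   # NT or AD account name
    machine: str
    ip: str
    url: str
    category: str
    action: str     # "denied" or "allowed"


def decide(category: str) -> str:
    """Policy decision for one request: deny the listed categories, allow (but log) the rest."""
    return "denied" if category.strip().lower() in DENY_CATEGORIES else "allowed"


def parse_line(line: str) -> AccessRecord:
    """Parse one constructed log line and attach the policy decision."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    ts, user, machine, ip, url, category = fields
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return AccessRecord(when, user, machine, ip, url, category, decide(category))


def load_log(text: str) -> List[AccessRecord]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def prune(records: Iterable[AccessRecord], now_iso: str) -> List[AccessRecord]:
    """Drop records older than the retention window, measured from now_iso (ISO date/time)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=RETENTION_DAYS)
    return [r for r in records if r.when >= cutoff]


def lookup(records: Iterable[AccessRecord], *, username: Optional[str] = None,
           machine: Optional[str] = None, ip: Optional[str] = None,
           start: Optional[str] = None, end: Optional[str] = None) -> List[AccessRecord]:
    """Find a user's/machine's/IP's activity in a date range; the same query
    works for everyone, so nobody is singled out by how the data is kept."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    out = []
    for r in records:
        if username is not None and r.username.lower() != username.lower():
            continue
        if machine is not None and r.machine.lower() != machine.lower():
            continue
        if ip is not None and r.ip != ip:
            continue
        if lo is not None and r.when < lo:
            continue
        if hi is not None and r.when > hi:
            continue
        out.append(r)
    return out


def summarize(records: Iterable[AccessRecord]) -> Dict[str, Dict[str, int]]:
    """Per-user allowed/denied counts, the kind of summary an employee could be asked to sign."""
    summary: Dict[str, Dict[str, int]] = {}
    for r in records:
        summary.setdefault(r.username, {"allowed": 0, "denied": 0})[r.action] += 1
    return summary


if __name__ == "__main__":
    recs = prune(load_log(SAMPLE_LOG), "2004-08-02")
    for r in lookup(recs, username="jsmith"):
        print(r.when, r.username, r.machine, r.ip, r.action, r.url)
    print(summarize(recs))
```

Running the block on the constructed log prunes the 2003 record, lists jsmith's two requests (one allowed, one denied) and prints per-user counts; `lookup` can equally be keyed by machine name or IP address, which is the point of logging all three.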
