Firewall Wizards mailing list archives

Re: Assessment Of GoToMyPC vs. Network Security


From: "Chris Byrd" <cbyrd01 () gmail com>
Date: Fri, 7 Apr 2006 18:06:25 -0500

If you are allowing employees to add new WLANs, then why worry about
GoToMyPC?  You've got much bigger problems.

Check out Simple Nomad's talk (ppt and movie included) about hacking
WiFi clients.
http://www.shmoocon.org/speakers.html#simple

Your firewall isn't going to do a thing to stop you from being
compromised.  Attacking the wireless clients is enough.  Desktop
firewalls can help, but MiTM attacks can still be quite successful.

Also, I'd suggest telling your Windows folks that there are very few
apps that require Administrator access.  If all the app needs to do is
write a few registry keys or files, use the free tools from
sysinternals.com to profile its behavior and then change the ACLs
(perhaps through a group policy).  Running as power user doesn't help,
as a power user is just someone who hasn't made themselves a full
administrator yet.

It sounds like you need to explain the idea that a firewall is not all
that makes up a secure network to your upper management.

- Chris

On 4/7/06, Jim Seymour <jseymour () linxnet com> wrote:

"Paul D. Robertson" <paul () compuwar net> wrote:

You can control what software an employee can install, that's getting
easier/better in a Windows environment.
[snip]

Nice in theory.  Doesn't appear to work in practice.  We have, for
example, employees that must be able to add new WLANs when they're on
the road.  Lack of "Administrator" access apparently precludes this.
Ran into another one today.  Volo View (an AutoCAD viewer application)
insists on trying to modify the system registry.  So if the end-user
doesn't have "Admin," or at least "Power User," rights: No go.  The
list goes on and on.  Suffice it to say, we tried, we really, really
tried (and we're still trying) to limit end-user access as much as
possible.  But success has proven elusive.  (Note:  I'm not the 'doze
guru.  I'm going by what little I know and what those who are supposed
to know tell me.)
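
The profiling step suggested in the reply above (run the application as a limited user, capture with a Sysinternals tool, then loosen ACLs only where it was refused), as an added example that is not part of the original thread. It assumes the capture was made with Process Monitor and saved as CSV; `viewer.exe`, the `ExampleVendor` paths and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export.
# (A real export starts with a UTF-8 BOM: open the file with encoding="utf-8-sig".)
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","viewer.exe","1234","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\Viewer","SUCCESS",""
"10:01:02.2","viewer.exe","1234","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Viewer\LastRun","ACCESS DENIED",""
"10:01:02.3","viewer.exe","1234","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Viewer\Width","ACCESS DENIED",""
"10:01:02.4","viewer.exe","1234","RegCreateKey","HKLM\SOFTWARE\ExampleVendor\Viewer\Recent","ACCESS DENIED",""
"10:01:02.5","viewer.exe","1234","CreateFile","C:\Program Files\ExampleVendor\viewer.ini","ACCESS DENIED",""
"10:01:02.6","other.exe","4321","CreateFile","C:\Windows\other.log","ACCESS DENIED",""
'''

# Operations whose Path names a registry value; the ACL lives on the parent key.
VALUE_OPS = {"RegSetValue", "RegDeleteValue", "RegQueryValue"}


def denied_targets(csv_text, process_name):
    """Map each object the process was refused on to the operations that failed."""
    targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # only the application being profiled
        if row["Result"] != "ACCESS DENIED":
            continue  # successful calls need no ACL change
        path = row["Path"]
        if row["Operation"] in VALUE_OPS:
            path = path.rsplit("\\", 1)[0]  # drop the value name, keep the key
        targets[path].add(row["Operation"])
    return {path: sorted(ops) for path, ops in sorted(targets.items())}


if __name__ == "__main__":
    # Each line printed is one candidate for a narrowly scoped ACL change.
    for path, ops in denied_targets(SAMPLE_CSV, "viewer.exe").items():
        print(f"{path}: {', '.join(ops)}")
```

The resulting list is the set of keys and files to review for a targeted ACL grant to the limited user or group, in place of Administrator or Power User membership.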