Concerning Windows Domain security - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 13 of 13

Thread: Concerning Windows Domain security

  1. #11
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Therein lies the answer then slarty, setup one server box, setup DNS for it, and configure it as a vhost box. Then give file share access to each dev on this box locked to a directory with their domain accounts, and point IIS to those directories for the vhosting. Your devs can have local admin access so the software can do what it needs to to that one box, and they could access their results at the appropriate resolved URL. This is how we did all our development, for a few security reasons.

    It can be done so as to present little difficulty to the developer, and should help ease your security concerns.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  2. #12
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Slarty, although i agree that is easier to let developers have local admin access, it is possible that run without it. For example, i worked at a large bank here and NO developer has special access. Every test is done thru TEST servers, that were customized specially for make their job easier. However, i do agree that is harder than just let them test on their computers. But sometimes we need to sacrifice (in THEIR point of view) "productivity" to achieve security. It is not a easy balance to do.
    On that bank, there is a few group of people that has local admin. However, they signed an agreement about installing things on their computers. Just summ up, they can be fire with they get caught installing "un authorized" software on their computers. And the bank has a special audit procedure to take care of that.
    Just harderned local security and minimize possible local admin exposure we can:
    1) assign local admin (when needed) to a domain user - not give local admin user password to the requester;
    2) disable local admin account and monitor any attempt to re-enable it
    3) Just one local admin per machine - it is easy to get to invader
    4) config password on bios to avoid cd/floppy boot - it will dificult the usage of stand alone password crack tools
    5) fire out any deviation of that policy

    About ideas worked on that company, after some smart guys had been fired out ...
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #13
    Junior Member
    Join Date
    May 2004
    Posts
    3
    We require 15+ mixed character passwords for service accounts.

    Domain Admin logons & above require a SecureID-type dongle.
    Oh, and as expected, that dongle needs a PIN to work.

    Could be better, but it's a start.

    Rootoo

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides