Printable View
The only way I know of is to disable removable media and to restrict download/email permissions to block all .zips, and the two executable files for take command. This is not a very fesable thing, as you may have a legit need to allow .zips, and the .exe files could always be renamed......
Now the real work begins!
at work they use zen works for desktops (novell),
only the novell delivered applications are executable...
there is no possibility of disabling removable media, or disabling downloading of zip, exe and com files, so for as far as i know, it has a leak which can't be closed, and i don't think they want to get novell to stop this problem...
and with novell, some other problems will surely arrise...
SO what is the real issue? The only thing you have done so far is maybe open up a command prompt...
The thing that I think you are overlooking, is that if the option to do something is disabled through the gui, it will also be blocked from the command line. For instance, you stated earlier that you could not map a drive or do anything like that. Just because you can now get to a command prompt doesn't mean that the "net" command will work for you.
The GPO policies that restrict sharing drives or mapping drives does not apply just to the GUI, it applies to the entire system.
This entire thread just goes to show the need for security in layers... So you can run a command prompt, that doesn't do any good if the only folder you have write permissions to are your user folders, with almost all of the other folders restricted to you. The only thing you are testing is how good your admins are, and how deep they took their security lockdown.
I'm pretty sure that most people on here will agree that if you can run whatever you want from a floppy and have physical access to the box there is very little that can be done to secure the machine. The real question is does it matter? So you have full access to a desktop machine.. Big deal.. Does it have any sensitive material on it? It shouldn't, and if it does you have a lot bigger problems to deal with than a user getting admin on a server that they have a legitimate login for.
I guess I just don't understand why it is that your company is paying you your salary to try and secure a workstation? It's just not that important.
My take on desktop security is that it needs to be strong enough to keep your system from getting infected with all of the different virii/trojans that keep popping up, and that it needs to keep the average user from screwing up the system by accident. In the cases of a snoopy employee who hacks into their own system, your HR policies should address those types of issues.
as far as im concerned the real issue is temp workers and disgruntled employees, not that i've ever come across a gruntled one. why lock down a workstation? so dishonest people hired as temps or unhappy employees aren’t able to access sensitive information and sell it to the competition they could even be getting payed by the competition to work as a temp using them as a reference to get hired at the target location. or a larcenist checking out your network security while under temporary hire.
its not a good idea for a security person to be oblivious to these things. once a command shell is acquired it's much easier to escalate privileges, plant backdoors like a reverse shell threw a shtml proxy, run a packet sniffer or just find out what’s there that can be exploited.
id like to point out that removing the floppy and cd and disallowing exe and zip files at the fire wall can in no way stop someone from getting an exe or any other type of file onto the computer as long as they have internet access and access to an unzipping util. its just a matter of encoding a file to a web page then copy and paste it into notepad.
yeah, you are right.Quote:
Originally posted here by lepricaun
there is no possibility of disabling removable media, or disabling downloading of zip, exe and com files, so for as far as i know, it has a leak which can't be closed, and i don't think they want to get novell to stop this problem...
and with novell, some other problems will surely arrise...
i do not wanna administrate such a network as we got at work...must be fustrating...
hey, you can do more with the command then with a gui, and the net command does work.
i do believe too that it shouldn't have to be disabled though, cause where is the trust?
and they are not paying me for this, it's just something i agreed to help with outside working hours...
i did it to learn!
and the cmd.exe doesn't work, but regedit and taskmgr does, only the regedit can view, but not modify....
gotta try something else...
hmmm...i will have a look into ntdll.dll
We are talking about a workstation though. A workstation should never have confidential material on it to begin with. It should be part of your security policy that all documents that are of a confidential or higher nature should be stored on a file server which is using some type of secure encryption. If you are not encrypting files that have sensitive or secure data in them, you have a lot bigger problems to deal with. It is also very unusual for people who are dealing with sensitive materials to share their workstations with temporary employees.Quote:
Originally posted here by Tedob1
as far as im concerned the real issue is temp workers and disgruntled employees, not that i've ever come across a gruntled one. why lock down a workstation? so dishonest people hired as temps or unhappy employees aren’t able to access sensitive information and sell it to the competition they could even be getting payed by the competition to work as a temp using them as a reference to get hired at the target location. or a larcenist checking out your network security while under temporary hire.
its not a good idea for a security person to be oblivious to these things. once a command shell is acquired it's much easier to escalate privileges, plant backdoors like a reverse shell threw a shtml proxy, run a packet sniffer or just find out what’s there that can be exploited.
id like to point out that removing the floppy and cd and disallowing exe and zip files at the fire wall can in no way stop someone from getting an exe or any other type of file onto the computer as long as they have internet access and access to an unzipping util. its just a matter of encoding a file to a web page then copy and paste it into notepad.
Ok, so you get admin access on a workstation and you are able to run a packet sniffer. A properly designed network would have probes that are searching for nics that are running in promiscious mode, and instantly shut those down, or atleast generate an alarm so somebody can go check it out. Or better yet, have something look for people that are sniffing the network as well as using switches to isolate traffic.
The worst case I can think of is that someone could plant a password sniffer and try to get the password of other people. But even this threat is easily turned into a moot point through proper procedures.
1) Make sure your admins have seperate user and admin accounts.
2) An admin should never log in with an domain administrative password on a client workstation. You have trusted workstations or servers that are used when an administrative login is needed. This way the worst you can do in terms of sniffing a password is get the local admin password on the client machine, or get the password of another client..
Even better yet, institute a tripwire type program to watch the files that are critical to winlogin to make sure they are not altered. This can very easily be done, and in most cases the person trying to hack your system is going to be unaware of the check being done.
But honestly, on a properly secured and patched system, getting just a dos prompt will get you very little. The main concern you would have is in dealing with a very sophisticated hacker, someone who has access to undisclosed expoits. But if this is the case, you are screwed anyway because they had you the moment you gave them physical access to the system.
The command may run, but if they are using GPO properly you will not be able to create a shared resource or map to a shared resource. But just the basic fact that you have run permissions on the net command shows that your administrators did not do their job properly. Or, as is the more likely case, they are fully aware that there is a vulnerability there, but the business model allows for the vulnerability to exist with minimal impact to the bottom line. The biggest thing about writing a security policy is knowing what needs to be very secure vs. what can be somewhat secure. You just have to make sure you have processes in place to deal with the minor security issues so that they don't turn into major issues.Quote:
hey, you can do more with the command then with a gui, and the net command does work.
mohaughn ....now your talken'. however i disagree that these faults are designed to produce minimal impact by default. they are not its up to the administrator to make sure they have minimal impact and that any infractions of policy are detected right away. to the best of my knowledge it takes third party software to detect a nic running in promiscious mode. if you can correct me on this i would appreciate it. too many believe that all one has to do is deny this any that and thats the end of story. if one isn't aware that this can be bypassed then the thought of layered security seems like un-necessary work. please dont negate the importance of threads like this by saying "big deal all they can do is ...". you seem to understand the importance of layered security. Me i had to learn it from boards like this and books. my employer dosen't want to pay for any courses at all and im sure im not alone in this.