Balancing Bad Applications vs. Network Security?
Darlok asks: "One of our clients recently purchased a new financial software package from a major vendor for their industry. This is not a small mom-and-pop software house. The problem is, like a lot of industry-specific software, there are a considerable number of bugs. What's shocking is that to work around a problem preventing users from logging on, the manufacturer's recommended solution is to grant -Domain Administrator- privileges to all users, and they refuse (or are unable) to explain that need further (it's bad enough that an increasing amount of software seems to require local administrator privileges). Considering the enormous costs involved, how do you explain to Management that they shouldn't run this software until the problem is resolved -- which could be a long time, costing even more money? How do you balance productivity versus security when ANY productivity would give away the keys to the city? What can make an industry-specific software manufacturer pay attention to larger issues when they already have something of a captive audience?"
Simple terms. (Score:5, Insightful)
You shouldn't usually sacrifice security for productivity, unless you don't need the security. I suppose Windows is a good example of businesses sacrificing security for productivity, though. In most cases they probably get away with it by having firewalls and the like.
Re:Simple terms. (Score:5, Insightful)
Explain to them that granting domain admin privileges to everyone means that even the interns they hired to do data entry will have *full* access to every resource on the domain. That includes servers and workstations with sensitive information (incl. upper management's). And that it's just a matter of someone getting up to go to lunch and not locking their workstation to leave the door wide open to any passerby.
Problem is, by now your data is in this tool and you need to use it to work. So you'll have to bite the bullet anyway.
Re:Simple terms. (Score:5, Insightful)
Sig (Score:1, Offtopic)
Basically, it means the Bible is more important than the Constitution.
So how does pointing this out help your case?
Re:Sig (Score:2)
I guess I'm dense... Are you referring to me, yourself, the Senator from your anecdote, who?
Re:Sig (Score:2, Interesting)
Just think about what these things mean. Assume the real believer's position. Swearing on the Bible is a promise to God, by God, before God. You don't make that promise lightly, nor if you do not intend to carry it out. If you find an inherent contradiction in the promise you are making - do not lie to God, and make it anyway.
The Bible has many strange and contradictory injunctions - especially if these are read as literal - or approached merely intellect
Re:Sig (Score:2)
Towards what you said though, I've always been a bit confused as to how religious Christians pick which parts of the old testament are still valid.
Re:Sig (Score:3, Insightful)
Usually, the parts endowing one's prejudices and fears with divine authority.
Don't worry, they're confused about it, too. What's funny, of course, is that we see the same thing in Judaism, where there isn't some guy coming along and giving us a new law.
I won't pretend that it's simple to explain (Score:2)
A good discussion of this can be found here:
http://www.tektonics.org/lp/lawrole.html [tektonics.org]
----- Begin from that page
If one then happens to ask, "On what basis do you then continue to say that these laws are still valid morally?" -- beyond the "all agree" level of things like murder, and in the category of things like h
Re:I won't pretend that it's simple to explain (Score:2)
You're welcome (Score:2)
Christianity is the only world view that fully works, as far as I'm concerned.
For what it's worth, even as a devoted Christian there are things about Christianity that perplex me, but I have two comments about that:
1) There are far larger and far more questions related to *every* other world view I have examined, and
2) The big questions ha
Re:You're welcome (Score:2)
I've only casually looked at the material you've provided, but I intend to read more about it.
Re:Simple terms. (Score:4, Interesting)
In the next meeting ask the boss for his house keys, then proceed to explain that you will now make copies of his house keys and along with directions to his house pass out the key copies to all employees.
When he freaks out explain this is the same as granting domain admin access to the systems.
That should help explain the importance of security
Re:Simple terms. (Score:1)
Not true. Computers would be more secure, and a lot less productive, if they weren't networked. Everything gets compromised
Give management an option (Score:5, Informative)
Or give them their own Domain entirely. (Score:5, Informative)
A reasonable option in this situation is to give the experts who will use the industry specific software their own subnet; and save all files to a shared server that then backs up to a server on the regular LAN.
If this financial software package is as expensive as "Darlok" makes it out to be, then just go to your local Microsoft rep and purchase a bunch of seats for a new Domain - the cost of the new seats would probably pale in comparison to the cost of the financial software package.
Then let their secondary accounts all be Admins within their own little domain, but with no special rights to the larger Active Directory tree.
Or do that old thing with NT 4.0 Domains, where Domain A trusts Domain B, but Domain B doesn't trust Domain A.
Or create two separate domains entirely [with no ambient Active Directory tree and no trust relationships], and just make everyone memorize two different user names and two different passwords.
That'll get management's attention.
Dodging the issue, but a workaround? (Score:5, Insightful)
It's trivial nowadays at least to set up separate little compartmentalized computers and networks, and though I recognize the carry-cost (virtual services are still supported services and need monitoring and troubleshooting and backups, etc etc), it would at least get around the privilege issue.
If this is totally non-helpful, sorry, it was the only thing I could think of
Sounds familiar (Score:4, Interesting)
We were told something similar with a new software package... turns out that a single registry key needed slightly different permissions. I wasn't too impressed with their suggestion that all users need to be administrators either!
regmon and filemon are your friend (Score:1)
I wonder if it's the same app... (Score:5, Informative)
Find out what it is trying to do and open security only for that action to the users.
-Rick
Re:I wonder if it's the same app... (Score:3, Interesting)
After that, just let the users have at it. Most likely, they won't fuck up too bad. And their curiosity to go sniffing around will be sated once they find that all that's out there is X-number of PCs exactly like theirs. No e-mail. No personal documents. No pr0n.
Give those users a laptop or another desktop with a KVM switch so they
Let's name NAMES (Score:5, Informative)
This is a big issue. IANAL, but I think there is a legal case here. You may have signed this away by contract, so...
Under this configuration, there is no way that your company - if publicly traded - can meet the mandated compliance under SOX, etc. This doesn't touch the fact that you have now lowered authorization and access controls to a level that is inferior to MS-DOS.
And why does the DB vendor care? They assume all value is locked under their own controls - and the OS is insignificant. Bad shot. If you are a domain admin, you can always work your way into something - even put a keylogger on the financial controllers desktop, and capture the precious secrets for logging into the system.
Exactly what product does Oracle require this permission?
Then the consultant is a MORON. If giving users Domain Admin access is the ONLY possible solution (which I highly doubt) there is still no reason to give the entire Domain Users group Domain Admin access. You would still only increase access for those users who need it. If we're going to name names, what is the name of the consultant who told this to you? Just so I know to make sure I don't inadvertently wind up hiring him.
-Rick
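The distinction the post above draws (a handful of named users versus the whole Domain Users group) is something an admin can check rather than take on faith. The script below is an added example, not code from the thread or from any vendor: it audits who effectively holds Domain Admin, flags well-known groups nested into it (Domain Users is RID 513, so "everyone is an admin" shows up as a single nested group), and flags members that look like service accounts. It assumes the RSAT ActiveDirectory module; the group name is the built-in default and the heuristics for "looks like a service account" are mine.

```powershell
# Added example: audit effective Domain Admin membership.
# Assumes the RSAT ActiveDirectory module (Import-Module ActiveDirectory).
Import-Module ActiveDirectory

function Get-DomainAdminAudit {
    param([string]$Group = 'Domain Admins')

    # Direct members, so a nested group such as "Domain Users" is visible by name
    $direct = @(Get-ADGroupMember -Identity $Group)
    # Recursive expansion: every user who effectively holds the right
    $effective = @(Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' })

    $findings = @()

    foreach ($g in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
        # Domain Users = RID 513, Domain Computers = RID 515: never belong here
        if ($g.SID.Value -match '-51[35]$') {
            $findings += "CRITICAL: '$($g.Name)' is nested in '$Group' - every domain account is an admin"
        } else {
            $findings += "WARN: nested group '$($g.Name)' grants $Group to all of its members"
        }
    }

    # Heuristic (assumption): password-never-expires or an SPN usually means a service account
    foreach ($u in $effective) {
        $user = Get-ADUser -Identity $u.SamAccountName -Properties PasswordNeverExpires, ServicePrincipalNames
        if ($user.PasswordNeverExpires -or $user.ServicePrincipalNames.Count -gt 0) {
            $findings += "WARN: '$($user.SamAccountName)' looks like a service account but is an effective $Group"
        }
    }

    [pscustomobject]@{
        Group          = $Group
        DirectMembers  = $direct.Count
        EffectiveUsers = $effective.Count
        Findings       = $findings
    }
}

Get-DomainAdminAudit | Format-List
```

Without RSAT, `net group "Domain Admins" /domain` gives the direct member list (no recursion), which is enough to spot a nested Domain Users entry. Run the audit before and after the vendor's "fix" so the delta is on record.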
Re:Let's name NAMES (Score:1)
Whacking bad problem! All c$ shares and remote registry available to everyone, everywhere on a flat network! Even PT security guards in the middle of the night.
I don't know how they missed a worm infestation.
Re:Let's name NAMES (Score:2)
No kidding! A domain admin can set security policies that effectively prevent *anyone* from logging in, and propagate those policies to all the workstations on the domain, thus disabling local logins on every machine in the company! All it takes is one malware program...
Another NAME (Score:2, Informative)
Full read/write permissions in the Windows folder for Crystal Report libraries.
Full read/write permissions on the program directories.
Disable real-time virus scanning of the program directories.
The read/write permissions aren't even documented because you can--and this is a direct quote from support--"just make the user a local admin."
Re:Another NAME (Score:3, Interesting)
NET LOCALGROUP
They are local admin, until logoff. This doesn't extend the privilege to any kind of Remote Auth (unless you count terminal services), and the user can't access C$ across the net to another host where they may also be logged in.
It's a compromise, and I noted the risks in my report.
Use an analogy... (Score:4, Insightful)
"What would you do if you got the door to the breakroom replaced, no one could open it, and the manufacturer's solution was 'Give every single employee a copy of the Master Key for the entire building'?? Well, it's 100 times worse than that."
Jail it off (Score:5, Informative)
Speaking as someone who has had to support software written by people with no concept of security, if it is even remotely doable, even if it means a fair amount of work, take that machine off the domain. Jail and firewall the everloving snot out of it, don't let any data into it except through very controlled routes, and don't give it any privileges on the network, then give it all the admin rights it needs. Basically, just change it from a piece of software into an entire dedicated appliance.
Although you could spend the time to try and fix their problems, this kind of thing will come up over and over again. You'll save yourself time and effort if you nail it down now.
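As an added example of the appliance approach above (not code from the poster), the following configures the Windows host firewall on a workgroup box so the only traffic it can originate is an SMB drop to one file server plus DNS, and the only traffic it accepts is RDP from one jump host. Addresses and ports are assumptions. One caveat the post implies: the application account is a local admin on this box and can edit these rules, so the same policy belongs on the switch or VLAN ACL in front of it; the host rules are defence in depth and a logging point, not the boundary.

```powershell
# Added example: turn a stand-alone box into a dead-end appliance with the
# Windows host firewall. Addresses below are assumptions.
$FileServer = '10.0.5.20'   # assumed: share where the app's exports land
$JumpHost   = '10.0.9.5'    # assumed: the only host allowed to RDP in
$DnsServer  = '10.0.0.53'   # assumed

# 1. Default deny in both directions on every profile, and log what is dropped
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Disable every stock allow rule (discovery, Remote Assistance, etc.)
Get-NetFirewallRule -Action Allow -Enabled True | Disable-NetFirewallRule

# 3. Add back only the controlled routes, tagged so they can be audited
New-NetFirewallRule -DisplayName 'Jail: SMB out to file server' -Group 'Jail' `
    -Direction Outbound -RemoteAddress $FileServer -Protocol TCP -RemotePort 445 -Action Allow
New-NetFirewallRule -DisplayName 'Jail: DNS out' -Group 'Jail' `
    -Direction Outbound -RemoteAddress $DnsServer -Protocol UDP -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName 'Jail: RDP in from jump host' -Group 'Jail' `
    -Direction Inbound -RemoteAddress $JumpHost -Protocol TCP -LocalPort 3389 -Action Allow

# 4. Verify that nothing except the Jail rules is live
function Get-LiveAllowRules {
    Get-NetFirewallRule -Enabled True -Action Allow |
        Select-Object DisplayName, Direction, Group
}
$stray = Get-LiveAllowRules | Where-Object { $_.Group -ne 'Jail' }
if ($stray) { Write-Warning "Unexpected allow rules:`n$($stray | Out-String)" }
```

Re-run the verification step after every vendor "support session"; installers and updaters like to re-enable discovery rules, and the blocked-traffic log is the fastest way to see what the package actually tries to reach.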
Difficult situation (Score:5, Informative)
> One of our clients recently purchased a new financial software package
> from a major vendor for their industry.
When a business purchases software (or anything else) the manufacturer implicitly warrants that the item is suitable for its intended purpose.
> What's shocking is that to work around a problem preventing users
> from logging on, the manufacturer's recommended solution is to grant
> -Domain Administrator- privileges to all users, and they refuse
> (or are is unable) to explain that need further
Time for the client firm to call in the lawyers. Write up a formal document explaining that this is unacceptable from a security standpoint. Period.
That your firm cannot and will not accept -any- responsibility for anything that goes wrong if the client's management uses the software in this fashion.
Then write up a formal recommendation that the company either (A) sue the vendor or (B) place the payment for the software in an escrow account, and explain it will be turned over in payment only after the software is made usable by fixing the defects. Choice B is a standard option in dispute resolution; it demonstrates that the client party has every intention of paying, but not until the responsibilities of the vendor are met.
Have -your- firm's lawyers look over all these documents and recommendations carefully, and put the right spin on it.
> Considering the enormous costs involved, how do you explain to Management
> that they shouldn't run this software until the problem is resolved --
> which could be a long time, costing even more money?
Lay out the business details. Explain to them that under current federal law, the -management- of the client firm will be assuming any and all liability for using insecure software against all the recommendations of your firm's people.
However, even with all this, the client's management may choose to give away the keys. Cover your own asses. If you support the client in this, you may be liable. In situations like this, the client may choose to go full steam ahead; you can't stop them, you can only CYA.
Re:Difficult situation (Score:2)
Actually, I have.
> In all the ones that I have seen the manufacturer doesn't guarantee that
> the software will do anything, including its intended purpose.
The law (in the US) doesn't permit a person to waive -all- legal protections under licensing agreements. These kinds of dodges in license agreements are generally held to have limited effect on software designed and marketed for business purposes.
I'm not saying it's a slam-du
Re:Difficult situation (Score:2)
No comment, other than to state that this only affects whether there is a presumption of default on the part of the vendor; it doesn't affect whether you can sue (or escrow payments) or whether the suit can be brought.
> In addition, there is no "US law" in this situation. This is a garden variety
> contracts question, which is a state law question, so these assumptions may not
> apply.
With the additional point that contract law is governed by precedent under the common law,
Re:Difficult situation (Score:2)
> No, this is not the way the common law works in the US. A decision
> concerning a state law question in Illinois is not binding on courts
> in Ohio (unless the Ohio court is applying Illinois law, but this
> is uncommon).
Quite correct; I did not intend to imply otherwise. However, this is an area in which the rules are similar in most states. The various state legislatures and courts have worked to keep a certain commonality. Among other things, it serves the interests
LOL - Lexis Nexis (Score:1, Interesting)
Administrator privileges required on the workstation, sucks but common. Administrator privileges required on the server, totally ridiculous and unacceptable but, also increasingly common.
The moronic developers sales droids of these apps say; 'Oh, don't worry, we have security built into the application.' Translated, this means
Bring a translator. (Score:2, Funny)
That's not a fix at all (Score:2)
In rea
Investigate, and threaten litigation. (Score:5, Informative)
1) See if you can figure out what requires Domain Admin access - usually it's file or registry issues. SysInternals RegMon and FileMon are excellent for spotting these - you just run the program with regular user privileges, and watch to see which requests fail.
2) If this is a large, contract-licensed piece of software, look to see if the contract's been breached. Even if the vendor indemnifies themselves thoroughly, a good lawyer might scare them into compliance - you never know which contract provisions a judge may find unenforceable. I've seen really strange things happen in court (both good and bad). If you're working with the vendor, you can use the "look, you've sold us unusable software - you have to either fix it now, or I have to turn this over to legal so they can get our money back, and try to recover compensation for the time and resources we've wasted" card. Don't rant and rave and scream and threaten - just be a nice, reasonable person and explain that they're not leaving you any alternatives. You need working software or you need compensation. Only a very stupid or very cocky vendor will refuse to work with you - nobody wants to be dragged into court. And you really don't want to go to court either, but you can't afford to get screwed
3) Another possible route is to get them to put in writing that their software will only run with Domain Admin privileges or whatever. Tell them you just need it to cover your own butt. At that point, you can get your management to sign off on it as well, thus covering your butt completely, or your management can use it to help show they negotiated in bad faith while selling your company the software.
Whatever you do, don't let a vendor bully you into doing something stupid that violates your responsibilities as an admin.
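Step 1 above, and the "Another NAME" post earlier that lists the directories a package wanted writable, both come down to the same workflow: capture the ACCESS DENIED events, reduce them to a short list of keys and directories, and grant an application-specific group write access to exactly those. The script below is an added example, not the poster's or SysInternals' code. It parses a Process Monitor CSV export (the "Time of Day,Process Name,PID,Operation,Path,Result,Detail" columns are what Procmon's File > Save as CSV produces; the sample rows here are constructed), collapses value hits to their parent key and file hits to their directory, and grants the narrowest useful right to an assumed group `CORP\FinApp-Users`. The process and path names are illustrative.

```powershell
# Added example: triage a Procmon CSV for ACCESS DENIED and grant targeted
# rights to an app group instead of making users local/domain admins.

# --- constructed sample of a Procmon export (Filter: Result is ACCESS DENIED) ---
$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:02:11.1234","FinApp.exe","4120","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\FinApp\Settings","ACCESS DENIED","Desired Access: Read/Write"
"9:02:11.1301","FinApp.exe","4120","RegSetValue","HKLM\SOFTWARE\ExampleVendor\FinApp\Settings\LastUser","ACCESS DENIED","Type: REG_SZ"
"9:02:12.0021","FinApp.exe","4120","CreateFile","C:\Program Files\ExampleVendor\FinApp\Logs\finapp.log","ACCESS DENIED","Desired Access: Generic Write"
"9:02:12.0088","FinApp.exe","4120","CreateFile","C:\Program Files\ExampleVendor\FinApp\Config\user.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:02:12.5000","explorer.exe","1200","CreateFile","C:\Windows\System32\config\SAM","ACCESS DENIED","Desired Access: Read"
'@

# One row per denied path for the process under test, with the operations seen
function Get-DeniedAccess {
    param([string]$Csv, [string]$ProcessName)
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.Result -eq 'ACCESS DENIED' -and $_.'Process Name' -eq $ProcessName } |
        Group-Object Path | ForEach-Object {
            [pscustomobject]@{
                Path       = $_.Name
                Operations = ($_.Group.Operation | Sort-Object -Unique) -join ','
                Hits       = $_.Count
            }
        }
}

# Map a denied path to the object an ACL can be set on:
# registry value -> its key; file -> its directory; key stays a key
function Get-GrantTarget {
    param([string]$Path, [string]$Operations)
    if ($Path -like 'HKLM\*' -or $Path -like 'HKCU\*') {
        $key = $Path -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'   # Procmon vs. PS drive syntax
        if ($Operations -match 'Value') { $key = Split-Path $key -Parent }     # RegSetValue/RegQueryValue name a value
        return $key
    }
    return Split-Path $Path -Parent
}

# Grant write rights on one key or directory to a group, with inheritance
function Grant-Modify {
    param([string]$Target, [string]$Group)
    $acl     = Get-Acl -Path $Target
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    if ($Target -like 'HK*:\*') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Group, 'ReadKey,SetValue,CreateSubKey', $inherit, $prop, $allow)
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Group, 'Modify', $inherit, $prop, $allow)
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Target -AclObject $acl
}

$denied = Get-DeniedAccess -Csv $procmonCsv -ProcessName 'FinApp.exe'
$denied | Format-Table -AutoSize

$targets = $denied | ForEach-Object { Get-GrantTarget -Path $_.Path -Operations $_.Operations } |
    Sort-Object -Unique
foreach ($t in $targets) { Write-Host "Would grant write access on $t to CORP\FinApp-Users" }
# Review the list (anything under C:\Windows or HKLM\SYSTEM deserves a second look),
# then uncomment:
# foreach ($t in $targets) { Grant-Modify -Target $t -Group 'CORP\FinApp-Users' }
```

Filter on the application's process name first, as above: a raw ACCESS DENIED trace also catches unrelated noise such as Explorer poking at protected files, and granting on those would be worse than the original problem. Note that this covers the file and registry items from the "Another NAME" list but not the request to disable real-time scanning; an AV exclusion is a separate risk and should be scoped to the specific directory, logged, and revisited rather than granted wholesale.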
yeah, well... (Score:2)
These machines might as well be in a vault in the Bank
You are absolutely right (Score:2)
Makes you think.
Re:You are absolutely right (Score:2)
And that is my vindication that the security measures are working. I would be worried if they had lost more time/money (data is debatable) to a breach than security measures.
The art of saying "no". (Score:3, Insightful)
Enjoy.
Maybe an obvious answer (Score:2, Interesting)
I must admit, however, I'm having an incredibly hard time imagining what this software could be doing that requires Domain Administrator privileges. Poorly written doesn't even cover it.
fire the client (Score:2)
Some clients just aren't worth keeping. Ones who don't take your advice seriously, and are willing to do things that will put themselves, and possibly you, in legally precarious positions, just aren't worth hanging onto. If they insist on going this route, and you've done everything you can
Re:fire the client (Score:1)
Damn duplicate acronyms.
Oh, for the love of god... (Score:2)
I'm pretty sure you are not talking about the kit I've worked on, but I sure know the type. My bane is DBA's *love* to screw with stuff because we allow them to manually run the setup if they like. Some claim it is to improve performance, some security... All in all, it makes for obscure errors and headaches later on when additional components are added to the system. It costs money to make a specific environment 'tested' year after year with all the possible permutations. Yes
Maybe they want complete control. (Score:2)
Maybe they want complete control over your computers remotely at all times. If they decide to put you out of business, in favor of a competitor, they can change their EULA (which they usually say they can do at any time) and uninstall or corrupt their software.
--
The movie Loose Change, 2nd Edition [google.com] explores 9/11 issues.
Simple solution to getting the problem fixed (Score:5, Insightful)
There is a simple solution to getting the problem fixed. Just post the name of the software package, software company name, and link to their website. Slashdotters will ruin their reputation. And the hackers will find the network exploits that almost certainly exist in that package (and have instant Domain Administrator privilege). The company will either fix the problem or go out of business.
Re:Simple solution to getting the problem fixed (Score:2)
Maybe the customer should remind the vendor of that.
Don't shoot the messenger. (Score:1)
Just post the name of the software package, software company name, and link to their website. Slashdotters will ruin their reputation.
The reputation is ruined by the faulty product, a substandard OS, and a lack of information. People who need to know about the package are going to find out. Better they find out here than waste their money and vow to never buy another program from the company again. Full disclosure protects your reputation.
Re:Don't shoot the messenger. (Score:2)
I think he was taking issue with what I said implying that hackers would not be able to crack the software unless the information is posted on slashdot. I could have worded it better. Hackers probably have already cracked it. It's just that we don't have a name of the product, yet, to associate what cracks are available in this particular case. But in the unlikely case it hasn't been cracked, yet, knowing that so many networks will be running it with Domain Administrator access will just make it doubly a
Re:sudo (Score:4, Interesting)
What do you think?
http://www.microsoft.com/resources/documentation/
It's Funny... (Score:3, Insightful)
What they neglect to say is that they also don't give their users any more than a basic suite of apps like Office and a web browser. When the user needs more (specialised software) there is usually an uphill battle against some anal retentive Windows admin (who should have stayed in his parents' basement) and the staff who need some software that needs local admin. Usually the BOFH wins and the staff are left going without, again.
Fortunately where I work they have realised this and we can pretty much do whatever we want. The admin understands that most users are savvy enough to not bollocks things, and most of the time things don't get bollocksed. I think I work for a bunch of weirdos though because they're the only place who will actually give me local admin on my box.
Also, fortunately for me, I admin a Unix server so the joys of Winbites don't come up to haunt me too often... yay!
I think that you should explain to your boss that giving users of moderate computing skill domain-level admin privs is just asking for trouble if a worm or virus makes its way into your network. Just explain that if they don't have admin rights then the damage is localised to their files on their pc. IF they have admin rights the damage can potentially spread to every PC in the enterprise VERY easily!
Get onto the software company and cancel the cheque/credit card payment. You wouldn't pay for a car that required you to leave your garage unlocked 100% of the time. Why pay for their shit software? For a "large" operation, they certainly sound like a two-bit shit box of a company!
Easy... (Score:3, Interesting)
Re:Easy... (Score:1)
Actually, I do have a couple serious things to say about this situation...
First, what a support department says has to be done has more to do with what's easy for support personnel than with what is really necessary. They don't care if all that needs to be changed is one registry key setting somewhere, it's easier to say to make everyone an admin and you know you've sidestepped all permissions issues. I've even found
sounds like quickbooks (Score:2)
Quickbooks (Score:2)
It is possible to get it to run without it, but it is less than fun:
http://www.sbslinks.com/lua2.htm [sbslinks.com]
crappy hospital ware (Score:2)
Being at a hospital, we have TONS of specialized software. Every flippin department has their own contracted 3rd party stuff, and all of it sub-par software which requires users to be local admins.
I did figure out that they don't need to be admins for Citrix though. Just a permission change on a registry key (MSLicensing) and they're good to go. But jeez...
Does the application really need Domain Admin? (Score:1)
Something like this happened at my work. An application required Domain Admin rights for its service account. When the vendor was pressed as to why they needed full read/write access rights to AD (schema changes, value changes, etc.) they also couldn't explain why. Their answer was that their install documentation said so.
When their SE was onsite to do the install I asked him again why his company's application needed Domain Admin rights he was able to give one reason. During the install the applicati
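The post above describes the service-account version of the same problem: the vendor asks for Domain Admin because the installer documentation says so, and on questioning can name at most one concrete thing it does in the directory. The added example below (not the vendor's or the poster's code) shows the alternative a practitioner would propose: give the service account a delegated grant on the one OU it needs and take it out of Domain Admins. The account name, OU and the specific rights (read plus write-property under that OU) are assumptions standing in for whatever the one stated reason turns out to require; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: replace Domain Admin membership for an app service account
# with a scoped delegation on one OU. Names and rights are assumptions.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_finapp'                              # assumed
$TargetOU       = 'OU=FinApp,OU=Apps,DC=corp,DC=example'    # assumed

# Direct membership check only; nested membership needs a recursive lookup
function Test-IsDomainAdmin {
    param([string]$SamAccountName)
    $daSid  = (Get-ADDomain).DomainSID.Value + '-512'       # Domain Admins is RID 512
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName
    return [bool]($groups | Where-Object { $_.SID.Value -eq $daSid })
}

# Grant read of everything under the OU and write of object properties there,
# inherited by all descendants; nothing outside the OU, no schema, no groups
function Grant-OuDelegation {
    param([string]$SamAccountName, [string]$OU)
    $sid  = (Get-ADUser -Identity $SamAccountName).SID
    $path = "AD:\$OU"
    $acl  = Get-Acl -Path $path
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

if (Test-IsDomainAdmin -SamAccountName $ServiceAccount) {
    Write-Warning "$ServiceAccount is a direct member of Domain Admins"
}
Grant-OuDelegation -SamAccountName $ServiceAccount -OU $TargetOU
Remove-ADGroupMember -Identity 'Domain Admins' -Members $ServiceAccount -Confirm:$false
```

Then re-run the install or the failing operation under the delegated account with Directory Service access auditing on, and widen only what actually fails. If the install step genuinely needs schema or forest-wide rights, that is a one-time action for a human admin, not a reason for the running service to keep the right.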
Been there! (Score:1)
It wasn't till I tried to get it hosted on our corporate servers ($1000/month) that we found out it requires admin rights on the server to run. Also the software requires that the database and the web server be on the same machine.
After spending god knows how much money testing/configuring/getting 10 managers to sign a piece of paper we said TO HELL WITH THIS - and put the application on
Microsoft CRM 3.0 is awful (Score:1)
Actual requirement: "You must be logged in with Domain Administrator and Local Administrator privileges when running Microsoft CRM Setup".
Also, two Active Directory requirements that look suspiciously mutually exclusive:
-Active Directory must be in native mode before you can install Microsoft CRM.
-For the Microsoft CRM servers to have access to Active Directory Organizational Units where users
Three simple words (Score:2)
"Not my responsibility"
Make clear to them that they shouldn't bitch and moan and should certainly not hold you accountable for problems arising from said software after you've given them adequate warning. It may seem drastic, but sometimes you have to have a firm hand with managers to help them lose bad habits