Excellent article, just read it. Definitely a product and skill set that
can be utilized in a lot of businesses/organizations.

 

You sure you wouldn't mind being cloned James and hop across the pond
for a US engagement... :) J/K

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: David Lum [mailto:david....@nwea.org] 
Sent: Wednesday, September 19, 2012 10:41 AM
To: NT System Admin Issues
Subject: RE: This is what I get....

 

Read. Relevant. Forwarded!!

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Wednesday, September 19, 2012 6:59 AM
To: NT System Admin Issues
Subject: Re: This is what I get....

 

I just did a blog post regarding user rights elevation - obviously
there's loads of different ways to do this, just thought it was fairly
relevant to the discussion (or it's just shameless self-promotion, take
your pick) :-)

http://appsensebigot.blogspot.co.uk/2012/09/using-appsense-application-manager-user.html

On 19 September 2012 14:55, Kennedy, Jim <kennedy...@elyriaschools.org>
wrote:

BTW, I like where your response was coming from. It is the same tack I
took. We will make it work the way the users need it to without them
having admin rights. And then I delivered on that promise.

 

From: David Lum [mailto:david....@nwea.org] 
Sent: Wednesday, September 19, 2012 9:48 AM


To: NT System Admin Issues
Subject: RE: This is what I get....

 

+1

 

After this reply to my coworker, I started working on exactly this.
Since we are basically a SaaS shop, our execs have a habit of focusing
only on client-side IT issues/development and employee-facing IT is
scarcely on any C-level's radar. I am also guessing this is not unusual
for this type of company...

 

Dave

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Tuesday, September 18, 2012 7:43 PM
To: NT System Admin Issues
Subject: RE: This is what I get....

 

IMHO this is just wasting your time, and could potentially backfire.

 

Write a business case instead, backed by actual figures/facts, and it
needs to go up the chain to management.

 

Making major changes to how a business works is not the job of IT
(except in the smallest of organisations), and IT trying to enforce
something like this just makes IT a target for end-user frustration. It
will make your job harder in future.

 

Instead, business operations really is the job of the COO (or CIO, or
even the business enterprise architect - if you have one). Get them to
make an informed decision, and enforce it down the chain of management.
That's what they are paid to do.

 

Cheers

Ken

 

From: David Lum [mailto:david....@nwea.org] 
Sent: Wednesday, 19 September 2012 12:47 AM
To: NT System Admin Issues
Subject: RE: This is what I get....

 

After I cooled off, I gave him this reply:

 

Clearly you've never tried to not make them local admins. Give me two of
where a typical employee (this means not developers), and I'll give you
two examples of how it can be accomplished WITHOUT them being local
admin...

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Tuesday, September 18, 2012 7:30 AM
To: NT System Admin Issues
Subject: Re: This is what I get....

 

Are those calls documented?  And what was the nature of the call?

 

After the initial transition, this will actually make admins' lives
easier, since they have a more controlled environment to work in.

 

Yeah, some things are easier when they have admin rights, but that
doesn't mean that users should be doing those things, either.

On Tue, Sep 18, 2012 at 10:22 AM, David Lum <david....@nwea.org> wrote:

Here's how much fight I get when I even SUGGEST we should be removing
admin rights from our users.

 

Worthy to note I am not a local admin on my own NWEA machine, and none
of my %sidejob% clients are local admins on theirs. This guy knows this,
but still fights me every time.

 

This reply incensed me enough to start again working on the management
buy-in, as it's a lot harder to stop a top down order.

 


Sent: Tuesday, September 18, 2012 6:35 AM
To: David Lum
Subject: RE: IE 0-day, MS releases bulletin

 

We have this very rare instance of a Zero Day attack in IE for a few
sites and you think that is a reason to create the complete nightmare of
taking away Admin rights to a local machine.  Clearly you don't know how
often our users are using their admin rights on their machines. The
SD got a call once a week from the ONE person who had that setup when
she was moved to Windows 7. If we spent some time building the
infrastructure that makes such a situation workable (like I did at the
school district I worked at), then we could live with our 500 users not
being admins.

 

David Grand

 

From: David Lum 
Sent: Tuesday, September 18, 2012 6:24 AM
Subject: IE 0-day, MS releases bulletin

 

Please read this article and weigh in on the suggested workarounds.

 

Microsoft has released a bulletin on this, and has suggested
workarounds. Most can be achieved via GPO:

http://technet.microsoft.com/en-us/security/advisory/2757760

 

Note 1: "An attacker who successfully exploited this vulnerability could
gain the same user rights as the current user. Users whose accounts are
configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights."

SD - this exact scenario is the benefit of users not being local
administrators.

 

Note 2: Some of this is already done via the Trusted Site GPO. Their
additional recommendations recommend disabling ActiveX for Internet and
Local Intranet. The latter would disable some Commons functionality, but
we can disable it on the Internet site zone temporarily. Even this will
generate Service Desk calls but I feel this is worth mitigating the
risk.

 

Dave

 

From: David Lum 
Sent: Monday, September 17, 2012 12:39 PM
Subject: Just so you know that I know..

 

0-day of the week:

 

http://www.computerworld.com/s/article/9231367/Hackers_exploit_new_IE_zero_day_vulnerability?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29

 

Dave

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

 





-- 
http://appsensebigot.blogspot.co.uk

IMPORTANT INFORMATION/DISCLAIMER

I certainly don't have time to monitor the content of e-mail sent and
received via this account for the purposes of ensuring compliance with
anyone's policies and procedures. I am pretty sure that somewhere in UK
legislation there is some politically-correct drivel that stipulates I
must never send or store e-mails or attachments that are obscene,
indecent, sexist, racist, defamatory, abusive, in breach of copyright,
encrypted, amusing, overly long, slightly opinionated, anonymous, likely
to harm animals or hurt the feelings of an as-yet-unspecified or
as-yet-nonexistent minority (such as extraterrestrial eggplants). Emails
of this nature sent in or out of this account may be intercepted and
stopped by the system, but it's a long shot. This being the UK, even if
I was prosecuted for breach of said email guidelines, I'd probably walk
with a suspended sentence anyway, but if I'd forgotten to pay my car
insurance, I'd most certainly be hung, drawn and quartered.

I am not responsible for any changes made to the message after it has
been sent, in more or less the same way that cyclozine manufacturers
aren't responsible for drug addicts mixing it with methadone and
overdosing, so I'm glad I cleared the confusion up there nice and early.
Where opinions are expressed, they are not necessarily mine. However, I
don't make a habit of expressing other people's opinions for them, so
you shouldn't take that statement as an indication that I am in the
business of providing an opinion-expressing service. In the event that I
did, this discourse would provide no guarantee that I would do it
anyway, but I don't, so I won't.

This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you are not the intended addressee, or the person
responsible for delivering it to them, aside from the fact that you've
clearly got some level of unauthorised access to their account or are at
least engaged in some sort of fraud, I'm obliged to tell you that you may
not copy, forward, disclose or otherwise use it or any part of it in any
way. To do so may be unlawful, and as you're already breaking the law, I
am sure that bombshell makes you quake in your boots and turn yourself
over to law enforcement immediately. If you receive this e-mail by
mistake, please advise the sender immediately. That would be me, and as
I am clearly prone to sending emails to completely the wrong person, I
should instantly be stripped of my status as a technical consultant and
sent to do something more becoming of my stupidity, such as appearing on
Big Brother, the X Factor or "insert country name here"'s Got Talent.
