On Wed, Apr 17, 2013 at 4:29 PM, Ken Schaefer <k...@adopenstatic.com> wrote:
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Thursday, 18 April 2013 6:08 AM
> To: NT System Admin Issues
> Subject: Re: On the subject of security...
>
>> If that's the case, then he didn't make his point at all clear.
> ...
>> True again - and again unremarkable. My point is that you have to use the
>> same methods to protect unprivileged accounts as you do root/administrator.
>> ...
>> That's the import of my remarks about screensavers, FDE, not caching
>> passwords for web sites in browsers, etc. - it's all about protecting the
>> data; that which resides on the machine, and that which resides on teh
>> intarwebs.
>
> If anyone's being unclear here, I think it's you.
>
> My reading of your comments is that a lot of your suggestions are geared 
> towards preventing access to the system.

A lot - but not all of them.

> All your suggestions about encrypting disks, having screen savers etc. are 
> overkill if all my data is burnt to CDs. I'm better off investing in a safe 
> to house them.

If all of your data is burned to CD, you still have to stick that CD
into your reader, and if your machine is compromised, it will still be
read and exfiltrated.

> Additionally, if my only PC is the one sitting in my living room, then when
> someone has got access to that machine (by breaking into my house), then a
> lack of password protected screensaver, or the fact that the password to the
> machine is on the bottom of the keyboard, is probably the least of my problems.

True. But they are pretty much required on a laptop that you actually
take out of the house, not so? And, if you're going to practice that
kind of security on your laptop, it's far easier to keep in the habit
of doing it on all of your machines - and nearly mandatory if you have
kids who have physical access, I might add.

> Security is about managing risk: identify what the threats are, and then
> mitigate, transfer, accept etc. Security is not a checklist of technologies
> and processes.

You manage your risks with those technologies and processes, though, don't you?

>> I protect all of my accounts, privileged or not, in the same ways, and
>> have been doing so for so long that it's completely natural to me. It
>> just feels unnatural not to do so.
>>
>> No running executables from untrusted sources, turn off scripting in
>> my browsers, view all email as plain text, no remembering/caching of
>> passwords in browsers, using a unique password per web site and per
>> other accounts, regular clearing of cookies, no linking of accounts
>> between web sites, running current AV, no browsing with elevated
>> accounts, laptops have full disk encryption, etc., etc., etc.
>
> Without an evaluation of risks, this would be a complete waste of time for 
> most people IMHO.

Sure - if you don't browse the Internet, share USB sticks, etc., you
probably don't need to do those things.

> I run as an admin on my personal machine. I don't bother reading all mail in
> "plain text", and I don't full disk encrypt all my machines, and I don't
> clear my cookies. I've got better things to do with my time, and if I focus
> on protecting my identity and data instead, I'm probably just as likely as
> you to be "safe".

So, care to share how you protect your identity and data without any
technologies or processes?

Kurt
