Actually with Bit9 Parity even if they have Admin rights, I believe they
can't run the software if it's not on the whitelist. Therefore the
(l)user can't bypass. At least in our demo they couldn't. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, December 15, 2008 8:35 PM
To: NT System Admin Issues
Subject: Re: Most vulnerable apps of 2008

On Mon, Dec 15, 2008 at 5:49 PM, Andy Ognenoff <andyognen...@gmail.com>
wrote:
> One of their criteria is that the apps on the list can't be managed with
> WSUS.  Isn't that a reason to use another tool besides (or in addition to)
> WSUS rather than not use the application in question?

  I was more surprised to find out that Microsoft Systems Management
Server is now a "free Enterprise tool".  (Page 1, "Criteria" list,
item #6.)

  More seriously: Several of their identified "worsts" come with their
own self-update tools.  Since this list seems to assume it is okay for
lusers to install and manage their own software (aside: WTF?!?), why
isn't it okay to use those self-update tools?

  The strange thing is, this company (Bit9) doesn't appear to sell
update management tools.  Their chief -- if not only -- product is an
"Application Whitelisting" tool.  (Kind of like the Software
Restrictions Policies built-in to MS Windows, but with more
capabilities and a pre-loaded list of signatures.)

  I'm guessing they set out to craft a situation where you couldn't
use Software Restriction Policies (due to allowing lusers running all
sorts of arbitrary random crap; see above) but still wanted
centralized management of the applications they can run.  Of course, I
have to ask, why not just solve the real problem rather than bolting
on a solution that a determined luser could prolly bypass anyway (they
have admin rights, remember).

  Also interesting is the fact that a stack smash with code injection
isn't necessarily going to show up on the radar of their product
anyway.  That doesn't tamper with the files on disk; it just modifies
the in-memory image.  So the bad guys can still do bad nasty things in
the unpatched application.

  I'm not impressed.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

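As an added illustration of the Software Restriction Policies mechanism Ben contrasts with Bit9's product (this is example code written for this page, not code from the thread, from Microsoft or from Bit9), here is a small Python model of SRP decision logic. The rule types and their precedence (a hash rule beats a certificate rule, which beats a path rule, which beats a zone rule; among path rules the more specific one wins; the policy's default level applies when nothing matches) follow the documented SRP design. The rule names, file paths, publisher name and file contents are constructed for the example, and the "longer pattern is more specific" tie-break is a simplification of how SRP ranks path rules.

```python
"""
Toy model of Windows Software Restriction Policies (SRP) decision logic.
Added example for this page; not Microsoft's implementation.  Rule kinds,
precedence and the default-level behaviour follow the documented design.
"""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

ALLOW = "Unrestricted"   # SRP security level names
DENY = "Disallowed"

# Lower number = higher precedence: the most specific rule kind wins.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass
class Rule:
    kind: str    # "hash" | "certificate" | "path" | "zone"
    match: str   # sha256 hex digest, publisher name, path glob, or zone name
    level: str   # ALLOW or DENY


@dataclass
class Executable:
    path: str
    contents: bytes              # the bytes as they sit on disk
    publisher: Optional[str] = None
    zone: str = "LocalMachine"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rule_matches(rule: Rule, exe: Executable) -> bool:
    if rule.kind == "hash":
        # A hash rule only ever sees the on-disk bytes.
        return rule.match == sha256_of(exe.contents)
    if rule.kind == "certificate":
        return exe.publisher is not None and rule.match == exe.publisher
    if rule.kind == "path":
        # Case-insensitive glob; '*' also spans directory separators.
        return fnmatch(exe.path.lower(), rule.match.lower())
    if rule.kind == "zone":
        return rule.match == exe.zone
    raise ValueError(f"unknown rule kind: {rule.kind}")


def evaluate(rules: List[Rule], exe: Executable, default_level: str = DENY) -> str:
    """Return the effective security level for exe under the given rules."""
    matching = [r for r in rules if rule_matches(r, exe)]
    if not matching:
        return default_level
    # Most specific rule kind first; among path rules the longer pattern
    # is treated as the more specific one (simplification of SRP ranking).
    matching.sort(key=lambda r: (PRECEDENCE[r.kind], -len(r.match)))
    return matching[0].level


def demo() -> dict:
    """Constructed whitelist policy (default Disallowed) and sample files."""
    good = b"MZ\x90\x00 constructed stand-in for a legitimate build"
    bad = b"MZ\x90\x00 constructed stand-in for a build with a known hole"
    rules = [
        Rule("path", r"C:\Program Files\*", ALLOW),            # installed software runs
        Rule("path", r"C:\Program Files\Contoso\*", DENY),     # ...except this subtree
        Rule("certificate", "Contoso Ltd", ALLOW),             # trusted publisher anywhere
        Rule("hash", sha256_of(bad), DENY),                    # block one specific build
    ]
    cases = {
        "installed app": Executable(r"C:\Program Files\Foo\foo.exe", good),
        "unsigned download": Executable(r"C:\Users\bob\Downloads\setup.exe", good),
        "signed download": Executable(r"C:\Users\bob\Downloads\update.exe", good,
                                      publisher="Contoso Ltd"),
        "installed but blocked build": Executable(r"C:\Program Files\Foo\foo.exe", bad),
        "more specific path rule": Executable(r"C:\Program Files\Contoso\tool.exe", good),
    }
    return {name: evaluate(rules, exe) for name, exe in cases.items()}


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name:30s} -> {level}")
```

Note that `evaluate()` is only ever handed `exe.contents`, the bytes on disk. That is Ben's point about the stack smash: code injected into an already-running, already-allowed process changes the in-memory image, which is never an input to a file-hash or path check. The model also assumes the rule list is fixed, which is the other half of his objection: a user with admin rights can edit the policy itself.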
