THE OFFICIAL BLOG OF THE SBS "DIVA" [There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.]
Friday, July 07, 2006 6:20 PM bradley

Pulling back the rights.....

So does everyone in your network use the same rights of access?  Is everyone a domain admin?  Obviously not.. or I hope not anyway... so you probably have some that, when you set them up on the server, you gave just plain user rights.. so they don't have the ability to log in via RWW. 

Hang on.... you mean you give everyone the right to RWW?  That's perfectly fine if they need the rights... but what if they don't need the right to remote access?  There are folks in my office that don't and won't ever remote in from home.. so I set them up as a normal user on the server.  Then, once I've used the wizard to connect them to the server, I flip them to non-administrator on the local machine.

If I haven't deemed them worthy of remote access to the network.. maybe they are the first ones to have admin rights pulled back on the desktop?

So what if you want to bamm up your paranoia one step more... and even before Vista's UAC hits us you want to take that Remote Web Workplace user back to non-admin rights as well?  It can be done merely by having an Administrator on the local workstation flip the user's rights from "Administrator" to "Remote Desktop User".
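The flip described above, as an added example (not a script from the original post): it lists the workstation's local Administrators group, then moves one account from Administrators into Remote Desktop Users and re-checks the result. It assumes it is run as a local administrator on that workstation, and `DOMAIN\jdoe` is a placeholder account name.

```powershell
# Added example, not part of the original post.
# Demote one workstation user from local Administrators to Remote Desktop Users.
# Assumes: run in an elevated session on the workstation; $User is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$User   # e.g. 'DOMAIN\jdoe' (placeholder account name)
)

function Get-LocalGroupMembers([string]$Group) {
    # 'net localgroup <group>' prints a header, a dashed separator, one member
    # per line, then a "completed successfully" trailer; keep only the members.
    $lines = net localgroup $Group 2>&1
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.ToString().Trim()) { $line.ToString().Trim() }
    }
}

$before = @(Get-LocalGroupMembers 'Administrators')
Write-Host "Local Administrators before: $($before -join ', ')"

if ($before -notcontains $User) {
    Write-Host "$User is not a local administrator; nothing to demote."
} else {
    # Grant the lesser right first so the user is never left with no access at all.
    net localgroup "Remote Desktop Users" $User /add | Out-Null
    net localgroup Administrators $User /delete | Out-Null
    Write-Host "$User moved from Administrators to Remote Desktop Users."
}

# Verify rather than assume: the user should now be gone from Administrators.
$after = @(Get-LocalGroupMembers 'Administrators')
Write-Host "Local Administrators after: $($after -join ', ')"
if ($after -contains $User) { Write-Warning "$User is still a local administrator." }
```

Running it with no account name lists the current local administrators, which is a quick way to find who was never flipped after the connect wizard ran.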

Are we ready to flip everyone to non admin rights right here and now?

No, I'd argue not.  Not as long as there are crappy apps out there that need some hacking up...

Now there are those of you that will say "oh but look at the security track record of Windows.. 95... 98..."... gimme a break.  Those OSes are dead.  The only OS that I consider to be a valid OS in my network is Windows XP SP2 anyway.  Anything else is not acceptable. The same is true for a 'track record'.  The only record is the here and now.  And regardless of what Sophos (who interestingly enough is one of the few Mac antivirus vendors around) thinks of the relative merit of Macs in home settings, the reality is that, while the threat level of each is granted different, the devil is in the deployment details.

While viruses can still run on machines set up with non-admin accounts, the reality of the threat model and the low-hanging-fruit attacks is that most attacks are banging on social engineering, malware that relies on IE (and sometimes these days Firefox) running with admin rights, and other means of entrance.  If you have security policies and communication... that is the key to security.  Not technology... not another operating system... not anything other than a good 2x4 and enforcement of that 2x4.

It's about policies and procedures that will make us secure... and I don't care what operating system you pick.. if any of them are not properly deployed...properly managed.... properly patched (which is why patch management is key) all bets are off, folks.

Am I 'real world' in my view?  I'd argue I am.  I'm a customer that tries as best as I can to ensure that I balance the business needs of the office with the security needs.  But if we constantly look to some new operating system to solve our security needs, whether that's Macintosh, a Linux distro or heck.. even Vista... we have a rude awakening coming.

Security is about policy..it's about enforcement.. it's about the process... and it's not about the technology.  So the sooner we stop looking to technology to solve our security needs the better off we are.

Windows 95, 98 etc..... were appropriate operating systems for the threats and risks of the networks they were on "AT THAT TIME".  They're no longer appropriate.

So when someone says "Look at their security track record"... I'd say yeah.. go look at it... for the risks and threats of the world at that time those operating systems were appropriate.

They aren't now.

Neither is giving everyone Admin rights..or not blocking certain attachments..or not having patch management in place... or not having an acceptable use policy... or not having encryption on mobile laptops... or....

...well you get the idea.  One OS does not make me secure.

It's my paranoia, my risk analysis I do...it's my policies and procedures... it's all of it...but it's not just one thing... and certainly...not just technology.....
