[4415] in WWW Security List Archive
Re: Win3.1/Win95 desktop security?
daemon@ATHENA.MIT.EDU (Geoffrey Leeming)
Fri Feb 14 05:58:54 1997
To: Per Weisteen <Per.Weisteen@hda.hydro.com>
From: Geoffrey Leeming <geoffrey@indiciis.com>
Cc: BVE <bve@quadrix.com>, kev-rhea@mail.zynet.co.uk,
www-security@ns2.rutgers.edu
Date: Fri, 14 Feb 1997 09:03:28 +0100
Errors-To: owner-www-security@ns2.rutgers.edu
At 09:28 AM 14/2/97 +0100, Per Weisteen wrote:
>Geoffrey Leeming wrote:
>> AviBoKs lets you set privileges on a per-file basis, so all one has to do is
>> remove write privs to the sys config files, and hey presto! Users can no
>> longer REM out the command to load AviBoKs and thus bypass system security
>> in its entirety. I believe that Stoplock can do the same, but I've never
>> administered it so I'm not sure.
>
>What stops me from popping up Norton Diskutil or any similar products and
>changing file access privs? IMHO there is nothing that seriously stops
>me from doing whatever I want on an essentially DOS-based system.

Remove user ability to load new software onto the system, and
Remove access privileges to anything like Norton Diskutil.

Allow sys administrators to load software for users if given a business case
and appropriate authorisation from a line manager.

Sounds draconian, but as it also:
* supports software licensing compliance (legal requirement, difficult to
manage)
* supports company-standard PC setup (makes Help Desk support simpler)
* limits spread of viruses (stops download of untrustworthy software)
* limits use of company IT resources for unauthorised purposes (e.g. games)
* limits software conflicts in unstable operating systems (by avoiding those
horrible memory conflicts caused by that badly written piece of shareware
that you find so useful),
it is actually a very common IT control in business. It's not elegant, but
it works.
Geoffrey Leeming 0171 592 3007 - Office Direct Dial
Consultant 0171 836 0567 - Fax
Indicii Salus Ltd. 0956 844 168 - Mobile