Date: Thu, 8 Nov 2001 10:42:48 -0500
From: Kutulu <kutulu@kutulu.org>
To: Anthony Atkielski <anthony@atkielski.com>
Cc: "Andrew C. Hornback" <achornback@worldnet.att.net>, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: Lockdown of FreeBSD machine directly on Net
Message-ID: <20011108104248.D10218@pr0n.kutulu.org>
In-Reply-To: <003901c1682e$26a0a0d0$0a00000a@atkielski.com>; from anthony@atkielski.com on Thu, Nov 08, 2001 at 09:19:55AM +0100
References: <00e201c167d4$474ad9e0$6600000a@columbia> <003901c1682e$26a0a0d0$0a00000a@atkielski.com>
On Thu, Nov 08, 2001 at 09:19:55AM +0100, Anthony Atkielski wrote:
> Andrew writes:
>
> > > b) Calling the sysadmin and pretending to be his
> > > boss and convince him to open a hole.
> >
> > Most organizations require something like that in
> > writing, or at least as part of a face to face
> > conversation. That negates this loophole.
>
> I've never encountered an organization that has a policy like that, but my
> personal policy is along those lines. If any manager wants me to compromise

One of the few things my company seems to do completely right all the time is implement good person-to-person security policy. In order to get anything changed on our firewall or systems, we need to provide the VP and both net. eng. managers a Visio diagram and accompanying justification of what machines, ports, directions, purposes, etc. need to be opened. It's a royal pain in the keester when all I want is to open FTP for an hour to let a contractor send us something, but I certainly know enough to realize it's better than the alternatives, and not complain too much :)

> > If a secretary does this, they need to be fired,
> > period.
>
> In some organizations (many, in fact), she might be fired for _not_ doing it, as
> few people understand the risk to security that doing something like this
> represents, and they would interpret her refusal as a lack of team spirit or
> cooperation or some such.

Our company used to have this problem: everyone at level one on the internal corp. help desk has full admin rights to the Novell network. They would get in trouble for making unauthorized changes when unimportant people (me) asked, but also get reprimanded when important people (VPs of other departments) asked and were told to fill out change reqs. Finally their manager put an authorization code on the admin tools, so they need managerial authorization to make those changes. At first it was annoying, but in the end everyone was happier, safer, and more secure.
--K