removing domain admin daily id's

John M

We are doing a security project here that removes domain admin from our
daily login IDs. It's been suggested that we run our admin tools and IDs
on MetaFrame, because they don't want us using runas on our desktops.
MetaFrame worries me a little because there are other non-admin people using
the same system, and who knows what they are doing.
So I guess my question is, if one MF session got a virus of some kind, can it
interact with any of the other sessions? So if I'm on as an admin, and user
b picks something up, can the user b session get into my session?
Has anyone else had to do this, and what did you do?

Thanks
John
 
Hi John,

I am a bit puzzled by the proposed solution: running as domain admin on MF
is not much better than running as domain admin on your desktop -- as you
could compromise both. MF environments are usually better controlled than
desktops, but as long as you are a domain admin (hence local admin on the
box) you are both vulnerable to malware and can mess up the box yourself.

> So if I'm on as an admin, and user
> b picks something up, can the user b session get into my session?

I think that the problem is more the other way around: you, logged in as
admin, are more likely to pick up something and damage the system, not users
running with limited privileges.

The answer to your other question is yes, a kernel mode virus can hijack any
session -- tricky but it can be done.

The real difference I see is restricting the usage of the privileged account
to tasks that really require it: do you really need to run IE or Outlook
while logged in as Domain Admin? Forcing you to use a second account,
perhaps on a clean machine, is somewhat better, but not that much.

cheers,

Marco
 
So basically I'm trying to figure out if using runas on my desktop or
running a MetaFrame session as domain is the same thing, or is one better
than the other?

 
Technically there is little difference, unless you can somewhat guarantee
that the MF boxes are more secure than your desktop. My guess is that they
want you to use a different machine because sysadmins can, and often do,
break company policies and their PCs are the least secure ... hence running
from a "clean" box has its advantages.

Marco

 
OK, thanks for the advice.

 