EBAY and AMAZON

Jimmy Hess mysidia at gmail.com
Tue Jun 12 12:20:09 UTC 2012


On 6/12/12, Keith Medcalf <kmedcalf at dessus.com> wrote:
>> Windows security sucks.
>
> The real problem with Windows is that there exist folks who believe that it
> is, or can be, secured.  They believe the six-colour glossy, the Gartner
[snip]

Well, they are right.  Windows can be secured.
The problem is it won't be secured in practice, because that's too hard,
and truly securing Windows will be rejected by the user, because many
applications used in practice are not implemented securely on the platform.

Users of Windows endpoints require functions such as Web Browsers, Flash,
their favorite Office applications, PDF Viewers, and remote share access.

> You would be surprised at the number of Fortune 500 companies that lock-down their
> policies into deliberately insecure settings, and refuse to permit more secure settings.
> ..

This is because, while you would expect IT to understand the
importance of security, "Lock Down" has a perception of security
attached to it.

In practice, "Lock-Down Policies" and standardization have nothing
positive to do with security, but IT convenience, and reducing
support costs, by attempting to enforce a standardized endpoint
experience.

They can lead to less security if done without extra security review.
Hopefully they also include a backup/imaging system to recover,
when the lock-down policy makes it break, however.



> This is, unfortunately, a typical reaction which arises from a failure to
> carry out proper root-cause analysis.  The root cause of the issue is not
> "thumb drives", "baby fingernail drives", or whatever removable media type.

The Windows shell is to blame, but you can provide an alternate shell
that doesn't do that "magical executable code insertion" stuff
and disable Explorer.

--
-JH



