At SMB Nation I was reminded, once again, that human nature will trump security best practices time and time again. While sitting in the hallway in the Microsoft Conference Center with Susan Bradley, preparing for our talk on securing Small Business Server, I was using her TabletPC to make a change to a slide.
I was explaining to her that the fastest way to show whether someone is TYPICALLY running with least privilege is to double-click the time/date control on the task bar. You will only get the “change” dialog if you have those privileges (which typically only admin accounts have). As I was saying this, and expecting the double click to fail… up pops the dialog.
Susan doesn't run with least privilege on her own machine!!!!! Will wonders ever cease??? The diva who writes so many posts on least privilege does not herself do it on her TabletPC. Her reasoning? Because she is lazy. That shocked me. It shows how even those who KNOW about least privilege don't always use it. As I dug deeper, what she seemed to really mean was that she felt the risks weren't that great because she doesn't connect it to a domain, and some currently configured apps would be difficult to reset (i.e. Thunderbird, installed under an admin profile). I then asked the next logical question… “do you even let it touch the corporate network?” When she said “yes”… I said that's it… it's all over. Domain or not… she is a conduit of potential risk to her corporation.
Then our presentation started. We entered the Kodiak room and started with all the introductions. Then Susan, willing to admit her mistake, told me to “out her” on stage. And then everyone had a laugh at her expense. It came close… I almost picked up the “Susan 2×4”… but then I reflected a bit deeper. This could have been me. It could have been you. It could be anybody.
What can we learn here? Well first off, I think this incident shows how the need for an easy-to-use LUA (limited user account) in Windows Vista has never been more prevalent. The fact that Susan was running as admin because it was too cumbersome to change is inexcusable. We all know that Susan, as both an SBS and Security MVP, GETS what has to be done. But in her focus to get her work done day to day… humanity trumped best practices.
Secondly, I think this shows how layered security on ALL hosts on a network has to be considered… especially with ingress and egress filters. Her TabletPC was a conduit of potential risk. She had it on vile network backbones while in Vegas, and then went and plugged it into her corporate network. Who knows what she could have brought along with her. Ensuring that machine has NO privileges to touch anything on the corporate net could mitigate this risk.
And finally, it was a wake up call. As security professionals we cannot just TALK THE TALK. We have to WALK THE WALK.
So Susan, here is my challenge to you. IMMEDIATELY create a new limited account on your TabletPC called “Bonehead”. Then create a shortcut on the desktop, point it to Thunderbird and set it up to run with the credentials of your “Susan” administrator account. It is a short-term fix for everything else until you can properly reinstall Thunderbird and move your mail spool over. At the same time, it will reduce the other risks you expose yourself to by making the rest of the system run with least privilege. Then, I want you to read this article by a fellow MVP and convert your bloody hard disk to NTFS. Get rid of that FAT32 crap.
Fix your TabletPC before you plug it into another network. You know better. You have two weeks before the MVP summit. You're lucky I won't be there to check on you. Maybe a fellow MVP can do that for me 🙂
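For anyone who wants to take the same challenge on their own XP box, here is the whole thing as a cmd script. This is an added example, not code from the post or from Susan: the account names “Bonehead” and “Susan” come from the challenge above, while the Thunderbird install path and the C: drive being the FAT32 volume are my assumptions. It opens with a scripted version of the date/time-dialog test (`net session` only works for administrators), so run it from the admin account you are about to stop using day to day.

```batch
@echo off
rem Added example, not code from Dana Epp's post: the "Susan challenge" as a
rem cmd script for Windows XP. LUA account "Bonehead" and admin "Susan" are
rem from the post; the Thunderbird path and the C: volume are assumptions.
setlocal
set LUA_USER=Bonehead
set ADMIN_USER=Susan
set THUNDERBIRD=C:\Program Files\Mozilla Thunderbird\thunderbird.exe
set VOLUME=C:

rem Step 0: scripted version of the date/time-dialog test. "net session"
rem only succeeds for administrators, so if it fails we are already running
rem with least privilege (and lack the rights for the rest anyway).
net session >nul 2>&1
if errorlevel 1 (
    echo This account is not an administrator - nothing to fix from here.
    exit /b 0
)
echo Running as an administrator. Applying the challenge.

rem Step 1: the limited account. "net user /add" puts a new account in the
rem Users group only; we never add it to Administrators. The * makes net
rem prompt for the password instead of leaving it in the script.
net user %LUA_USER% * /add /comment:"Least-privilege day-to-day account"
if errorlevel 1 (
    echo Could not create %LUA_USER%.
    exit /b 1
)

rem Step 2: a launcher on the shared desktop that starts Thunderbird under
rem the admin profile. runas needs the escaped inner quotes for a path with
rem spaces. /savecred is deliberately left out: it would cache the admin
rem password for the limited account and undo the point of the exercise.
set LAUNCHER=%ALLUSERSPROFILE%\Desktop\Thunderbird-as-%ADMIN_USER%.cmd
(
    echo @echo off
    echo runas /user:%ADMIN_USER% "\"%THUNDERBIRD%\""
) > "%LAUNCHER%"
echo Launcher written to "%LAUNCHER%".

rem Step 3: FAT32 to NTFS. convert is one-way and, on the system volume,
rem schedules the conversion for the next reboot. Skip it if already NTFS.
fsutil fsinfo volumeinfo %VOLUME% | findstr /i "NTFS" >nul
if errorlevel 1 (
    echo %VOLUME% is not NTFS - converting.
    convert %VOLUME% /FS:NTFS
) else (
    echo %VOLUME% is already NTFS.
)

echo Done. Log off and log on as %LUA_USER% for everything but Thunderbird.
endlocal
```

Two design choices worth noting: the launcher uses `runas` without `/savecred`, so Thunderbird still asks for the admin password every time (caching it for the limited account would quietly hand that account admin rights again), and the NTFS step checks `fsutil` first because `convert` cannot be undone.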
[Dana Epp's ramblings at the Sanctuary]