Re: Linux client in Windows Domain (Security Advice)



Jason wrote:
I am responsible for the Network. The buck stops with me so if there is a disaster it's my ass on the line but yes, we report to the overall head of IT.

The user using the Linux machine is part of our IT team and has full admin rights (Domain Admin) on the system as he would generally act as a backup to me in my absence. The machine should never have been introduced to the network in the first place however it was introduced when I was on leave with the backing of the head of IT who was not aware of the possible issues. I have since had a meeting with the head of IT to express my concerns and it's basically my call as to whether the machine stays or goes.

I'm not comfortable being responsible for a network that has a machine that sits outside my control, mainly because I have limited knowledge of Linux but I'm prepared to hear both sides of the argument hence my quest for knowledge here.

My main worries are the lack of antivirus protection and general security of our network.


For a system to work, power and responsibility must match. You cannot
reasonably be held responsible for something you have no power over. In
your place, I'd probably banish the machine to the SBS external NIC
network. Presumably admin work can be carried out from there as well as
from any remote location. There should be no real need for a Linux
admin workstation to live on the LAN. It's not as if it would be
involved with roaming profiles or be a potential RWW target. I'd be
surprised if it was set up to log on to the domain: while that can be
done, it is (intentionally) a pain. I'd assume admin is done by RDP
to the SBS and workstations, and this can be set up in the SBS firewall.

Viruses are not a problem. While they can be written as easily as for
Windows, and some have been as proofs of concept, I don't believe any
have ever propagated in the wild. Not even one. Considerable respect
for root privileges and a marked lack of email clients which will
execute attachments are the reasons. All of the clients I've used can
be configured not to render any HTML tags at all. Worms have propagated,
and old worms never die, they lurk in corners of the Internet forever.
The first ever worm was a Unix one, and it's probably still out there
somewhere. A very rudimentary firewall, even one of Leythos' legendary
NAT routers, will keep them out.

As I said, I think the only important current threat is to SSH, and that
can be completely avoided by the use of key pairs rather than password
authentication. Exploits for various web browsers, including Firefox,
occasionally surface, but they are of the DOS and information-stealing
varieties, and are not machine-threatening. I'd only worry about the
security of this machine if it was publicly serving active web content,
or exposing private network services to the Net, both of which seem
unlikely. On the other hand, if your LAN security policies would forbid
the connection of an arbitrary Windows installation not made or
administered by you, or subject to domain policies, then there's no
reason to allow this machine inside.
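
Added example, not part of the original post: the advice above to use key pairs rather than password authentication only holds if the SSH server actually refuses passwords, so this sketch audits sshd_config text for password-based login paths that remain open. The function names and sample configs are constructed for illustration, the defaults are assumed to be upstream OpenSSH's (distribution builds may differ), and Include files are not followed.

```python
import re

# Assumed upstream OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# ChallengeResponseAuthentication is the older name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_PATHS = ("passwordauthentication", "kbdinteractiveauthentication")

# Constructed samples: the later duplicate is ignored because sshd uses the first value.
SAMPLE_WEAK = """
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
SAMPLE_HARDENED = "PasswordAuthentication no\nChallengeResponseAuthentication=no\n"

def parse_sshd_config(text):
    """Return (global settings, list of (match condition, key, value))."""
    global_cfg, match_cfg, in_match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not line or line.startswith("#") or not m:
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        value = m.group(2).strip()
        if key == "match":
            in_match = value            # everything after this line is conditional
        elif in_match is None:
            global_cfg.setdefault(key, value)   # first occurrence wins
        else:
            match_cfg.append((in_match, key, value))
    return global_cfg, match_cfg

def audit(text):
    """List the ways a password could still be accepted, or key login is off."""
    cfg, matches = parse_sshd_config(text)
    eff = {k: cfg.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is enabled (PAM may prompt for passwords)")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    for cond, key, value in matches:
        if key in PASSWORD_PATHS and value.lower() != "no":
            findings.append(f"Match {cond} sets {key} {value}")
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing a config file offline.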