Holes in my security - advice needed

The network is 2003 standard servers and one W2K server. All users are XP
Pro. All users are joined to the domain.

Except:
One user bought a laptop with Vista Home on it. It is used at home by
children and then brought into work and plugged into the network. It was
also given the printer drivers. It cannot be joined to the network and I
have no control over it. I do not know if it has up-to-date antivirus.

One Mac desktop that was just brought in one day and plugged in.

Company policy is XP Pro machines only and they must be joined to the domain.

I need information to present to management on why having computers just
plugged into the network is dangerous.
--
Thanks, Steve

"SteveP" <(E-Mail Removed)> wrote in message
news:6D5CCEF8-C345-4D38-84CC-(E-Mail Removed)...
> The network is 2003 standard servers and one W2K server. All users are XP
> Pro. All users are joined to the domain.
>
> Except:
> One user bought a laptop with Vista Home on it. It is used at home by
> children and then brought into work and plugged into the network. It was
> also given the printer drivers. It cannot be joined to the network and I
> have no control over it. I do not know if it has up-to-date antivirus.
>
> One Mac desktop that was just brought in one day and plugged in.
>
> Company policy is XP Pro machines only and they must be joined to the domain.
>
> I need information to present to management on why having computers just
> plugged into the network is dangerous.

I don't know what to say. It would be like trying to explain what the color blue
looks like.
If they don't understand why it is bad,...then how did the company policy get
put in place that says, "Company policy is XP Pro machines only and they must be
joined to the domain"? That would be the whole point of that policy,...if they
aren't going to enforce that policy then get rid of it and let the LAN be a
free-for-all, because your Policies have no "teeth",..they have no authority.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

It's difficult, if not impossible, to protect the company from itself. Yet,
I will be blamed if there is an attack, infection or theft of corporate and
client information. It worries me a lot.

I can talk over their heads about man in the middle attacks and virus's.

Other IT people must have found ways to present the danger to their
employeer and enforce IT policy for the good of the company? Suggestions,
please?
--
Thanks, Steve


"Phillip Windell" wrote:

>
> "SteveP" <(E-Mail Removed)> wrote in message
> news:6D5CCEF8-C345-4D38-84CC-(E-Mail Removed)...
> > The network is 2003 standard servers and one W2K server. All users are XP
> > Pro. All users are joined to the domain.
> >
> > Except:
> > One user bought a laptop with Vista Home on it. It is used at home by
> > children and then brought into work and plugged into the network. It was
> > also given the printer drivers. It cannot be joined to the network and I
> > have no control over it. I do not know if it has up-to-date antivirus.
> >
> > One Mac desktop that was just brought in one day and plugged in.
> >
> > Company policy is XP Pro machines only and they must be joined to the domain.
> >
> > I need information to present to management on why having computers just
> > plugged into the network is dangerous.
>
> I don't know what to say. It would be like trying to explain what the color blue
> looks like.
> If they don't understand why it is bad,...then how did the company policy get
> put in place that says, "Company policy is XP Pro machines only and they must be
> joined to the domain"? That would be the whole point of that policy,...if they
> aren't going to enforce that policy then get rid of it and let the LAN be a
> free-for-all, because your Policies have no "teeth",..they have no authority.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft, or
> anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
>

"SteveP" <(E-Mail Removed)> wrote in message
news:7985F434-F919-4729-9293-(E-Mail Removed)...
> It's difficult, if not impossible, to protect the company from itself. Yet,
> I will be blamed if there is an attack, infection or theft of corporate and
> client information. It worries me a lot.
>
> I can talk over their heads about man in the middle attacks and virus's.

Just tell them that people will being in infected machines and spead it all over
the LAN. You don't have to get any more complicated than that.

> Other IT people must have found ways to present the danger to their
> employeer and enforce IT policy for the good of the company? Suggestions,
> please?

There is no "mature" and affordable solution for preventing users from bringing
laptops and plugging them in willy-nilly all over the place.

There is a new standard (802.1x? I forget) where a machine is authorized by
having the switch they connect to use a RADIUS server to authorize them before a
address is given over DHCP. It requires very exspensive switches with this
ability,...it also requires a RADIUS Server. It pretty much mirrors to a
certain extent what happens with some secured Wireless Systems before the user
is allowed to operate over the Wireless Access Point.

The other option is to stop using DHCP.

The other option is to not have unused wall jacks left "live",...unplug them
from the switches.

In the end what you have is a social problem, a behavoral problem, and a [human]
management problem,....*not* a technical problem. So you have to treat it that
way. If management won't support your actions with simple enough explainations
that they can understand,...then you have already lost the war and it is time to
go work somewhere else rather than patiently wait for the inevitable "blame" and
"firing" that will eventually occur to you.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

Interesting.

You are right. The network is good, I have a human management problem.

It is just a matter of time before the network is attacked from within
and/or infected. It's frustrating.

I was hoping for a list of things that could occur and present it in a
document to upper management.
--
Thanks, Steve


"Phillip Windell" wrote:

> "SteveP" <(E-Mail Removed)> wrote in message
> news:7985F434-F919-4729-9293-(E-Mail Removed)...
> > It's difficult, if not impossible, to protect the company from itself. Yet,
> > I will be blamed if there is an attack, infection or theft of corporate and
> > client information. It worries me a lot.
> >
> > I can talk over their heads about man in the middle attacks and virus's.
>
> Just tell them that people will being in infected machines and spead it all over
> the LAN. You don't have to get any more complicated than that.
>
> > Other IT people must have found ways to present the danger to their
> > employeer and enforce IT policy for the good of the company? Suggestions,
> > please?
>
> There is no "mature" and affordable solution for preventing users from bringing
> laptops and plugging them in willy-nilly all over the place.
>
> There is a new standard (802.1x? I forget) where a machine is authorized by
> having the switch they connect to use a RADIUS server to authorize them before a
> address is given over DHCP. It requires very exspensive switches with this
> ability,...it also requires a RADIUS Server. It pretty much mirrors to a
> certain extent what happens with some secured Wireless Systems before the user
> is allowed to operate over the Wireless Access Point.
>
> The other option is to stop using DHCP.
>
> The other option is to not have unused wall jacks left "live",...unplug them
> from the switches.
>
> In the end what you have is a social problem, a behavoral problem, and a [human]
> management problem,....*not* a technical problem. So you have to treat it that
> way. If management won't support your actions with simple enough explainations
> that they can understand,...then you have already lost the war and it is time to
> go work somewhere else rather than patiently wait for the inevitable "blame" and
> "firing" that will eventually occur to you.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft, or
> anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
>

> It's difficult, if not impossible, to protect the company from itself.
> Yet,
> I will be blamed if there is an attack, infection or theft of corporate
> and
> client information. It worries me a lot.

I would do a audit of the information on the network. Classify the
information into categories ranging Information needed to be kept from the
public (Social Security numbers, private business info that needs to be kept
out of competitors hands, Info that if released to the public would damage
the company's credibility and profitability) Information that needs to be
kept from other departments ( Wages, Social Security numbers, etc) and
information that is created for the public (Info released on the website,
etc.).

This over all audit will allow you to know first *if* there is sensitive
info on the network, where it is, how much there is, and who has access.

Then you can go to the powers that be and show them how much data is on
their network that is covered by HIPPA or Sarbanes Oxley. If they put some
teeth in their policies, this overall audit will allow you to know where the
data resides on your network that needs the most protection and you can
target your efforts accordingly.

If they still refuse to put some teeth in their own policy after that CYOA.
Find another job or have them sign off on a letter that states you informed
them of the possible security hole and the data that they store on their
network. It's possible that their data can be intercepted and modified,
deleted or copied, or just read to get an unfair advantage.

hth
DDS


"SteveP" <(E-Mail Removed)> wrote in message
news:7985F434-F919-4729-9293-(E-Mail Removed)...
> It's difficult, if not impossible, to protect the company from itself.
> Yet,
> I will be blamed if there is an attack, infection or theft of corporate
> and
> client information. It worries me a lot.
>
> I can talk over their heads about man in the middle attacks and virus's.
>
> Other IT people must have found ways to present the danger to their
> employeer and enforce IT policy for the good of the company? Suggestions,
> please?
> --
> Thanks, Steve
>
>
> "Phillip Windell" wrote:
>
>>
>> "SteveP" <(E-Mail Removed)> wrote in message
>> news:6D5CCEF8-C345-4D38-84CC-(E-Mail Removed)...
>> > The network is 2003 standard servers and one W2K server. All users are
>> > XP
>> > Pro. All users are joined to the domain.
>> >
>> > Except:
>> > One user bought a laptop with Vista Home on it. It is used at home by
>> > children and then brought into work and plugged into the network. It
>> > was
>> > also given the printer drivers. It cannot be joined to the network and
>> > I
>> > have no control over it. I do not know if it has up-to-date antivirus.
>> >
>> > One Mac desktop that was just brought in one day and plugged in.
>> >
>> > Company policy is XP Pro machines only and they must be joined to the
>> > domain.
>> >
>> > I need information to present to management on why having computers
>> > just
>> > plugged into the network is dangerous.
>>
>> I don't know what to say. It would be like trying to explain what the
>> color blue
>> looks like.
>> If they don't understand why it is bad,...then how did the company policy
>> get
>> put in place that says, "Company policy is XP Pro machines only and they
>> must be
>> joined to the domain"? That would be the whole point of that
>> policy,...if they
>> aren't going to enforce that policy then get rid of it and let the LAN be
>> a
>> free-for-all, because your Policies have no "teeth",..they have no
>> authority.
>>
>> --
>> Phillip Windell
>> www.wandtv.com
>>
>> The views expressed, are my own and not those of my employer, or
>> Microsoft, or
>> anyone else associated with me, including my cats.
>> -----------------------------------------------------
>>
>>
>>

May I ask how to run the audit?

2003 standard server SP2. I have a primary domain controller DC1.
--
Thanks, Steve


"Danny Sanders" wrote:

> > It's difficult, if not impossible, to protect the company from itself.
> > Yet,
> > I will be blamed if there is an attack, infection or theft of corporate
> > and
> > client information. It worries me a lot.
>
> I would do a audit of the information on the network. Classify the
> information into categories ranging Information needed to be kept from the
> public (Social Security numbers, private business info that needs to be kept
> out of competitors hands, Info that if released to the public would damage
> the company's credibility and profitability) Information that needs to be
> kept from other departments ( Wages, Social Security numbers, etc) and
> information that is created for the public (Info released on the website,
> etc.).
>
> This over all audit will allow you to know first *if* there is sensitive
> info on the network, where it is, how much there is, and who has access.
>
> Then you can go to the powers that be and show them how much data is on
> their network that is covered by HIPPA or Sarbanes Oxley. If they put some
> teeth in their policies, this overall audit will allow you to know where the
> data resides on your network that needs the most protection and you can
> target your efforts accordingly.
>
> If they still refuse to put some teeth in their own policy after that CYOA.
> Find another job or have them sign off on a letter that states you informed
> them of the possible security hole and the data that they store on their
> network. It's possible that their data can be intercepted and modified,
> deleted or copied, or just read to get an unfair advantage.
>
> hth
> DDS
>
>
> "SteveP" <(E-Mail Removed)> wrote in message
> news:7985F434-F919-4729-9293-(E-Mail Removed)...
> > It's difficult, if not impossible, to protect the company from itself.
> > Yet,
> > I will be blamed if there is an attack, infection or theft of corporate
> > and
> > client information. It worries me a lot.
> >
> > I can talk over their heads about man in the middle attacks and virus's.
> >
> > Other IT people must have found ways to present the danger to their
> > employeer and enforce IT policy for the good of the company? Suggestions,
> > please?
> > --
> > Thanks, Steve
> >
> >
> > "Phillip Windell" wrote:
> >
> >>
> >> "SteveP" <(E-Mail Removed)> wrote in message
> >> news:6D5CCEF8-C345-4D38-84CC-(E-Mail Removed)...
> >> > The network is 2003 standard servers and one W2K server. All users are
> >> > XP
> >> > Pro. All users are joined to the domain.
> >> >
> >> > Except:
> >> > One user bought a laptop with Vista Home on it. It is used at home by
> >> > children and then brought into work and plugged into the network. It
> >> > was
> >> > also given the printer drivers. It cannot be joined to the network and
> >> > I
> >> > have no control over it. I do not know if it has up-to-date antivirus.
> >> >
> >> > One Mac desktop that was just brought in one day and plugged in.
> >> >
> >> > Company policy is XP Pro machines only and they must be joined to the
> >> > domain.
> >> >
> >> > I need information to present to management on why having computers
> >> > just
> >> > plugged into the network is dangerous.
> >>
> >> I don't know what to say. It would be like trying to explain what the
> >> color blue
> >> looks like.
> >> If they don't understand why it is bad,...then how did the company policy
> >> get
> >> put in place that says, "Company policy is XP Pro machines only and they
> >> must be
> >> joined to the domain"? That would be the whole point of that
> >> policy,...if they
> >> aren't going to enforce that policy then get rid of it and let the LAN be
> >> a
> >> free-for-all, because your Policies have no "teeth",..they have no
> >> authority.
> >>
> >> --
> >> Phillip Windell
> >> www.wandtv.com
> >>
> >> The views expressed, are my own and not those of my employer, or
> >> Microsoft, or
> >> anyone else associated with me, including my cats.
> >> -----------------------------------------------------
> >>
> >>
> >>
>
>
>

> May I ask how to run the audit?

Interviews of the department heads.

Ask questions.

What would be the ramifications to the company if this file/folder were
somehow made available to the public?
To another department?

Answers should range from: nothing, it's already on the website or that was
in the news last year, to "that would cost us a lot of business" or that
would ruin us.

If you don't get any "that would cost us a lot of business" or that would
ruin us, maybe they don't need to worry all that much about security.

If you do get some answers that indicate there would be a problem if some
folders got to the public, make note a concentrate on explaining the
ramifications of those folders getting out.

hth
DDS


"SteveP" <(E-Mail Removed)> wrote in message
news:570E47E0-DFED-446A-BB5F-(E-Mail Removed)...
> May I ask how to run the audit?
>
> 2003 standard server SP2. I have a primary domain controller DC1.
> --
> Thanks, Steve
>
>
> "Danny Sanders" wrote:
>
>> > It's difficult, if not impossible, to protect the company from itself.
>> > Yet,
>> > I will be blamed if there is an attack, infection or theft of corporate
>> > and
>> > client information. It worries me a lot.
>>
>> I would do a audit of the information on the network. Classify the
>> information into categories ranging Information needed to be kept from
>> the
>> public (Social Security numbers, private business info that needs to be
>> kept
>> out of competitors hands, Info that if released to the public would
>> damage
>> the company's credibility and profitability) Information that needs to be
>> kept from other departments ( Wages, Social Security numbers, etc) and
>> information that is created for the public (Info released on the website,
>> etc.).
>>
>> This over all audit will allow you to know first *if* there is sensitive
>> info on the network, where it is, how much there is, and who has access.
>>
>> Then you can go to the powers that be and show them how much data is on
>> their network that is covered by HIPPA or Sarbanes Oxley. If they put
>> some
>> teeth in their policies, this overall audit will allow you to know where
>> the
>> data resides on your network that needs the most protection and you can
>> target your efforts accordingly.
>>
>> If they still refuse to put some teeth in their own policy after that
>> CYOA.
>> Find another job or have them sign off on a letter that states you
>> informed
>> them of the possible security hole and the data that they store on their
>> network. It's possible that their data can be intercepted and modified,
>> deleted or copied, or just read to get an unfair advantage.
>>
>> hth
>> DDS
>>
>>
>> "SteveP" <(E-Mail Removed)> wrote in message
>> news:7985F434-F919-4729-9293-(E-Mail Removed)...
>> > It's difficult, if not impossible, to protect the company from itself.
>> > Yet,
>> > I will be blamed if there is an attack, infection or theft of corporate
>> > and
>> > client information. It worries me a lot.
>> >
>> > I can talk over their heads about man in the middle attacks and
>> > virus's.
>> >
>> > Other IT people must have found ways to present the danger to their
>> > employeer and enforce IT policy for the good of the company?
>> > Suggestions,
>> > please?
>> > --
>> > Thanks, Steve
>> >
>> >
>> > "Phillip Windell" wrote:
>> >
>> >>
>> >> "SteveP" <(E-Mail Removed)> wrote in message
>> >> news:6D5CCEF8-C345-4D38-84CC-(E-Mail Removed)...
>> >> > The network is 2003 standard servers and one W2K server. All users
>> >> > are
>> >> > XP
>> >> > Pro. All users are joined to the domain.
>> >> >
>> >> > Except:
>> >> > One user bought a laptop with Vista Home on it. It is used at home
>> >> > by
>> >> > children and then brought into work and plugged into the network.
>> >> > It
>> >> > was
>> >> > also given the printer drivers. It cannot be joined to the network
>> >> > and
>> >> > I
>> >> > have no control over it. I do not know if it has up-to-date
>> >> > antivirus.
>> >> >
>> >> > One Mac desktop that was just brought in one day and plugged in.
>> >> >
>> >> > Company policy is XP Pro machines only and they must be joined to
>> >> > the
>> >> > domain.
>> >> >
>> >> > I need information to present to management on why having computers
>> >> > just
>> >> > plugged into the network is dangerous.
>> >>
>> >> I don't know what to say. It would be like trying to explain what the
>> >> color blue
>> >> looks like.
>> >> If they don't understand why it is bad,...then how did the company
>> >> policy
>> >> get
>> >> put in place that says, "Company policy is XP Pro machines only and
>> >> they
>> >> must be
>> >> joined to the domain"? That would be the whole point of that
>> >> policy,...if they
>> >> aren't going to enforce that policy then get rid of it and let the LAN
>> >> be
>> >> a
>> >> free-for-all, because your Policies have no "teeth",..they have no
>> >> authority.
>> >>
>> >> --
>> >> Phillip Windell
>> >> www.wandtv.com
>> >>
>> >> The views expressed, are my own and not those of my employer, or
>> >> Microsoft, or
>> >> anyone else associated with me, including my cats.
>> >> -----------------------------------------------------
>> >>
>> >>
>> >>
>>
>>
>>

Got it.

Thank you both for ideas with my problem.
--
Thanks, Steve


"Danny Sanders" wrote:

> > May I ask how to run the audit?
>
> Interviews of the department heads.
>
> Ask questions.
>
> What would be the ramifications to the company if this file/folder were
> somehow made available to the public?
> To another department?
>
> Answers should range from: nothing, it's already on the website or that was
> in the news last year, to "that would cost us a lot of business" or that
> would ruin us.
>
> If you don't get any "that would cost us a lot of business" or that would
> ruin us, maybe they don't need to worry all that much about security.
>
> If you do get some answers that indicate there would be a problem if some
> folders got to the public, make note a concentrate on explaining the
> ramifications of those folders getting out.
>
> hth
> DDS
>
>
> "SteveP" <(E-Mail Removed)> wrote in message
> news:570E47E0-DFED-446A-BB5F-(E-Mail Removed)...
> > May I ask how to run the audit?
> >
> > 2003 standard server SP2. I have a primary domain controller DC1.
> > --
> > Thanks, Steve
> >
> >
> > "Danny Sanders" wrote:
> >
> >> > It's difficult, if not impossible, to protect the company from itself.
> >> > Yet,
> >> > I will be blamed if there is an attack, infection or theft of corporate
> >> > and
> >> > client information. It worries me a lot.
> >>
> >> I would do a audit of the information on the network. Classify the
> >> information into categories ranging Information needed to be kept from
> >> the
> >> public (Social Security numbers, private business info that needs to be
> >> kept
> >> out of competitors hands, Info that if released to the public would
> >> damage
> >> the company's credibility and profitability) Information that needs to be
> >> kept from other departments ( Wages, Social Security numbers, etc) and
> >> information that is created for the public (Info released on the website,
> >> etc.).
> >>
> >> This over all audit will allow you to know first *if* there is sensitive
> >> info on the network, where it is, how much there is, and who has access.
> >>
> >> Then you can go to the powers that be and show them how much data is on
> >> their network that is covered by HIPPA or Sarbanes Oxley. If they put
> >> some
> >> teeth in their policies, this overall audit will allow you to know where
> >> the
> >> data resides on your network that needs the most protection and you can
> >> target your efforts accordingly.
> >>
> >> If they still refuse to put some teeth in their own policy after that
> >> CYOA.
> >> Find another job or have them sign off on a letter that states you
> >> informed
> >> them of the possible security hole and the data that they store on their
> >> network. It's possible that their data can be intercepted and modified,
> >> deleted or copied, or just read to get an unfair advantage.
> >>
> >> hth
> >> DDS
> >>
> >>
> >> "SteveP" <(E-Mail Removed)> wrote in message
> >> news:7985F434-F919-4729-9293-(E-Mail Removed)...
> >> > It's difficult, if not impossible, to protect the company from itself.
> >> > Yet,
> >> > I will be blamed if there is an attack, infection or theft of corporate
> >> > and
> >> > client information. It worries me a lot.
> >> >
> >> > I can talk over their heads about man in the middle attacks and
> >> > virus's.
> >> >
> >> > Other IT people must have found ways to present the danger to their
> >> > employeer and enforce IT policy for the good of the company?
> >> > Suggestions,
> >> > please?
> >> > --
> >> > Thanks, Steve
> >> >
> >> >
> >> > "Phillip Windell" wrote:
> >> >
> >> >>
> >> >> "SteveP" <(E-Mail Removed)> wrote in message
> >> >> news:6D5CCEF8-C345-4D38-84CC-(E-Mail Removed)...
> >> >> > The network is 2003 standard servers and one W2K server. All users
> >> >> > are
> >> >> > XP
> >> >> > Pro. All users are joined to the domain.
> >> >> >
> >> >> > Except:
> >> >> > One user bought a laptop with Vista Home on it. It is used at home
> >> >> > by
> >> >> > children and then brought into work and plugged into the network.
> >> >> > It
> >> >> > was
> >> >> > also given the printer drivers. It cannot be joined to the network
> >> >> > and
> >> >> > I
> >> >> > have no control over it. I do not know if it has up-to-date
> >> >> > antivirus.
> >> >> >
> >> >> > One Mac desktop that was just brought in one day and plugged in.
> >> >> >
> >> >> > Company policy is XP Pro machines only and they must be joined to
> >> >> > the
> >> >> > domain.
> >> >> >
> >> >> > I need information to present to management on why having computers
> >> >> > just
> >> >> > plugged into the network is dangerous.
> >> >>
> >> >> I don't know what to say. It would be like trying to explain what the
> >> >> color blue
> >> >> looks like.
> >> >> If they don't understand why it is bad,...then how did the company
> >> >> policy
> >> >> get
> >> >> put in place that says, "Company policy is XP Pro machines only and
> >> >> they
> >> >> must be
> >> >> joined to the domain"? That would be the whole point of that
> >> >> policy,...if they
> >> >> aren't going to enforce that policy then get rid of it and let the LAN
> >> >> be
> >> >> a
> >> >> free-for-all, because your Policies have no "teeth",..they have no
> >> >> authority.
> >> >>
> >> >> --
> >> >> Phillip Windell
> >> >> www.wandtv.com
> >> >>
> >> >> The views expressed, are my own and not those of my employer, or
> >> >> Microsoft, or
> >> >> anyone else associated with me, including my cats.
> >> >> -----------------------------------------------------
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>

"Danny Sanders" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Then you can go to the powers that be and show them how much data is on their
> network that is covered by HIPPA or Sarbanes Oxley.

Yes, exactly. I thought of that a short while after I sent the last post.
Sarbanes Oxley made huge difference in how serious they took things around here
where I am.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------