[wplug] OT: "Enough" security

Jonathan Billings jsbillings at gmail.com
Mon May 16 10:21:48 EDT 2005


On 5/16/05, Michael Smith <michael at smith-li.com> wrote:
> I've been interested for some time in the personal responsibility
> ramifications of I.T. security. Should a home user be held responsible
> for attacks launched from his zombie computer based on the fact that he
> didn't (know to) secure it properly?

Recently, we've been thinking about this where I work.  We have
several support categories for windows systems.  The two important
ones are "Full Windows Support" and "Network Only" (summarized titles).
We push out updates to the fully supported systems because they are
bound to the windows domain.  We can reboot, install new software and
manage those systems.

We haven't been pushing out updates to the network only systems, even
though many of them are bound to the domain.  The question is --
should we push out the fixes even though they aren't paying for
software support?  We realize that a system that's broken into on the
local network is a hazard to security, and would end up causing more
work.  However, since the system isn't under software support, if the
update broke something we'd have to fix it.  Should we force users to
be sysadmins of their own windows systems?  We think that's how we're
going to do it.

The campus folks, who have several orders of magnitude more windows
systems to deal with, have a good policy.  When you authenticate to
the network, a simple check is run to make sure you aren't obviously
running a hacked system.  If you are, you don't get a network
connection.  Also, if your system starts scanning, spamming or
behaving suspiciously, your network connection is terminated.  If your
network bandwidth is exceeded, your network connection is terminated.

So we have a fairly heavy-handed approach, as demonstrated by the
campus facilities, and a somewhat more lenient approach, which we are
considering.

As for running linux, we have a supported environment which we control
very tightly.  Users can make modifications and install random
hardware, but we only promise support of our base environment.  It's a
lot simpler for us to manage our environment than dozens of
customized OSs, so it makes sense for the unix side.  But windows
doesn't always fit into that same mentality.


-- 
  Jonathan Billings
jsbillings at gmail.com


