Here come hypervisors you can trust
Virtualisation has always bothered me. This is perhaps an odd statement to make; after all, I am personally responsible for virtualising thousands of servers.
But the truth of it lies in the special status the IT community has ascribed to hypervisors.
When we nerds talk about virtualisation, especially with relation to servers, we don’t talk about loading an operating system onto a server, we load a hypervisor. It’s a dangerous distinction and one that often leads systems administrators up a dark path of forgetting that a hypervisor is just as much of a security risk as any other operating system.
Indeed, hypervisors should be considered a bigger security risk than the traditional bare-metal operating system for the simple reason that we have become reliant upon them to host dozens, or even hundreds, of virtual machines per physical server.
Yet by and large, we tend to neglect the hypervisor, trusting it to just work. …..
Putting all of Your Eggs in One Basket – or How NOT to do Layoffs
The recent story about Jason Cornish, a disgruntled employee of pharmaceutical company Shionogi, is getting a lot of attention this week. In a nutshell, he resigned after a dispute with management, and was kept on as a consultant for a few months after.
The story then goes that he logged into the network remotely (ie – VPN’d in using his legitimate credentials), then logged into a “secret vSphere console” (I’d call “foul” on that one – there would be no reason to have a “secret” console – my guess is he used the actual corporate vCenter console or used a direct client against ESX, which you can download from any ESX server, so he had rights there as well), then proceeded to delete a large part of the company infrastructure (88 servers in the story I read). The company was offline for “a number of days”, and Jason is now facing charges.
This diary isn’t about the particulars of this case, it’s much more of a common occurrence than you might think. We’ll talk a bit about what to do, a bit about what NOT to do, and most important, we’d love to hear your insights and experiences in this area.
First of all, my perspective …
Separation of duties is super-critical. Unless you are a very small shop, your network people shouldn’t have your Windows domain admin account, and vice versa. In a small company this can be a real challenge – if you’ve only got 1 or two people in IT, we generally see a single password that all the admins have. Separation of duties is simple to do in VMware vSphere – for instance, you can limit the ability to create or delete servers to the few people who should have that right. If you have web administrators or database administrators who need access to the power button, you can give them that and ONLY that.
via ISC Diary | Putting all of Your Eggs in One Basket – or How NOT to do Layoffs.
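The separation of duties described in the excerpt above, sketched in VMware PowerCLI as an added example (not code from the ISC diary): a role that carries only the power controls, granted on one folder, followed by an audit of who can still create or delete VMs. It assumes an existing Connect-VIServer session; the folder name, group name and role name are hypothetical placeholders.

```powershell
# Added example. Assumes VMware PowerCLI and a session opened with Connect-VIServer.
# 'Web-Servers', 'EXAMPLE\web-admins' and 'VM-Power-Only' are hypothetical names.
$folder    = Get-Folder -Name 'Web-Servers'
$principal = 'EXAMPLE\web-admins'

# 1. Build a role that holds the power-button privileges and nothing else.
$powerPrivs = Get-VIPrivilege -Id @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset'
)
$role = New-VIRole -Name 'VM-Power-Only' -Privilege $powerPrivs

# 2. Grant that role on the single folder; VMs inside the folder inherit it.
New-VIPermission -Entity $folder -Principal $principal -Role $role -Propagate $true

# 3. Audit: find every role that can create or delete VMs ...
$risky = 'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Delete'
$riskyRoleNames = Get-VIRole |
    Where-Object {
        $privs = $_.PrivilegeList
        $risky | Where-Object { $privs -contains $_ }
    } |
    Select-Object -ExpandProperty Name

# ... and list who holds one of those roles, and on which object.
Get-VIPermission |
    Where-Object { $riskyRoleNames -contains $_.Role } |
    Sort-Object Principal |
    Select-Object Principal, Role, Entity, Propagate
```

The audit output is the list to review when someone changes roles or leaves: every principal on it should be one of "the few people who should have that right".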
Google bypasses admin controls with latest Chrome IE
Google has released a new version of Chrome Frame – the Internet Explorer plug-in that turns Microsoft’s browser into a Google browser – letting users install the plug-in even when they don’t have administrator privileges on their machines.
The new version runs a “helper process” when IE starts up that can then load the Chrome Frame plug-in when it’s requested, and you don’t need admin privileges to do so. “Yay for clever technical hacks that help users circumvent ossified IT bureaucracy,” said one commenter on Hacker News (http://news.ycombinator.com/item?id=2674583). But admins aren’t likely to feel the same.
Google is well aware of this. But the company says that if admins don’t like it, they can use separate admin Google tools to stop it from happening…….
Google bypasses admin controls with latest Chrome IE • The Register.
TechNet Blogs: March 2011 Security Bulletin Webcast Q&A
March 2011 Security Bulletin Webcast Q&A
Hosts: Dustin Childs, Sr. Security Program Manager, MSRC
Jerry Bryant, Group Manager, Response Communications
Website: TechNet/security
Chat Topic: March 2011 Security Bulletin Release
Date: Wednesday, March 9, 2011
via TechNet Blogs.
Cleaning house
There are times as a security professional you have to roll up the sleeves and get your hands dirty to make sure some of the basics are applied to the environment we’re looking after. As a common example, most of us have had to patch the odd Windows machine, or three, to help out a friend to make sure they’re safe and up to date from the various nasties out there.
What happens when you’re presented with forty-seven Windows XP computers: all networked, in a Windows workgroup, with varying levels of patches installed, hardly any internet connectivity and a limited time frame to get them to a current patch level? Now throw in that every machine is infected and the infection is causing embarrassing and crippling problems to the users.
Here’s my solution; if you have a better one, or helpful pointers, feel free to comment.
When you try to install RSAT (Remote Server Administration Tools for Windows 7) on Windows 7 SP1, you will get this error message: “This update is not applicable to your computer”.
I suppose quite a few IT pros have waited for the Windows 7 service pack 1 before they upgraded from Windows XP or Vista. I am afraid that many will have their first negative experience with Windows 7 shortly thereafter. RSAT (Remote Server Administration Tools for Windows 7) certainly belongs to the first tools every Windows admin installs. Unfortunately, RSAT can’t be installed on Windows 7 SP1.
* To annoy admins is not a wise strategy if you want an operating system to be adopted quickly by businesses.