[unisog] - data tool

J. Oquendo sil at infiltrated.net
Tue May 12 12:05:33 GMT 2009


Paul FM wrote:
> The only sure way is to have an administrator run a machine with the file 
> share (Windows or Samba) who is in the group of people who need access.
>
>
> Keep in mind that having administrative control of any of the machines 
> involved (authentication server, file server, or client) effectively gives 
> the sysadmin a path to access the data.  It is very easy (just one exammple) 
> to use cygwin tools to start a xterminal to a specific machine when a user 
> logs in - this can be done without actually installing the cygwin tools - you 
> can cause this either by modifying the run key on the client, or changing the 
> user's login script on the authentication server).  And of course - if you 
> set up the server and file share, could easily get at the data (even an 
> encrypted data share can have a backdoor added when it is created).  Even 
> OpenAFS (which would be able to serve your needs) suffers from all these 
> basic security issues.
>
>
> To get around some of the above security issues, yOu could use A windows 
> Terminal server to host the data - then all access to the data would have to 
> be by interactive login to that Server - of course it would have to be 
> dedicated for only that purpose (you would only need licenses for the 
> individual users using the WTS and authentication could be self contained). 
> But you would still need a trusted administrator to run it (preferably 
> someone in the group with help from a regular administrator).  However, 
> getting a keylogger (program or hardware) on any of the client machines could 
> still get a user and password needed to log into the Terminal Server.
>
>
> If this is a real absolutely secure requirement - you would need a room, that 
> only the users are even allowed to enter, of isolated computers (no network 
> connections except to each other) with a file server (and one of the users 
> would have to run all the machines).  Note: this could even be done with 
> Windows 98 - as the security is completely controlled by physical access.
>
>
>
> Christoph Sprongl wrote:
>   
>> Hi,
>>
>> looking for a tool either encryption or good ACLs unfortunatly for a
>> Microsoft env., to make sure that only a specific group can share
>> documents.
>> Objective is that a sysadmin is really not able to look into the data.
>>
>> TrueCrypt encrypts containers, only one person can access the data.
>>  FreeOTFE does have problems if data got accessed parallel -> data corrupt.
>>
>> Any ideas more than welcome!
>>
>> christoph
>>
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
>>     
>
>   

True Crypt or any other form of encryption mechanism is your
best bet to stop them from viewing data - granted the system
administrator doesn't plan a keystroke logger, capture the
key and pry. However, I've seen no mention from anyone else
on the subject, but auditing (log records) and accountability
go a long way as well.

You can't however, define accountability as giving a harsh
pointer finger screaming "don't do that" else no one would
take it seriously. Think about that for a second; you speed,
you get pulled over, an officer points his finger "if you
speed again!" and this type of outcome occurs every time you
speed; you can't expect much out of it. You'd learn that in
the end, nothing will come out of it. So what do you do?
You speed, maybe even faster next time, after all, you already
know what's the worst that will likely happen.

On another note, if you can't place an extreme level of trust
and accountability in your senior system administrators, than
you may have bigger issues to contend with other than data
accessibility - backdoors anyone?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E



More information about the unisog mailing list