B1/2 and untrustworthy admins


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: B1/2 and untrustworthy admins
  • From: Paul Leach <paulleMICROSOFT.COM>
  • Date: Fri, 27 Mar 1998 18:03:17 -0800
  • Comments: To: Steve Birnbaum <sbirnSECURITY.ORG.IL>
  • Reply-To: Paul Leach <paulleMICROSOFT.COM>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

> ----------
> From:         Steve Birnbaum[SMTP:sbirnSECURITY.ORG.IL]
> Reply To:     Steve Birnbaum
> Sent:         Friday, March 27, 1998 3:18 PM
> To:   NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject:      Re: NT Screen Saver Password Protect Bug
>
> > However, it is an UNSOLVABLE problem, and so
> > fixing one instance is useless and can only lead to a false sense of
> > security.
>
> I never thought I'd find myself agreeing with Paul, but stranger
> things have happened (though not many <g>).
>
Wow. :-)

> NT is not B1 or B2 rated.  I haven't heard about it being rated C2 with
> a NIC.  So why are people sitting here comparing it to such systems?
>
> If you want such a system, go talk to Argus systems or some other
> vendor whose OS meets your security requirements.
>
> As long as the admin is a superuser, what difference does it make
> *HOW* he is able to use your account?  If it's not one way, it's another.
>
> Forget software, maybe the keyboard is specially wired to record
> your keystrokes and send them via a wireless transmitter to a receiving
> device on the admin's desk?  Go find that in your audit log.
>
> Like Paul said, if you can't trust the admin don't touch the computer.
>
Just wondering, but how would B1 or B2 help in the case under discussion?
If I remember correctly, they will add mandatory access controls, and some
protection against covert channels, and so on. But there's still a person
who has the authority to install the code that enforces those policies, and
if that person installs code that has been suitably modified, then it
won't enforce them.

> You can make it so that more than one person is required to do this, but
> again, in the case that we're talking about, the whole environment is
> untrusted (or at least less trusted than the main environment) -- so why
> wouldn't all of the needed people be assumed to be in collusion?
>
Paul