Glass Houses ...
Very interesting post on Ed Brill's blog recently, though I don't think this is as unique to any one platform as Ed wants you to believe. This is just as easy to do in Domino as it is in Google and comes down to the management of security policies.
How many organizations out there are dutifully managing ACLs using groups? If an unknowing admin were to add, say, the "Everyone" group to a group that was nested, at some level, inside the "LocalDomainAdmins" group, how long would it take you to discover that? How many apps would be affected? How long had it been since the change was made? My guess is that there are very few people who would have even known that it happened, let alone what the damage was.
A deep understanding of the contents of ALL (yes I said all) the groups in your address book is incredibly important. However, knowing the effect a group has on the access to applications (mail included) is even more important. The problem is being able to quickly learn what the effective access is to your applications at all times. This can be a full-time job and very difficult to do on a regular basis. Just knowing that a group was changed is one thing. Knowing what effect that had is what is really important.
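To make the nested-group scenario concrete, here is an added example (not from the original post and not Teamstudio's code) that expands nested groups and diffs effective access between two directory snapshots. The group contents, database names and the "highest matching entry wins" rule are assumptions for illustration; it does not model Domino's full ACL precedence rules.

```python
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def expand(group, groups, seen=None):
    """People reachable from a group through any depth of nesting."""
    seen = set() if seen is None else seen
    if group in seen:            # circular nesting: already visited
        return set()
    seen.add(group)
    people = set()
    for member in groups.get(group, ()):
        people |= expand(member, groups, seen) if member in groups else {member}
    return people

def effective_access(acls, groups):
    """{database: {person: level}}; assumption: highest matching entry wins."""
    result = {}
    for db, entries in acls.items():
        best = {}
        for entry, level in entries.items():
            for person in (expand(entry, groups) if entry in groups else {entry}):
                if RANK[level] > RANK[best.get(person, "No Access")]:
                    best[person] = level
        result[db] = best
    return result

def access_diff(acls, before, after):
    """(database, person, old level, new level) for every change in access."""
    old, new = effective_access(acls, before), effective_access(acls, after)
    return [(db, p, old[db].get(p, "No Access"), new[db].get(p, "No Access"))
            for db in sorted(acls)
            for p in sorted(set(old[db]) | set(new[db]))
            if old[db].get(p, "No Access") != new[db].get(p, "No Access")]

# Constructed directory snapshots; every name except "Everyone" and
# "LocalDomainAdmins" is hypothetical.
BEFORE = {
    "LocalDomainAdmins": ["Alice Admin", "ServerOps"],
    "ServerOps": ["Bob Ops", "HelpDeskLeads"],
    "HelpDeskLeads": ["Carol Lead"],
    "Everyone": ["Alice Admin", "Bob Ops", "Carol Lead", "Dave User", "Erin User"],
}
# The one-line change: "Everyone" is added two levels below LocalDomainAdmins.
AFTER = dict(BEFORE, HelpDeskLeads=["Carol Lead", "Everyone"])
ACLS = {  # constructed ACLs: entry name -> level
    "names.nsf": {"LocalDomainAdmins": "Manager", "Everyone": "Reader"},
    "mail/dave.nsf": {"Dave User": "Manager", "LocalDomainAdmins": "Manager"},
    "hr.nsf": {"LocalDomainAdmins": "Manager"},
}

if __name__ == "__main__":
    for db, person, was, now in access_diff(ACLS, BEFORE, AFTER):
        print(f"{db}: {person} {was} -> {now}")
```

Only one group document changed, yet the diff reports five access changes across three databases, none of whose ACLs were edited.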
Exactly this issue is what led to the creation of Teamstudio's Admin Suite of solutions. If you are having difficulty knowing who changed what and when, who has access (really!) to which applications, you are not alone. Feel free to give us a call, or contact me directly at craig_schumann@teamstudio.com. I would be happy to show you how we can help.