'RE: Agentless but local admin solution'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       patchmanagement
Subject:    RE: Agentless but local admin solution
From:       "Todd Towles" <toddtowles () brookshires ! com>
Date:       2004-01-28 16:33:07
Message-ID: 001e01c3e5bc$692aa280$e903010a () msad ! brookshires ! net
[Download RAW message or body]

Installing Windows updates would need a full admin account (I believe),
hence the problem of a agentless Windows solution.

-----Original Message-----
From: John Mitropoulos [mailto:MITROPJ@co.mecklenburg.nc.us] 
Sent: Wednesday, January 28, 2004 7:10 AM
To: Patch Management Mailing List
Subject: RE: Agentless but local admin solution

How is this different from the local Administrator or recovery
Administrator account? Assuming this account is not disabled, I
seriously doubt every single server or client at an installation has a
different password for this account.
 

Assuming the attacker would need to know the username and password in
order to extend the compromise further, Can this not be mitigated by
strong encryption + strong passwords (15+ character)?
 
Can this not also be mitigated by granting the "patch user" only the
rights required to check for and install patches? (Power User equiv?)
 
--john--
 

>>> erik@foundstone.com 1/27/2004 2:38:56 PM >>>

This is my first post here, but I would like to be sure everyone is
aware of the INSANE amount of risk you assume if you, "create a local
account on each target that is admin equivalent. For ease of
administration, the account and password should be the same on all
targets."
 
Not to mention the difficulty you will have managing these accounts in
a secure manner, if I compromise one server with ANY type of remote
attack, I will be able to compromise ALL OTHER SERVERS.
 
You have been warned.
 
 
 
-------------------------------------------

Erik Pace Birkholz - CISSP, MCSE
Principal Consultant Emeritus
Foundstone, Inc.
2003 Network Computing Editor's Choice:
http://www.networkcomputing.com/1412/1412f23.html
Read SPECIAL OPS and mount an assault to eradicate network negligence
today. www.SpecialOpsSeries.com
--------------------------------------------
 
---
To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.o


---
To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.org

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic