Archived from groups: microsoft.public.win2000.security (More info?)
We are doing a security project here, that removes domain admin from our
daily login id's. It's been suggested that we run our admin tools and id's
on Metaframe, because they don't want us using runas on our desktops.
Metaframe worries me a little because there are other non-admin people using
the same system, and who knows what they are doing..
So I guess my question is, if one MF session got a virus of some kind can it
interact with any of the other sessions? So if I'm on as an admin, and user
b picks something up, can the user b session get into my session?
Has anyone else had to do this, and what did you do?
Archived from groups: microsoft.public.win2000.security (More info?)
Hi John,
I am a bit puzzled by the proposed solution: running as domain admin on MF
is not much better than running as domain admin on your desktop -- as you
could compromise both. MF environments are usually better controlled than
desktops but as long as you are a domain admin (hence local admin on the
box) you are both vulnerable to malware and can mess up the box yourself.
> So if I'm on as an admin, and user
> b picks something up, can the user b session get into my session?
I think that the problem is more the other way around: you, logged as
admin, are more likely to pick up something and damage the system, not users
running with limited privileges.
The answer to your other question is yes, a kernel mode virus can hijack any
session -- tricky but it can be done.
The real difference I see is restricting the usage of the privileged account
to tasks that really require it: do you really need to run IE or Outlook
while logged in as Domain Admin? Forcing you to use a second account,
perhaps on a clean machine, is somewhat better, but not that much.
cheers,
Marco
--
Free five computers' license for NeoExec for Active Directory
[ www.neovalens.com ]
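Added example, not part of the original thread: a small Python check for the two exposures discussed above, an admin ID logged on to a MetaFrame box at the same time as ordinary users, and an admin ID running IE or Outlook. The account names, host names, record layouts and timestamps are constructed placeholders; real input would come from your own session and process-creation logs.

```python
from datetime import datetime

# Constructed sample data (not from the thread); all names are placeholders.
ADMIN_ACCOUNTS = {"jm-adm"}                      # hypothetical privileged IDs
RISKY_IMAGES = {"iexplore.exe", "outlook.exe"}   # the apps named in the thread

SESSIONS = [  # (host, account, logon, logoff)
    ("mf01",  "jm-adm", "2004-11-10 09:00", "2004-11-10 09:40"),
    ("mf01",  "userb",  "2004-11-10 09:30", "2004-11-10 11:00"),
    ("mf01",  "userc",  "2004-11-10 10:00", "2004-11-10 10:30"),
    ("adm01", "jm-adm", "2004-11-10 13:00", "2004-11-10 13:20"),
]
PROCESSES = [  # (host, account, image name)
    ("mf01", "jm-adm", "mmc.exe"),
    ("mf01", "jm-adm", "IEXPLORE.EXE"),
    ("mf01", "userb",  "outlook.exe"),
]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


def shared_admin_sessions(sessions, admins=ADMIN_ACCOUNTS):
    """Return (host, admin, other_user) for every admin session that overlaps
    in time with a non-admin session on the same host."""
    parsed = [(h, a, _t(s), _t(e)) for h, a, s, e in sessions]
    hits = []
    for host, acct, start, end in parsed:
        if acct not in admins:
            continue
        for host2, acct2, start2, end2 in parsed:
            same_box = host2 == host and acct2 not in admins
            # Two intervals overlap when each starts before the other ends.
            if same_box and start2 < end and start < end2:
                hits.append((host, acct, acct2))
    return hits


def risky_admin_processes(processes, admins=ADMIN_ACCOUNTS, risky=RISKY_IMAGES):
    """Return process records where a privileged ID ran a browser or mail client."""
    return [(h, a, img) for h, a, img in processes
            if a in admins and img.lower() in risky]


if __name__ == "__main__":
    print("admin sharing a box with users:", shared_admin_sessions(SESSIONS))
    print("admin running IE/Outlook:", risky_admin_processes(PROCESSES))
```

A dedicated admin box such as the constructed `adm01` produces no hits from the first check, which is the "clean machine" case mentioned in the reply.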
Archived from groups: microsoft.public.win2000.security (More info?)
so basically I'm trying to figure out if using runas on my desktop or
running a metaframe session as domain is the same thing or is one better
than the other
Archived from groups: microsoft.public.win2000.security (More info?)
Technically there is little difference, unless you can somewhat guarantee
that the MF boxes are more secure than your desktop. My guess is that they
want you to use a different machine because sysadmins can, and often do,
break company policies and their PCs are the least secure .. hence running
from a "clean" box has its advantages.
Marco
--
Free five computers' license for NeoExec for Active Directory
[ www.neovalens.com ]
Archived from groups: microsoft.public.win2000.security (More info?)
ok thanks for the advice