That said, we went through this in the WinXP days, and by Win7 it was a pretty hard no in a lot of cases, and it turns out that very, very few people need to be installing anything. You can approve from a vendor certificate, or we do it from a local "Install" folder and things in there get elevated and logged. I'd get something like Privilege Manager or Policy Pak or Beyond Trust Privilege manager and provide a logged and managed way to elevate installers. Or go find a company that more closely aligns to your own view of business need and risk acceptance. Many of them might allow you to personally sleep better at night, but if the business has identified a legitimate business need and accepted the risk you have a choice to make: Wash your hands and put the solution in place. There are other ways to skin this particular cat. There's an acknowledgement that if a system exists, it's not perfectly secure and so you take every step possible to ensure that when something bad finally does happen, you know what, how, when, where and potentially why. To a certain extent this is how the most secure environments work. And you keep controls in place to minimize the fallout when something goes wrong. You give the user the ability to perform the work.

The install prompts for elevation, the elevation is logged, shows up in the audit, and an alert goes out to whoever needs to know. What would be the best way to allow a user to update a specific software? A separate account and full auditing AND alerting specifically on any use of that account.