conioh | 3 years ago
That's a bold claim. Mostly incorrect, but bold. A proper Windows endpoint protection software's Registry filter will prevent you from modifying its Registry data; its filesystem minifilter will prevent you from modifying its files; its EXEs will use the Windows mitigation policy that loads only Microsoft-signed DLLs; its connection with its management server will be encrypted and signed with known keys/certifications (rather than trusting everything from the Windows Certificate Store), etc.
An admin can still bypass all of that with enough effort, but it's not nearly as trivial as you say. What is trivial is that you can't actually do the things you said, and it's common knowledge (in the field).
horsawlarway | 3 years ago
If you don't want people to modify the machine - don't give them admin access.
If you give them admin access... don't assume they won't modify the machine.
For comparison - I worked software security for 5 years dealing with Fortune 100 banks. I have zero faith in the industry. It's mostly a shell game for liability.
I can absolutely do the things I mentioned above. At best, it's a discussion of how hard I'll have to work. So again... this is basically a "hey - you're about to violate company policy" notice.