If you are allowing employees to add new WLANs, then why worry about
GoToMyPC? You've got much bigger problems.

Check out Simple Nomad's talk (ppt and movie included) about hacking
WiFi clients.
http://www.shmoocon.org/speakers.html#simple

Your firewall isn't going to do a thing to stop you from being
compromised. Attacking the wireless clients is enough. Desktop
firewalls can help, but MiTM attacks can still be quite successful.

Also, I'd suggest telling your Windows folks that there are very few
apps that require Administrator access. If all the app needs to do is
write a few registry keys or files, use the free tools from
sysinternals.com to profile its behavior and then change the ACLs
(perhaps through a group policy). Running as power user doesn't help,
as a power user is just someone who hasn't made themselves a full
administrator yet.

It sounds like you need to explain the idea that a firewall is not all
that makes up a secure network to your upper management.

- Chris

On 4/7/06, Jim Seymour wrote:
>
> "Paul D. Robertson" wrote:
> >
> > You can control what software an employee can install, that's getting
> > easier/better in a Windows environment.
>
> [snip]
>
> Nice in theory. Doesn't appear to work in practice. We have, for
> example, employees that must be able to add new WLANs when they're on
> the road. Lack of "Administrator" access apparently precludes this.
> Ran into another one today. Volo View (an AutoCAD viewer application)
> insists on trying to modify the system registry. So if the end-user
> doesn't have "Admin," or at least "Power User," rights: No go. The
> list goes on and on. Suffice it to say, we tried, we really, really
> tried (and we're still trying) to limit end-user access as much as
> possible. But success has proven elusive. (Note: I'm not the 'doze
> guru. I'm going by what little I know and what those who are supposed
> to know tell me.)

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards
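
One way to do the profiling step suggested in the reply above, as an added example that is not part of the original message: it reads a trace captured while a standard user runs the application and lists the registry keys and files where access was denied, which are the only objects whose ACLs need loosening. It assumes the trace is a CSV export in Process Monitor's default column layout; `viewer.exe`, the vendor key and the file paths are hypothetical, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample in the default column layout of a Process Monitor CSV
# export (assumed tool), captured while a standard user runs the application.
# "viewer.exe", the vendor key and the file paths are hypothetical.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","viewer.exe","412","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\Viewer","SUCCESS","Desired Access: Read"
"10:01:02.11","viewer.exe","412","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Viewer\LastFile","ACCESS DENIED","Type: REG_SZ"
"10:01:02.12","viewer.exe","412","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Viewer\WindowPos","ACCESS DENIED","Type: REG_SZ"
"10:01:02.20","viewer.exe","412","CreateFile","C:\Program Files\ExampleVendor\viewer.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.30","explorer.exe","900","CreateFile","C:\Windows\System32\config\SAM","ACCESS DENIED","Desired Access: Generic Read"
"10:01:02.40","viewer.exe","412","CreateFile","C:\Users\jdoe\AppData\Local\viewer.log","SUCCESS","Desired Access: Generic Write"
'''


def acl_targets(csv_text, process_name):
    """Return sorted (kind, path) pairs the process was denied access to."""
    targets = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Ignore other processes and every operation that already succeeds.
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        path = row["Path"]
        if row["Operation"] in ("RegSetValue", "RegDeleteValue"):
            # A value operation's path ends in the value name; the ACL is on the key.
            path = path.rsplit("\\", 1)[0]
        kind = "registry" if row["Operation"].startswith("Reg") else "file"
        targets.add((kind, path))
    return sorted(targets)


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to drop the BOM.
    for kind, path in acl_targets(SAMPLE_CSV, "viewer.exe"):
        print(f"{kind:8} {path}")
```

The resulting short list is what goes into the ACL change (for example through a group policy), granting the users' group write access to those objects only.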