Security of data on MLS computers

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
mkmurray
Senior Member
Posts: 3233
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah

#21

Post by mkmurray »

RussellHltn wrote:I don't know, but Vista compliance may force an issue. From what I'm hearing, Vista does NOT like data being stored in the Program Files directory. (It shouldn't have been done from Win2k on, but now MS is getting a bit nasty about it by remapping writes to different locations.)
Here is a blog post I wrote about this very issue called the Vista Virtual Store: http://miguelito928.spaces.live.com/Blo ... !190.entry
jdlessley
Community Moderators
Posts: 8723
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#22

Post by jdlessley »

RussellHltn and mkmurray point out an interesting development issue for some distant time. I don’t think the Church will be migrating to Vista any time soon. Until then the issue of having the MLS program require all users to have administrator privileges is a double-edged sword. The program deals with and stores sensitive personal privacy data and should be a secure program. I won’t debate whether it is or isn’t. But then the front door is left open to this data for potential hackers who inherit administrator privileges once in the logged-on user account when a computer with this sensitive data is connected to a network and then also to the internet (I’m sure there are many threads touching on the issue of hackers being able to get through both a hardware firewall and a software firewall).

This flies in the face of good, logical, security practice – and I’m sure it doesn’t have to be this way.
russellhltn
Community Administrator
Posts: 31345
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#23

Post by russellhltn »

mkmurray wrote:Here is a blog post I wrote about this very issue called the Vista Virtual Store: http://miguelito928.spaces.live.com/Blo ... !190.entry
Looks like it will drive some programmers batty. :)

There's some variable that should make doing the right thing fairly easy. For example, storing the data under %ALLUSERSPROFILE% should get around the permissions issues and provide a consistent place for the data.

I suspect the biggest reason why admin access is requested for MLS users is because of the updates that are pushed down during send/receive. It may be difficult to get a package to do something like RUNAS so it can install updates.
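
An added example, not part of the original posts and not MLS code: a Python check that lists files Vista has redirected into one user's VirtualStore, next to the %ALLUSERSPROFILE% location suggested above. `ExampleApp` is a hypothetical folder name, and the VirtualStore layout under %LOCALAPPDATA% is the standard Vista one rather than something stated in the thread.

```python
import os

# Folders whose writes Vista redirects for non-elevated legacy applications.
PROTECTED_ROOTS = ("Program Files", "Program Files (x86)")


def shared_data_dir(env, app_name):
    """Per-machine data folder under %ALLUSERSPROFILE%.

    Assumption: the installer creates this folder and grants the clerk
    accounts write access to it.
    """
    base = env.get("ALLUSERSPROFILE")
    if not base:
        raise KeyError("ALLUSERSPROFILE is not set")
    return os.path.join(base, app_name)


def find_virtualized(local_appdata, app_name):
    """List files redirected into one user's VirtualStore for app_name.

    Any hit means the application wrote under Program Files without admin
    rights, so that user now has a private copy other accounts never see.
    """
    store_root = os.path.join(local_appdata, "VirtualStore")
    hits = []
    for root_name in PROTECTED_ROOTS:
        app_store = os.path.join(store_root, root_name, app_name)
        # os.walk yields nothing if the folder does not exist.
        for dirpath, _dirs, files in os.walk(app_store):
            for name in files:
                hits.append(os.path.relpath(os.path.join(dirpath, name), store_root))
    return sorted(hits)


if __name__ == "__main__":
    app = "ExampleApp"  # hypothetical application folder name
    local = os.environ.get("LOCALAPPDATA")
    if local is None:
        print("LOCALAPPDATA is not set; run this on the Windows machine being checked")
    else:
        print("Intended shared data folder:", shared_data_dir(os.environ, app))
        for path in find_virtualized(local, app):
            print("redirected write:", path)
```

Run it once per user profile: the VirtualStore is per user, so each account that ran the program without admin rights can hold its own diverging copy of the data.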
jdlessley
Community Moderators
Posts: 8723
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#24

Post by jdlessley »

RussellHltn wrote:I suspect the biggest reason why admin access is requested for MLS users is because of the updates that are pushed down during send/receive. It may be difficult to get a package to do something like RUNAS so it can install updates.

Then how do Symantec and other commercial products do it for their programs? My antivirus updates just fine while logged onto a standard 'user' account.
jdlessley
Community Moderators
Posts: 8723
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#25

Post by jdlessley »

RussellHltn wrote:I suspect the biggest reason why admin access is requested for MLS users is because of the updates that are pushed down during send/receive. It may be difficult to get a package to do something like RUNAS so it can install updates.

Then how do Symantec and other commercial programs do it? Their antivirus program updates just fine while I am logged onto a general 'user' account. I am sure MLS could be programmed to do the same thing.
russellhltn
Community Administrator
Posts: 31345
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#26

Post by russellhltn »

jdlessley wrote:Then how do Symantec and other commercial programs do it? Their antivirus program updates just fine while I am logged onto a general 'user' account. I am sure MLS could be programmed to do the same thing.
Updating a virus definition file is a different thing. I'm talking about updating the program itself.

It can be done. Either through something like RUNAS (which requires that SLC know the login/password that will work on every machine), or through a service that runs as SYSTEM. But it's not easy. A more likely possibility is through LANDesk.
lajackson
Community Moderators
Posts: 10360
Joined: Mon Mar 17, 2008 10:27 pm
Location: US

#27

Post by lajackson »

RussellHltn wrote:It can be done.
I do know that in the early days of MLS, some very messy things happened if a user did not login to the OS using an administrative login, and then MLS tried to download an update. Essentially, MLS was not smart enough to know that the update had not taken place, and just went merrily on its way until it either crashed or the data corrupted.
jdlessley
Community Moderators
Posts: 8723
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#28

Post by jdlessley »

RussellHltn wrote:Updating a virus definition file is a different thing. I'm talking about updating the program itself.

It can be done. Either through something like RUNAS (which requires that SLC know the login/password that will work on every machine), or through a service that runs as SYSTEM. But it's not easy. A more likely possibility is through LANDesk.

The updates Symantec and others do go farther than just definition files. I've seen second-level, or minor, update changes to the program through their update process while logged into a general user account.
russellhltn
Community Administrator
Posts: 31345
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#29

Post by russellhltn »

I checked my machine at work. There's no less than 5 running services and two stopped ones. All of them run as "local system".

But I'll bet Symantec's beta test is probably bigger than the church's entire deployment. It can be done, but it's not always easy. Update via LANDesk is probably easier to do.
childsdj
Member
Posts: 258
Joined: Wed Feb 07, 2007 9:51 am

#30

Post by childsdj »

RussellHltn wrote:I checked my machine at work. There's no less than 5 running services and two stopped ones. All of them run as "local system".

But I'll bet Symantec's beta test is probably bigger than the church's entire deployment. It can be done, but it's not always easy. Update via LANDesk is probably easier to do.

The LANDesk solution is the best option, but not yet feasible as it will not work over dial-up connections. The more units that go to high speed the better. This will begin to allow LANDesk to work as it is supposed to from a central management perspective, including software delivery.