@thomas-pondant said in Lending admin password to someone: can anyone who has temporary admin access to the command line start another process with admin privileges from the command line?:

But what if he starts Internet Explorer from the command line (to which he has admin access thanks to Ronnie) instead of via the GUI, could he run IE as administrator?

The UAC should take control again if I've closed out of IE previously. The same procedure will be required. If I'm the admin, it should ask if I want to allow it and I just choose yes. If Wes, were to try it, it should present him with a dialog box to provide admin credentials.

Hey Thomas,

I didn't forget about you! I have been out of the office for a bit. The last one we have to talk about is VPNs and TLS. When we think about HTTPS remember that this protocol encrypts the communication between a web browser and a server.

So take for instances a quick little diagram:

0_1533910780200_Screen Shot 2018-08-10 at 10.14.06 AM.png

In this diagram we have User01 needs to access a public website, so how to we make it to where a user traversing a public network can connect to our company's website in a secure manner that protects the confidentiality, integrity and availability of the communication, we implement HTTPS which uses the security layer today of TLS.

0_1533911732920_Screen Shot 2018-08-10 at 10.35.00 AM.png

Note the DMZ here, the first (external) firewall allows for public access to our company's internal resources which in this case is the company website. So what does this do for us?

What does this do?

1 - Allows access to our internal resources
2 - Does not expose our internal network to the outside world when accessing the company website
3 - Allows the customer confidentiality of the communication - via HTTPS-based encryption
4 - Allows for integrity of the communication as there is a certificate exchange/validation of the web server.
5 - Encrypts ```web-based`` communication or HTML-based communications.

What doesn't this do?

1 - Allow for access from a public network (Internet) to the internal network for authorized users
2 - Provide authentication, authorization or auditing of those external to internal connections for authorized users

So what can we do to allow authorized users or employees access to internal company resources. For example Remote User 01 works from home 3 days out of the week. This user also needs access to her work files stored in a centralized file server located on the internal company network.0_1533913795231_Screen Shot 2018-08-10 at 11.09.35 AM.png

We could (please do not....lol) do this

1 - Place the web application server in the DMZ
2 - Place the file server in the DMZ

0_1533914034897_Screen Shot 2018-08-10 at 11.13.39 AM.png

As I am sure you are aware this presents a major security risk:

The web application and file server are now exposed to the public (and all the bad actors)
Authentication and authorization has to be performed, which in this case will expose the user database to the public (and all the bad actors)
Sensitive information is now exposed to the public
....and more

This is not a solution. So we need to:
1 - Keep these resources protected inside the company's internal network
2 - Implement a remote access technology that will allow for public access to internal resources that are not limited to web-based technologies such as HTTPS.
3 - Allow for the implementation of authentication, authorization and auditing.

This is where HTTPS is not a viable option because while it does allow for an encrypted communication between a web browser and a web server but lacks the other attributes we need. So insert ```VPN`` technologies.

VPNs allow us to:

1 - Connect to internal resources over existing public networks
2 - Connections appear as though the remote user is connected to the physical network
3 - Do not expose internal resources to those public networks
4 - Authentication can be performed by implementing technologies like RADIUS, TACACS+, Diameter
5 - Protect the user database from exposure to the public and bad actors
6 - Provide confidentiality to sensitive internal data through application of strong encryption.
7 - Allows for connections to and utilization of resources that do not use HTTPS (such as FTP, SSH, LDAP, SMB, NFS to name a few)

When we implement the VPN technologies we get these and more benefits. To the end user it looks like they are connected to the LAN and can access resources (not just HTTPS or web-based technologies)

0_1533916466588_Screen Shot 2018-08-10 at 11.51.11 AM.png

And VPNs security layer can be TLS!

I hope this helps @Thomas-Pondant

@thomas-pondant,

Every user account is set as a standard user account, even the administrator account on a computer. This action prevents any user including the administrator from remaining logged on and unknown programs to run in the background as the administrator with administrative privileges.

So when you create an account and make him/her an administrator, it give his account the privilege to elevate privileges for administrative tasks. He simply has to consent that he is the one requesting the elevating privileges. This is behavior of the UAC with someone who is part of the administrators group.

If a user isn't a member of the administrators group, then if he attempts a task that requires administrative privileges, he will have to provide credentials from a user who is a member of the administrators group. This is the behavior of the UAC with someone that is a standard user account.

Thomas,

Great questions !!

Let's start with DLNA and what it is used for. Ronnie already gave you an idea of what DLNA does, here is a little bit more detail:

DLNA separates multimedia devices into 10 certified classes subdivided into three broad categories: Home Network Devices (PCs, TVs, AV receivers, game consoles), Mobile Handheld Devices (smartphones, tablets, digital cameras), and Home Infrastructure Devices (routers and hubs).

A device’s class is determined by its functional capabilities—whether it stores, controls, or plays media—rather than the type of product it is. So it’s possible (even common) for a device to fall into more than one class. Some DLNA-certified TVs, for example, can be classified as both a Digital Media Player—meaning it can locate and play media from other devices—and a Digital Media Renderer—because media can be pushed to it by an external controlling device.

The DLNA specification defines only a handful of audio and video formats it supports. Common formats like MP3 audio, MP4 video, Windows Media Audio, and Windows Media Video 9 are all included. However, DLNA devices don’t support Windows Media Video 10, the MKV or AVI containers, or FLAC lossless audio. DLNA also defines certain types of “profiles,” so some MP4 files might not be supported depending on their resolution, bitrate, and other details. Device creators can’t add support for these because that would violate the DLNA specification. Not all local media files will work. Some DLNA server software will transcode media on the fly from an unsupported format to a DLNA-compliant one — they have to do this because that’s the only way you could stream such files with DLNA.

DLNA also must involve files. You can’t use DLNA to stream the contents of your screen from one device to another, as you can do with Apple’s AirPlay, Google’s Chromecast, or the Miracast wireless display standard. You can’t play a game on a device and stream the output of your display to another device, give a presentation, or mirror your display for any other reason.

So, in terms of what DLNA is and what it does, it serves up local media and makes it available. The security issue(s) associated with allowing it are really centered around the concerns that the broadcasted metadata about the information DLNA is serving up, and where it resides pose. In general terms, turning off ALL services that are not actively used / required is a security best practice to help harden a system / device and to reduce the available attack surface for someone looking to do harm. It would make sense for you to remove support for any of those protocols or services that will not be used for this reason, but also because they pose ongoing risks due to the potential for unknown vulnerabilities that may be exploited at some point.

I hope that helps... :)

Cheers,

Adam

If you are asking what I think you're asking. Yes, sort of.

What it does really is separate them and treat the server nodes as an extension of a namespace, so the node becomes an identical copy of each other. If one node fails, you simply replace it and join it and everything in the namespace is replicated to an identical root folder / share with that name.

That's probably a somewhat simplistic view but you wouldn't for example lose your permission because the primary node failed, as long as you keep up with your replication and make sure it hasn't failed to replicate something across to one of the 'partners'.

That's very helpful @Ben-Coyle , many thanks :+1: +1:

Re Journal of physical security link, the site appears to be down but the papers are available on Slideshare here: http://www.slideshare.net/noham1887/documents

@D.-Rogers Thaks for those - some great mindmaps there. The SANS poster is pretty good for showing potential attack vectors to people too :+1:

Ben,
Thanks for sharing with the team! It motivates us, as we're beginning to record the series for the newer SY0-401 exams. The ITProTV team congratulates and celebrates with you on your certification achievement! Well Done!
Cordially,
Ronnie Wong
Host, ITProTV