SIGforum.com | The Lounge
PC and Mac user accounts -- Admin privileged, or not?
Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by smschulz:
quote:
Again: I'm not talking having the ability to temporarily elevate to Admin rights, as-necessary, but running with Admin rights full-time. It's a truly bad idea.


Don't forget to wear a mask while operating your computer. Razz

Your opinion differs from that of every last knowledgeable, competent IT individual I've ever known. IRL or on the 'net. Bar none. Yes: Including MS-Win Admins I've known.

I have to believe we're talking about different things and cannot connect. So I'm just going to drop it.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
quarter MOA visionary
smschulz posted:
quote:
Originally posted by ensigmatic:
quote:
Originally posted by smschulz:

Don't forget to wear a mask while operating your computer. Razz

Your opinion differs from that of every last knowledgeable, competent IT individual I've ever known. IRL or on the 'net. Bar none. Yes: Including MS-Win Admins I've known.

I have to believe we're talking about different things and cannot connect.
So I'm just going to drop it.


You know ensigmatic you take everything so seriously.
It's not like I am recommending to put your dick in a light socket to test if it is live.
Just saying that everyone doesn't have to lock their computer down for dear life to the nth degree in every case.
And if you do .... fine.
Sure there are risks like everything in life.
The only thing I fear is Ransomware, other than that there hasn't been another virus that I have not handled.
I am also saying to use common sense and yes we are still at risk.
But if wearing masks and getting 3 jabs make you safer then have at it (that was a joke, btw).
 
Posts: 22898 | Location: Houston, TX | Registered: June 11, 2006
Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by smschulz:
You know ensigmatic you take everything so seriously.

I do take computer security seriously. Very seriously.

There are people who know you're a computer and network professional seeing you claim it's ok to run with Admin/root privileges all the time and think "Well, if smschulz says it's ok, it must be ok, because he's an expert."

It is not, in my experienced opinion, and that of every other experienced, knowledgeable computer and networking professional I've ever known, ok.

quote:
Originally posted by smschulz:
Just saying that everyone doesn't have to lock their computer down for dear life to the nth degree in every case.

Not running with Admin/root privs when you do not need to is not "lock[ing] their computer down to the Nth degree," it's simply employing safe computing practices.

quote:
Originally posted by smschulz:
Sure there are risks like everything in life.

Sure there are. And you can never be 100% safe, no matter what you do. But not regularly running as root/Admin is like always following all four rules of gun safety every time: If one fails or you slip up on one, the others will save you.

quote:
Originally posted by smschulz:
The only thing I fear is Ransomware, other than that there hasn't been another virus that I have not handled.

You know of zero-day exploits, right?

I had one get loose on my network, once. The user actually followed all the rules, but zero-day. While it did get loose on the network: It wasn't able to actually infect any machines and it was easily-stopped because it wasn't able to infect any machines. It wasn't able to infect any machines because nobody was running with Admin rights.

quote:
Originally posted by smschulz:
... (that was a joke, btw).

Yes, I know.

There are things about which I have precious little sense of humor. Gun safety is one of them. Computer and network security is another. I also always wear safety glasses when operating power tools of any kind or when swinging a hammer. (Had a close friend lose an eye, swinging a hammer, when a nail rebounded right into his eye.) I don't joke around about shop safety, either.

I should wear a mask more often when creating saw and metal dust, though Wink

In fact: In the brief time I was still admin'ing MS-Win servers, and had membership in one-or-another popular MS-Win forum--I recall not which, I recall one common recommendation was to never even use a browser on an MS-Win server.

I challenge you to wander into any venue consisting primarily of computer and network admins and suggest it's ok to commonly operate your computer with Admin/root privileges--web browsing, reading your email, opening MS-Office and Adobe docs, etc.

Please let me know when and where you're going to do that. I would like to watch Smile



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
Member
4MUL8R posted:
quote:
Originally posted by smschulz:
quote:
Originally posted by 4MUL8R:
One way to protect your Mac or PC is to only use the admin account for machine set up and maintenance.
If you log in as a user, without admin privileges, I am told that you cannot install software, etc.
So, that machine is protected.
I deal with this protection every day on my work laptop, where I can't even delete unnecessary shortcuts on my desktop without admin credentials.

When I replace the HDD with a SSD in this Mac mini next month, I'll probably create two users to invoke this form of protection.


What are you "protected" from (except yourself)?


I am told by my IT department that prevention of root level admin credential program installation by outside agents is protection. I don’t know if this helps prevent ransomware or similar, but I hope it would.


-------
Trying to simplify my life...
 
Posts: 5050 | Location: Commonwealth of Virginia | Registered: January 15, 2007
Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by 4MUL8R:
I am told by my IT department that prevention of root level admin credential program installation by outside agents is protection.

I'm not even certain just what this means.

There are various certificates installed on the machine. Probably many of them at the "system" level, read-only for non-Admin-privileged access. Perhaps it is those to which they refer?

(I'm way out-of-date on MS-Windows.)

quote:
Originally posted by 4MUL8R:
I don’t know if this helps prevent ransomware or similar, but I hope it would.

<waggles hand> Yes and no. It will not protect files to which your user i.d. has write access. It will protect those files to which your specific user i.d. does not.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
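
The write-access point in the post above, as an added example that is not part of any post in this thread: it splits the files under a directory into those a process running as a given user id could alter or replace and those it could not. It reads Unix mode bits only (ACLs and file flags are ignored), and the function names are this example's own.

```python
import os
import stat

def class_bits(st, uid, gids):
    """Return the rwx bits (0-7) that apply to uid/gids. The first matching
    class (owner, then group, then other) decides; later classes are not tried."""
    if uid == 0:
        return 7  # root bypasses the mode bits
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def exposed(path, uid, gids):
    """True if a process running as uid/gids could alter or replace path."""
    st = os.lstat(path)
    if class_bits(st, uid, gids) & 2:            # write bit on the file itself
        return True
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if class_bits(parent, uid, gids) & 3 != 3:   # write + search on the directory
        return False
    if parent.st_mode & stat.S_ISVTX:            # sticky bit: only owners may unlink
        return uid in (st.st_uid, parent.st_uid)
    return True  # a read-only file in a writable directory can still be replaced

def survey(root, uid, gids=frozenset()):
    """Split regular files under root into (exposed, protected) for uid/gids."""
    hit, safe = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(p).st_mode):
                (hit if exposed(p, uid, gids) else safe).append(p)
    return sorted(hit), sorted(safe)
```

Calling `survey(os.path.expanduser("~"), os.getuid(), set(os.getgroups()))` from a standard account lists what malware running as that account could reach; the same call with uid 0 reports every file as exposed.
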
Seeker of Clarity
r0gue posted:
quote:
Originally posted by ensigmatic:
quote:
Originally posted by 4MUL8R:
I am told by my IT department that prevention of root level admin credential program installation by outside agents is protection.

I'm not even certain just what this means.

There are various certificates installed on the machine. Probably many of them at the "system" level, read-only for non-Admin-privileged access. Perhaps it is those to which they refer?

(I'm way out-of-date on MS-Windows.)

quote:
Originally posted by 4MUL8R:
I don’t know if this helps prevent ransomware or similar, but I hope it would.

<waggles hand> Yes and no. It will not protect files to which your user i.d. has write access. It will protect those files to which your specific user i.d. does not.


But it might protect the entire machine from having the ransomware malware application successfully installed on it. Thus preventing all files from the risk.




 
Posts: 11377 | Registered: August 02, 2004
Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by r0gue:
But it might protect the entire machine from having the ransomware malware application successfully installed on it. Thus preventing all files from the risk.

That's essentially what I wrote.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
probably a good thing
I don't have a cut
posted:
I have only ever had the one account on all my PCs. Never had a problem.
 
Posts: 3375 | Location: Tampa, FL | Registered: February 09, 2002
Baroque Bloke
Pipe Smoker posted:
quote:
Originally posted by r0gue:
quote:
Originally posted by Pipe Smoker:
I’ll mention that I edited my Mac’s /etc/sudoers file so that I can “sudo” in my user account. Very handy. By default “sudo” is usable only in an admin account.


That's pretty much beyond my knowledge. I've had to go there once for something, with the help of Google and forums. But I'm not a command line guy anymore. And never learned Mac (Unix) to that level. It sounds like you use a non-privileged account and step up through CLI to Admin?

Re: “It sounds like you use a non-privileged account and step up through CLI to Admin?”

You’re mostly correct. Definitely CLI in my user account, but sudo doesn’t give you mere admin privileges – a command preceded by “sudo” is blessed with root (superuser) privileges. Powerful, and potentially dangerous. Invoking sudo prompts me to think carefully about the effects that the root-blessed command might have.



Serious about crackers
 
Posts: 8934 | Location: San Diego | Registered: July 26, 2014
Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by Pipe Smoker:
... but sudo doesn’t give you mere admin privileges – a command preceded by “sudo” is blessed with root (superuser) privileges.

A couple corrections:

1. root, in Unix/Linux/Mac OS X, is roughly equivalent to Administrator in MS-Windows.

There are differences. root gives one absolute, unfettered control over local resources, Administrator has constraints. This is regarded as both a security advantage for MS-Win and a PITA, depending upon one's perspective Wink

2. sudo allows one to assume any user's identity using the "-u" command-line option.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
His Royal Hiney
Rey HRH posted:
I tried having a separate admin account but it got too bothersome and somewhat confusing.

I have my critical financial files in a hidden volume on my hard drive. I have Acronis for virus, malware, and ransomware protection. I have several back ups to both clouds and physical locations that I disconnect when I'm not backing up or mirroring.



"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
 
Posts: 19646 | Location: The Free State of Arizona - Ditat Deus | Registered: March 24, 2011
Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by Rey HRH:
I tried having a separate admin account but it got too bothersome and somewhat confusing.

How is it "somewhat confusing?" Changes to the system require root/Admin access. Changes to user-owned content do not.

The "too bothersome" thing: Do you find it too bothersome to secure your other belongings? How is the vital data you maintain on your computer different than any of your other valued possessions?

I'm not trying to berate you. I'm trying to make a point Smile

quote:
Originally posted by Rey HRH:
I have my critical financial files in a hidden volume on my hard drive.

That won't help you. Ransomware will find them, anyway.

We have a saying in the computer security field: "Security by obscurity is no security at all."

quote:
Originally posted by Rey HRH:
I have Acronis for virus, malware, and ransomware protection.

Anti-virus and malware software is only marginally effective, at best, because the stuff is primarily reactive, rather than proactive.

My security stance back when I was employed: AV and anti-malware software came in dead last as a protective measure. In the twenty-five years I ran I.T. we never once suffered a significant problem. In fact: There were a number of years we ran no AV or anti-malware software at all, because it was either ineffective or caused as many problems as it solved.

quote:
Originally posted by Rey HRH:
I have several back ups to both clouds and physical locations that I disconnect when I'm not backing up or mirroring.

If, by "disconnect," you mean by turning them off in software, rather than physically disconnecting them: That won't save you either. Particularly if you commonly run with elevated privileges.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
Peace through
superior firepower
parabellum posted:
quote:
Originally posted by ensigmatic:
quote:
Originally posted by Rey HRH:
I tried having a separate admin account but it got too bothersome and somewhat confusing.
How is it "somewhat confusing?"

Because he's not setting himself up in this forum as the be all, end all computer guru. You need to cool it.
 
Posts: 107502 | Registered: January 20, 2000
W07VH5
mark123 posted:
quote:
Originally posted by ensigmatic:
… We have a saying in the computer security field: "Security by obscurity is no security at all." …

That is a common saying and probably true for big targets but for the common homeowner obscurity is also often encouraged. Move your SSH port off of 22 because most scripts will scan for it there. Call your admin account “games” or something unimportant while making the account with the name “admin” have zero privileges. It’s sort of like locking your car. If someone wants in they will smash your window but they’d rather find an unlocked car nearby.

A hidden volume isn’t really a fix unless it’s encrypted and backed up locally and off-site. However, it’s better than nothing. Won’t help with ransomware.
 
Posts: 45369 | Location: Pennsyltucky | Registered: December 05, 2001
member
henryaz posted:
quote:
Originally posted by Pipe Smoker:
I’ll mention that I edited my Mac’s /etc/sudoers file so that I can “sudo” in my user account. Very handy. By default “sudo” is usable only in an admin account.

Modify that line and you can sudo without being prompted for your password.

%accountname ALL=(ALL) NOPASSWD: ALL



When in doubt, mumble
 
Posts: 10784 | Location: South Congress AZ | Registered: May 27, 2006
Baroque Bloke
Pipe Smoker posted:
quote:
Originally posted by henryaz:
quote:
Originally posted by Pipe Smoker:
I’ll mention that I edited my Mac’s /etc/sudoers file so that I can “sudo” in my user account. Very handy. By default “sudo” is usable only in an admin account.

Modify that line and you can sudo without being prompted for your password.

%accountname ALL=(ALL) NOPASSWD: ALL

Thanks for that info Henry. But it seems as though that would be a security risk.

And, by default, after giving my PW, I can then “sudo” for several minutes with no need to re-enter my PW. That’s usually plenty of time. BTW - The no-PW-required interval can be changed in /etc/sudoers.



Serious about crackers
 
Posts: 8934 | Location: San Diego | Registered: July 26, 2014
member
henryaz posted:
quote:
Originally posted by Pipe Smoker:
Thanks for that info Henry. But it seems as though that would be a security risk.

No more so than sudo itself. You need to be sure of what you are doing when you invoke sudo to begin with.
 
BTW, are you editing sudoers with a text editor, or the built-in tool visudo? The latter is recommended, but requires basic knowledge of vi.



When in doubt, mumble
 
Posts: 10784 | Location: South Congress AZ | Registered: May 27, 2006
Baroque Bloke
Pipe Smoker posted:
quote:
Originally posted by henryaz:
quote:
Originally posted by Pipe Smoker:
Thanks for that info Henry. But it seems as though that would be a security risk.

No more so than sudo itself.
Me: it seems to me that sudo-with-no-PW-required would make it much easier for a bad actor to install malware deep in the system that he couldn’t otherwise access from my user account. In any case it’s easy for me to supply my user account PW, thanks to my TouchID-enabled PW manager.

You need to be sure of what you are doing when you invoke sudo to begin with.
Me: Amen.

BTW, are you editing sudoers with a text editor, or the built-in tool visudo? The latter is recommended, but requires basic knowledge of vi.
Me: I use visudo. But I’m an emacs guy so I had to look on the web for education.



Serious about crackers
 
Posts: 8934 | Location: San Diego | Registered: July 26, 2014
member
henryaz posted:
quote:
Originally posted by Pipe Smoker:
Me: it seems to me that sudo-with-no-PW-required would make it much easier for a bad actor to install malware deep in the system that he couldn’t otherwise access from my user account. In any case it’s easy for me to supply my user account PW, thanks to my TouchID-enabled PW manager.

I'm not so fortunate to have the Touch ID button. My primary use of sudo is in shell scripts, so the NOPASSWD option comes in very handy. Also, not even root can change or install anything in /System or /System/Library (plus other normally hidden system folders) on the two latest iterations of macOS.



When in doubt, mumble
 
Posts: 10784 | Location: South Congress AZ | Registered: May 27, 2006
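
The NOPASSWD trade-off debated in the posts above, as an added example that is not from any poster: a small sudoers auditor that separates a blanket `NOPASSWD: ALL` grant from one scoped to a single script, and reports any `timestamp_timeout` setting. The sample file, the `backup` user and the script path are constructed; the parser assumes one host per rule, does not expand aliases and does not follow include directives.

```python
import re

# Constructed sample. The third rule is the line quoted in the thread (a leading
# % names a group); the fourth is a narrower grant for a hypothetical script.
SAMPLE = r"""
# /etc/sudoers (constructed)
Defaults timestamp_timeout=5
%admin        ALL=(ALL) ALL
%accountname  ALL=(ALL) NOPASSWD: ALL
backup        ALL=(root) NOPASSWD: /usr/local/bin/nightly-backup.sh, \
                         PASSWD: /sbin/reboot
"""

TAG = re.compile(r"^(NOPASSWD|PASSWD):\s*")   # only the password tags are tracked
RUNAS = re.compile(r"^\(([^)]*)\)\s*")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join backslash-continued lines and drop blank ones."""
    joined = re.sub(r"\\\n\s*", "", text)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]

def audit(text):
    """Return ([(who, runas, command, needs_password), ...], [timeout minutes, ...])."""
    grants, timeouts = [], []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            m = re.search(r"timestamp_timeout\s*=\s*(-?[\d.]+)", line)
            if m:
                timeouts.append(float(m.group(1)))  # negative means never expires
        if line.startswith(SKIP) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        who = lhs.split()[0]
        runas, needs_pw = "root", True  # sudo's behaviour when a rule states neither
        # Split the command list on commas that are not inside a (runas) group.
        for item in re.split(r",(?![^()]*\))", rhs):
            item = item.strip()
            m = RUNAS.match(item)
            if m:
                runas, item = m.group(1), item[m.end():]
            # A tag applies to its command and to the ones after it until overridden.
            while (m := TAG.match(item)):
                needs_pw, item = m.group(1) == "PASSWD", item[m.end():]
            grants.append((who, runas, item, needs_pw))
    return grants, timeouts

def risky(grants):
    """Grants that hand out every command with no password prompt."""
    return [g for g in grants if g[2] == "ALL" and not g[3]]

if __name__ == "__main__":
    found, minutes = audit(SAMPLE)
    print("timestamp_timeout values:", minutes)
    for who, runas, cmd, _ in risky(found):
        print(f"blanket passwordless grant: {who} may run {cmd} as {runas}")
```

On the sample, only the `%accountname` rule is reported; the `backup` rule skips the prompt for one script and still asks for a password before `/sbin/reboot`.
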
Member
posted:
I use both PC and Mac the same way: single user account with Admin rights. I’m comfortable with that risk because I use a VPN for my router, have antivirus and antimalware software, and regularly update and patch. I also have a limited number of trusted sites I go to.

I also have a Linux box on its own network and elevate using sudo only when I need to, and if I know I need to go somewhere on the dirty internet I run an amnesiac distro/LiveUSB (TAILS) anyway.

This may be contrary to best practices, but it’s simple enough for me to manage.


Please support the SF "Help Mike!" campaign to raise legal fees for a 72 year old Texas teacher and hobby rancher who had 6 forgotten 9mm rounds in his checked luggage leaving T&C and faced 12 years in prison and $50k legal fees at https://fundrazr.com/b2KZgc.
 
Posts: 2023 | Location: New Mexico | Registered: April 24, 2008

© SIGforum 2024