derek
@derek@infosec.pub
- Comment on How do I make a domain account on Windows have administrative privileges to use a particular app? 1 week ago:
There’s some good advice in the comments already and I think you’re on the right track. I’d like to add a few suggestions and outline how I think about the problem.
Ask if the vendor has installation administrator guides, whitepaper, training material, etc. If yes: ask that they send it to you. You may also be able to find these on the vendor’s website, customer portal, or a public knowledgebase / PDF repo.
I would want to know three things.
- How do users authenticate through the application?
- What are all of the ways users may access the application (local only, remote desktop, LAN only, full server/client model)?
- Does the vendor have any prescribed solutions for defining who has access to the application, at what privilege level, with access to what features?
i.e. What parts of the user access, authenticate, authorize pipeline do application admins or system admins have control over and how can we exercise that control?
Based on some context I assume this is installed on a Windows machine, that the app is reading from Active Directory using RADIUS or LDAP for user auth, and that people are physically logging into the machine.
If this is the only method of authentication then I would gate the application with a second account for each employee who requires access for business reasons defined in their job description (or as close as you can get to that level of justification - some orgs never get there). You can then control who has access to the machine via group policy. Once logged in the user can launch the application with their second account (which would have the required admin access) via “Run as…” or whatever other methods you’d prefer. No local admins logging in directly and yet an application which users can launch as admin. Goal achieved.
This paradigm lets us attempt balancing security concerns with user pain. The technically literate and daringly curious will either already know or soon discover they can leverage this privilege to install software and make some changes to the system. The additional friction, logging, and 1:1 nature of the account structure make abusing this privilege less attractive and more easily auditable if someone does choose the fool’s path.
I can imagine more complex setups within these constraints but they require more work for the same or worse result.
Ideally you run the app with a service account and user permissions are defined via Security Groups whose level of access is tied to application features instead of system privs. There are other reasonable schemes. This one is bog standard and a decent default sans other pressures.
If other methods of auth are available (like local, social, cloud, etc) then you’ll have more decent options. I would define the security objectives for application access, define the user access objectives from the Organization’s perspective, and then plot each solution against those two axes (napkin graphs - nothing serious). Whichever of the top three is the least administratively burdensome is then selected as my first choice for implementation with the other two as alternatives.
An aside: unless there is only one reasonable choice most folks find one option insufficient, two options difficult to decide between, and four options as having one option too many - whenever possible, if another party’s buy-in is desired, present either three options or three variations on one option. This succeeds even when the differences are superficial, especially when the subject is technical, and 2x if the project lead is ignorant of the particulars. People like participating.
I’d then propose these options to my team/direct report/client, decide on a path forward together, and plan the rest from there. There’s more to consider (again dependent on org maturity) but this is enough to get the project oriented and off the ground.
Regarding FOSS alternatives: you’re likely locked in with the vendor’s proprietary software for monitoring the cameras. There are exceptions but most commercial security system companies don’t consider interoperability when designing their service offerings. It might be worth investigating but I’d be surprised if you find any third party solutions for monitoring the vendor’s cameras which don’t require either a forklift replacement of hardware, flashing all of the existing hardware, or getting hacky with the gear/software.
I hope this helps! <3
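An added example, not part of the comment above: one way to audit the 1:1 secondary-account scheme it describes, by checking that each admin account's credentials are only supplied by its paired user and only on the application host. The `-adm` naming convention, the host name `CAMHOST01`, and all sample records are assumptions constructed for illustration.

```powershell
# Assumptions (hypothetical): secondary accounts are named "<user>-adm" and
# the application lives on a single host called CAMHOST01.
$AdminSuffix = '-adm'
$AppHost     = 'CAMHOST01'

# Constructed sample records shaped like Security event 4648 ("A logon was
# attempted using explicit credentials"). SubjectUserName is the logged-on
# user, TargetUserName the account whose credentials were supplied.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01 09:02'; Computer = 'CAMHOST01'; SubjectUserName = 'jdoe';   TargetUserName = 'jdoe-adm' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01 11:40'; Computer = 'CAMHOST01'; SubjectUserName = 'asmith'; TargetUserName = 'jdoe-adm' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-02 08:15'; Computer = 'WKS-042';   SubjectUserName = 'blee';   TargetUserName = 'blee-adm' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-02 08:30'; Computer = 'CAMHOST01'; SubjectUserName = 'blee';   TargetUserName = 'svc-backup' }
)

function Find-SecondaryAccountMisuse {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $Suffix = '-adm',
        [string] $AllowedHost
    )
    foreach ($e in $Events) {
        $target = [string]$e.TargetUserName
        # Only the per-user admin accounts are in scope for this check.
        if (-not $target.EndsWith($Suffix, [StringComparison]::OrdinalIgnoreCase)) { continue }

        $owner   = $target.Substring(0, $target.Length - $Suffix.Length)
        $reasons = @()
        if ($e.SubjectUserName -ne $owner) {
            $reasons += "credentials used by '$($e.SubjectUserName)', owner is '$owner'"
        }
        if ($AllowedHost -and $e.Computer -ne $AllowedHost) {
            $reasons += "used on '$($e.Computer)' instead of '$AllowedHost'"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Account = $target
                Finding = $reasons -join '; '
            }
        }
    }
}

Find-SecondaryAccountMisuse -Events $SampleEvents -Suffix $AdminSuffix -AllowedHost $AppHost |
    Format-Table -AutoSize -Wrap
```

On a real host the same function can take records read with `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 }`, once the event data fields are projected into the property names used here.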
- Comment on Looking for answers 1 week ago:
Your statement is too vague to convey an actionable suggestion. I’m intrigued by the thought you seem to be hinting at. Would you expand on this, include a recommended method, and reason about why it’s an alternative to violence?
- Comment on If we're living in a simulation, why would the simulation creators allow the sims to ponder and speculate whether or not they live in a simulation? 1 week ago:
Not necessarily. You’re correct that we cannot account for intention. Neither can we assert whether we ourselves are simulated or not. Even if we can prove this reality is simulated we cannot be sure if we are part of the simulation or inserted into it (a la The Matrix) from our current position.
- Comment on Another of God's cruel tricks. 5 weeks ago:
Make a container out of isomalt. Shatter it. Eat the pieces. Laugh in god’s face.
- Comment on How do I get over fear of cooking? 5 weeks ago:
I haven’t experienced what you’re describing. Previous experience suggests exposure is the next step for you. If a cooking class isn’t feasible right now then start with watching some videos online (best if they’re home cooks - you want to watch common cooking of foods you like to eat).
You’re not trying to memorize anything or learn hard skills during this time. You’re only trying to become more familiar with people working in a kitchen so it doesn’t feel as alien and maybe not quite as scary.
Do that regularly for a while. If it’s too much for you: dial it back. You do want to push your boundaries but only when you’re feeling ok about it. Small wins will turn into more small wins and eventually you might be interested in trying to cook something.
If that happens, and I suspect it will, know that it is OK to start cautiously and take your time learning how to use the oven and stove top. Try turning a burner on with no pan or pot on top. Let it get hot. Turn it off. Let it cool down. Repeat that across a few days if the first one helps you.
Once you’re comfortable you should do that practice again and add water to a pan until it’s half full. Once the burner is hot: place your pan of water on top of the stove burner. Let the water come to a boil. Remove the pan from the stove top. Let the pan and water cool down. Note how much water is missing (some of it will have steamed away while boiling). Add that much water back to the pan and practice this again.
You can build your experiences, step by step, with safe extensions and new footholds, until you’re feeling confident about cooking something with the boiling water. You’re going to boil an egg!
Complete your practice again but instead of taking the water off right after it boils: leave it on the burner for 6 minutes. Then remove it and let it cool. Success? Do that again using a pot instead of a pan. Pot half full of water. Grab a serving spoon or similar item. Once the water comes to a boil:
- Lower the burner temperature to half / medium. The water should be moving and steamy but the bubbles should be very gentle or cease. Dropping the egg into actively boiling water may cause the egg to crack prematurely.
- Use the serving spoon to gently place the egg in the center of the boiling water.
- Wait six minutes.
- Remove the pot of water from the burner.
- Turn the burner off.
- Use the serving spoon to lift the egg out of the hot water.
- Run the egg under cold water (this keeps it from overcooking and helps make peeling easier).
- Enjoy your egg.
You can absolutely boil any kind of pasta, lots of vegetables, and almost all starchy foods. Boiling is very safe because the water regulates the temperature for us. So long as there is water in the pot the pot is unable to meaningfully exceed 100 degrees Celsius (the boiling point of water / ~212F). It is very difficult to burn anything or start a fire while boiling water.
Best of luck my friend.
- Comment on What is the food eaten in Close Encounters during the infamous mashed potato scene? 2 months ago:
Toss a message at Scott Reeder (Scott Prop and Roll). I’d bet money he either knows folks who worked that set or knows someone who knows someone. I’ve no idea if he’d respond but he seems chill like that.