Tuesday, August 01, 2006

Consultants - Beware

I was gob-smacked yesterday, dealing with a third party for one of my customers.

Without going into too much depth, my customer purchased a package from this 3rd party.

However it appears that security just doesn't matter with this company.

All of the users will need Admin rights (WHY??). Well, it just can't run without it, and it doesn't matter!!!!!

Next came the query of why the last rule on the firewall is Deny (everything), and the question of whether there is not an allow-any rule. This was really the end of the whole thing. You tell me you have these rules set up on firewalls you set up that say if it doesn't match the rules laid out then let the traffic in and out. What is the point of having a firewall?

As for the admin rights, I explained to them that the biggest reason is that users should not need admin rights to work, and up until their package was installed they didn't. If users have admin rights, before you know what is going on you end up with issues everywhere: viruses, Trojans etc., all installed because the user could. The answer: "Well, that is why you have anti-virus."

Beware: these idiots are out there, and they are probably at a network near you.

If the company you use for IT support has a firewall rule that says allow all (or any), line up the firing squad. Ask them to show you the next time they are in!!!
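One way to do that check yourself on a Linux firewall, as an added example that is not part of the original post: it flags chains where traffic matching no specific rule is still allowed. It assumes an iptables firewall and the text output of `iptables-save` (the post names no product); the `audit` function and both sample rulesets are constructed for illustration.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}                 # targets that end rule evaluation
NARROWING = {"-s", "-d", "-p", "-i", "-o", "-m", "-f"}  # match options iptables-save emits

def audit(ruleset, chains=("INPUT", "FORWARD", "OUTPUT")):
    """Report built-in filter chains where traffic matching no specific rule is allowed."""
    # Simplification: jumps into user-defined chains are not followed.
    policy, closing, table = {}, {}, None
    for n, line in enumerate(ruleset.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):
            name, pol = line[1:].split()[:2]
            policy[name] = pol
        elif line.startswith("-A "):
            tok = shlex.split(line)
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            # The first unconditional terminal rule decides the fate of all leftover traffic.
            if target in TERMINAL and not NARROWING.intersection(tok):
                closing.setdefault(tok[1], (target, n))
    findings = []
    for chain in chains:
        if chain in closing:
            target, n = closing[chain]
            if target == "ACCEPT":
                findings.append(f"{chain}: line {n} is an allow-any rule")
        elif policy.get(chain) == "ACCEPT":
            findings.append(f"{chain}: default policy ACCEPT and no closing deny rule")
    return findings

# Constructed sample: specific rules followed by an allow-any fallthrough.
WEAK = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""
# Corrected form of the same ruleset: default-deny policies and a closing DROP.
FIXED = WEAK.replace(" ACCEPT [", " DROP [").replace("-A INPUT -j ACCEPT", "-A INPUT -j DROP")
if __name__ == "__main__":
    for name, rs in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit(rs) or "no allow-any fallthrough")
```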

