Security & Trade Secrets
by Ray Robert
System Administrator
Oregon Board of Medical Examiners
June 9, 2004
The Legislature requires that state agencies use a particular Citrix application to submit budget information. But Citrix' Web client does not run on our agency's W2K workstations unless the user is promoted to a local administrator.
Apparently the application is attempting to access an area of the registry or file system or exercise a privilege that our Windows security template doesn't normally permit to users. No other applications are affected.
The State Cyber Security office lectures me, "[T]his is not a State Cyber Security issue but an internal agency systems administration issue." Apparently, Citrix argues that this is a trade secret, although they are willing to sell consulting time to the State to "debug" the template.
I know where BizNix comes down on the issue. But what about PANUG? Is this a security issue? More generally, what are the obligations of a software publisher?
Feedback to this Article
Russell S. Washington, CCSE, CCSA, NCSA responds:
Organizations both private and public have not only the right but an obligation to responsibly manage their own internal systems. In the case of either, responsibility stems from the need to protect organizational assets from unauthorized destruction or modification, whether intentional or not.
The key to handling these concerns is the imposition of access control. A statement by any party that all users in the organization be granted Administrator (translation: root) access over *anything* amounts to demanding the removal of access control, and immediately makes it an organizational security question rather than a technical one.
With this in mind, no vendor, Citrix or otherwise, has any business dictating organizational security policy to its customers. If the vendor comes back with "well then it just won't work," or "we can bill you for it," I suppose that is their option. But were it in the large organization that I work with today, I think I can fairly state that in your shoes, we would be climbing the food chain of our contacts at Vendor X and putting them on notice that they needed to find a less presumptuous resolution, lest they risk being eventually replaced by a vendor who had not forgotten that it is fundamentally improper for them to dictate internal, and therefore sovereign, security policy to their clients who have their own obligations to execute asset protection.
Ed Sawicki - Tailored Computers responds:
It sounds like this is a user application and not a system admin tool. If so, anyone with basic security skills knows that user applications should not run as a privileged user. So, yes, this is a security issue and I'd go so far as to call it a serious bug.
However, this is just one of many similar security bugs in the Windows world. For example, most Windows users think it's OK to download a security scanner program that's implemented as an ActiveX control from the Internet. What can you do when the users, the managers, and the vendors don't grasp the concepts - the danger?
Job Cacka responds:
Recently, I attended a free seminar at OGI. The subject was Application Security and Threat Modeling. First of all, most of the subject material was above my level of comprehension. There is one point that has stuck with me, however. Ben Hickman mentioned that for about six months he had been running all applications at a user level, and this increased his overall level of security by forcing the application to conform to his security profile.
He said there were many applications that took much tweaking to execute at this level, and he only had encountered one program that required administrator level access to operate. His point was that by restricting himself to user level access he forced his security profile to work for all applications, or remove the application.
It is obvious to me that the software publisher is obligated to provide a program that fits your security profile. An IT manager would be playing the fool to allow software to work outside this policy. IMHO, either change the software or change the policy, and if the policy makes sense, obviously change the software. Even if the software is mandated by the government organization, it will just take longer to implement the change. There is no excuse for sloppy programming (MS?).
The program that required administrator level access? WinAmp.