<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.3314" name=GENERATOR>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Appeal to them with language that they understand.
Since they don't seem to<BR>be as technical as you are, appeal to them with a
financial and/or legal<BR>liability argument. Managers understand liability and
the bottom line.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>----- Original Message ----- <BR>From: Daniel
Sichel <BR>To: <A
href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk</A>
<BR>Sent: Thursday, May 22, 2008 12:51 PM<BR>Subject: [Full-disclosure] Need
some help with management</FONT></DIV>
<DIV> </DIV><FONT face=Arial size=2>
<DIV><BR>My management here wants to put a server on our LAN, not administered
by us<BR>(the IT department) and use a share on it to serve files and data to
our<BR>workstations. They do not understand why having a server with a
file share<BR>that is NOT part of our secure infrastructure represents a threat
to the<BR>computers accessing it. Keep in mind this is an all Windows network.
Sooo,<BR>if you guys can succinctly explain why having a trusted computer trust
an<BR>untrusted computer is a problem, that would be helpful. Keep in mind we
are<BR>talking to management here. It’s kind of like trying to explain why,
when<BR>you are in the United States, it’s a bad idea to drive on the left
hand<BR>side of the road. It’s just so basic it’s not documented anywhere.
So,<BR>please help me explain why NetBIOS and file shares on machines not
within<BR>your network are bad ideas.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Thanks,</DIV>
<DIV>&nbsp;</DIV>
<DIV>Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)</DIV>
<DIV>Network Engineer</DIV>
<DIV>Ponderosa Telephone (559) 868-6367</DIV>
</FONT></BODY></HTML>