RE: Windows Vista Power Management & Local Security Policy
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: RE: Windows Vista Power Management & Local Security Policy
- From: "Good Securitypractice" <goodsecuritypractice@xxxxxxxxx>
- Date: Wed, 23 Jul 2008 13:16:06 -0400
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type:content-transfer-encoding :content-disposition; bh=8WVTQ45V6fLz1uoCZZUeKPA8rtI3O9C1PnP32lZNSiU=; b=H7NRekYeA94xgy+XwAxJAY+87ksHZNdkyVRxpLNRq2WzxWxgf6M5rXvLcc6SVoVfR8 v6XYdgVP4e+7NsEivcCUWC0hmD7VEIbhgSVDj5O0ChyPmeCcaeWlDtah/YlR/b1mOgkx PbQ4PaLjEr7sN/nhJ6Bg65N1VXEMMc+COWqqg=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition; b=rOYS52T0fHFvTr5EfSUSXd6e2r7KGSls4ObHdywnHIIgYuBvadS9VIZbeqDbwTdz+j CQ6ilm1VHq+5EMGXRdVMJA5B8w2ZraXnSG/fSlV1oa/IaVk0v+hNxtAKJwVyFFmZkbMT 6oQXom8KlcVGftY/ZlmNwQXGVkQJMwV6zXpY0=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
People in this discussion have been focusing on the technical aspects
rather than the people aspect.
The current power management system is MUCH more secure because people
do not have to be given an account on the machine for them to shut it
down.
This is helpful when an admin can not get to a machine that has to be
gracefully shutdown because of an impending power outage or
thunderstorms. This can be a home computer, a computer in a dorm
room, a server in a hosting environment etc.
This is also very helpful in a kiosk environment where no one at the
place can be trusted with usernames and passwords to the computer.
As an example the computer operators in our server room do not have a
username or password on the servers but can gracefully bring them down
by pressing the power button. Not having a username and password
shared amongst multiple operators or giving multiple operators access
to a server is not a good security practice either, especially on
sensitive computers.
Some people will say physical access is enough to compromise security
but we have cameras that record any unauthorized physical tampering.