I was planning to bring you Security 101: Part 3 today, wrapping up our intro to the MS SDL and looking forward to some more contemporary developments, and that's all simmering away quite nicely on that burner at the back; but this rather embarrassing (for me) little gem just cried out to be shared first.
Last week I was having some trouble trying to use Remote Desktop to get some work done from home. It simply didn't work at all. Having just switched from Virgin Media to Sky Broadband, I let my suspicions fall on my new wireless router. A more than cursory search of the forums seemed to bear this out, with many people apparently reporting a sudden cessation of RDP functionality immediately on switching to Sky.
Still, Sky for their part denied blocking anything other than a few server types. Also, more than one colleague reported experiencing no such difficulty with the Sky router.
Then our illustrious IT Department, which I would describe not so much as "continually improving" recently, more "maturing in a pubescent thunderclap", heard of my difficulty, and as we all have come to expect, solved it in a few milliseconds by pointing at the PC and incanting "Klaatu, barada, nikto". This, I am reliably informed, translates as "You have disabled, Remote Desktop, you plonker."
I hadn't, not exactly; but by some update mechanism as yet unidentified, whether Microsoft's or ours, it had indeed recently become disabled on my PC. Once re-enabled it worked perfectly, which was all very fine, and certainly embarrassing enough already, had that been the point of this sorry tale.
Fetch Me My Donkey's Ears
What was much, much worse than this, was what IT discovered when testing my newly re-enabled RDP, which could be loosely phrased as, "Did I say plonker? Not strong enough. You have never had anti-virus on this machine."
At this point IT withdrew, to let my conscience and me reflect on what we had learned here today. Obviously, I could display my loyalty and commitment to the company, by protecting this highly sensitive secret, that the appointed security researcher had been unmasked as a complete fraud. It wasn't too late to
- install AV,
- put my hands in my pockets,
- whistle insouciantly, and
- walk away.
But just look at the security colander described above. What if someone else were to log on to my PC (perfectly legitimately, using their own network credentials), and perform a slightly risky operation on the web, assuming that the local machine was fully protected? Or, what about the flagrant disregard of my much-trumpeted Security Strategy? After all, I must have ignored a notification to install the correct AV software, incorrectly and unsafely assuming that was something already done for me by others, in preparing this PC for first use.
Well, at least I put that part right, and pronto.
Q: What more can I say?