![]() ![]() ![]() If you use a domain account (because you need to access domain resources), it should be a unique account just for the actual user. To mitigate exposure, use an "admin" account that local to the PC, not a domain account. If you choose to do this, NEVER use domain admin credentials. The other problem is that the application runs in the other user's context, meaning that when you go to save downloaded files from IE, IE will access resources as the other user, not the actual user. The problem is that the other user's credentials are cached in the user's profile, which provides an avenue of privilege escalation for other applications. It is possible to create a shortcut that uses cached credentials of another user (such as a user with admin rights).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |