Home page logo

basics logo Security Basics mailing list archives

Re: Securing workstations from IT guys
From: Tremaine Lea <tremaine () gmail com>
Date: Mon, 26 Nov 2007 12:23:28 -0700

It sounds like you have generic domain admin accounts - I'd change that immediately, and create what are called 99 accounts. Normally a user would log in with user.name which provides them with the usual domain user privileges. If they require domain privileges for any reason, they need to log in with username99. This change in addition to detailed logging will create accountability and tracking that can be used to enforce policy.

As someone else has suggested, do not allow users to store sensitive documents locally. These documents should be stored on a separate server that requires authentication. Logging accesses to HR documents would clearly be a good idea to track changes and ownership.

Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"

On 25-Nov-07, at 11:24 AM, WALI wrote:

It's a catch 22 situation and I need to make our Windows Xp workstations appropriately secure. Secure from rogue Helpdesk personnel as well as network admins. The HR guys are complaining that their 'offer' letters to prospective employees and some of the CVs that they recieve are finding their way into unwanted hands. I suspect both HR application vulnerability, for which I am undertaking some vulnerability analysis but I also need to protect the PCs that belong to Dept. of HR employees from rogue IT guys.

Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the day. 2. Change all Local Admin passwords so that even IT helpdesk/other doesn't know them.
3. Advise HR guys to assign passwords to their excel/word files.
3. Do not create shares off c drive giving 'everyone' access.

But...because they are all connected to Windows 2003 domain, I still risk someone from domain admin group to be able to start C$/D$ share and browse into their c: drive, what should I do?

Also, it's easy to crack open xls/doc passwords, what else can be done?

Alternatively, Is there an auditing on PC that can be enabled to track/log incoming connections to C$ and pop up and alert whenever someone tries it out from a remote machine.

Pls advise!!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]