Home page logo

basics logo Security Basics mailing list archives

Re: Securing workstations from IT guys
From: rohnskii () gmail com
Date: 26 Nov 2007 22:19:20 -0000

Others have already made most of the appropriate suggestions, so lets take a look at some of the issues associated with 
your original ideas:

Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the day.
2. Change all Local Admin passwords so that even IT helpdesk/other doesn't
know them.
3. Advise HR guys to assign passwords to their excel/word files.
4. Do not create shares off c drive giving 'everyone' access.

#1- PC Shutdown has limited value against an IT insider because some newer PC/NIC combinations allow the PC to be 
powered on from the network to allow administrative work, ie patching.  Shutting down, or at least enabling & password 
locking the screensaver will prevent casual passer-by's (ie janitor) from using PC to steal info.  I don't think that 
anyone has mentioned yet that anyone with physical access to a PC can easily bypass the basic Windows password 
protection (another very good reason for not allowing local storage of sensitive data).

Also, I read an article about a company that implemented a policy and procedure to remotely (from the network) shut 
down all company PC's after work hours.  They did it as a cost saving measure, estimated to save them tens of thousands 
of dollars a year in electricity alone.

#2 If IT does not know the local admin password, how can they do their job, patching & maintaining the PC.  
Realistically, there shouldn't be any HR related applications that absolutely require end users to use the Admin ID to 
do their job.  And there is no other reason for user to know admin password.

#3 Using M$ Excel / Word passwords is ineffective.  Their implementation of encryption is very weak.  There are many 
tools for cracking them available on the internet.  Again, that type of password is only adequate protection from the 
"average" user, not from an informed thief, whether they work in IT or not.

An option I haven't seen mentioned yet is to store the sensitive documents offline.  Put them on a device that can 
easily be unplugged, ie a USB drive and lock them up at night.  If it is off line, no one (authorized or not) can 
access it.  Note, it has to be securely locked up because average office desks and file cabinets can be picked in no 
time flat.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]