RE: Securing workstations from IT guys - topic orginator

["Ramsdell, Scott" <Scott.Ramsdell () cellnethunt com>]

WALI,

I wrote this at a previous position to kill a worm that was connecting
to the admin shares:

< start of VBS >

On Error Resume Next

Dim arrComputers()
inisize = 0
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\KillSharesOn.txt", 1)

Do Until objFile.AtEndOfStream

   ReDim Preserve arrComputers(iniSize)
   arrComputers(iniSize) = objFile.ReadLine
   iniSize = iniSize + 1
  
Loop

objFile.Close

For NDX = 0 to (inisize-1)

strComputer = arrComputers(NDX)

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer &
"\root\cimv2")
Set colShares = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_Share WHERE Name = 'C$' OR Name = 'D$' OR Name
= 'Admin$' OR Name = 'Print$' OR Name = 'IPC$'")
    For Each objShare in colShares
        objShare.Delete
    Next

Next

< end of VBS >

The above reads from the file c:\KillSharesOn.txt.  Obviously, whoever
runs this will need to have admin access on the boxes.  The admin shares
are recreated at boot.  Some software (circa 1995) relies on connections
to the admin shares rather than using RPC, and will break after the
above is run.

Kind Regards,

Scott Ramsdell
CISSP CCNA MSCE

Security Network Engineer


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of WALI
Sent: Sunday, December 02, 2007 1:06 AM
To: security-basics
Subject: Re: Securing workstations from IT guys - topic orginator

Thank for the replies guys and I am amazed at the responses I recieved. 
Would like especially thank the following guys and their sustantive 
suggestion, this in no way implies that other's well less substantive
but 
it's just that I would highlight those that might work in my scenario.

* marc owen -  for his suggestion of secure admin delegation model
* Cory capps -  for his/her suggestion of deploying a DC with EFS keys.
I 
was wondering if deployment of a Windows 2003 DC with IPSEC security be
any 
helpful?
* Tremain Lea - for suggesting username99 option.
* Krymson for highlighting some simple areas that might have been 
overlooked.
* Kurt Buff - for sugesting deployment of SNARE. I feel it might be
helpful 
and make a great central logging place.
* Kurt Kesslar - for suggesting the deployment of absolute minimal
rights 
for IT Staff. Would get back to him for more insights into such design.
* Bert Knabe - again for his suggestion of deploying and monitor
shortname 
accounts and company wide deployed solution, but would love to know 
specifics.
* Scott - for bringing into fore the possibility of one of our Exchange 
admins, who might be abusing email servers.
* Craig Wright's - AGULP Model
* Big Joe Jenkins - The idea of each of our IT admin sign on an AUP and
NDA 
is a valid suggestion and I have already initiated that.
* Micheal Martinez - suggests that we design and formulate a document
for 
appropriate controls.

There was one more thing which I thought someone would throw some more
light 
upon:

1. Disabling default C$/D$/Admin$ shares upon startup on all HR
workstations 
that join the domain. Would this have any adverse effect on the way the
HR 
employees work?

2. Creating a separate domain for HR employees and establishing an 
administrative boundry, assigning only 1-2 well trusted network admins, 
rights on this domain?

It' s a bit hard to find the erring network admin and bring him to book
at 
this point in time, but all I can (as an IT security admin) do is
strengthen 
the controls for making things a bit harder in the future.

Thanks again for all the suggestions.
Rgds


----- Original Message ----- 
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
To: "security-basics" <security-basics () securityfocus com>
Sent: Monday, November 26, 2007 8:31 PM
Subject: RE: Securing workstations from IT guys


Hello,

Give them a share on a file server and set up some file access auditing.
You find this in the same area as the NTFS permissions.
http://support.microsoft.com/kb/310399
Access will be tracked in the event viewer.
With domain admins you can't do much to keep them out (unless money and
staffing is of no concern), but you can audit their access to files.

Here there are files being audited, Snare then forwards event entries to
Kiwi which in turn emails staff on certain criteria. For example, an
email alert goes out when a log entry contains X AND Y.
X being the file/folder name and Y being a user or group in active
directory. Simple but works.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of WALI
Sent: Sunday, November 25, 2007 12:24 PM
To: security-basics
Subject: Securing workstations from IT guys

It's a catch 22 situation and I need to make our Windows Xp workstations

appropriately secure. Secure from rogue Helpdesk personnel as well as
network admins.
The HR guys are complaining that their 'offer' letters to prospective
employees and some of the CVs that they recieve are finding their way
into
unwanted hands. I suspect both HR application vulnerability, for which I
am
undertaking some vulnerability analysis but I also need to protect the
PCs
that belong to Dept. of HR employees from rogue IT guys.

Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the
day.
2. Change all Local Admin passwords so that even IT helpdesk/other
doesn't
know them.
3. Advise HR guys to assign passwords to their excel/word files.
3. Do not create shares off c drive giving 'everyone' access.

But...because they are all connected to Windows 2003 domain, I still
risk
someone from domain admin group to be able to start C$/D$ share and
browse
into their c: drive, what should I do?

Also, it's easy to crack open xls/doc passwords, what else can be done?

Alternatively, Is there an auditing on PC that can be enabled to
track/log
incoming connections to C$ and pop up and alert whenever someone tries
it
out from a remote machine.

Pls advise!!



This electronic transmission is intended for the addressee (s) named
above. 
It contains information that is privileged, confidential, or otherwise 
protected from use and disclosure. If you are not the intended recipient
you 
are hereby notified that any review, disclosure, copy, or dissemination
of 
this transmission or the taking of any action in reliance on its
contents, 
or other use is strictly prohibited. If you have received this
transmission 
in error, please notify the sender that this message was received in
error 
and then delete this message.
Thank you.