
| Subject: | Re: disclosure the administrative password |
|---|---|
| Date: | Mon, 07 Feb 2005 21:46:13 -0800 |
Thank You,
-Mike
d.pigna@email.it wrote:
Hi Boris
What about something like:
1) Create a WorkstationAdmin who has admin privileges on workstations (local admin), and NOT on servers, Active Directory, network folders, etc...
This will ensure, if the password is compromised, that only your workstations will be at risk.
2) If you have several OUs and several Local Administrators/Supervisors, create different WorkstationAdmins.
Again: the lowest number of machines compromised in case someone gets this password.
3) Change this password (or these passwords) EVERY DAY. Or every hour.
A question from my side, now.
How many times are these operations performed every day?
Everyday operations have to be easy and fast. In this case, I suggest you give your Supervisors a wide range of "freedom".
Otherwise you'll get a call every time a normal maintenance operation is performed on a remote, lonely and unuseful machine (something you don't want to happen).
It's better to have 5 workstations compromised every year - that need to be reinstalled - than 50 calls every day.
How many workstations/LocalAdmins do you have???
Is there a REAL security risk in your environment? Who can be really dangerous for you? If you're at risk, and you have to protect sensible information, you'll need to give up on usability, and go for the security (i.e. change LocalAdmins passwords everyday).
If you don't have something really important to protect... c'mon, just make LocalAdmin life easy.
If you're managing 10.000 machines in a high school, what data are you trying to protect on every single workstation? PPT files for the art teacher and some stupid videos downloaded by students?? ;-)
Let them play, and mess up!
It could be nice to have a final report on this question...
Something that will put together all these suggestions and try to line out a security model (from very weak to very strong) for different security needs.
Hope this helped. Davide
Boris Skoblo wrote:
Hi All,
There is a usual situation: on normal users' computers (W2k and WinXP) an administrator should perform administrative actions
(for example, with the help of RunAs), and thus the administrative password is entered. There is a potential possibility that on the user's computer
there is a keylogger.
What ways exist to perform administrative operations without risking disclosure of the administrative password? There are some limitations:
1. usage of smart cards and other hardware devices is not applicable.
2. the performed operations cannot be delegated for various reasons
3. the keylogger is custom designed and no existing protective software detects it yet
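The scheme Davide outlines (a workstation-only admin account per OU, with its password rotated on a schedule so that a keylogged password exposes as few machines as possible and for as short a time as possible), as an added PowerShell example that is not part of the thread. It assumes a management host with the ActiveDirectory module and PowerShell Remoting to the workstations; the OU path and account name are placeholders, and the local-account cmdlets used are the current ones rather than anything available on the W2k/XP hosts in the original question.

```powershell
# Added example (not from the thread): rotate a per-OU "WorkstationAdmin" local account
# on every workstation in one OU. Run it from a management host, not from a user's
# workstation, so the new password is never typed where a keylogger could see it.
param(
    [string]$OU          = 'OU=Workstations,OU=Lab,DC=example,DC=local',  # placeholder OU
    [string]$AccountName = 'WorkstationAdmin',                             # placeholder name
    [int]$Length         = 20
)

Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length)
    # 64-character alphabet: with a power-of-two alphabet, "byte mod 64" is unbiased.
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!-')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# One password per OU (Davide's point 2): a leak exposes only this OU's workstations.
$plain = New-RandomPassword -Length $Length

$workstations = Get-ADComputer -Filter * -SearchBase $OU |
    Select-Object -ExpandProperty DNSHostName

foreach ($ws in $workstations) {
    try {
        # The WinRM session is encrypted; the password is converted on the target.
        Invoke-Command -ComputerName $ws -ArgumentList $AccountName, $plain -ScriptBlock {
            param($Name, $PlainPwd)
            $pwd = ConvertTo-SecureString $PlainPwd -AsPlainText -Force
            # Create the local account on first run, otherwise just reset its password.
            if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
                New-LocalUser -Name $Name -Password $pwd -PasswordNeverExpires | Out-Null
                Add-LocalGroupMember -Group 'Administrators' -Member $Name
            } else {
                Set-LocalUser -Name $Name -Password $pwd
            }
        }
        Write-Output "$ws rotated"
    } catch {
        Write-Warning "$ws failed: $($_.Exception.Message)"
    }
}
# Hand $plain to your password vault here (placeholder); it is never written to the console.
```

Schedule it as a daily (or hourly, per Davide's point 3) task under an account that is only allowed to manage workstations, so that neither the rotation account nor the rotated password is worth much to anyone who captures it.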