Network Security Focus-Microsoft
Re: Password Protected Screen Saver and Administrative Password

Subject: Re: Password Protected Screen Saver and Administrative Password
Date: Wed, 9 Feb 2005 12:38:28 -0800
In line:

----- Original Message ----- From: "Tom Milliner" <tom.milliner@verizon.net>
To: "'Thor (Hammer of God)'" <thor@hammerofgod.com>; <focus-ms@securityfocus.com>
Sent: Wednesday, February 09, 2005 12:03 PM
Subject: RE: Password Protected Screen Saver and Administrative Password



That is exactly what I am saying.

GoToMyPc allows this vendor to easily set up access to their
clients' servers.  GoToMyPc is very simple to set up and
bypasses firewalls (therefore, users could easily set this up
on their desktop in order to access their desktop from home).

At any rate, the vendor uses GoToMyPc, which is password
protected and reasonably secure.

The server in question is a member server which must be
connected to the domain.  It does have user accounts.  I
suppose I can try to set up a domain user other than the
domain administrator to log on to it, and then the screen
saver password would belong to that domain user.  I may
try this.

This is your best bet, and solves your problems. Make sure you give the user "log on locally" rights, as this is a server, and by default, a domain user won't be able to log on to the console.


Normally, for ease of use, I log on to all 7 servers as the
domain administrator.  They all run 24x7 and serve in
different capacities.  The one used by the vendor is a
Windows 2000/SQL 2000 box which runs our membership
and accounting databases.  The idea of logging on as a
normal user (with special permissions, perhaps) may
present some interesting challenges (I'm wondering if it
will work...maybe I can test it on a weekend).

Unfortunately, many vendor solutions require local admin permissions to run properly. Paragon for example, a real estate package you may be aware of (given your business) is one of these. Very poor programming, but that's the reality of it (hahaha-pun intended). Normally in these cases, where a local user needs admin access to run a program, I'd have RunAs set up, but that prob won't work for you here. Even if you have to make the domain user a member of that box's local admin group, it would be far better than what you're doing now. The best practice is to create a user that only has the minimum permissions needed to perform the task. It may take a few more minutes to create the account properly, but your security posture is far better.


From a simplicity standpoint, it would help if there was
a separate and distinct screen-saver password available.
For instance, let's say the screen-saver is locked, but the
administrator is away and simply needs a consultant to
perform a task on the server.  I'd want to give the
consultant a non-administrator password for that type of
task.

Ain't gonna happen in the same interactive session, as it shouldn't from a security standpoint. The closest functionality is RunAs, which you should use if possible. Ideally, you would not have admin accounts logged onto the console in the first place on any of the other servers: you would log in and out as needed. Password protected screen savers are not a good replacement for the logon process as things like password lockout are not implemented there, but that's another story.


t




Tom Milliner, CPA, MCSE
Director of Network Services
MetroTex Assc of Realtors
8201 N. Stemmons Frwy
Dallas, TX 75247
www.dfwrealtors.com
mail to: tomm@dfwrealtors.com
(214) 540-2741


-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
Sent: Wednesday, February 09, 2005 12:42 PM
To: tom.milliner@verizon.net; focus-ms@securityfocus.com
Subject: Re: Password Protected Screen Saver and Administrative Password

I think the suggestion of a local admin was for the remote vendor, not
the trusted co-worker... It is hard to tell, as the request is somewhat
confusing...

If I understand correctly, you log into the member server as the domain
administrator, letting the screen saver lock after 60 minutes since it
is in a common area.  You have a remote vendor that uses GoToMyPC to
perform maintenance on your server, but you do not want to give them the
domain admin password-- rather, you want them to have to ask first,
allowing you to track access, even though when you unlock the screen,
they have full access to not only the member server, but the rest of
your entire network as a domain administrator.  When you are not there,
you want to have a different person, the "trusted co-worker" unlock the
screen for the vendor, but you don't want him to have the domain admin
password either-- rather, you want him to be a normal user, but unlock
the password locked screen saver to resume the domain administrator
interactive logon session.

Is this really what you are saying?

T


----- Original Message ----- From: "Tom Milliner" <tom.milliner@verizon.net>
To: "'Patton Roub'" <proub@state.wy.us>; <focus-ms@securityfocus.com>
Sent: Tuesday, February 08, 2005 6:11 PM
Subject: RE: Password Protected Screen Saver and Administrative Password



The vendor has a lot of customers and routinely uses
GoToMyPC for support.  In an ideal world for the vendor,
there would be no password protected screen-saver to
deal with.  In other words, they could log on as needed
(different time zones) to do maintenance.  The screen-
saver actually is a disruption to them, but since the
server is in a common area, I use it.  I also use it
so that I can keep track of the vendor's maintenance
(if something breaks after they log on, then I may
want to call them)...they have to ask us to unlock the
screen-saver.

When I am not there, a trusted co-worker needs to be
able to unlock the screen-saver.

I am not understanding the suggestions to make the
trusted co-worker a local administrator.  Since the
server is a domain member server, I log on as the
domain administrator.  Then it goes to password
protected screen-saver after 60 minutes of inactivity.
I know it needs an administrator's password to unlock
the screen-saver.  I have assumed that meant my domain
administrator password instead of a local administrator
password.  I will test this tomorrow at work.