Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Password Protected Screen Saver and Administrative Password

from [Tom Milliner] Network Security [Permanent Link]
Subject: RE: Password Protected Screen Saver and Administrative Password
Date: Wed, 9 Feb 2005 14:03:41 -0600 
That is exactly what I am saying. 

GoToMyPc allows this vendor to easily setup access to their
clients' servers.  The GoToMyPc is very simple to setup and
by-pass firewalls (therefore, users could easily set this up
on their desktop in order to access their desktop from home).

At any rate, the vendor uses GoToMyPc, which is password
protected and reasonably secure.

The server in question is a member server which must be
connected to the domain.  It does have user accounts.  I
suppose I can try to setup a domain user other than the
domain administrator to logon to it, and then the screen
saver password would belong to that domain user.  I may
try this.

Normally, for ease of use, I logon to all 7 servers as the
domain administrator.  They all run 24x7 and serve in 
different capacities.  The one used by the vendor is a
Windows 2000/SQL 2000 box which runs our membership
and accounting databases.  The idea of logging on as a
normal user (with special permissions, perhaps) may 
present some interesting challenges (I'm wondering if it
will work...maybe I can test it on a weekend).


From a simplicity standpoint, it would help if there was

a separate and distinct screen-saver password available.
For instance, let's say the screen-saver is locked, but the
administrator is away and simply needs a consultant to
perform a task on the server.  I'd want to give the 
consultant a non-administrator password for that type of
task.


Tom Milliner, CPA, MCSE
Director of Network Services
MetroTex Assc of Realtors
8201 N. Stemmons Frwy
Dallas,  TX  75247
www.dfwrealtors.com
mail to: tomm@dfwrealtors.com
(214) 540-2741
 

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com] 
Sent: Wednesday, February 09, 2005 12:42 PM
To: tom.milliner@verizon.net; focus-ms@securityfocus.com
Subject: Re: Password Protected Screen Saver and Administrative Password

I think the suggestion of a local admin was for the remote vendor, not
the 
trusted co-worker... It is hard to tell, as the request is somewhat 
confusing...

If I understand correctly, you log into the member server as the domain 
administrator, letting the screen saver lock after 60 minutes since it
is in 
a common area.  You have a remote vendor that uses GoToMyPC to perform 
maintenance on your server, but you do not want to give them the domain 
admin password-- rather, you want them to have to ask first, allowing
you to 
track access, even though when you unlock the screen, they have full
access 
to not only the member server, but the rest of your entire network as a 
domain administrator.  When you are not there, you want to have a
different 
person, the "trusted co-worker" unlock the screen for the vendor, but
you 
don't want him to have the domain admin password either-- rather, you
want 
him to be a normal user, but unlock the password locked screen saver to 
resume the domain administrator interactive logon session.

Is this really what you are saying?

T


----- Original Message ----- 
From: "Tom Milliner" <tom.milliner@verizon.net>
To: "'Patton Roub'" <proub@state.wy.us>; <focus-ms@securityfocus.com>
Sent: Tuesday, February 08, 2005 6:11 PM
Subject: RE: Password Protected Screen Saver and Administrative Password



The vendor has a lot of customers and routinely uses
GoToMyPC for support.  In an ideal world for the vendor,
there would be no password protected screen-saver to
deal with.  In other words, they could log on as needed
(different time zones) to do maintenance.  The screen-
saver actually is a disruption to them, but since the
server is in a common area, I use it.  I also use it
so that I can keep track of the vendor's maintenance
(if something breaks after they log on, then I may
want to call them)...they have to ask us to unlock the
screen-saver.

When I am not there, a trusted co-worker needs to be
able to unlock the screen-saver.

I am not understanding the suggestions to make the
trusted co-worker a local administrator.  Since the
server is a domain member server, I logon as the
domain administrator.  Then it goes to password
protected screen-saver after 60 minutes of inactivity.
I know it needs an administrator's password to unlock
the screen-saver.  I have assumed that meant my domain
administrator password instead of a local administrator
password.  I will test this tomorrow at work.






---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Password Protected Screen Saver and Administrative Password, Thor (Hammer of God)
Next by Date:  Re: SAM encripted with syskey, Olaf Reitmaier
Previous by Thread:  Re: Password Protected Screen Saver and Administrative Password, Thor (Hammer of God)
Next by Thread:  Re: Password Protected Screen Saver and Administrative Password, Thor (Hammer of God)
Indexes:  [Date] [Thread] [Top] [All Lists]