Fire whoever is doing the snooping. Enforce a policy that prohibits
use of the local administrator account (change local password) and
force the helpdesk personal to authenticate with their own accounts to
do administrative maintenance by creating a new domain group, adding
them to that group, and give that group local admin rights on the
machines. Alternatively, create a new account with local admin rights
for each user and have them log in with that when needed. Strip away
all domain/enterprise administrator rights away from everyone and
entrust the account to a System/Network Administrator. This is
someone you absolutely HAVE to trust in this kind of environment. The
administrator should log in with his own, basic account and elevate to
Administrator rights only when needed. Enable auditing on the local
machines and the file server and you will have a basic access log with
a username and time/date stamp for all audit enabled files.
Additionally audit active directory and local machine users/groups to
monitor improper account escalation or created accounts.
Documents should be stored on the server with ACL structured to permit
only those authorized, locking out IT help desk (this excludes the
Network Administrator.) Documents that must be stored locally, such
as remote environment machines, laptops, etc, should be stored in a
folder with the Encryption attribute set. This will limit access to
the owner of the machine and the Network Administrator. If you
absolutely cannot trust the Administrator, you should fire him and
hire a new one with a NDA signed.
Alternatively, if you're on a budget or restricted on options, you may
encrypt the documents with a reliable encryption program. I recommend
AxCrypt as it is opensource, trusted, and supports direct application
opening on double clicking an encrypted file (open encrypted excel
file and AxCrypt will automatically decrypt and open document in
excel.) AxCrypt is available freely at
http://www.axantum.com/AxCrypt/.
On Nov 25, 2007 1:24 PM, WALI <hkhasgiwale@gmail.com> wrote:
It's a catch 22 situation and I need to make our Windows Xp workstations
appropriately secure. Secure from rogue Helpdesk personnel as well as
network admins.
The HR guys are complaining that their 'offer' letters to prospective
employees and some of the CVs that they recieve are finding their way into
unwanted hands. I suspect both HR application vulnerability, for which I am
undertaking some vulnerability analysis but I also need to protect the PCs
that belong to Dept. of HR employees from rogue IT guys.
Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the day.
2. Change all Local Admin passwords so that even IT helpdesk/other doesn't
know them.
3. Advise HR guys to assign passwords to their excel/word files.
3. Do not create shares off c drive giving 'everyone' access.
But...because they are all connected to Windows 2003 domain, I still risk
someone from domain admin group to be able to start C$/D$ share and browse
into their c: drive, what should I do?
Also, it's easy to crack open xls/doc passwords, what else can be done?
Alternatively, Is there an auditing on PC that can be enabled to track/log
incoming connections to C$ and pop up and alert whenever someone tries it
out from a remote machine.
Pls advise!!
--
Mark Owen
