Security-Basics mailing list
Re: Securing workstations from IT guys

Subject: Re: Securing workstations from IT guys
Date: 26 Nov 2007 22:19:20 -0000
Others have already made most of the appropriate suggestions, so let's take a 
look at some of the issues associated with your original ideas:

<snip>
Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the day.
2. Change all Local Admin passwords so that even IT helpdesk/other doesn't
know them.
3. Advise HR guys to assign passwords to their excel/word files.
4. Do not create shares off c drive giving 'everyone' access.
</snip>

#1 - PC shutdown has limited value against an IT insider because some newer 
PC/NIC combinations allow the PC to be powered on from the network to allow 
administrative work, i.e. patching.  Shutting down, or at least enabling & 
password locking the screensaver, will prevent casual passers-by (i.e. the janitor) 
from using the PC to steal info.  I don't think that anyone has mentioned yet that 
anyone with physical access to a PC can easily bypass the basic Windows 
password protection (another very good reason for not allowing local storage of 
sensitive data).

Also, I read an article about a company that implemented a policy and procedure 
to remotely (from the network) shut down all company PCs after work hours.  
They did it as a cost-saving measure, estimated to save them tens of thousands 
of dollars a year in electricity alone.

#2 - If IT does not know the local admin password, how can they do their job, 
patching & maintaining the PC?  Realistically, there shouldn't be any HR-related 
applications that absolutely require end users to use the Admin ID to 
do their job.  And there is no other reason for a user to know the admin password.

#3 - Using M$ Excel / Word passwords is ineffective.  Their implementation of 
encryption is very weak.  There are many tools for cracking them available on 
the internet.  Again, that type of password is only adequate protection from 
the "average" user, not from an informed thief, whether they work in IT or not.


An option I haven't seen mentioned yet is to store the sensitive documents 
offline.  Put them on a device that can easily be unplugged, i.e. a USB drive, and 
lock them up at night.  If it is offline, no one (authorized or not) can 
access it.  Note, it has to be securely locked up because average office desks 
and file cabinets can be picked in no time flat.

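Point #1 above rests on the fact that a powered-down PC can be switched on from the network. As an added illustration that is not part of the original post or thread, the following Python builds and parses the Wake-on-LAN "magic packet" that such NICs listen for, and flags captured UDP payloads aimed at a watchlist of MAC addresses (say, the HR workstations). The MAC addresses, the broadcast address and the sample payloads are made-up values; the NIC and BIOS of a real target would also have to have WoL enabled.

```python
"""Wake-on-LAN magic packet: build, parse, and watch for it.

Added example, not code from the original post. MAC addresses, broadcast
address and sample payloads below are constructed for illustration.
"""
import re
import socket

SYNC = b"\xff" * 6  # synchronization stream that starts every magic packet
WOL_PORT = 9        # UDP "discard" port is the usual convention for WoL


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff'
    and return the 6 raw bytes."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str, secureon: bytes = b"") -> bytes:
    """6 x 0xFF, then the target MAC repeated 16 times, then an optional
    6-byte SecureOn password (supported by some NICs; note it travels in
    the clear, so it is no defence against anyone who can sniff the LAN)."""
    if secureon and len(secureon) != 6:
        raise ValueError("SecureOn password must be exactly 6 bytes")
    return SYNC + parse_mac(mac) * 16 + secureon


def parse_magic_packet(payload: bytes):
    """Return (mac_str, secureon_bytes) if payload carries a well-formed
    magic packet, else None. The sync stream may sit anywhere inside the
    payload, so search for it rather than assuming offset 0."""
    idx = payload.find(SYNC)
    if idx < 0:
        return None
    body = payload[idx + 6:]
    if len(body) < 96:                 # 16 copies of a 6-byte MAC
        return None
    mac = body[:6]
    if body[:96] != mac * 16:
        return None
    secureon = body[96:102]
    if len(secureon) not in (0, 6):    # either no password or a full one
        return None
    return ":".join(f"{b:02x}" for b in mac), secureon


def wol_hits(payloads, watchlist):
    """Given captured UDP payloads and a set of MACs to watch (e.g. the HR
    workstations), return the watched MACs that a magic packet tried to wake.
    Useful as a detection: WoL traffic to HR boxes at 2 a.m. is a signal."""
    watched = {parse_mac(m) for m in watchlist}
    hits = []
    for p in payloads:
        parsed = parse_magic_packet(p)
        if parsed and parse_mac(parsed[0]) in watched:
            hits.append(parsed[0])
    return hits


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = WOL_PORT) -> int:
    """Broadcast the packet over UDP; returns the number of bytes sent.
    Needs a real network and a WoL-enabled target, so it is not called here."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


# Constructed sample traffic, as a sniffer on the HR VLAN might capture it:
# one magic packet for a (made-up) HR PC, one unrelated datagram, one magic
# packet for some other machine.
HR_PC_MAC = "00:1a:2b:3c:4d:5e"
SAMPLE_PAYLOADS = [
    bytes.fromhex("ffffffffffff" + "001a2b3c4d5e" * 16),
    b"some unrelated UDP payload",
    bytes.fromhex("ffffffffffff" + "aabbccddeeff" * 16),
]

if __name__ == "__main__":
    print(wol_hits(SAMPLE_PAYLOADS, {HR_PC_MAC}))
```

The parser accepts a payload with leading junk because real implementations sometimes wrap the packet in other data, and it rejects a packet whose 16 MAC copies do not all match, which is what distinguishes a genuine wake request from random bytes that happen to contain six 0xFF.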