Re: disclosure the administrative password
From: Mike Groh (lists mikegroh.net)
Date: Mon Feb 07 2005 - 23:46:13 CST
The workstation admin idea sounds good to me. I want to do it in my
network. Is there a way to easily push this policy to the workstations?
Win2k3 server (AD) and XP workstations. I'm assuming it would involve
GPO but I have very little experience with it.
Thank You,
-Mike
d.pigna email.it wrote:
> Hi Boris
>
> What about something like:
>
> 1) Create a WorkstationAdmin who has admin privileges on workstations
> (local admin), and NOT on servers, active directory, network folders,
> etc...
> This will ensure, if the password is compromised, that only your
> workstations will be at risk.
>
> 2) If you have several OUs and several Local
> Administrators/Supervisors, create different WorkstationAdmins.
> Again: the lowest number of machines compromised in case someone will
> get this password.
>
> 3) Change this password(s) EVERY DAY. Or every hour.
>
>
> A question from my side, now.
>
> How many times are these operations performed every day???
>
> Everyday operations have to be easy and fast. In this case, I suggest
> you give your Supervisors a wide range of "freedom".
> Otherwise you'll get a call every time a normal maintenance operation
> is performed on a remote, lonely and unuseful machine (something you
> don't want to happen).
> It's better to have 5 workstations compromised every year - that need
> to be reinstalled - than 50 calls every day.
>
> How many workstations/LocalAdmins do you have???
>
> Is there a REAL security risk in your environment? Who can be really
> dangerous for you? If you're at risk, and you have to protect sensible
> information, you'll need to give up on usability, and go for the
> security (i.e. change LocalAdmins passwords everyday).
> If you don't have something really important to protect... c'mon, just
> make LocalAdmin life easy.
>
> If you're managing 10.000 machines in a high school, what data are you
> trying to protect on every single workstation? PPT files for the art
> teacher and some stupid videos downloaded from students?? ;-)
> Let them play, and mess up!
>
>
> It could be nice to have a final report on this question...
> Something that will put together all these suggestions and try to line
> out a security model (from very weak to very strong) for different
> security needs.
>
> Hope this helped.
> Davide
>
>
>
> Boris Skoblo wrote:
>
>>
>>>> Hi All,
>>>>
>>>> There is a usual situation: on normal users' computers (W2k and
>>>> WinXP) an administrator should perform administrative actions
>>>> (for example, with the help of RunAs), and so the administrative
>>>> password is entered. There is a potential possibility that there is
>>>> a keylogger on the user's computer.
>>>>
>>>>
>>>> What ways exist to perform administrative operations without
>>>> endangering disclosure of the administrative password? There are some
>>>> limitations:
>>>>
>>>> 1. Usage of smart cards and other hardware devices is not
>>>> applicable.
>>>>
>>>> 2. The performed operations cannot be delegated, for various reasons.
>>>>
>>>> 3. The keylogger is custom designed, and none of the existing
>>>> protective software detects it yet.
>>>>
---------------------------------------------------------------------------
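An added example, not part of either poster's message: a PowerShell audit of the three steps in the quoted proposal (workstation-only rights, one account per OU, short rotation interval). It runs offline on constructed records; the account, OU and machine names, the list of privileged groups and the one-day threshold are assumptions.

```powershell
# Added example. Every account, OU and machine name below is constructed sample data.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Server Operators'
$MaxPasswordAge   = [timespan]::FromDays(1)           # step 3: rotate daily (assumed interval)
$Now              = [datetime]'2005-02-08T09:00:00'   # fixed clock so the sample is reproducible

function New-Machine($Name, $OU, $Role) { [pscustomobject]@{ Name = $Name; OU = $OU; Role = $Role } }

# On a live domain, MemberOf and PasswordLastSet can be read with
# Get-ADUser -Properties MemberOf, PasswordLastSet; LocalAdminOn has to be
# collected from each machine's local Administrators group.
$Accounts = @(
    [pscustomobject]@{
        Name = 'WksAdmin-Sales'; OU = 'Sales'; MemberOf = @('Domain Users')
        PasswordLastSet = [datetime]'2005-02-08T06:00:00'
        LocalAdminOn = @((New-Machine 'SALES-PC01' 'Sales' 'Workstation'))
    }
    [pscustomobject]@{
        Name = 'WksAdmin-Lab'; OU = 'Lab'; MemberOf = @('Domain Users', 'Domain Admins')
        PasswordLastSet = [datetime]'2005-01-03T08:00:00'
        LocalAdminOn = @((New-Machine 'LAB-PC07' 'Lab' 'Workstation'),
                         (New-Machine 'FILESRV1' 'Servers' 'Server'),
                         (New-Machine 'SALES-PC02' 'Sales' 'Workstation'))
    }
)

function Get-WorkstationAdminFinding {
    param($Accounts, [datetime]$Now, [timespan]$MaxAge, [string[]]$Privileged)
    foreach ($a in $Accounts) {
        $issues = @()
        # Step 1: local admin on workstations only, no domain-level privilege.
        $groups = @($a.MemberOf | Where-Object { $Privileged -contains $_ })
        if ($groups) { $issues += "privileged group: $($groups -join ', ')" }
        $servers = @($a.LocalAdminOn | Where-Object { $_.Role -ne 'Workstation' })
        if ($servers) { $issues += "admin on non-workstation: $($servers.Name -join ', ')" }
        # Step 2: one account per OU, so rights outside its own OU widen the exposure.
        $foreign = @($a.LocalAdminOn | Where-Object { $_.Role -eq 'Workstation' -and $_.OU -ne $a.OU })
        if ($foreign) { $issues += "admin outside OU '$($a.OU)': $($foreign.Name -join ', ')" }
        # Step 3: password older than the rotation interval.
        $age = $Now - $a.PasswordLastSet
        if ($age -gt $MaxAge) { $issues += "password age $([int]$age.TotalDays) days" }
        foreach ($i in $issues) { [pscustomobject]@{ Account = $a.Name; Finding = $i } }
    }
}

Get-WorkstationAdminFinding $Accounts $Now $MaxPasswordAge $PrivilegedGroups | Format-Table -AutoSize
```

With the sample records, `WksAdmin-Sales` produces no findings and `WksAdmin-Lab` is reported under all three steps.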