Security Basics mailing list archives

Re: Locking down workstation


From: "James" <james () tuksfm co za>
Date: Wed, 11 Jun 2003 08:19:01 +0200

The problem with that is that if you lock up all your workstations, doing
simple things across the network could become rather difficult, especially
if your users are not administrators on the workstations where their profile
is loaded to.

They might need to do something across the network and then find that they
are unable to because of the security on the workstations.

What you are saying does make sense I agree, but there are factors that you
have to keep in mind before doing so, esp. as your workstations are most
probably Microsoft based workstations.

I once set permissions on one of the w2k workstations so that users only had
read access to everything except their own personal directory. Once I had
done this on about 3 machines users started complaining that they couldn't
do simple things because they didn't have the correct privileges to certain
system files... (You know what Windows can be like when it's angry)

Anyway, the point is that if your firewall is set up properly, and you
are always applying the latest bug fixes, you shouldn't need to have tight
security across the rest of the network (depending on the size and other
things too). Obviously there will be cases where it is necessary, but on a
smaller network where users need to access other machines for various
reasons tight security is going to hinder you.

For example I control a network of a radio station. We run software that
needs to be able to communicate with sister software on other workstations.
Then we have a workstation for the phone system, a workstation running a
database, broadcast software, accounting software, and then just the basics.
Users also need to be able to copy files with ease from the PC in the one
studio to the PC in the other. I could with much time and effort set up each
machine with just the ports open that they require to be open, but then
because some users need admin privs on a certain machine, they install
something, bugger up the machine, and then you have to do everything again.
At the end of the day if your network has to perform a lot of different
functions and users have a lot of requests, as the LAN admin you'll just be
shooting yourself in the foot.!!

My thoughts on the topic. Please someone correct me if I'm wrong..!!

_James


----- Original Message -----
From: "Mada Dulate" <madadulate () hotmail com>
To: <security-basics () securityfocus com>
Sent: Tuesday, June 10, 2003 11:04 PM
Subject: Locking down workstation



hey all,

I've learned a lot from this list (thank you) but I've tried to lurk a bit,
expected this issue to come up before I posted.  Time's up.

Firewalls are certainly a good practice, hopefully getting better, but if
I'm really concerned with security and as a responsible netizen looking to
stem the spread of disease, don't I want to do the best I can to close up
unused ports and services on every desktop in my network?

I admit I don't really know the implications of this from an administrator's
point of view, and I don't know how to audit this, but the reading I've
stumbled on is very directed at server strategy.

This is more to open a discussion than a personal request.  All responses
can be directed to the list.

Thanks!

Mada








