Security Basics mailing list archives
RE: Locking down workstation
From: "dave" <dave () netmedic net>
Date: Wed, 11 Jun 2003 18:16:15 -0400
Try: Securit-e-Lok at
http://www.securit-e-doc.com/products/products.asp
http://www.securit-e-doc.com/products/securitelok.asp

They have profiles for all workstation and server configurations, whether they are standalone or part of a domain. It only takes about 20 minutes per machine. They have software that is FIPS-140 approved and surpasses the NIST, NSA and Common Criteria guidelines.

Dave

-----Original Message-----
From: James [mailto:james () tuksfm co za]
Sent: Wednesday, June 11, 2003 02:19
To: security-basics () securityfocus com
Subject: Re: Locking down workstation

The problem with that is that if you lock up all your workstations, doing simple things across the network could become rather difficult, especially if your users are not administrators on the workstations where their profile is loaded to. They might need to do something across the network and then find that they are unable to because of the security on the workstations.

What you are saying does make sense, I agree, but there are factors that you have to keep in mind before doing so, esp. as your workstations are most probably Microsoft-based workstations. I once set permissions on one of the w2k workstations so that users only had read access to everything except their own personal directory. Once I had done this on about 3 machines, users started complaining that they couldn't do simple things because they didn't have the correct privileges to certain system files... (You know what Windows can be like when it's angry)

Anyway, the point is that if your firewall is set up properly, and you are always applying the latest bug fixes, you shouldn't need to have tight security across the rest of the network (depending on the size and other things too). Obviously there will be cases where it is necessary, but on a smaller network where users need to access other machines for various reasons, tight security is going to hinder you.

For example, I control a network of a radio station. We run software that needs to be able to communicate with sister software on other workstations. Then we have a workstation for the phone system, a workstation running a database, broadcast software, accounting software, and then just the basics. Users also need to be able to copy files with ease from the PC in the one studio to the PC in the other. I could, with much time and effort, set up each machine with just the ports open that they require to be open, but then because some users need admin privs on a certain machine, they install something, bugger up the machine, and then you have to do everything again.

At the end of the day, if your network has to perform a lot of different functions and users have a lot of requests, as the LAN admin you'll just be shooting yourself in the foot!!

My thoughts on the topic. Please someone correct me if I'm wrong..!!

_James