Security Basics mailing list archives
Re: Securing workstations from IT guys
From: Bert Knabe <bert.knabe () lubbockonline com>
Date: Mon, 26 Nov 2007 13:32:34 -0600
I agree that locking IT out of workstations isn't the answer. Our parent company doesn't lock us out of workstations, but they have a tight monitoring system in place that may not prevent improper behavior directly, but can track it to it's source pretty quickly once it occurs.
Bert Knabe Technician Lubbock Avalanche-Journal 806-766-2158 On Nov 26, 2007, at 10:12 AM, Weir, Jason wrote:
We don't allow saving any documents to workstation drives. All docs are stored on the network, allowing us to more easily control the permissionset.This being said, to effectively do their jobs the IT staff needs to haveaccess to everything. You have personnel problems if you cannot keep your IT staff from snooping where they should not.. -Jason -----Original Message-----From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]On Behalf Of WALI Sent: Sunday, November 25, 2007 1:24 PM To: security-basics Subject: Securing workstations from IT guysIt's a catch 22 situation and I need to make our Windows Xp workstationsappropriately secure. Secure from rogue Helpdesk personnel as well as network admins. The HR guys are complaining that their 'offer' letters to prospective employees and some of the CVs that they recieve are finding their way intounwanted hands. I suspect both HR application vulnerability, for which Iam undertaking some vulnerability analysis but I also need to protect the PCs that belong to Dept. of HR employees from rogue IT guys. Here are the basics of what I intend to do: 1. Advise all HR users to shutdown their PC before they leave for the day. 2. Change all Local Admin passwords so that even IT helpdesk/other doesn't know them. 3. Advise HR guys to assign passwords to their excel/word files. 3. Do not create shares off c drive giving 'everyone' access. But...because they are all connected to Windows 2003 domain, I still risk someone from domain admin group to be able to start C$/D$ share and browse into their c: drive, what should I do?Also, it's easy to crack open xls/doc passwords, what else can be done?Alternatively, Is there an auditing on PC that can be enabled to track/log incoming connections to C$ and pop up and alert whenever someone tries it out from a remote machine. Pls advise!!
Current thread:
- Securing workstations from IT guys WALI (Nov 26)
- RE: Securing workstations from IT guys Weir, Jason (Nov 26)
- Re: Securing workstations from IT guys Bert Knabe (Nov 26)
- RE: Securing workstations from IT guys Nick Vaernhoej (Nov 26)
- Re: Securing workstations from IT guys James Alcasid (Nov 26)
- Re: Securing workstations from IT guys Tremaine Lea (Nov 26)
- Re: Securing workstations from IT guys Mark Owen (Nov 26)
- Re: Securing workstations from IT guys Kurt Buff (Nov 27)
- RE: Securing workstations from IT guys Lim Ming Wei (Nov 27)
- RE: Securing workstations from IT guys Depp, Dennis M. (Nov 27)
- Re: Securing workstations from IT guys Liam Jewell (Nov 27)
- Re: Securing workstations from IT guys Mark Owen (Nov 27)
- RE: Securing workstations from IT guys Erin Carroll (Nov 27)
- RE: Securing workstations from IT guys Depp, Dennis M. (Nov 27)
- RE: Securing workstations from IT guys Weir, Jason (Nov 26)