RE: Securing workstations from IT guys

["Craig Wright" <Craig.Wright () bdo com au>]

So I have to ask the question, why are all the "admins" running as full
admin?

A backup operator does necessarily not need restore privileges and
certainly does not need add users to the domain.

Windows is VERY granular. Assign rights to groups. Use the AGULP model

In the AGULP model, rights and permissions should only be granted to the
local group. Not to users.

AGULP
        Create unique user accounts.
        Organize (domain) Users into Global Groups.
        Place Global groups in to Universal Groups
        Add the Universal and / or Global Groups to the Local Groups
        Assign permissions to the Local Groups

Assign based on Roles. Minimise what you give as rights - do not use the
default admin user.

Regards,
Dr Craig Wright (GSE-Compliance)



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ramsdell, Scott
Sent: Wednesday, 28 November 2007 8:08 AM
To: Lim Ming Wei; WALI; security-basics
Subject: RE: Securing workstations from IT guys

WALI,

Many list members have contributed valuable suggestions for securing the
PCs.

This, to me, however appears to be an issue with the email system's
security controls, or an abuse of admin privs on the email server.

That would be a much easier location to copy items "sent" and "received"
by the HR dpt.


Kind Regards,

Scott Ramsdell
CISSP CCNA MSCE


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Lim Ming Wei
Sent: Monday, November 26, 2007 9:14 PM
To: 'WALI'; 'security-basics'
Subject: RE: Securing workstations from IT guys

Use encryption program to encrypt those files.  Password function in the
normal MS Word application does not help.  If you have problem
installing
the program.  You might want to consider saving the file in an
alternative
storage media such as a USB Thumb drive. 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On
Behalf Of WALI
Sent: Monday, November 26, 2007 2:24 AM
To: security-basics
Subject: Securing workstations from IT guys

It's a catch 22 situation and I need to make our Windows Xp workstations

appropriately secure. Secure from rogue Helpdesk personnel as well as 
network admins.
The HR guys are complaining that their 'offer' letters to prospective 
employees and some of the CVs that they recieve are finding their way
into 
unwanted hands. I suspect both HR application vulnerability, for which I
am 
undertaking some vulnerability analysis but I also need to protect the
PCs 
that belong to Dept. of HR employees from rogue IT guys.

Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the
day.
2. Change all Local Admin passwords so that even IT helpdesk/other
doesn't 
know them.
3. Advise HR guys to assign passwords to their excel/word files.
3. Do not create shares off c drive giving 'everyone' access.

But...because they are all connected to Windows 2003 domain, I still
risk 
someone from domain admin group to be able to start C$/D$ share and
browse 
into their c: drive, what should I do?

Also, it's easy to crack open xls/doc passwords, what else can be done?

Alternatively, Is there an auditing on PC that can be enabled to
track/log 
incoming connections to C$ and pop up and alert whenever someone tries
it 
out from a remote machine.

Pls advise!!