Security Basics mailing list archives
Re: Securing workstations from IT guys
From: cc <cc () belfordhk com>
Date: Thu, 29 Nov 2007 09:49:39 +0800
WALI wrote:
> It's a catch-22 situation and I need to make our Windows XP workstations appropriately secure. Secure from rogue Helpdesk personnel as well as network admins. The HR guys are complaining that their 'offer' letters to prospective employees and some of the CVs that they receive are finding their way into unwanted hands. I suspect an HR application vulnerability, for which I am undertaking some vulnerability analysis, but I also need to protect the PCs that belong to Dept. of HR employees from rogue IT guys.
I think this vulnerability issue is the *least* of your problems. Your main problem is a 'personnel' issue. Since you have not mentioned who you are in relation to either party, and since you've already made your decision on 'rogue' entities, then you have a personnel issue. This suspected 'HR application vulnerability' is something that should be considered, but not as important as getting your personnel issues ironed out. No amount of securing will help if the weakest link in the security is the human element. I'm really not particularly clear on your situation. How are these 'offers' being sent? How did the HR guys know that the stuff they are receiving is also being received by 'unwanted hands'? Now since this is an internal issue, I won't probe further. You just need to be clear as to what is *really* going on. If you are tasked with getting to the bottom of this, do it carefully.
> Here are the basics of what I intend to do:
> 1. Advise all HR users to shut down their PC before they leave for the day.
> 2. Change all Local Admin passwords so that even IT helpdesk/other doesn't know them.
> 3. Advise HR guys to assign passwords to their Excel/Word files.
> 4. Do not create shares off the C: drive giving 'everyone' access.
Policy issues notwithstanding, you need to really consider why you need an IT helpdesk. It is my understanding that the IT personnel/network admin should (my opinion here) have the most access to all things. How are the IT personnel supposed to help *anyone* if they don't have the access necessary to fix whatever problems people have? Who sets up the security accesses? Who sets up the audits? If it isn't the IT guys, then who? The issue is whether you trust them. If you don't trust them, don't hire them.
> But... because they are all connected to a Windows 2003 domain, I still risk someone from the domain admin group being able to open the C$/D$ share and browse their C: drive. What should I do?
Have you discovered how these offers were reaching 'unwanted' hands? And whose 'unwanted' hands did they reach? Are you sure it's an HR application vulnerability?
1) Consider your jurisdiction in this matter. You are tasked with a vulnerability assessment. Nowhere in your post did you say you had jurisdiction over finding the leaks. It seems from my reading that you are interested in finding out who the perpetrators are.
2) Sanitize all HR machines from trojans/viruses/vulnerabilities.
3) Severely reprimand/fire those who are associated with these leaks (when you find out).
4) Rethink your policies on computer usage and file sharing.
5) Rethink your personnel policies and their purpose. If you disable the IT helpdesk/network admin's ability to fix computer/network issues, what is the purpose of their existence?
If it is OK with your company, I certainly am interested in knowing the results of your find. It is worth learning from this. While the company that I work for isn't big, it has its share of issues, but not to the extent of what you're describing.
Just my $0.02.
Edmund