Re: Securing workstations from IT guys

[cc <cc () belfordhk com>]

WALI wrote::
> It's a catch 22 situation and I need to make our Windows Xp workstations
> appropriately secure. Secure from rogue Helpdesk personnel as well as
> network admins.
> The HR guys are complaining that their 'offer' letters to prospective
> employees and some of the CVs that they recieve are finding their way
> into unwanted hands. I suspect both HR application vulnerability, for
> which I am undertaking some vulnerability analysis but I also need to
> protect the PCs that belong to Dept. of HR employees from rogue IT guys.

I think this vulnerability issue is the *least* of your problems.
Your main problem is 'personnel' issue.

Since you have not mentioned who you are in relation to either
parties,  and since you've already made your decision on 'rogue'
entities, then you have a personnel issue.  This suspected
'HR application vulnerability' is something that should be
considered but not as important as getting your personnel
issues ironed out.

No amount of securing will help if the weakest link in the
security is the human element.

I'm really not particularly clear on your situation.  How
are these 'offers' being sent?  How did the HR guys know
that the stuff they are receiving are also being received
by 'unwanted hands'?  Now since this is an internal issue,
I won't probe further.  You just need to be clear as to
what is *really* going on.  If you are tasked to getting
to the bottom of this, do it carefully.

> Here are the basics of what I intend to do:
> 1. Advise all HR users to shutdown their PC before they leave for the day.
> 2. Change all Local Admin passwords so that even IT helpdesk/other
> doesn't know them.
> 3. Advise HR guys to assign passwords to their excel/word files.
> 3. Do not create shares off c drive giving 'everyone' access.

Policy issues notwithstanding, you need to really consider
why you need a IT helpdesk.  It is my understanding that
the IT personnel/network admin should (my opinion here)
have the most access to all things.   How is the IT
personnel supposed to help *anyone* if the person doesn't
have access to the necessary requirements to fix whatever
problems they have.  Who sets up the security accesses?
Who sets up the audits?  If it isn't the IT guys, then
who?

The issue is whether you trust them.  If you don't trust them,
don't hire them.


> But...because they are all connected to Windows 2003 domain, I still
> risk someone from domain admin group to be able to start C$/D$ share and
> browse into their c: drive, what should I do?

Have you discovered how these offers were reaching 'unwanted' hands?
And whose 'unwanted' hands did they reach to?  Are you sure it's
an HR application vulnerability?

1) Consider your jurisdiction in this matter.  You are tasked with
   a vulnerability assessment.  Nowhere in your post did you say
   you had jurisdiction over finding the leaks.  It seems from
   my reading that you are interested in finding out who the
   perpetrators are.
2) Sanitize all HR machines from trojans/viruses/vulnerabilities.
3) Severely reprimand/fire those who are associated with these leaks.
   (When you find out).
4) Rethink your policies on computer usage and file sharing.
5) Rethink your personnel policies and their purpose.  If you disable
   the IT help desk/ network admin 's ability to fix computer/network
   issues, what is the purpose of their existence?

IF it is ok with your company, I certainly am interested in knowing
the results of your find.  It is worth learning from this.  While
the company that I work for isn't big, it has its share if issues
but not to the extent of what you're describing.


Just my $0.02.

Edmund