Security Basics mailing list archives

RE: Locking down workstation


From: "dave" <dave () netmedic net>
Date: Wed, 11 Jun 2003 18:16:15 -0400


Try:   Securit-e-Lok at http://www.securit-e-doc.com/products/products.asp

http://www.securit-e-doc.com/products/securitelok.asp

They have profiles for all workstation and server configurations whether
they are standalone or part of a domain.

It only takes about 20 minutes per machine. They have software that is
FIPS-140 approved and surpasses the NIST, NSA and Common Criteria
guidelines.



Dave



 

-----Original Message-----
From: James [mailto:james () tuksfm co za] 
Sent: Wednesday, June 11, 2003 02:19
To: security-basics () securityfocus com
Subject: Re: Locking down workstation

The problem with that is that if you lock up all your workstations, doing
simple things across the network could become rather difficult, especially
if your users are not administrators on the workstations where their profile
is loaded to.

They might need to do something across the network and then find that they
are unable to because of the security on the workstations.

What you are saying does make sense I agree, but there are factors that you
have to keep in mind before doing so, esp. as your workstations are most
probably Microsoft based workstations.

I once set permissions on one of the w2k workstations so that users only had
read access to everything except their own personal directory. Once I had
done this on about 3 machines users started complaining that they couldn't
do simple things because they didn't have the correct privileges to certain
system files... (You know what windows can be like when it's angry)

Anyway, the point is that if your firewall is set up properly, and you
are always applying the latest bug fixes, you shouldn't need to have tight
security across the rest of the network (depending on the size and other
things too). Obviously there will be cases where it is necessary, but on a
smaller network where users need to access other machines for various
reasons tight security is going to hinder you.

For example I control a network of a radio station. We run software that
needs to be able to communicate with sister software on other workstations.
Then we have a workstation for the phone system, a workstation running a
database, broadcast software, accounting software, and then just the basics.
Users also need to be able to copy files with ease from the PC in the one
studio to the PC in the other. I could with much time and effort set up each
machine with just the ports open that they require to be open, but then
because some users need admin privs on a certain machine, they install
something, bugger up the machine, and then you have to do everything again.
At the end of the day if your network has to perform a lot of different
functions and users have a lot of requests, as the LAN admin you'll just be
shooting yourself in the foot.!!

My thoughts on the topic. Please someone correct me if I'm wrong..!!

_James




