RE: Securing workstations from IT guys

["Weir, Jason" <jason.weir () nhrs org>]

We don't allow saving any documents to workstation drives.  All docs are
stored on the network, allowing us to more easily control the permission
set.

This being said, to effectively do their jobs the IT staff needs to have
access to everything.  You have personnel problems if you cannot keep
your IT staff from snooping where they should not..

-Jason



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of WALI
Sent: Sunday, November 25, 2007 1:24 PM
To: security-basics
Subject: Securing workstations from IT guys


It's a catch 22 situation and I need to make our Windows Xp workstations

appropriately secure. Secure from rogue Helpdesk personnel as well as 
network admins.
The HR guys are complaining that their 'offer' letters to prospective 
employees and some of the CVs that they recieve are finding their way
into 
unwanted hands. I suspect both HR application vulnerability, for which I
am 
undertaking some vulnerability analysis but I also need to protect the
PCs 
that belong to Dept. of HR employees from rogue IT guys.

Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the
day.
2. Change all Local Admin passwords so that even IT helpdesk/other
doesn't 
know them.
3. Advise HR guys to assign passwords to their excel/word files.
3. Do not create shares off c drive giving 'everyone' access.

But...because they are all connected to Windows 2003 domain, I still
risk 
someone from domain admin group to be able to start C$/D$ share and
browse 
into their c: drive, what should I do?

Also, it's easy to crack open xls/doc passwords, what else can be done?

Alternatively, Is there an auditing on PC that can be enabled to
track/log 
incoming connections to C$ and pop up and alert whenever someone tries
it 
out from a remote machine.

Pls advise!!