Security Basics mailing list archives

Re: Securing workstations from IT guys

From: rohnskii () gmail com
Date: 26 Nov 2007 22:19:20 -0000

Others have already made most of the appropriate suggestions, so lets take a look at some of the issues associated with
your original ideas:

<snip>
Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the day.
2. Change all Local Admin passwords so that even IT helpdesk/other doesn't
know them.
3. Advise HR guys to assign passwords to their excel/word files.
4. Do not create shares off c drive giving 'everyone' access.
</snip>

#1- PC Shutdown has limited value against an IT insider because some newer PC/NIC combinations allow the PC to be
powered on from the network to allow administrative work, ie patching. Shutting down, or at least enabling & password
locking the screensaver will prevent casual passer-by's (ie janitor) from using PC to steal info. I don't think that
anyone has mentioned yet that anyone with physical access to a PC can easily bypass the basic Windows password
protection (another very good reason for not allowing local storage of sensitive data).

Also, I read an article about a company that implemented a policy and procedure to remotely (from the network) shut
down all company PC's after work hours. They did it as a cost saving measure, estimated to save them tens of thousands
of dollars a year in electricity alone.

#2 If IT does not know the local admin password, how can they do their job, patching & maintaining the PC.
Realistically, there shouldn't be any HR related applications that absolutely require end users to use the Admin ID to
do their job. And there is no other reason for user to know admin password.

#3 Using M$ Excel / Word passwords is ineffective. Their implementation of encryption is very weak. There are many
tools for cracking them available on the internet. Again, that type of password is only adequate protection from the
"average" user, not from an informed thief, whether they work in IT or not.

An option I haven't seen mentioned yet is to store the sensitive documents offline. Put them on a device that can
easily be unplugged, ie a USB drive and lock them up at night. If it is off line, no one (authorized or not) can
access it. Note, it has to be securely locked up because average office desks and file cabinets can be picked in no
time flat.

Current thread:

RE: Securing workstations from IT guys, (continued)
- - - RE: Securing workstations from IT guys Craig Wright (Nov 29)
    - Re: Securing workstations from IT guys Mark Owen (Nov 29)
    - Re: Securing workstations from IT guys Patrick J Kobly (Nov 29)
    - RE: Securing workstations from IT guys Vandenberg, Robert (Nov 28)
  - Re: Securing workstations from IT guys Brad Bendily (Nov 27)
    - RE: Securing workstations from IT guys Petter Bruland (Nov 27)
  - RE: Securing workstations from IT guys Ramsdell, Scott (Nov 27)
    - RE: Securing workstations from IT guys Craig Wright (Nov 28)
- Re: Securing workstations from IT guys cc (Nov 29)
- Re: Securing workstations from IT guys krymson (Nov 26)
- Re: Securing workstations from IT guys rohnskii (Nov 26)
- Re: RE: Securing workstations from IT guys kurt . kessler (Nov 27)
  - RE: RE: Securing workstations from IT guys David Gillett (Nov 27)
- Re: Re: Securing workstations from IT guys bert . knabe (Nov 27)
- Re: Securing workstations from IT guys Bob (Nov 28)
- Re: Securing workstations from IT guys stuff (Nov 28)
- FW: Securing workstations from IT guys Nick Vaernhoej (Nov 28)
  - Re: Securing workstations from IT guys Michael R. Martinez (Nov 28)
  - Re: FW: Securing workstations from IT guys Jan Heisterkamp (Nov 29)
    - RE: FW: Securing workstations from IT guys Worrell, Brian (Nov 29)
    - RE: FW: Securing workstations from IT guys Craig Wright (Nov 29)

(Thread continues...)