Re:Height of paranoia

["reflect ocean" <reflect.ocean () gmail com>]

Have you considered to take measures that are more related to physical
access to those workstations? Have you considered to activate
login/logout information in the event viewer?


On Wed, Aug 27, 2008 at 10:55 AM, WALI <hkhasgiwale () gmail com> wrote:
> It's a given that all workstations have XP firewall enabled, an enterprise grade antivirus and Windows defender 
> installed. I am the security guy.
>
> The need is that there are a couple top management executives that have highly confidential data/emails residing on 
> their desktops, and quite a few times, the information seems to have leaked out.
>
> Discounting the 'word of mouth' of their secretaries or the end recipients of that information, I want to take as 
> many precautions from the IT security perspective as possible and even bring our domain admins and helpdesk personnel 
> into the realm of doubt.
>
> We have a Windows 20003/exchange 2003 environment of about a 2000 users. Here's what I have thought:
>
> 1. If I detach these executive PCs from the domain. Mails will stop landing in MS Outlook. Is there a way around? 
> Also DNS security doesn't register any PC unless it's joined to a domain. I thought of this to make it out of bounds 
> by system/domain admins. I have a feeling that their port 3389 gets accessed when they aren't around.
>
> 2. Alternatively, create a private vlan on the core switch and make these PCs as it's members. Put an ACL and deny 
> everything except ports required to authenticate to AD and exchange and few other web applications. Monitor port 
> memberships regularly.
>
> 3. How to secure their emails from exchange admins (it's the height, I know).
>
> Pls advise!!