RE: Workstation security question
From: Kit (kit@smallfoxx.com) Date: 06/04/02
From: "Kit" <kit@smallfoxx.com>
To: <jradtke@admin1.umaryland.edu>, <focus-ms@securityfocus.com>
Date: Tue, 4 Jun 2002 10:56:46 -0500
The main issue is that someone can sit and plug away at the Administrator
password indefinitely since the account can't be locked or disabled.
Now, the other question is what does it gain them? Well, they can then use
it to install programs to watch users of that computer, observe their
traffic proceedings, key log their usage, and gain access to the domain
as a user that logs into it.
Also, Local Administrator passwords are often not unique to that machine, so
they could probably use it to become god of any other workstations with the
same admin password.
Since your campus is behind the firewall, you only have to worry about those
that are using computers or have access to the network then. If you are
lucky enough to somehow be able to prevent anyone but your IT staff from
being admins on the local machines (unfortunately, I've never seen that in
an EDU), that will helpfully limit the initial jump point. However, if you
have dorms, lab workstations with users as admins, or open ports for people
to place personal machines that exist behind the firewall, any of those
could be used to attempt to brute force the password.
That leaves you with 2 options with the account itself:
* Regularly remotely change the local admin password on all the machines.
  You could script this or buy a TPU.
* Disable the local admin accounts.
  * For 2000, see MSKB article Q281140
  * For NT, you'll need a TPU. Can't remember any off the top of my head
    but I know they existed. Many also negated any support from Microsoft.
You do have a couple of networking things you can do to help limit the risk:
* As you mentioned, put host-based firewalls on the clients
* Install internal firewalls and IDS's between your servers and sensitive
  networks and the hostile networks (read: networks you and your administrative
  staff do not have complete and sole administrative authority over)
Education networks are always MUCH more difficult to secure than a corporate
network due to the diverse structure of the networks and good-ol' politics,
but these are just some ways you can help to make it more secure.
HTH,
-Kit
-----Original Message-----
From: jradtke@admin1.umaryland.edu [mailto:jradtke@admin1.umaryland.edu]
Sent: Tuesday, June 04, 2002 8:00 AM
To: focus-ms@securityfocus.com
Subject: Workstation security question
We have a LAN with a mix of Win2000 and WinNT4 (phasing out the NT4)
workstations.
The only local user account on the workstation is the admin account. The
local admin account has no rights on the domain. Users are authenticated
through their domain accounts.
We have a campus wide firewall.
Should we be concerned enough about someone hacking into the workstations
and then tapping into our servers to put software based firewalls at each
workstation?
I would like to thank all of you in advance.
Jason
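
An added example, not part of either message in this thread: because the built-in Administrator account cannot be locked out, repeated guessing against it has to be caught by monitoring instead. The Python sketch below counts failed logons (event ID 529 in the NT4/2000 Security log) for that account per source and target machine inside a sliding window. The comma-separated line layout, host names, threshold and window are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp,event_id,target_account,target_host,source_host".
# The layout is an assumption for this example, not a real export format.
SAMPLE_LOG = """\
2002-06-04 09:00:01,529,Administrator,WS-LAB-07,DORM-PC-113
2002-06-04 09:00:03,529,Administrator,WS-LAB-07,DORM-PC-113
2002-06-04 09:00:05,529,Administrator,WS-LAB-07,DORM-PC-113
2002-06-04 09:00:06,529,jsmith,WS-LAB-07,WS-LAB-07
2002-06-04 09:00:08,529,Administrator,WS-LAB-07,DORM-PC-113
2002-06-04 09:00:10,529,Administrator,WS-LAB-07,DORM-PC-113
2002-06-04 09:00:12,529,Administrator,WS-LAB-07,DORM-PC-113
2002-06-04 09:05:00,529,Administrator,WS-ADM-02,IT-STAFF-01
2002-06-04 09:05:20,528,Administrator,WS-ADM-02,IT-STAFF-01
"""

FAILED_LOGON = "529"            # logon failure: unknown user name or bad password
THRESHOLD = 5                   # hypothetical: failures that trigger a flag
WINDOW = timedelta(minutes=10)  # hypothetical: sliding window length


def find_admin_guessing(log_text, account="Administrator",
                        threshold=THRESHOLD, window=WINDOW):
    """Return {(source, target): peak failures per window} for flagged pairs.

    Lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)  # (source, target) -> failure times in window
    flagged = {}
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        stamp, event_id, target_account, target_host, source = fields
        if event_id != FAILED_LOGON or target_account.lower() != account.lower():
            continue  # only failed logons against the watched account
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = (source, target_host)
        times = recent[key]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # drop failures older than the window
        if len(times) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(times))
    return flagged


if __name__ == "__main__":
    for (source, target), count in find_admin_guessing(SAMPLE_LOG).items():
        print(f"{source} -> {target}: {count} failed Administrator logons")
```
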