Re: Workstation security question

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 06/04/02


From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "Kit" <kit@smallfoxx.com>, <jradtke@admin1.umaryland.edu>, <focus-ms@securityfocus.com>
Date: Tue, 4 Jun 2002 14:54:28 -0400

Administrative accounts can be subjected to account lockout using passprop
(applies over the network only and if the account is locked out, local logon
will be required to unlock it).

Laura
----- Original Message -----
From: "Kit" <kit@smallfoxx.com>
To: <jradtke@admin1.umaryland.edu>; <focus-ms@securityfocus.com>
Sent: Tuesday, June 04, 2002 11:56 AM
Subject: RE: Workstation security question

> The main issue is that someone can sit and plug away at the Administrator
> password indefinitely since the account can't be locked or disabled.
>
> Now, the other question is what does it gain them? Well, they can then use
> it to install programs to watch users of that computer, observe their
> traffic proceedings, key log their usage, and gain access to the domain
> as a user that logs into.
>
> Also, Local Administrator passwords are often not unique to that machine, so
> they could probably use it to become god of any other workstations with the
> same admin password.
>
> Since your campus is behind the firewall, you only have to worry about those
> that are using computers or have access to the network then. If you are
> lucky enough to somehow be able to prevent anyone but your IT staff from
> being admins on the local machines (unfortunately, I've never seen that in
> an EDU), that will helpfully limit the initial jump point. However, if you
> have dorms, lab workstations with users as admins, or open ports for people
> to place personal machines that exist behind the firewall, any of those
> could be used to attempt to brute force the password.
>
> That leaves you with 2 options with the account itself:
> * Regularly remotely change the local admin password on all the machines.
> You could script this or buy a TPU.
> * Disable the local admin accounts.
> * For 2000, see MSKB article Q281140
> * For NT, you'll need a TPU. Can't remember any off the top of my head
> but I know they existed. Many also negated any support from Microsoft.
>
> You do have a couple of networking things you can do to help limit the risk:
> * As you mentioned, put host-based firewalls on the clients
> * Install internal firewalls and IDS's between your servers and sensitive
> networks and the hostile networks (read: networks you and your administrative
> staff do not have complete and sole administrative authority over)
>
> Education networks are always MUCH more difficult to secure than a corporate
> network due to the diverse structure of the networks and good-ol' politics,
> but these are just some ways you can help to make it more secure.
>
>
> HTH,
> -Kit
>
> -----Original Message-----
> From: jradtke@admin1.umaryland.edu [mailto:jradtke@admin1.umaryland.edu]
> Sent: Tuesday, June 04, 2002 8:00 AM
> To: focus-ms@securityfocus.com
> Subject: Workstation security question
>
> We have a LAN with a mix of Win2000 and WinNT4 (phasing out the NT4)
> workstations.
>
> The only local user account on the workstation is the admin account. The
> local admin account has no rights on the domain. Users are authenticated
> through their domain accounts.
>
> We have a campus wide firewall.
>
> Should we be concerned enough about someone hacking into the workstations
> and then tapping into our servers to put software-based firewalls at each
> workstation?
>
> I would like to thank all of you in advance.
>
> Jason
>

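The thread's central worry is that the built-in Administrator account cannot be locked out, so an attacker behind the firewall can guess at it indefinitely and the only trace is the audit log. The following is an added example, not code from anyone in this thread: a small Python scanner over a constructed, Event-Viewer-style tab-separated export of Windows 2000 security events. It treats event 529 as a failed logon and 528 as a successful logon (both are the standard NT/2000 audit IDs), counts failures against the Administrator account per source workstation in a sliding time window, and raises a separate, higher-severity alert when a success follows a burst of failures. The export format, threshold and sample hostnames are assumptions for the demonstration.

```python
"""Flag bursts of failed logons against the built-in Administrator account.

Added example for the thread above (not the list members' code). It scans a
constructed Event-Viewer-style export: one event per line, tab-separated as
date, time, event id, target user name, source workstation. Event 529 is
"Logon Failure: Unknown user name or bad password" and 528 is "Successful
Logon" on Windows NT 4 / 2000.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (not a real log): a 5-guess burst against
# Administrator from LAB-PC-07 that ends in a success, one unrelated failure
# for a domain user, and two slow guesses from DORM-PC-22 15 minutes apart.
SAMPLE_LOG = """\
6/4/2002\t07:58:02\t529\tAdministrator\tLAB-PC-07
6/4/2002\t07:58:03\t529\tAdministrator\tLAB-PC-07
6/4/2002\t07:58:03\t529\tAdministrator\tLAB-PC-07
6/4/2002\t07:58:04\t529\tAdministrator\tLAB-PC-07
6/4/2002\t07:58:05\t529\tAdministrator\tLAB-PC-07
6/4/2002\t07:58:06\t528\tAdministrator\tLAB-PC-07
6/4/2002\t08:10:11\t529\tjradtke\tDORM-PC-22
6/4/2002\t09:30:00\t529\tAdministrator\tDORM-PC-22
6/4/2002\t09:45:00\t529\tAdministrator\tDORM-PC-22
"""

FAILED_LOGON = "529"      # Windows NT/2000: bad user name or password
SUCCESSFUL_LOGON = "528"  # Windows NT/2000: successful logon


def parse_line(line):
    """Split one export line into (timestamp, event id, user, workstation)."""
    date, time, event_id, user, workstation = line.rstrip("\n").split("\t")
    ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
    return ts, event_id, user, workstation


def find_bursts(log_text, threshold=5, window=timedelta(minutes=5),
                target="administrator"):
    """Return alerts for failed-logon bursts against `target`.

    A "burst" alert fires once when `threshold` failures from the same
    workstation fall inside `window`; a "success_after_burst" alert fires if
    a successful logon arrives while that burst is still open, which is the
    signal that the guessing may have worked.
    """
    failures = defaultdict(deque)  # (user, workstation) -> timestamps in window
    burst_open = set()             # keys already alerted, awaiting reset
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, workstation = parse_line(line)
        if user.lower() != target:
            continue  # only the account that cannot be locked out

        key = (user, workstation)
        recent = failures[key]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if not recent:
            burst_open.discard(key)

        if event_id == FAILED_LOGON:
            recent.append(ts)
            if len(recent) >= threshold and key not in burst_open:
                burst_open.add(key)
                alerts.append({"kind": "burst", "user": user,
                               "workstation": workstation,
                               "failures": len(recent),
                               "first": recent[0], "last": ts})
        elif event_id == SUCCESSFUL_LOGON:
            if key in burst_open:
                alerts.append({"kind": "success_after_burst", "user": user,
                               "workstation": workstation,
                               "failures": len(recent), "at": ts})
            # A success resets the guessing history for this source.
            recent.clear()
            burst_open.discard(key)

    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(alert)
```

With the defaults, the two slow guesses from DORM-PC-22 stay below the threshold, while LAB-PC-07 produces one burst alert followed by a success-after-burst alert; lowering the threshold and widening the window (for example, to catch patient low-and-slow guessing) makes the DORM-PC-22 activity surface as well.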