Re: Password Protected Screen Saver and Administrative Password

From: Raoul Armfield (armfield_at_amnh.org)
Date: 02/09/05

    Date: Wed, 09 Feb 2005 15:21:35 -0500
    To: tom.milliner@verizon.net
    
    

    Tom Milliner wrote:
    > The vendor has a lot of customers and routinely uses
    > GoToMyPC for support. In an ideal world for the vendor,
    > there would be no password protected screen-saver to
    > deal with. In other words, they could log on as needed
    > (different time zones) to do maintenance. The screen-
    > saver actually is a disruption to them, but since the
    > server is in a common area, I use it. I also use it
    > so that I can keep track of the vendor's maintenance
    > (if something breaks after they log on, then I may
    > want to call them)...they have to ask us to unlock the
    > screen-saver.

    Why let it go to a screensaver? Surely you are not using this server as
    a workstation. Get in the habit of logging out when you are done; this
    way the vendor can log in whenever they need to. If you have proper
    auditing enabled you can track when he has logged in and logged off.

    >
    > When I am not there, a trusted co-worker needs to be
    > able to unlock the screen-saver.

    Does your co-worker have his own admin-level account? Again, for
    auditing purposes this is best practice. You should not be using the
    administrator account for general use of the server.

    >
    > I am not understanding the suggestions to make the
    > trusted co-worker a local administrator. Since the
    > server is a domain member server, I logon as the
    > domain administrator. Then it goes to password
    > protected screen-saver after 60 minutes of inactivity.
    > I know it needs an administrator's password to unlock
    > the screen-saver. I have assumed that meant my domain
    > administrator password instead of a local administrator
    > password. I will test this tomorrow at work.
    >

    Earlier you said that you have it go to the protected screensaver after
    60 minutes of inactivity but that it is in a public place. In this case
    it is not the vendor you need to worry about but anyone that walks by
    within those 60 minutes. At the very least you should drastically
    reduce the timeout period, particularly since you are logged in using a
    domain admin account. If someone starts using the server they have god
    access to the entire domain. What if they change the password? Now you
    as the admin are locked out of your own domain.

    >
    >
    > Tom Milliner, CPA, MCSE
    > 2404 Summer Place Dr.
    > Irving, TX 75062
    > (214) 540-2741
    > tom.milliner@verizon.net
    >
    > -----Original Message-----
    > From: Patton Roub [mailto:proub@state.wy.us]
    > Sent: Tuesday, February 08, 2005 6:22 PM
    > To: focus-ms@securityfocus.com; tom.milliner@verizon.net
    > Subject: Re: Password Protected Screen Saver and Administrative Password
    >
    > Is this a Windows 2000 Server or Windows Server 2003? If it
    > is, then you should consider terminal services in maintenance
    > mode. It requires no additional license purchases (two are free)
    > and your vendor can connect without going through a fourth
    > party's server equipment (GoToMyPC)(trusted?/untrusted?)
    > to get there. They would log in as themselves (event logging
    > good) and their access rights can be controlled. In terminal
    > services, they also would not see your screen saver as they
    > would have their own session/desktop/etc.
    >
    > Patton Roub, BSEE, MCSE
    > proub@state.wy.us
    >
    >>>>"Tom Milliner" <tom.milliner@verizon.net> 2/7/2005 8:07:04 PM >>>
    >
    > Does someone know a way to allow a normal user to
    > release a server password protected screen-saver
    > without giving the user the administrator password?
    >
    > I need this so that third-party support can access
    > our server via GoToMyPC when I am not there. The
    > password protected screen-saver blocks them from
    > remote access to fix problems. I cannot always be
    > on-site to assist by supplying the screen-saver
    > password.
    >
    >
    > Tom Milliner, CPA, MCSE
    > tom.milliner@verizon.net
    >

    -- 
    Raoul Armfield
    Support Specialist
    IT-Call Center
    armfield at amnh dot org
    American Museum of Natural History
    Central Park West at 79th Street
    New York, New York 10024-5192
    (212) 313-7258
    5152 1277 A04B 04C2 BBE4
    3EE8 8369 3541 8B93 42DA
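
The auditing point made in this reply (track when the vendor logs on and off, log out instead of leaving a console session behind the screensaver, and avoid a shared administrator account), shown as an added example that is not part of the original message. The records are constructed and their field names are assumptions; the event IDs are those of the Windows Server 2003 Security log.

```python
from datetime import datetime

# Constructed sample records (not from a real log); the dict field names are
# assumptions. Event IDs per the Windows Server 2003 Security log: 528 = logon,
# 538 = logoff. Logon types: 2 = console, 7 = unlock, 10 = Terminal Services.
SAMPLE_EVENTS = [
    {"time": "2005-02-08 08:02:11", "id": 528, "user": "EXAMPLE\\Administrator", "type": 2, "logon_id": "0x3e1a0"},
    {"time": "2005-02-08 19:40:03", "id": 528, "user": "EXAMPLE\\vendor1", "type": 10, "logon_id": "0x51c22"},
    {"time": "2005-02-08 20:15:47", "id": 538, "user": "EXAMPLE\\vendor1", "type": 10, "logon_id": "0x51c22"},
    {"time": "2005-02-09 07:55:30", "id": 528, "user": "EXAMPLE\\Administrator", "type": 7, "logon_id": "0x6f003"},
    {"time": "2005-02-09 07:55:31", "id": 538, "user": "EXAMPLE\\Administrator", "type": 7, "logon_id": "0x6f003"},
]
LOGON, LOGOFF = 528, 538
TYPE_NAMES = {2: "console", 7: "unlock", 10: "terminal-services"}

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def build_sessions(events):
    """Pair each logon with the logoff that carries the same logon ID."""
    open_by_id, sessions = {}, []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["id"] == LOGON:
            s = {"user": ev["user"], "kind": TYPE_NAMES.get(ev["type"], str(ev["type"])),
                 "start": _ts(ev["time"]), "end": None}
            open_by_id[ev["logon_id"]] = s
            sessions.append(s)
        elif ev["id"] == LOGOFF and ev["logon_id"] in open_by_id:
            open_by_id.pop(ev["logon_id"])["end"] = _ts(ev["time"])
    return sessions

def review(sessions, shared_accounts=("administrator",)):
    """Findings: sessions never logged off, and console use of a shared account."""
    findings = []
    for s in sessions:
        name = s["user"].split("\\")[-1].lower()
        if s["end"] is None:
            findings.append(("never-logged-off", s["user"], s["kind"]))
        if name in shared_accounts and s["kind"] in ("console", "unlock"):
            findings.append(("shared-account", s["user"], s["kind"]))
    return findings

if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        print(s["user"], s["kind"], s["start"], "->", s["end"] or "still logged on")
    for f in review(build_sessions(SAMPLE_EVENTS)):
        print("FINDING:", *f)
```

The vendor's Terminal Services session is attributable to a named account with a start and end time, while the console session under the shared account has no logoff and cannot be tied to a person.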
