Re: Password Protected Screen Saver and Administrative Password

From: Thor (Hammer of God) (thor_at_hammerofgod.com)
Date: 02/09/05

    To: <tom.milliner@verizon.net>, <focus-ms@securityfocus.com>
    Date: Wed, 9 Feb 2005 12:38:28 -0800


    In line:

    ----- Original Message -----
    From: "Tom Milliner" <tom.milliner@verizon.net>
    To: "'Thor (Hammer of God)'" <thor@hammerofgod.com>;
    <focus-ms@securityfocus.com>
    Sent: Wednesday, February 09, 2005 12:03 PM
    Subject: RE: Password Protected Screen Saver and Administrative Password

    > That is exactly what I am saying.
    >
    > GoToMyPc allows this vendor to easily set up access to their
    > clients' servers. The GoToMyPc is very simple to set up and
    > bypasses firewalls (therefore, users could easily set this up
    > on their desktop in order to access their desktop from home).
    >
    > At any rate, the vendor uses GoToMyPc, which is password
    > protected and reasonably secure.
    >
    > The server in question is a member server which must be
    > connected to the domain. It does have user accounts. I
    > suppose I can try to set up a domain user other than the
    > domain administrator to log on to it, and then the screen
    > saver password would belong to that domain user. I may
    > try this.

    This is your best bet, and solves your problems. Make sure you give the
    user "log on locally" rights, as this is a server, and by default, a domain
    user won't be able to log on to the console.

    > Normally, for ease of use, I log on to all 7 servers as the
    > domain administrator. They all run 24x7 and serve in
    > different capacities. The one used by the vendor is a
    > Windows 2000/SQL 2000 box which runs our membership
    > and accounting databases. The idea of logging on as a
    > normal user (with special permissions, perhaps) may
    > present some interesting challenges (I'm wondering if it
    > will work...maybe I can test it on a weekend).

    Unfortunately, many vendor solutions require local admin permissions to run
    properly. Paragon for example, a real estate package you may be aware of
    (given your business) is one of these. Very poor programming, but that's
    the reality of it (hahaha-pun intended). Normally in these cases, where a
    local user needs admin access to run a program, I'd have RunAs set up, but
    that prob won't work for you here. Even if you have to make the domain user
    a member of that box's local admin group, it would be far better than what
    you're doing now. The best practice is to create a user that only has the
    minimum permissions needed to perform the task. It may take a few more
    minutes to create the account properly, but your security posture is far
    better.

    > From a simplicity standpoint, it would help if there was
    > a separate and distinct screen-saver password available.
    > For instance, let's say the screen-saver is locked, but the
    > administrator is away and simply needs a consultant to
    > perform a task on the server. I'd want to give the
    > consultant a non-administrator password for that type of
    > task.

    Ain't gonna happen in the same interactive session, as it shouldn't from a
    security standpoint. The closest functionality is RunAs, which you should
    use if possible. Ideally, you would not have admin accounts logged onto the
    console in the first place on any of the other servers: you would log in and
    out as needed. Password protected screen savers are not a good replacement
    for the logon process as things like password lockout are not implemented
    there, but that's another story.

    t

    >
    > Tom Milliner, CPA, MCSE
    > Director of Network Services
    > MetroTex Assc of Realtors
    > 8201 N. Stemmons Frwy
    > Dallas, TX 75247
    > www.dfwrealtors.com
    > mail to: tomm@dfwrealtors.com
    > (214) 540-2741
    >
    >
    > -----Original Message-----
    > From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
    > Sent: Wednesday, February 09, 2005 12:42 PM
    > To: tom.milliner@verizon.net; focus-ms@securityfocus.com
    > Subject: Re: Password Protected Screen Saver and Administrative Password
    >
    > I think the suggestion of a local admin was for the remote vendor, not the
    > trusted co-worker... It is hard to tell, as the request is somewhat
    > confusing...
    >
    > If I understand correctly, you log into the member server as the domain
    > administrator, letting the screen saver lock after 60 minutes since it is in
    > a common area. You have a remote vendor that uses GoToMyPC to perform
    > maintenance on your server, but you do not want to give them the domain
    > admin password-- rather, you want them to have to ask first, allowing you to
    > track access, even though when you unlock the screen, they have full access
    > to not only the member server, but the rest of your entire network as a
    > domain administrator. When you are not there, you want to have a different
    > person, the "trusted co-worker" unlock the screen for the vendor, but you
    > don't want him to have the domain admin password either-- rather, you want
    > him to be a normal user, but unlock the password locked screen saver to
    > resume the domain administrator interactive logon session.
    >
    > Is this really what you are saying?
    >
    > T
    >
    >
    > ----- Original Message -----
    > From: "Tom Milliner" <tom.milliner@verizon.net>
    > To: "'Patton Roub'" <proub@state.wy.us>; <focus-ms@securityfocus.com>
    > Sent: Tuesday, February 08, 2005 6:11 PM
    > Subject: RE: Password Protected Screen Saver and Administrative Password
    >
    >
    >> The vendor has a lot of customers and routinely uses
    >> GoToMyPC for support. In an ideal world for the vendor,
    >> there would be no password protected screen-saver to
    >> deal with. In other words, they could log on as needed
    >> (different time zones) to do maintenance. The screen-
    >> saver actually is a disruption to them, but since the
    >> server is in a common area, I use it. I also use it
    >> so that I can keep track of the vendor's maintenance
    >> (if something breaks after they log on, then I may
    >> want to call them)...they have to ask us to unlock the
    >> screen-saver.
    >>
    >> When I am not there, a trusted co-worker needs to be
    >> able to unlock the screen-saver.
    >>
    >> I am not understanding the suggestions to make the
    >> trusted co-worker a local administrator. Since the
    >> server is a domain member server, I log on as the
    >> domain administrator. Then it goes to password
    >> protected screen-saver after 60 minutes of inactivity.
    >> I know it needs an administrator's password to unlock
    >> the screen-saver. I have assumed that meant my domain
    >> administrator password instead of a local administrator
    >> password. I will test this tomorrow at work.
    >>
    >>
    >>
    >
    >
    >
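The advice in the reply above (a dedicated domain user for the vendor, the "log on locally" right granted on the member server, local Administrators membership only if the vendor application really needs it, RunAs instead of a standing domain-admin session, and logon tracking) can be scripted. The script below is an added example and is not from the thread or from any product named in it. It assumes a current Windows Server (2016 or later, for the LocalAccounts cmdlets) rather than the Windows 2000 box discussed, an elevated PowerShell session on the member server itself, and placeholder names: the domain `CORP`, the account `svc-vendor`, and the vendor tool path `C:\VendorApp\app.exe`.

```powershell
# Added example (not part of the original thread). Provisions a least-privilege
# vendor account on a member server: grants "Log on locally", optionally adds
# local Administrators membership, shows the RunAs form, and lists the account's
# interactive logons from the Security log so access can be tracked.
# Assumes Windows Server 2016+ and an elevated session on the member server.
param(
    [string]$Account = 'CORP\svc-vendor',   # placeholder domain account
    [switch]$NeedsLocalAdmin                 # set only if the vendor app requires it
)

function Grant-InteractiveLogonRight {
    param([Parameter(Mandatory)][string]$Account)
    # secedit has no "add one principal" mode, so export the current user-rights
    # policy, append the account to SeInteractiveLogonRight, and import only that area.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    $db  = Join-Path $env:TEMP 'userrights.sdb'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

    $found = $false
    $out = foreach ($line in (Get-Content $inf)) {
        if ($line -match '^SeInteractiveLogonRight\s*=\s*(.*)$') {
            $found = $true
            $members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($members -notcontains $Account) { $members += $Account }
            "SeInteractiveLogonRight = $($members -join ',')"
        } else { $line }
    }
    if (-not $found) {
        # No entry yet: create one directly under the [Privilege Rights] section.
        $out = $out -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeInteractiveLogonRight = $Account"
    }
    Set-Content -Path $inf -Value $out -Encoding Unicode
    secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
}

function Get-InteractiveLogons {
    param([Parameter(Mandatory)][string]$UserName, [int]$Days = 7)
    # Event 4624 = successful logon. Property indexes follow the 4624 schema:
    # [5] TargetUserName, [8] LogonType (2 = console, 10 = RemoteInteractive),
    # [11] WorkstationName. Unlocking a locked session is logged as type 7,
    # which is exactly why a screen-saver unlock is weaker than a fresh logon.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq $UserName -and $_.Properties[8].Value -in 2, 10 } |
        Select-Object TimeCreated,
            @{ n = 'LogonType';   e = { $_.Properties[8].Value } },
            @{ n = 'Workstation'; e = { $_.Properties[11].Value } }
}

# 1. Member servers refuse console logons from ordinary domain users by default.
Grant-InteractiveLogonRight -Account $Account

# 2. Local admin on this box only, and only when the vendor tool will not run without it.
if ($NeedsLocalAdmin) {
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Account -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Account
    }
}

# 3. RunAs form: launch just the vendor tool under the vendor account instead of
#    leaving a domain-admin session unlocked on the console (path is a placeholder).
Write-Host "runas.exe /user:$Account `"C:\VendorApp\app.exe`""

# 4. Tracking: list the vendor account's interactive logons for the last week.
$sam = ($Account -split '\\')[-1]
Get-InteractiveLogons -UserName $sam | Format-Table -AutoSize
```

Run it once without `-NeedsLocalAdmin`, test the vendor application, and add the switch only if the application fails; that keeps the account at the minimum rights the reply recommends. The logon listing filters on logon types 2 and 10 so that a real logon by the vendor account is visible separately from the type-7 unlock events a password-protected screen saver produces.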
