RE: Password Protected Screen Saver and Administrative Password

From: Tom Milliner (tom.milliner_at_verizon.net)
Date: 02/09/05

    To: "'Thor (Hammer of God)'" <thor@hammerofgod.com>, <focus-ms@securityfocus.com>
    Date: Wed, 9 Feb 2005 14:03:41 -0600
    
    

    That is exactly what I am saying.

    GoToMyPc allows this vendor to easily set up access to their
    clients' servers. The GoToMyPc is very simple to set up and
    bypass firewalls (therefore, users could easily set this up
    on their desktop in order to access their desktop from home).

    At any rate, the vendor uses GoToMyPc, which is password
    protected and reasonably secure.

    The server in question is a member server which must be
    connected to the domain. It does have user accounts. I
    suppose I can try to set up a domain user other than the
    domain administrator to log on to it, and then the screen
    saver password would belong to that domain user. I may
    try this.

    Normally, for ease of use, I log on to all 7 servers as the
    domain administrator. They all run 24x7 and serve in
    different capacities. The one used by the vendor is a
    Windows 2000/SQL 2000 box which runs our membership
    and accounting databases. The idea of logging on as a
    normal user (with special permissions, perhaps) may
    present some interesting challenges (I'm wondering if it
    will work...maybe I can test it on a weekend).

    From a simplicity standpoint, it would help if there was
    a separate and distinct screen-saver password available.
    For instance, let's say the screen-saver is locked, but the
    administrator is away and simply needs a consultant to
    perform a task on the server. I'd want to give the
    consultant a non-administrator password for that type of
    task.

    Tom Milliner, CPA, MCSE
    Director of Network Services
    MetroTex Assc of Realtors
    8201 N. Stemmons Frwy
    Dallas, TX 75247
    www.dfwrealtors.com
    mail to: tomm@dfwrealtors.com
    (214) 540-2741
     

    -----Original Message-----
    From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
    Sent: Wednesday, February 09, 2005 12:42 PM
    To: tom.milliner@verizon.net; focus-ms@securityfocus.com
    Subject: Re: Password Protected Screen Saver and Administrative Password

    I think the suggestion of a local admin was for the remote vendor, not
    the trusted co-worker... It is hard to tell, as the request is somewhat
    confusing...

    If I understand correctly, you log into the member server as the domain
    administrator, letting the screen saver lock after 60 minutes since it
    is in a common area. You have a remote vendor that uses GoToMyPC to
    perform maintenance on your server, but you do not want to give them
    the domain admin password-- rather, you want them to have to ask first,
    allowing you to track access, even though when you unlock the screen,
    they have full access to not only the member server, but the rest of
    your entire network as a domain administrator. When you are not there,
    you want to have a different person, the "trusted co-worker" unlock the
    screen for the vendor, but you don't want him to have the domain admin
    password either-- rather, you want him to be a normal user, but unlock
    the password locked screen saver to resume the domain administrator
    interactive logon session.

    Is this really what you are saying?

    T

    ----- Original Message -----
    From: "Tom Milliner" <tom.milliner@verizon.net>
    To: "'Patton Roub'" <proub@state.wy.us>; <focus-ms@securityfocus.com>
    Sent: Tuesday, February 08, 2005 6:11 PM
    Subject: RE: Password Protected Screen Saver and Administrative Password

    > The vendor has a lot of customers and routinely uses
    > GoToMyPC for support. In an ideal world for the vendor,
    > there would be no password protected screen-saver to
    > deal with. In other words, they could log on as needed
    > (different time zones) to do maintenance. The screen-
    > saver actually is a disruption to them, but since the
    > server is in a common area, I use it. I also use it
    > so that I can keep track of the vendor's maintenance
    > (if something breaks after they log on, then I may
    > want to call them)...they have to ask us to unlock the
    > screen-saver.
    >
    > When I am not there, a trusted co-worker needs to be
    > able to unlock the screen-saver.
    >
    > I am not understanding the suggestions to make the
    > trusted co-worker a local administrator. Since the
    > server is a domain member server, I log on as the
    > domain administrator. Then it goes to password
    > protected screen-saver after 60 minutes of inactivity.
    > I know it needs an administrator's password to unlock
    > the screen-saver. I have assumed that meant my domain
    > administrator password instead of a local administrator
    > password. I will test this tomorrow at work.
    >
    >
    >
