RE: Windows 2000 security
From: Mike Curry (mikec@gjonas.com) Date: 08/09/02
From: Mike Curry <mikec@gjonas.com> To: "'Snow, Corey'" <csnow@deltadentalwa.com>, 'Marcus James' <marcus01@post.com> Date: Fri, 9 Aug 2002 15:58:20 -0400
Make life easier... download a copy of Baseline Security from Microsoft. It
does most of the work for you, then all you have to do is tweak.
Here is their description...
As part of Microsoft's Strategic Technology Protection Program, and in
response to direct customer need for a streamlined method of identifying
common security misconfigurations, Microsoft has developed the Microsoft
Baseline Security Analyzer (MBSA). Version 1.0 of MBSA includes a graphical
and command line interface that can perform local or remote scans of Windows
systems. MBSA runs on Windows 2000 and Windows XP systems and will scan for
missing hotfixes and vulnerabilities in the following products: Windows NT
4.0, Windows 2000, Windows XP, Internet Information Server (IIS) 4.0 and
5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and
Office 2000 and 2002. MBSA creates and stores individual XML security
reports for each computer scanned and will display the reports in the
graphical user interface in HTML.
Here is the link...
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
-----Original Message-----
From: Snow, Corey [mailto:csnow@deltadentalwa.com]
Sent: August 8, 2002 5:37 PM
To: 'Marcus James'
Cc: security-basics@securityfocus.com
Subject: RE: Windows 2000 security
> I have a simple question (I think). I am trying to secure a W2K
> professional workstation on a W2K network. I have hardened the box
> based on an ISF security checklist. However, I want to make sure
> that:
>
> 1) The domain administrator cannot login remotely
> 2) Nobody, including the domain admin, can login from the console, except
> the owner of the box
>
If the machine is a member of a domain, you cannot do this (disallow the
domain admin from doing anything), at least not permanently. The
"Administrator" account of the windows domain of which a machine is a member
can bypass any security settings on the system, or change them at will using
various methods (Group Policy, etc). You may be able to prevent members of
the "Domain Administrators" *group* from doing anything, but "Administrator"
(or whatever it's been renamed to, if you did that) bypasses anything or can
take ownership of anything. They've got the ultimate trump card.
Any security settings in a Windows 2000 domain are managed at the domain
controller. If the domain admin wished, he or she could set the privileges
he or she wanted and apply them to every machine in the domain. Domain
member machines will override local settings with domain-level settings,
regardless of whether domain-level settings tighten or loosen security.
The only way to do what you're wanting to do is to make the machine a
standalone box- not a member of a domain at all. But you shouldn't need to-
in what circumstances should the domain administrator be disallowed from
logging onto a box within the domain he or she is ostensibly in control of?
Corey M. Snow- csnow@deltadentalwa.com
I don't speak for my employer.
#########################################################
The information contained in this e-mail and subsequent attachments may be
privileged, confidential and protected from disclosure. This transmission is
intended for the sole use of the individual and entity to whom it is addressed.
If you are not the intended recipient, any dissemination, distribution or
copying is strictly prohibited. If you think that you have received this
message in error, please e-mail the sender at the above e-mail address.
#########################################################