Re: Securing workstations from IT guys

1) If the workstations are joined to the domain, the default security
settings place 'yourdomain\Domain Admins' as members of the local
Administrators group. With that kind of access, it's very simple to
grab the hashes of the local accounts and crack them.

2) Group Policy can operate through the computer's account to effect
changes - this is a definite way to make changes to many settings on
the machine.

I suggest installing a syslog client on the workstations in question
that casts eventlog entries to a machine under your control and
turning up the audit policy to maximum. The client I'm familiar with
is the SNARE client from www.intersectalliance.com - it works really
well.

However, if you can't trust your admins, fire them.

On Nov 25, 2007 10:24 AM, WALI <hkhasgiwale@xxxxxxxxx> wrote:
It's a catch 22 situation and I need to make our Windows Xp workstations
appropriately secure. Secure from rogue Helpdesk personnel as well as
network admins.
The HR guys are complaining that their 'offer' letters to prospective
employees and some of the CVs that they recieve are finding their way into
unwanted hands. I suspect both HR application vulnerability, for which I am
undertaking some vulnerability analysis but I also need to protect the PCs
that belong to Dept. of HR employees from rogue IT guys.

Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the day.
2. Change all Local Admin passwords so that even IT helpdesk/other doesn't
know them.
3. Advise HR guys to assign passwords to their excel/word files.
3. Do not create shares off c drive giving 'everyone' access.

But...because they are all connected to Windows 2003 domain, I still risk
someone from domain admin group to be able to start C$/D$ share and browse
into their c: drive, what should I do?

Also, it's easy to crack open xls/doc passwords, what else can be done?

Alternatively, Is there an auditing on PC that can be enabled to track/log
incoming connections to C$ and pop up and alert whenever someone tries it
out from a remote machine.

Pls advise!!




Relevant Pages

  • Re: How To Enabling a Password Policy
    ... > passwords is on the system configuration side not the ... limited testing running this on a Win2K Pro workstation to force admins ... to change their passwords over X days old (set on PDC). ... ::Avoid admins whose accounts are set never to expire. ...
    (microsoft.public.win2000.security)
  • Re: 2003 Domain Admins in NT4 Domain
    ... it seems that you only add the 2003\Domain Admins ... admin rights on a workstation in the NT4 domain. ... After adding these two groups into NT4's workstation's local Administrators ... >workstations are actually using a different DNS server. ...
    (microsoft.public.windows.server.migration)
  • Domain Global Groups in Workstation Local Admin Groups
    ... I want to create Global security groups, and populate the workstations local ... My problem is that I only want our functional software admins to have admin ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Problem using ADMT to migrate computer accounts
    ... Workstations in DOMAIN1 ... workstations) will only contain global group DOMAIN1\Domain Admins, ... a local group to contain another local group. ... > Below is a copy of the agent log. ...
    (microsoft.public.windows.server.migration)
  • Re: Problem using ADMT to migrate computer accounts
    ... >workstations) will only contain global group DOMAIN1 ... \Domain Admins, and NOT ... >a local group to contain another local group. ... Administrators group to each ...
    (microsoft.public.windows.server.migration)