Controls for client machines

From: paulroper (anonymous_at_discussions.microsoft.com)
Date: 05/11/04


Date: Tue, 11 May 2004 02:16:03 -0700

Hi there, I am a relatively inexperienced IT Auditor for the health service
in England. Each of our hospitals has its own network and these vary from
NT and 2000 to 2003. Our server rooms have a high level of physical protection;
however, our client machines could easily be accessed by a member of the
public. I cannot do anything about this; it's the nature of the
organisation.

I am trying to assess the risks that this causes to local data files and network security in general.

I have been reading material and this suggests the following:

For NT workstations it would be possible to use a NTFSDOS boot disk to
extract the SAM file from the workstation. LC4 could then be used to crack
the local administrator account password. For these workstations I intend
to recommend that all confidential files are stored on fileservers and that
the service pack with SYSKEY is applied.

For 2000 Professional/XP Pro workstations a boot disk is available that
allows the password of any local account to be set. As all users logon to
the domain, only administrator and guest account should be stored in the
workstation's SAM. For these workstations I intend to recommend that the
BIOS is amended so that the machine boots only from the HDD. The BIOS
should then be password protected. I will also recommend users take
advantage of EFS.

I would appreciate any comments/criticisms on my intended recommendations.
Are there ways to circumvent my suggestions? (I know it may be possible to
reset BIOS passwords.)
Also, after auditing laptops I realised that users could log on using the
domain account while disconnected from the network. I assume there must be
a hash of the user's domain password stored on the laptop. I cannot locate
these domain accounts in the SAM. Are there any tools which can recover the
hashed domain account passwords from client machines?
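As an added example (not part of the original post or any reply to it), the following read-only PowerShell audit checks the host-side controls the post discusses: whether SYSKEY is applied and in which mode, how many domain logons are cached locally (the setting behind the disconnected laptop logons described above), which local accounts exist in the workstation SAM besides Administrator and Guest, and whether EFS has been disabled by policy. It assumes a modern Windows client with PowerShell 5.1 or later (the NT and 2000 hosts in the post predate PowerShell), an elevated prompt so the Lsa key is readable, and its own thresholds such as "at most two cached logons on a laptop"; the registry paths and value names are the documented Windows locations, while the function names and thresholds are the example's own.

```powershell
# Added audit example, not from the original post. Assumes Windows 10/Server 2016
# or later with PowerShell 5.1+, run elevated. Registry locations are the documented
# Windows ones; thresholds are this example's choices.

function New-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail }
}

function Get-WorkstationControlFindings {
    $findings = @()

    # SYSKEY mode: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot
    # 1 = key kept in the registry, 2 = startup password, 3 = key on removable media.
    $lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $mode = $lsa.SecureBoot
    if ($null -eq $mode) {
        $findings += New-Finding 'SYSKEY' 'FAIL' 'SecureBoot value missing; the SAM does not appear to be SYSKEY-protected'
    } elseif ($mode -eq 1) {
        $findings += New-Finding 'SYSKEY' 'WARN' 'Mode 1: key stored on the local disk, so booting from removable media still exposes the SAM; compensate with boot-order controls and disk encryption'
    } else {
        $findings += New-Finding 'SYSKEY' 'PASS' "Mode $mode`: key is not stored on the local disk"
    }

    # Cached domain logons: Winlogon\CachedLogonsCount (REG_SZ, default "10").
    # Each cached logon leaves a verifier derived from the user's domain password on
    # the client; this is what allows a laptop user to log on while disconnected.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $cached   = if ($null -ne $winlogon.CachedLogonsCount) { [int]$winlogon.CachedLogonsCount } else { 10 }
    # Chassis types 8, 9, 10 and 14 are the portable/laptop/notebook enclosures.
    $chassis  = (Get-CimInstance Win32_SystemEnclosure).ChassisTypes
    $isLaptop = @($chassis | Where-Object { $_ -in 8, 9, 10, 14 }).Count -gt 0
    $limit    = if ($isLaptop) { 2 } else { 0 }   # example thresholds: desktops need no cache
    $status   = if ($cached -le $limit) { 'PASS' } else { 'WARN' }
    $findings += New-Finding 'CachedLogons' $status "CachedLogonsCount=$cached (laptop=$isLaptop, recommended <= $limit)"

    # Local accounts: when everyone logs on to the domain, only the built-in
    # Administrator (RID 500) and Guest (RID 501) should exist locally, and Guest
    # should be disabled. Any other enabled account (RID >= 1000) is worth a look.
    foreach ($u in Get-LocalUser) {
        $rid = [int](($u.SID.Value -split '-')[-1])
        if ($rid -eq 501 -and $u.Enabled) {
            $findings += New-Finding 'LocalAccounts' 'FAIL' 'Built-in Guest account is enabled'
        } elseif ($rid -ge 1000 -and $u.Enabled) {
            $findings += New-Finding 'LocalAccounts' 'WARN' "Extra enabled local account: $($u.Name)"
        }
    }

    # EFS: EfsConfiguration = 1 under the EFS policy key disables EFS machine-wide,
    # which would silently defeat a recommendation that users rely on it.
    $efs = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS' -ErrorAction SilentlyContinue
    if ($efs -and $efs.EfsConfiguration -eq 1) {
        $findings += New-Finding 'EFS' 'FAIL' 'EFS is disabled by policy (EfsConfiguration=1)'
    } else {
        $findings += New-Finding 'EFS' 'PASS' 'EFS is available; confirm a recovery agent is configured before relying on it'
    }

    # BIOS boot order and BIOS password are not exposed through the OS in a
    # generic way, so they remain a console check recorded by hand.
    $findings += New-Finding 'BIOS' 'MANUAL' 'Verify HDD-only boot order and a set BIOS password at the console'

    return $findings
}

Get-WorkstationControlFindings | Format-Table -AutoSize
```

The script only reads registry values and account metadata; it changes nothing. A WARN on the cached-logons line is the item most directly tied to the disconnected-laptop question in the post: lowering CachedLogonsCount (to 0 on desktops that never leave the building) removes the locally stored domain password material that the post is worried about, while laptops keep a small cache so users can still log on off-site.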


