1) Create a WorkstationAdmin who has admin privileges on workstations
(local admin), and NOT on servers, active directory, network folders, etc...
This will ensure, if the password is compromised, that only your
workstations will be at risk.
2) If you have several OUs and several Local Administrators/Supervisors,
create different WorkstationAdmins.
Again: the lowest number of machines compromised in case someone will
get this password.
3) Change this password(s) EVERY DAY. Or every hour.
A question from my side, now.
How many times these operations are performed every day???
Everyday operations have to be easy and fast. In this case, I suggest
you to give your Supervisors a wide range of "freedom".
Otherwise you'll get a call everytime a normal maintenance operation is
performed on a remote, lonely and unuseful machine (something you don't
want to happen).
It's better to have 5 workstations compromised every year - that need to
be reinstalled - than 50 calls every day.
How many workstations/LocalAdmins do you have???
Is there a REAL security risk in your environment? Who can be really
dangerous for you? If you're at risk, and you have to protect sensible
information, you'll need to give up on usability, and go for the
security (i.e. change LocalAdmins passwords everyday).
If you don't have something really important to protect... c'mon, just
make LocalAdmin life easy.
If you're managing 10.000 machines in a high school, what data are you
trying to protect on every single workstation? PPT files for the art
teacher and some stupid videos downloaded from students?? ;-)
Let them play, and mess up!
It could be nice to have a final report on this question...
Something that will put together all these suggestions and try to line
out a security model (from very weak to very strong) for different
security needs.
Hope this helped.
Davide
Boris Skoblo wrote:
>
>>> Hi All,
>>>
>>> There is a usual situation: on normal users computers ( W2k and
>>> Winxp ) an administrator should perform an administrative actions
>>> (for example, with help RunAs) thus the administrative password is
>>> entered. Do exist a potential possibility that on the user's computer
>>> there is keylogger.
>>>
>>>
>>> What ways to perform administrative operations exist, thus not
>>> endangering disclosure the administrative password? There are some
>>> limitations:
>>>
>>> 1. usage of smarts-cards and others hardvare devices are not
>>> applicable .
>>>
>>> 2. performed operations cannot be delegated for various reasons
>>>
>>> 3. keylogger is custom designed and any of existing protective
>>> software yet does not find out it
>>>
>>> ------------------------------------------------------------------------
------------------------------------------------------------------------
------------------------------------------------
What about something like:
1) Create a WorkstationAdmin who has admin privileges on workstations
(local admin), and NOT on servers, active directory, network folders, etc...
This will ensure, if the password is compromised, that only your
workstations will be at risk.
2) If you have several OUs and several Local Administrators/Supervisors,
create different WorkstationAdmins.
Again: the lowest number of machines compromised in case someone will
get this password.
3) Change this password(s) EVERY DAY. Or every hour.
A question from my side, now.
How many times these operations are performed every day???
Everyday operations have to be easy and fast. In this case, I suggest
you to give your Supervisors a wide range of "freedom".
Otherwise you'll get a call everytime a normal maintenance operation is
performed on a remote, lonely and unuseful machine (something you don't
want to happen).
It's better to have 5 workstations compromised every year - that need to
be reinstalled - than 50 calls every day.
How many workstations/LocalAdmins do you have???
Is there a REAL security risk in your environment? Who can be really
dangerous for you? If you're at risk, and you have to protect sensible
information, you'll need to give up on usability, and go for the
security (i.e. change LocalAdmins passwords everyday).
If you don't have something really important to protect... c'mon, just
make LocalAdmin life easy.
If you're managing 10.000 machines in a high school, what data are you
trying to protect on every single workstation? PPT files for the art
teacher and some stupid videos downloaded from students?? ;-)
Let them play, and mess up!
It could be nice to have a final report on this question...
Something that will put together all these suggestions and try to line
out a security model (from very weak to very strong) for different
security needs.
Hope this helped.
Davide
Boris Skoblo wrote:
>
>>> Hi All,
>>>
>>> There is a usual situation: on normal users computers ( W2k and
>>> Winxp ) an administrator should perform an administrative actions
>>> (for example, with help RunAs) thus the administrative password is
>>> entered. Do exist a potential possibility that on the user's computer
>>> there is keylogger.
>>>
>>>
>>> What ways to perform administrative operations exist, thus not
>>> endangering disclosure the administrative password? There are some
>>> limitations:
>>>
>>> 1. usage of smarts-cards and others hardvare devices are not
>>> applicable .
>>>
>>> 2. performed operations cannot be delegated for various reasons
>>>
>>> 3. keylogger is custom designed and any of existing protective
>>> software yet does not find out it
>>>
>>> ------------------------------------------------------------------------
------------------------------------------------------------------------
------------------------------------------------
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]