Security Basics mailing list archives
Re: Securing workstations from IT guys
From: rohnskii () gmail com
Date: 26 Nov 2007 22:19:20 -0000
Others have already made most of the appropriate suggestions, so let's take a look at some of the issues associated with your original ideas:

<snip>
Here are the basics of what I intend to do:
1. Advise all HR users to shutdown their PC before they leave for the day.
2. Change all Local Admin passwords so that even IT helpdesk/other doesn't know them.
3. Advise HR guys to assign passwords to their excel/word files.
4. Do not create shares off c drive giving 'everyone' access.
</snip>

#1 - PC shutdown has limited value against an IT insider because some newer PC/NIC combinations allow the PC to be powered on from the network to allow administrative work, i.e. patching. Shutting down, or at least enabling & password locking the screensaver, will prevent casual passers-by (i.e. the janitor) from using the PC to steal info. I don't think that anyone has mentioned yet that anyone with physical access to a PC can easily bypass the basic Windows password protection (another very good reason for not allowing local storage of sensitive data). Also, I read an article about a company that implemented a policy and procedure to remotely (from the network) shut down all company PCs after work hours. They did it as a cost saving measure, estimated to save them tens of thousands of dollars a year in electricity alone.

#2 - If IT does not know the local admin password, how can they do their job, patching & maintaining the PC? Realistically, there shouldn't be any HR related applications that absolutely require end users to use the Admin ID to do their job. And there is no other reason for a user to know the admin password.

#3 - Using M$ Excel / Word passwords is ineffective. Their implementation of encryption is very weak. There are many tools for cracking them available on the internet. Again, that type of password is only adequate protection from the "average" user, not from an informed thief, whether they work in IT or not.

An option I haven't seen mentioned yet is to store the sensitive documents offline. Put them on a device that can easily be unplugged, i.e. a USB drive, and lock them up at night. If it is offline, no one (authorized or not) can access it. Note, it has to be securely locked up because average office desks and file cabinets can be picked in no time flat.