Firewall Wizards mailing list archives

RE: Stanford break in


From: Richard.Bertolett () ci austin tx us
Date: Thu, 22 Apr 2004 09:20:27 -0500

All,
In Windows administration, single-workstation authentication is possible, as
it is an attribute of the user account.  This could possibly be scripted
with VBScript, but there is a gotcha.  In a Domain-type environment (NT4
Domains, NT5.x Active Directory), there has to be some sort of computer
naming schema, for the WMI interface to look for.  In some enterprises, the
naming is done based on the user name, and this would enable the scripting
to work most of the time. But if the computer naming is done based on
computer site/floor/department location or perhaps computer serial number,
the mapping of user ID to computer ID becomes considerably more difficult.
I know it is possible in Novell NDS, but here again, the actual implementation
contributes its own complexities.

Add to this the Layer [8] political realities of (a) users sometimes just
start using different machines, and it seems IT admins are the last to find
out, (b) in any central office-branch office organization, there seem to
proliferate any number of 'smart users' that want to login to other machines
to help their users, and (c) the usual under-staffedness of IT departments
within any given organization, there never seems to be enough time to
administer this kind of thing - automatically or manually - when the admins
are busy recovering borked servers, adding new user groups for workgroup
access to files, yada yada.  You can see that this, while a good idea,
becomes so terribly manual as to be mostly unworkable.

IMHO.

Cheers,
Rick Bertolett
Austin Water Utility 


Authenticate with the server, but only allow access to one workstation.
I've never had to do this on a large scale, is it as time consuming as
it seems that it might be or are there tools that make this easier?

I'm not sure about the degree of administrative difficulty, hopefully
someone with Windows admin experience can answer that.
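
The per-account workstation restriction discussed in this thread, as an added example that is not part of the original messages: it takes the user-to-computer mapping from an asset inventory instead of deriving it from computer names, which is the case the reply calls difficult. It uses PowerShell with the ActiveDirectory module rather than the VBScript mentioned above; the inventory rows, computer names and account names are constructed, and Get-WorkstationMap is a hypothetical helper.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed inventory: names are site/floor/serial based, so the
# owner cannot be guessed from the computer name.
$inventory = @'
Computer,AssignedUser
ATX-F2-0113,jdoe
ATX-F2-0114,asmith
ATX-F3-0201,jdoe
ATX-F3-0202,
'@ | ConvertFrom-Csv

# Hypothetical helper: group the inventory into user -> computer list.
function Get-WorkstationMap {
    param([object[]]$Inventory)
    $map = @{}
    foreach ($row in $Inventory) {
        if (-not $row.AssignedUser) { continue }      # unassigned machine
        $key = $row.AssignedUser.ToLower()
        if (-not $map.ContainsKey($key)) {
            $map[$key] = New-Object 'System.Collections.Generic.List[string]'
        }
        $map[$key].Add($row.Computer)
    }
    return $map
}

$map = Get-WorkstationMap -Inventory $inventory

foreach ($user in $map.Keys) {
    # The "Log On To" list is stored as one comma-separated string.
    $wanted  = ($map[$user] | Sort-Object -Unique) -join ','
    $current = (Get-ADUser -Identity $user -Properties LogonWorkstations).LogonWorkstations
    if ($current -ne $wanted) {
        # -WhatIf prints the change without making it; remove to apply.
        Set-ADUser -Identity $user -LogonWorkstations $wanted -WhatIf
    }
}

# Accounts that still have no workstation restriction at all.
Get-ADUser -Filter * -Properties LogonWorkstations |
    Where-Object { -not $_.LogonWorkstations } |
    Select-Object SamAccountName
```

Users who move to a different machine without telling IT show up as a mismatch between the inventory and the directory on the next run, so the inventory has to be kept current for the restriction to stay accurate.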
