General discussion

Locked

Admin Password: Securing Workstations

By jon ·
I have about 30 computers for which used a Linux based boot disk to hack into the user database to change the Administrator password. Now, to truly secure my workstations on a Windows based network, I would take the following steps. Can you help me think of things that I'm missing?

1. Prevent physical access to the chassis.
2. Remove floppy drive.
3. Password protect bios.
4. Disable Optical booting
5. Implement Group Policy
6. Re-direct user folders and delte roaming Cache at logoff.
7. Physically secure workstation.

If it's as easy as booting to a linux disk to change the admin password, then the system is not secure IMHO.

Should I do anything else to secure my workstations? Have I gone overboard?

What other risks will I encounter?

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by HAL 9000 Moderator In reply to Admin Password: Securing ...

You are making a Rod for your own Back by attempting to do this as what's going to happen the next time that the Password becomes corrupt or it gets changes without someone notifying you?

What you have to remember is that while it may be easy for you to drop in a Live Linux CD and Boot from that and then change Passwords this is something that the average end user can not do so it really isn't a problem.

But if you want you can leave the Floppy in Place and set BIOS to boot off the HDD ONLY so that will bypass the Boot From Floppy and Optical options you just have the one option in BIOS to boot from the HDD as a first option and all the other options disabled.

As for making it impossible to have physical access to the chassis you can always seal them with a locking device of some description. Most new chassis have a sealing tab sticking out the back that you can put a locking device through to prevent tampering.

For 5 & 6 this is done at the Server and is a standard setup for any Windows Domain.

7 is the hardest one I once filled in the power plug with Epoxy Glue to suit a customers request for a Totally Secure Workstation but of course while it looked nice it was unusable.

Yes you have gone way OVERBOARD here the Live Linux are a great Tech Tool that are indispensable to every tech but honestly I've yet to find any end user capable of actually finding an ISO of one to download let alone knowing how to use it once they have it given to them from a Disc Cover on a Mag or something similar.

The main risks that you will encounter is that when something does go wrong you will have effectively locked yourself out of the system and it will be time consuming to get back in to correct the problems.

By the way Windows and Security should never be used in the same sentence unless you expect any decent Tech to fall to the floor laughing.

Col

Collapse -

by cmiller5400 In reply to Admin Password: Securing ...

I would be more worried about securing the server than a workstation. All files that users create should be stored on a server, if security of the files is nessicary, then use EFS on the files so that only the user and the domain admin and any recovery agents specified have access to the file. Therefore, you only need to worry about access to the device through the network and physically locking it up somewhere unaccessable to users.

Collapse -

by Former Big Iron Guy In reply to Admin Password: Securing ...

Uhhh, seems to me that you forgot to deal with USB and Firewire devices, and logins over the network... You have gone just a little over the top.
I'd look at doing less of your stuff and more of:
a. User education on security
b. Acceptable use policies
c. Audting, forensics, IDS, log analysis.

It is never the technology, it is always the people.
-h

Collapse -

by jon In reply to Admin Password: Securing ...

Nobody will ever change the password, so that's not a problem. I have done a fairly good job of securing everything from what I can tell. Thanks for the help.

Collapse -

by Spencerdoot In reply to Admin Password: Securing ...

to by pass a system you first must get as much information as you can if you do not know like the area code or the street name or the town you r sos or $%%^#% out of luck

Sin.
dr. know

Collapse -

by Spencerdoot In reply to Admin Password: Securing ...

Make a system that is found in the microsoft tools of help.

Back to Windows Forum
6 total posts (Page 1 of 1)  

Related Discussions

Related Forums