July 9th, 2002 11:44 PM
don't get caught with your floppy out....
floppies are much a thing of the past but they are still an often overlooked entry point
this is most important in a networked corporate situation...and the specifics apply to nt/wk/xp systems. linux users can extrapolate and win9x people...well..you're so insecure...why bother
note: your screw ups are your own...don't blame me...especially if you're messing with AD...hehe
2] "i just brought in some pictures from home...i didn't know i had a virus..i'm really sorry it sent out that confidential memo..really"
"This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying the crypted password in the registry's SAM file.
You do not need to know the old password to set a new one. "
3] unsecured access point is a baaad thing...you could lose trade secrets, passwords...any number of things
You have a variety of options.
1] The most secure is to simply remove the drive altogether. I have a stack of 3.5 drives in my parts closet. No one on my network needs floppy access so i make sure they can't.
2] have floppies in locking cases on servers
Middleware - the BIOS
1] set the boot sequence to c: only. this will NOT prevent someone from accessing the drive once the system has started but if you have strong password security it will help prevent exploits as in #3 above. Note it's important to password protect your BIOS to make it hard for someone to boot to the BIOS setup and change the settings back to a: C: etc...of course unless you have a locked case, someone can open the case and disconnect the battery to erase the BIOS...
2] aside: while you are in the BIOS, disabling the floppy seek on boot setting will speed up your boot sequence. it will NOT provide any additional security.
Software - OS level
1] Disable floppy drive in Device Manager (requires admin rights)
2] you can also "share" the drive and set permissions to admins only
these 2 work ok if you have a few systems but requires you to visit each station. for larger networks and/or lazy admins...
3] set a group policy via Active Directory
- active directory users and computers
- right click on your domain
- select properties/group policy/edit
- user configuration/windows explorer
- hide these specified drives in My Computer a: enabled
- prevent access to drives from my computer a: enabled
- next gp refresh the drives will be inaccessible
except for actually removing the drives, there are likely ways around all of these hints, however they will substantially increase the amount of time it takes to compromise your systems...and sometimes that's enough.
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
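
Added example, not part of the original post: a check that the two group policy settings from step 3] actually reached a user's profile. It assumes the settings are stored as the `NoDrives` and `NoViewOnDrive` drive bitmasks under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`; the `reg query` output below is constructed, and the function names are hypothetical.

```python
import re
import string

# Constructed sample: output of
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# on a workstation where only the "hide" setting reached the user.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
    NoDrives    REG_DWORD    0x3
"""

# Registry values behind the two policy settings (bit 0 = A:, bit 1 = B:, ...).
POLICY_VALUES = {
    "NoDrives": "hide these specified drives in My Computer",
    "NoViewOnDrive": "prevent access to drives from My Computer",
}

VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def drives_in_mask(mask):
    """Decode a drive bitmask into letters: 0x1 -> ['A'], 0x3 -> ['A', 'B']."""
    return [c for i, c in enumerate(string.ascii_uppercase) if mask >> i & 1]


def audit_drive(text, drive="A"):
    """List the policy settings that do NOT cover the given drive letter."""
    values = parse_reg_query(text)
    missing = []
    for name, label in POLICY_VALUES.items():
        if drive not in drives_in_mask(values.get(name, 0)):
            missing.append(f"{name} ({label}) does not cover {drive}:")
    return missing


if __name__ == "__main__":
    for finding in audit_drive(SAMPLE_REG_QUERY) or ["A: is hidden and blocked"]:
        print(finding)
```

In the sample, A: and B: are hidden but not blocked, so the drive is only out of sight in My Computer; the audit reports the missing `NoViewOnDrive` bit.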
July 9th, 2002 11:52 PM
Nice title, quite original
July 9th, 2002 11:53 PM
Re: don't get caught with your floppy out....
*BIG grin* that was just funny
Nice shot Zigar.
The ark was built by amateurs...
The Titanic was built by professionals.
July 10th, 2002 01:08 AM
This is really useful, and clearly stated. Thanks!
The Owls Are Not What They Seem