Groups vs. Computer Management - Page 2

Thread: Groups vs. Computer Management

  1. #11
    ShagDevil (Some Assembly Required) | Joined Nov 2002 | New Jersey | 718 posts
    thehorse13,
    Now, let's not even get into the various security issues of people installing vulnerable versions of real player, winamp, etc., especially when they end up on disk images
    That's why we have each user on our network set to limited accounts. They can't install squat (and we like it that way). Sure, we get grumbles but, at least the network stays clean.

    I've been using my method as of late (for quick Admin tasks) and it's working fairly well. I don't need much in the way of remote administration because the farthest user computer is about a 200 foot walk. I have taken what you said under consideration though and plan on reviewing security policies come Tuesday morning. (yeah, I'm taking Monday off damnit, I need it)

    What security policies do you feel should take priority? Domain policy? DC policy? Local policy on each user computer? I'm not really looking for a tutorial here, just a recommendation for which policy would have the farthest reaching effects. I'm guessing by default, the Domain/DC policies would obviously be the most potent but, I'm not a huge fan of messing with system wide security policy for trivial admin tasks. Again, thanks for the replies.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  2. #12
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Joined Dec 2002 | Washington D.C. area | 2,883 posts
    LOL. Answering this question is much like when my buddy used to lift the hood of his 1971 GTO and ask me what he should fix first. Heh.

    Anyway, the first thing you need to look at is your corporate security policy. This should be where your company's high level objectives, goals and beliefs should be noted. Hanging off this policy should be your procedures, baselines and guidelines. Within that you'll find (more than likely) the policy you need to look for. There should be a place where verbiage exists on how AD is to be managed. If you don't find what you're looking for down here, go up the tree towards the more general policy statements. This is also a good way to spot problems or conflicts in your policies even though you're not out to do that specifically.

    In the end, my advice to you is to read and understand *all* of the policies at your company then go off and make your final call. There is nothing worse than implementing something that works well only to find out that a technicality in a policy renders it void. It's also a good way to find yourself sidelined when a promotion comes along.

    Enough info? If not, hit me up on IRC or such.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #13
    nihil (Super Moderator: GMT Zone) | Joined Jul 2003 | United Kingdom: Bridlington | 17,191 posts
    ShagDevil,

    My advice is to start from the bottom and work up. Ask what the person needs to do their job?

    Also, at a higher level, which groups/networks whatever actually need to be connected by anything other than internal mail and the telephone?



    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #14
    ShagDevil (Some Assembly Required) | Joined Nov 2002 | New Jersey | 718 posts
    1971 GTO.....drooool. The only thing I like better from '71 is a Chevelle.
    Anyways,
    I think I have a good game plan formulated now. I'll see over the coming weeks how everything turns out. You know, with all this technology these days...it's amazing how I still do most of my planning with pencil & paper. I pretty much learned that from my programming days....yeah, you guessed it, flow charts.
    Thanks again for everyone's input on the matter.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  5. #15
    Spyrus (Senior Member) | Joined Oct 2002 | 742 posts
    Originally posted here by thehorse13
    Before I ask my questions, I want you to know that I'm asking for informational purposes, not to put you on the hot seat.

    Now, when you say that you have a third party remote control app listening on each workstation, do all of them have the same credentials for sign in? I nearly choked a few admins for this.

    Next, you mentioned that you run the su.exe program when you login remotely. By your description, it sounds like the local user has rights to execute that app. Is this the case?

    More or less, I rained fire down from the sky on poor desktop management practices. The biggest issue I came across is end users having rights to install any app they like. When you look back to our policy, they have no need to do this because we only support the core business apps. If you look at our helpdesk calls, 60% are for apps that are outside the supported suite. Now, let's not even get into the various security issues of people installing vulnerable versions of real player, winamp, etc., especially when they end up on disk images.

    So again, I always use policy and requirements as my weapon of choice. Then I move on to the technical specifics.
    The 3rd party remote control app that we use utilizes AD credentials to remote in. We have a group for remote access and if you are in that group for that OU you can access the PCs in that OU.

    Once you remote into the PC, the user does have access to open the SU application. This application again authenticates against the DCs to see if you are an administrator or not. If you are then you login with your Domain rights and can install apps etc. This includes basic applications like 5250 emulators or Word.

    In short the user can launch the application but without domain admin capability can't do anything. They also don't have access to log into the remote application.

    Am I missing some issues here I should look into? I mean I know our security is FAR from exceptional... usability is way higher on our corporate security guidelines than security seems to be. I cringe at some of the issues but after making my recommendations there is only so much I can do.
    Duct tape.....A whole lot of Duct Tape

  6. #16
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Joined Dec 2002 | Washington D.C. area | 2,883 posts
    Originally posted here by Spyrus
    The 3rd party remote control app that we use utilizes AD credentials to remote in. We have a group for remote access and if you are in that group for that OU you can access the PCs in that OU.

    Once you remote into the PC, the user does have access to open the SU application. This application again authenticates against the DCs to see if you are an administrator or not. If you are then you login with your Domain rights and can install apps etc. This includes basic applications like 5250 emulators or Word.

    In short the user can launch the application but without domain admin capability can't do anything. They also don't have access to log into the remote application.

    Am I missing some issues here I should look into? I mean I know our security is FAR from exceptional... usability is way higher on our corporate security guidelines than security seems to be. I cringe at some of the issues but after making my recommendations there is only so much I can do.
    I was curious simply because I bitched at our admins for doing this process using cleartext protocols. I handed them their domain admin credentials after running a very simple network tool. When they fixed that, I did it again using a keylogger installed using an end user's AD account. After that, they took away most of the horribleness I complained about. LOL. That's all you're missing.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
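
One way to find where the exposure described in post #16 exists (domain admin credentials entered on end-user workstations), as an added example that is not part of the thread. The account names, host naming prefix and log records are constructed assumptions; the event IDs and logon types are the standard Windows Security log values.

```python
from collections import defaultdict

# Assumptions for this example: the Domain Admins members and the workstation
# naming prefix are made up; replace them with your own directory data.
PRIVILEGED = {"da-jsmith", "da-mlee"}
WORKSTATION_PREFIXES = ("WS-",)

# Constructed records, simplified from Windows Security log events:
#   4648 = logon attempted with explicit credentials (runas/su-style tools)
#   4624 = successful logon; type 2 interactive, 10 remote interactive, 3 network
EVENTS = [
    {"id": 4624, "host": "WS-ACCT-07", "target": "bjones", "logon_type": 2},
    {"id": 4648, "host": "WS-ACCT-07", "target": "DA-JSmith", "subject": "bjones"},
    {"id": 4624, "host": "WS-SHIP-02", "target": "da-mlee", "logon_type": 10},
    {"id": 4624, "host": "WS-SHIP-03", "target": "da-mlee", "logon_type": 3},
    {"id": 4624, "host": "DC-01", "target": "da-jsmith", "logon_type": 2},
    {"id": 4648, "host": "WS-ACCT-09", "target": "helpdesk1", "subject": "csmith"},
]

def is_workstation(host):
    """Classify a host as an end-user workstation by its (assumed) name prefix."""
    return host.upper().startswith(WORKSTATION_PREFIXES)

def exposes_credentials(event):
    """True when the logon means the secret was typed or cached on that host."""
    if event["id"] == 4648:
        return True
    return event["id"] == 4624 and event.get("logon_type") in (2, 10)

def risky_admin_logons(events, privileged=PRIVILEGED):
    """Map each privileged account to the workstations where it was entered."""
    findings = defaultdict(set)
    for event in events:
        account = event["target"].lower()
        if account not in privileged or not is_workstation(event["host"]):
            continue
        if exposes_credentials(event):
            findings[account].add(event["host"])
    return {account: sorted(hosts) for account, hosts in findings.items()}

if __name__ == "__main__":
    for account, hosts in risky_admin_logons(EVENTS).items():
        print(f"{account}: credentials entered on {', '.join(hosts)}")
```

Network logons (type 3) and logons on the domain controller are deliberately not flagged, since the point is to list the end-user machines where a privileged password was actually entered.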

  7. #17
    Spyrus (Senior Member) | Joined Oct 2002 | 742 posts
    Originally posted here by thehorse13
    I was curious simply because I bitched at our admins for doing this process using cleartext protocols. I handed them their domain admin credentials after running a very simple network tool. When they fixed that, I did it again using a keylogger installed using an end user's AD account. After that, they took away most of the horribleness I complained about. LOL. That's all you're missing.

    --Th13
    LOL-- Is that all?!?! I really wish I had a larger impact on the security in our corporation as a whole. I by no means consider myself an expert... In fact if you look at the grand scheme of security I look at myself as a novice. I just take the time to look into different aspects. I understand the gaping holes we have with various applications and with even the core structures like our AD security. Our remote application (remotely anywhere) allows for encrypted connection... on that same note 3/4 of the machines aren't set up to use encrypted. We also have another server that uses 5250 connection (I'll let you figure out what it is) and I don't believe that is encrypted either. It should be using ssh instead but no one wants to set that up.

    Will a keylogger pick up a remote session's keystrokes? I can't say I have ever tested it or thought about it.
    Duct tape.....A whole lot of Duct Tape

  8. #18
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Joined Dec 2002 | Washington D.C. area | 2,883 posts
    Keyloggers typically pick up local keystrokes, not remote sessions.

    Terminal 5250 is just another horrible mainframe emulation such as erma 3270. I have tons of that crap spread around my environment. Do you use ACF2? It's a horrible mainframe security suite. If you want to kill yourself, go play with it.

    We had the same issue but then our C level folks allowed us to rewrite our policies which now include consequences for bad actions. We've also switched over to a risk based model simply because using the strict list model, we cannot cover every situation that we come into contact with.
    OK, I'm starting to run off with the thread. Sorry, now back to our regularly scheduled program.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
