Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: NT Security
From: craigw @ mac . ce . com . au
Date: Fri, 27 Sep 1996 10:21:08 +0000
To: Stewart Shinewald <stewarts @ cul . ca>
Cc: Firewalls Mailing list <firewalls @ GreatCircle . COM>
Comments: Authenticated sender is <craigw @ [172 . 16 . 240 . 1]>

First thing is that you DO NOT give the admin password to the user of 
the workstation. If they do not like this...stiff. You set up rights 
for that user on the NT machine based on what they are likely to 
need. Delete the guest user, set the file permissions so that the user 
cannot delete key files, and give them full access only to the home 
section of their drive.

You can then scan the workstation over the network as root, logging in as 
root without letting the user know, restrict the user from copying 
"UnAuthorized software" to the machine etc.

In many cases it is not even desirable to give a workstation user 
control over the printers. If you do this you may find them using the 
$5 a page color laser that only marketing is meant to have access to.

Basically give the user what they need for the job, and no more, as I 
have not met a user yet who will not try and get all he/she can from 
the system (i.e. games etc.), even if this goes against system security. 
Most users do not give a F*%K re security until they lose a file or 
it affects them.

Craig


> Leonard Miyata wrote:
> > 
> > As far as NTFS and (isolated host) C2 ratings, one of the requirements
> > is no floppy drive. Unlike the DOS file system (FAT16), NTFS does
> > support multiple user access control bindings. I understand that there
> > exists a DOS utility to read NTFS partitions. If you have access to the
> > NT machine, you reboot with a DOS system floppy disk, and with this
> > utility, you can bypass all NT file access control
> > 
> > Personal Opinions provided by
> > Leonard Miyata
> > aka leonard @ geminisecure . com
> > Gemini Computers Inc.
> > 
> > On Wed, 25 Sep 1996, Chris Pugrud wrote:
> > 
> > > Close on the C2 rating.  NT was rated with NTFS and requires it.  What
> > > the rating excluded was networking.  Although, there has been a lot of
> > > noise on here lately that C2 does not cover or include networking.  I'll
> > > leave that to the pundits.
> > >
> > > Chris
> > >
> > > >-----Original Message-----
> > > From:         Joseph S. D. Yao [SMTP:jsdy @ cospo . osis . gov]
> > > Sent:                 Wednesday, September 25, 1996 1:09 PM
> > > To:                   dckinder @ ahcbsd1 . ovnet . com
> > > Cc:                   Firewalls Mailing list
> > > Subject:      Re: NT Security
> > > > Date: Fri, 6 Sep 1996 15:28:07 +0000
> > > > From: dckinder @ ahcbsd1 . ovnet . com
> > > > Subject: NT Security
> > > ...
> > > > So far, however, I have been unable to obtain technical information
> > > > on NT-based security questions.  I would like to be able to have at
> > > > least a journeyman's understanding of this subject as well.
> > > >
> > > > If somebody could direct me to a website or a book or other source of
> > > > information that deals specifically with NT security, I would
> > > > appreciate it.
> > >
> > > When I was putting together some material a couple of years ago, the
> > > only source was a few pages out of the huge (and expensive) four-volume
> > > Microsoft administrators' reference manual.  A quick Web search does
> > > turn up:
> > >
> > >       Trusted Systems' Windows NT Security textbook
> > >       http://somarsoft.com/security.htm
> > >
> > > and other sporadic network resources.  Just enter "Windows NT security"
> > > to Alta Vista and watch the resources pop up.
> > >
> > > Much has been made of NT's "C2" certification.  I've heard that it was
> > > certified without the standard NT file system; and with that file
> > > system, it can't be certified.  Beware.
> > >
> > > --
> > > Joe Yao                               jsdy @ cospo . osis . gov - Joseph S. D. Yao
> > > COSPO Computer Support                                                EMT-A/B
> > > -----------------------------------------------------------------------
> > >       PLEASE ... send or Cc: all "COSPO Computer Support" mail to
> > >                       sys-adm @ cospo . osis . gov
> > >
> Our company is just moving to NT.  In the past, when we audited 
> workstations, it was relatively easy to review the user's hard drive for 
> unsupported software or non company use of resources by using DOS 
> utilities such as PC TOOLS or NORTON.
> 
> Now that a workstation can be secured with a password and NTFS I had 
> presumed that booting from a floppy and using DOS utilities to scan the 
> hard drive would not work.
> 
> Occasionally, we would audit a pc without the knowledge of the user thus 
> we would not know the password.
> 
> What utility programs would permit an auditor to scan and view in text 
> format, an entire hard drive including NT File Systems?  Will these also 
> permit the restoration and viewing of deleted files?  If files are 
> password protected or NT encrypted, are you aware of any utilities that 
> will permit the viewing of the contents of these files?
> 
> Stewart Shinewald
> 

        ,'~``.              \|/              ,'``~.
        (-o=o-)            (@ @)            ,(-o=o-),
+--.oooO--(_)--Ooo-----oOO-(_)-OOo-------oooO--(_)--Oooo.------+
|                                                              |
|   Soon, we may all be staring at our computers, wondering    |
|               whether they're staring back.                  |
|                                                              |
| [Network Admin For WPA Business Products.  aka doshai >;-) ] |
|    .oooO        http://pip.com.au/~doshai/      Oooo.        |
|    (   )   Oooo.                        .oooO   (   )        |
+-----\ (----(   )-------oooO-Oooo--------(   )--- ) /---------+
       \_)    ) /                          \ (    (_/
             (_/                            \_)
Key fingerprint = 2D F4 54 BB B4 EA F1 E7  B6 DE 48 92 FC 8D FF 49
Send a message with the subject "send pgp-key" for a copy of my key.
(if I want to give it to you)
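
The hardening points in Craig's message (no usable Guest account, no administrator rights for the workstation user, no write or delete access to key files, full control only over the home area) can be checked with a read-only audit. This is an added example, not part of the original message, written for a current Windows system with the PowerShell LocalAccounts cmdlets; the user name and paths are assumed placeholder values.

```powershell
# Added example: read-only audit of the least-privilege points in the message.
# $UserName, $HomePath and $ProtectedPaths are assumed values, not from the post.
param(
    [string]   $UserName       = 'jsmith',
    [string]   $HomePath       = 'C:\Users\jsmith',
    [string[]] $ProtectedPaths = @("$env:SystemRoot\System32")
)
$findings = @()
$user = Get-LocalUser -Name $UserName -ErrorAction Stop

# 1. Guest (RID 501) should not be usable, whatever it has been renamed to.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { $findings += "Guest account '$($guest.Name)' is enabled" }

# 2. The workstation user should not be a local administrator (S-1-5-32-544).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
if ($admins.SID.Value -contains $user.SID.Value) {
    $findings += "$UserName is a direct member of the local Administrators group"
}

# Allow rules that apply to the object itself, for the user or the broad groups
# the user is in: Everyone, Authenticated Users, BUILTIN\Users. Deny rules are ignored.
$sids = @($user.SID.Value, 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
function Get-AllowRule([string]$Path) {
    (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $sids -contains $_.IdentityReference.Value -and
                       $_.PropagationFlags -notmatch 'InheritOnly' }
}

# 3. On protected paths none of those principals should be able to write or delete.
#    0x50000000 adds the raw GENERIC_WRITE and GENERIC_ALL bits that some ACEs carry.
$risky = [int][System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData, ChangePermissions, TakeOwnership' -bor 0x50000000
foreach ($path in $ProtectedPaths) {
    foreach ($rule in Get-AllowRule $path) {
        if ([int]$rule.FileSystemRights -band $risky) {
            $findings += "$path : $($rule.IdentityReference) holds $($rule.FileSystemRights)"
        }
    }
}

# 4. The user should have full control of the home area.
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$homeOk = Get-AllowRule $HomePath | Where-Object {
    $_.IdentityReference.Value -eq $user.SID.Value -and ([int]$_.FileSystemRights -band $full) -eq $full }
if (-not $homeOk) { $findings += "$UserName lacks full control of $HomePath" }

if ($findings) { $findings } else { 'No findings' }
```

The script changes nothing; membership through nested or domain groups is not resolved, so an empty result covers direct grants only.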
