March 21, 2008 at 1:38 am
My friend uses some open source tool that locks the workstation if your bluetooth enabled cell phone moves out of (bluetooth) range!
I found some software that does the same thing for 15 US$
I can see this as mandatory practice in some companies 🙂
Of course, bluetooth devices are not found in most workstation computers, but a USB bluetooth "dongle" is about 25 US$.
March 21, 2008 at 2:47 am
At my last work place, the Sys Admins implemented a new policy such that any workstation left unattended for 5 minutes would automatically lock, and then show the screensaver.
That REALLY annoyed some people! For example, you could be reading a document on-screen, and if you didn't move the mouse or hit a key for 5 minutes, your workstation would lock.
It was a real pain for the reception staff, who generally had to unlock their workstation whenever a customer walked in.
However, the reasons behind the move were sound, and people fairly quickly adapted to the change.
As for shared accounts, generally a big no-no.
My view is that the sooner we start using Smart Cards (or some other 2-factor authentication) the better. Take your card with you when you leave your workstation, and it automatically locks. I like the idea of using bluetooth on the mobile phone, that is clever.
I will admit to still running my workstation as a member of the local Administrators group though.
Andy
March 21, 2008 at 3:17 am
Hi,
I found it just plain stupid that a company would release software that would not run as a regular user, requiring it to be an administrator account just to print. And I wouldn't have believed it if it hadn't happened to one of my clients, and it was software from a big name company to boot.
So what's a sys admin to do? Make everyone that used that software an administrator of course.
Then, later on, somehow a virus got in and spread through the network because of those administrator accounts.
Sheesh.
March 21, 2008 at 7:36 am
The last two software companies I've worked for have had programs that required local Administrative access.
This was obviously a problem to any client that had any form of Network security policy in place. The work around in both cases was:
1) Install the application under the Admin account
2) Give the limited user(s) permissions to specific folders and registry keys needed to run the program
Not sure if there is a better way -
Lou
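The two-step workaround above, scripted as an added example (this is not code from the thread or from any vendor): after installing under an administrator account, grant the limited users' group Modify on the application's own folder and read/write on its own registry key, rather than adding the users to Administrators. The group name, folder and key path are assumptions; substitute the locations you have identified for your application (Process Monitor's "ACCESS DENIED" results are the usual way to find them). Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread: least-privilege workaround for an
# application that "requires admin". Group, folder and key below are assumptions.
$Group  = 'BUILTIN\Users'                              # or a dedicated AD group for the app's users
$Folder = 'C:\Program Files\ExampleVendor\ExampleApp'  # hypothetical install directory
$RegKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'    # hypothetical vendor key

function Grant-FolderAccess {
    param([string]$Path, [string]$Identity)
    # Modify (not Full Control) lets the app write logs/settings in its own
    # directory but does not let users change permissions or take ownership.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryKeyAccess {
    param([string]$Path, [string]$Identity)
    # Most "needs admin" applications only read and write values under their
    # own key; ReadKey + SetValue + CreateSubKey covers that without FullControl.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # apply to subkeys too
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-GrantedAccess {
    param([string]$Path, [string]$Identity)
    # Verification step: list only the ACEs that apply to the group we touched.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, RegistryRights, InheritanceFlags, AccessControlType
}

Grant-FolderAccess      -Path $Folder -Identity $Group
Grant-RegistryKeyAccess -Path $RegKey -Identity $Group
Show-GrantedAccess -Path $Folder -Identity $Group
Show-GrantedAccess -Path $RegKey -Identity $Group
```

The grants are deliberately scoped to the application's own folder and key; granting the same rights higher up (all of Program Files, or the vendor's whole HKLM\SOFTWARE tree) would let an ordinary user replace other programs' binaries or settings, which is most of what the admin-rights workaround was supposed to avoid.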
March 21, 2008 at 8:15 am
lortega (3/21/2008)
1) Install the application under the Admin account
2) Give the limited user(s) permissions to specific folders and registry keys needed to run the program
I thought about this; it wasn't folders, the problem was registry keys. In my case the software vendor refused to tell me which keys and what access was needed. All they would say was an administrative account.
Not helpful at all.
March 21, 2008 at 8:18 am
Unbelievable. Talk about being irresponsible and negligent.
March 21, 2008 at 8:47 am
I wish someone would sue over this, not necessarily requiring admin rights, but not disclosing them. It would be a good way to force some disclosure.
I got told this by Dynamics (before they were MS), saying they needed "sa" rights. When I queried further, I realized the guy on the phone had no idea what was needed. He was a tech support guy, not a developer.
So I did some testing and discovered they needed SA rights (SQL 7) to add a new user to the system. We decided DBAs would add the login and the application would then see it. So they had to send an email for new accounting people. Worked great.
There are some trace tools, used to be some at sysinternals, that might help you figure out what rights are needed.
March 21, 2008 at 9:06 am
Absolutely, ProcessMonitor from SysInternals (now part of the Microsoft, err, family) will help you figure out what permissions are required. The vast majority of problems are permissions to one or two specific keys in the registry.
March 21, 2008 at 9:10 am
I worked at a paper mill and we used shared accounts for the production floor personnel. They were using thin clients and Citrix published apps with restricted permissions. For any other position in the company you had a personal login. As far as locking the workstation, too many places I have been have not put that in a policy and admins were leaving their PCs open.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
March 21, 2008 at 9:11 am
Policy here is to lock before you leave the workstation. IT Security has notified people when they are in violation.
The only shared account is a service account or application account to a SQL Server that is locked into the application.
We are not encouraged to share. It is dangerous, silly, unsafe, and some actions taken when you are in another person's account could be, and often are, illegal.
Just think about this for a few minutes: if your company has a policy of no tolerance for porn, eBay, or political campaigning and you leave your computer open such that anyone could access anything on the internet, you are in very deep trouble, and could lose your job without knowing what hit you.
Mom told me as a little kid, "lock the door behind you". She was right.
Not all gray hairs are Dinosaurs!
March 21, 2008 at 9:20 am
All of our company computers use a GPO that locks the computer after 20 minutes of non-use. I'd like to lower the time to 5 minutes but it's an uphill fight.
We don't allow shared accounts, but I know users share their passwords, impossible to prevent. Most of our users have restricted user accounts, and I give permission to folders if possible for applications that need it.
Personally I use an admin account on my computer. I'm responsible for the network and if I mess it up I'll fire myself :D!
March 21, 2008 at 9:25 am
AndyD (3/21/2008)
At my last work place, the Sys Admins implemented a new policy such that any workstation left unattended for 5 minutes would automatically lock, and then show the screensaver.
It also gives people a 5 minute window to cause trouble if you do actually leave your desk.
I'm sure many of the people reading these posts are already aware of this but I just found out recently myself so I imagine there are a few that may benefit...the Windows key + 'L' combination will lock your windows computer immediately.
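An added example (not code from the thread) that ties together the GPO timeout discussion a few posts up and the Win+L tip above: it reads the idle-lock settings a GPO writes to the user's Policies hive, falls back to the user's own Control Panel settings, and reports whether the machine would lock within a target window (5 minutes, the figure argued for above). The value names and key paths are the standard ones Windows uses; the 300-second target is a parameter you can change. It also wraps the documented command-line equivalent of Win+L for use in scripts.

```powershell
# Added example, not code from the thread: audit a workstation's idle-lock
# configuration. The Policies key is what a GPO writes and it overrides the
# user's own settings, so it is consulted first.
function Get-IdleLockState {
    param([int]$MaxIdleSeconds = 300)   # 5-minute target from the discussion above
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'
    $settings  = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $value = $null
        $source = 'not set'
        foreach ($key in $policyKey, $userKey) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name; $source = $key; break }
        }
        $settings[$name] = @{ Value = $value; Source = $source }
    }
    # All three are stored as REG_SZ strings; an unset timeout counts as 0 (never).
    $active  = $settings['ScreenSaveActive'].Value   -eq '1'
    $secure  = $settings['ScreenSaverIsSecure'].Value -eq '1'
    $raw     = $settings['ScreenSaveTimeOut'].Value
    $timeout = if ($raw) { [int]$raw } else { 0 }
    [pscustomobject]@{
        ScreenSaverActive = $active
        RequiresPassword  = $secure          # without this the saver runs but nothing locks
        TimeoutSeconds    = $timeout
        EnforcedByPolicy  = ($settings['ScreenSaverIsSecure'].Source -eq $policyKey)
        Compliant         = ($active -and $secure -and $timeout -gt 0 -and $timeout -le $MaxIdleSeconds)
        Finding           = if (-not $secure) { 'screen saver is not password protected' }
                            elseif ($timeout -eq 0) { 'no idle timeout configured' }
                            elseif ($timeout -gt $MaxIdleSeconds) { "timeout $timeout s exceeds $MaxIdleSeconds s" }
                            else { 'ok' }
    }
}

# Scriptable equivalent of Win+L (same user32 call the key combination uses),
# handy in logon scripts or scheduled tasks.
function Lock-Workstation { rundll32.exe user32.dll,LockWorkStation }

Get-IdleLockState | Format-List
```

A user-level setting that is not enforced by policy is only advisory, since the user can raise the timeout or untick "On resume, display logon screen" again; EnforcedByPolicy is therefore reported separately from Compliant.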
March 21, 2008 at 9:26 am
No doubt shared accounts are a danger to both the company and the user! Our policy is no shared access except through apps. It is a firing offense.
----------------------------------------------------------------------------
"No question is so difficult to answer as that to which the answer is obvious." - George Bernard Shaw
March 21, 2008 at 10:07 am
Shared accounts can be problematic at times, but only if the apps are configured to use the cached credentials, which are a vulnerability in and of themselves.
The problem is - not every industry can or should tolerate a 2-4 minute loss of time when a shared terminal is switched from one user to the next. Think healthcare - do you REALLY want the nurse to spend four minutes logging the machine on, and then logging in to the 3-6 apps she might need to be in, while you're, say, bleeding from the neck?
The problem often becomes that the alternatives force you into a deal with the devil (damned if you do and damned if you don't). And quite honestly - most of the alternatives aren't great.
We actually spent some time working with an ER, so that they can use shared creds on the OS. The shared creds have little to no authority (just logging in). The "switching" happens with a USB dongle and a resident program, pulling your creds from it. The underlying program then uses the "log on as" type functionality to pass your creds to the apps. We built it ourselves because we couldn't find a cost-effective (or for that matter - just plain effective) way to do all of that in a way that fit our model.
It's not perfect, and ultimately is a kludge, but it's a kludge saving them almost 4 minutes each time. The switch takes 12 secs in most cases.
The software out there IMO is much too rigid for some industries and needs some work before it's adoptable.
----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?