Solved

Logon Locally Windows 2000

Posted on 2004-03-25
217 Views
Last Modified: 2013-12-04
Hi

We have a lot of old pool laptops that have been upgraded to windows 2000.  They do not have network cards or modems/cables.  We currently have a situation where people keep forgetting they need to have the laptop put on the network to cache their profile to allow them to log on to it whilst at home.

While we could enable the guest logon this is very insecure.  We have also considered creating a local policy (on each laptop) with a generic password.  As these laptops never go on the network there is no way of changing the password for this generic account on the laptop, so it raises a security risk when people leave, which is potentially often.  How do you all do this?  Surely anyone with pool home laptops must have this problem.

I have a couple of off the wall ideas but I don't think there is anything out there that does it, please tell me if anyone knows different.

1.  Have a policy on a floppy disk that has a user account enabled.  Possibly with an expiry password account of 3 attempts.

2.  Have a security token (we do use these for dialling in) that could somehow be authenticated locally.

As I said they are off the wall suggestions but maybe someone has an answer pleeeeeease.

Thanks

T-y
Question by: T-y
14 Comments
LVL 67

Expert Comment

by:sirbounty
ID: 10676020
You said:  
 >>They do not have network cards or modems/cables<<

but then you said:
>>people keep forgetting they need to have the laptop put on the network to cache their profile to allow them to log on <<

Er, how?

Author Comment

by:T-y
ID: 10676059
The laptops have to be brought to us, we can set them up on the network.  This is not a problem for people that work in the same office, but not for people that work 20 miles away.

LVL 6

Expert Comment

by:DanniF
ID: 10676066
Exactly, very confusing.

I understand this as if you have a Network configuration but no Network?

Please explain...
LVL 6

Expert Comment

by:DanniF
ID: 10676075
Sry, scrap that....

Hmmm, and will these users never use Network resources?

If so, then why bother with putting them on the network?

LVL 67

Expert Comment

by:sirbounty
ID: 10676228
I think I need further clarification...

>>As these laptops never go on the network there is no way of changing the password <<

If I'm hearing (haha - reading) you correctly...
The users can only use the laptops disconnected from any network (no modem or NIC).
Occasionally, they'll forget their password - which raises a concern for you.  Apparently they're part of a domain, but "not", so since there's no network connection, you cannot reset their account in the domain (what good would it do? <rhetorical>).  So how to get past this hurdle?  
If you open the guest account, you're concerned about...what?  That they'll use it, or that if it gets into the hands of someone else, it will be compromised?  You don't want to create a separate account as this is a security risk...why?  When you say 'people leave which is potentially often' - do you mean your concern becomes that they'll take the laptop and run?

I don't think either of your suggestions would do it.  I think you'd be better off implementing the accounts with a "password never expires", but yet account does expire after say, 90 days.  They would be required to bring it in every 90 days to have you reset it in order to keep it running.  But - if you're concerned about theft - There's not much in wiping a hard drive and starting over, let alone picking up a PCMCIA NIC or modem from ebay...

Have I traveled too far down the wrong path here or what?

Author Comment

by:T-y
ID: 10676265
No they don't ever go on the network *UNLESS* we need to cache their profile.

Author Comment

by:T-y
ID: 10676356
Sorry I don't seem to have made myself very clear.  Let's try again.

The laptops would not normally go on the network, there is no need to they are generally used for just word processing.  We currently make them bring in the laptop to us, we connect it to the network, they log on, their account is cached - bingo.  Yes we could add them as a local user, but for pool laptops where you could technically have 50/60 people logging on, we can't have 50/60 local users that would be a waste of resources.

The problem with guest account and generic accounts is

a) Someone with enough nous could do damage and hack.

b) There is no accountability if a generic/guest account is used.  You then get into the realms of Data Protection problems.

The problem of it being stolen is not really an issue, because if they do, they won't need the username and password.

Also bringing the laptops in every 90 days is a huge administration problem, we are talking about 1000+ laptops.  And you'll still have the same problem of the users forgetting to do this getting home and not being able to get onto the laptop.

Maybe we're just asking too much.
LVL 6

Expert Comment

by:DanniF
ID: 10676429
OK,

If I get this right, the user does not have any means to connect to the network, he has to bring the laptop to you for his first log on?

So when you say:
And you'll still have the same problem of the users forgetting to do this getting home and not being able to get onto the laptop.

You mean that the users forget to bring you the laptop to log on?

To cache a profile, yes this is the only way I know of..... Still kinda confused though....

Are we talking about 50 people who all have separate profiles, storing data on ONE laptop?

A pooled laptop for that many people can not be used to store their data as well? And what do they do when they return the laptop?

I really don't see the security risk on a shared laptop as I don't see 50 users with all their data on the same laptop........

Please correct me if I'm way off....


LVL 67

Expert Comment

by:sirbounty
ID: 10676562
I, personally, think you're reaching here.  That's a LOT of people to share a laptop...
If accountability is the problem -why not allow them dial-in/network access?  Just drop a policy locally that prevents Internet access, if that's your concern...

Author Comment

by:T-y
ID: 10676649
Yes we are talking *potentially* 50 people, it's pooled laptops from a department so anyone can use the laptop.  You only need two people to use the same laptop before you run into Data Protection problems if they can both access the same data.

The thing is if they are logging on locally they have to put the data on the laptop.  Yes it gets transferred to a floppy before they can use it back at their desk, but how many 'users' do you know that do good housekeeping and clean up after themselves?

But this still comes back to how do we authenticate that someone is for real without having a cached profile.  Yes generic passwords/accs work but are not the most secure.
LVL 12

Expert Comment

by:trywaredk
ID: 10681215
Cached logon information is written in the registry
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q172/9/31.asp&NoWebContent=1

But that's not all of it - to figure out what's really written when doing a cached logon, save a regfile before doing a cached logon and after doing a cached logon. Probably also something in HKCU and HKUS

If you can find out what to change in a reg-file from HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\... or wherever cached logon writes, then make the reg-file and send it to the computer 20 miles away from you

It can't be audited by regmon, but maybe placing it in HKLM\Software\Microsoft\Windows\Current Version\Run might help.
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

LVL 38

Expert Comment

by:Rich Rumble
ID: 10698315
So, you have these LT's joined to a domain or AD, so that is why you need to cache the logons. You want to be able to keep everyone's settings and files separated with permissions, and also have accountability with the event logs, so each user should have their own account on the LT's; that way you can keep their files separate, and the event logs will document who is doing what when.

I say, let them be stand-alone, in a workgroup; you can script adding as many users as you want to each laptop, all in the "Users" group on the LT's. That will lock them down quite a bit, and they will not be able to view each other's My Documents folders etc... When you set the users up on the LT with a script, all with the same pass, you can have it place the check mark for "user must change pass at next logon" so that no one can view the others' account because the pass will then need to be changed. I'm sure your users can remember 2 passwords, because if they get a different laptop next week that they haven't signed on to, they will need to use the default pass, then change it to their standard password.

Scripting can be done with the "net user" and "net accounts" commands; by default, change pass at next logon is already turned on, I believe.
M$ scripting page has lots of stuff that can be modified to do this also:
http://www.microsoft.com/technet/community/scriptcenter/user/scrug92.mspx
http://www.microsoft.com/technet/community/scriptcenter/default.mspx
-rich
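As an added worked example of the per-user local account approach described in the comment above (this is not Rich's script and not code from the linked Script Center pages), the following VBScript provisions one restricted local account per pool user on a stand-alone Windows 2000 laptop. It uses the ADSI WinNT provider, which is present on Windows 2000 and is the scriptable equivalent of "net user /add" plus "net localgroup Users /add", with the advantage that it can set the "User must change password at next logon" flag explicitly rather than relying on the default. The usernames, the initial password and the script file name are constructed placeholders; the script assumes it is run locally by a member of Administrators.

```vbscript
' AddPoolUsers.vbs (constructed name) -- added example, not from the original thread.
' Creates one local account per pool user, all with the same one-time initial
' password, flags each so the first logon forces a personal password, and adds
' them only to the limited "Users" group. Per-user accounts give separate profile
' folders and attributable Security event log entries; "Users" membership (not
' Administrators or Power Users) keeps them from reading each other's profiles.
' Run on the laptop as a local administrator:  cscript //nologo AddPoolUsers.vbs
Option Explicit

' Constructed placeholder; used once per account and then forced to change.
Const INITIAL_PASSWORD = "ChangeMe-First-Logon"

' Constructed list of the department's pool users (assumption: one entry per person).
Dim poolUsers
poolUsers = Array("jsmith", "agarcia", "mpatel")

Dim objComputer, objUsersGroup, strName
' "." is the local machine; the WinNT provider writes to the local SAM.
Set objComputer   = GetObject("WinNT://.,computer")
Set objUsersGroup = GetObject("WinNT://./Users,group")

For Each strName In poolUsers
    If UserExists(strName) Then
        ' Re-running the script on a laptop is safe: existing accounts are left alone.
        WScript.Echo "skip:    " & strName & " already exists"
    Else
        CreateRestrictedUser strName
        WScript.Echo "created: " & strName & " (Users group, must change password at next logon)"
    End If
Next

' True if a local account with this name is already present in the SAM.
Function UserExists(name)
    Dim obj
    On Error Resume Next
    Set obj = GetObject("WinNT://./" & name & ",user")
    UserExists = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

' Create the account, set the one-time initial password, mark the password as
' expired so the first logon demands a new one, and add it to "Users" only.
Sub CreateRestrictedUser(name)
    Dim objUser
    Set objUser = objComputer.Create("user", name)
    objUser.SetPassword INITIAL_PASSWORD
    objUser.SetInfo
    ' PasswordExpired = 1 is the "User must change password at next logon" check box.
    objUser.Put "PasswordExpired", 1
    objUser.SetInfo
    ' New accounts are not automatically members of any group via this path, so
    ' add the account to "Users" explicitly; nothing adds it to Administrators.
    objUsersGroup.Add objUser.ADsPath
End Sub
```

Because every laptop starts with the same initial password, the forced change at first logon is what keeps one user from signing in as another; pair the script with a local password policy on each laptop (for example "net accounts /minpwlen:8 /maxpwage:90", both switches available on Windows 2000) so that the personal passwords chosen afterwards also meet a minimum standard. This does not solve the original "never on the network" provisioning problem by itself, but it removes the shared guest/generic account and restores per-user accountability in the event log, which was the poster's main concern.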

Accepted Solution

by: CetusMOD (earned 0 total points)
ID: 11468861
PAQed - no points refunded (of 250)

CetusMOD
Community Support Moderator