Solved

Security question

Posted on 2004-04-01
Last Modified: 2013-12-04
I have a question about a problem we are having and need rectified.  I am NOT a sysadmin, I am a programmer/DBA, so I will try to give you as much information about this as I can.  I apologize in advance if I miss something.

We need a generic login to one computer, with rights assigned to one program, one printer and 3 folders.  Our sysadmin is fighting this for some reason (I was not part of the conversation), but we are the only IT people in the building and I was asked for a solution for this.  

The OS for that particular computer is Windows 2000 Professional.  We also have XP licenses available.  We are running Windows Server 2000.  My solution was to assign a static IP address to that computer, limit username/password to that computer only, and restrict user access to the program and those files.  Does anyone here have a better solution?  Are there problems with mine?  How can this hurt us from a security standpoint? (This will ONLY be accessed internally).  Being that I am not an expert in hardware/networking, I appreciate all the help you can give me.

Thanks.  Please let me know if you have any questions.

IPT
Question by:iptrader
10 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10734603
Well you could leave the machine off the domain completely if security was an issue... or, like you said, restrict the user account to only being able to log onto that machine (as well as removing it from the Domain Users group).
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10734756
Well it is a security risk, because even if the computer is inside the company's firewall, viruses/spyware/trojans/backdoors and other malware could attack the computer through the firewall on port 80 (http usage on internet connections).

Automatic Logon to Windows NT, 2000 and XP
http://www.winguides.com/registry/display.php/13/

Plugging Custom Security into Windows 2000
http://www.developer.com/tech/article.php/10923_629311_1

Enhancing the Security of a Windows CE Device
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnce30/html/winsecurity.asp


Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10734757
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10734765
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://pestpatrol.com/Support/About/About_Ports_And_Trojans.asp#portlist

List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html

Internet Storm Center - Input portnumber and press GO
http://isc.incidents.org/port_details.html?port=

IPEye is a freeware TCP port scanner
http://www.ntsecurity.nu/toolbox/ipeye/

IIS-vulnerability MS03-007
Here's Microsoft's warning - Impact of vulnerability: RUN CODE OF ATTACKER'S CHOICE:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp

But they only talk about IIS (Internet Information Server). Here is some more stuff about this problem:
http://www.nextgenss.com/papers/ms03-007-ntdll.pdf

As you can see, they warn about this for every Windows 2000 workstation and server, even if they don't run IIS. The problem is that an attacker can run code through port 80, which you use to gain access to the internet.
If you can afford it, you can get a URL-scanning engine installed on a server, with workstation, server, email and URL-scanning engines from http://www.trendmicro.com/en/products/global/enterprise.htm

The Distributed Reflection DoS Attack
http://grc.com/dos/drdos.htm

Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/

One usage of the HACKYOURSELF scan: TCP scan (65534 ports), UDP scan (800+ ports), and NetBIOS scan
http://www.hackerwhacker.com/

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2

Port scan.. Get an instant security analysis now. You don't even need to know your own IP address!
http://www.dslreports.com/scan

How to recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10734772
Downloading and Using the Security Configuration Manager Tool:
http://support.microsoft.com/default.aspx?scid=kb;en-us;245216

Stress Tools to Test Your Web Server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;231282

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure
http://support.microsoft.com/default.aspx?scid=kb;en-us;324892

Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp

Maximum Windows 2000 Security
http://www.bookpool.com/.x/rmpdj26gor/sm/0672319659

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10735998
If this is the question...
1 user needs access to 1 program, 1 printer and a few folders. Place the account in the "Users" group or "Guests" group. Use NTFS folder permissions to lock down the folders the account can access. If this account only needs to run certain programs that are installed already, then Guest or User privileges should do the trick. The IP, whether static or DHCP, makes no security difference. The printer can also have permissions assigned to it, to only allow this one account access. This account could be a local account or domain. Local will assure that it can't be used on another computer; if it is a domain account, then you'll have to do as you have done, restrict the PCs it can be used on, and maybe even the hours it can be used.

There is nothing wrong with the way you have it now. There are always best practices to follow: patch your systems regularly, schedule AV updates daily, and scans daily. Do not run as an administrator all the time. Use RunAs to temporarily "up" your privs. RunAs is just like sudo in Unix systems. Audit your event logs and change your passwords often.

Regardless of whether the PC is part of a domain or not, as long as it's on your LAN, it is a risk to some degree. You could lock the PC down even further with group policies or local policies, but making that login part of the Guest or "Users" group will limit THAT ACCOUNT's ability to do much else on that PC. Don't join it to the domain if it's truly standalone, but if the printer is shared off of the domain controller or server, be sure to give your account the rights to access it.
GL!
-rich
0
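As an added example, not posted by anyone in this thread: a cmd.exe batch script that carries out the steps Rich lists on the Windows 2000 Professional box itself, using the built-in net and cacls tools that ship with that OS. The account name, password, folder paths and the three data folders are placeholders I have assumed; the printer's ACL is set in its Security tab, since Windows 2000 has no built-in command for that.

```batch
@echo off
REM Added example (not from the thread): restrict one local account to one
REM program folder and three data folders on a Windows 2000 Pro machine.
REM Assumed placeholders: KIOSKUSER, its password, D:\App and the D:\Data\* folders.
REM Run from an Administrator cmd prompt on the workstation itself.

set ACCT=KIOSKUSER
set PASS=ChangeMe-Locally

REM 1. A LOCAL account: it cannot be used to log on to any other machine.
REM    Also limit the hours it may be used, as Rich suggests.
net user %ACCT% %PASS% /add /passwordchg:no /times:M-F,7am-7pm

REM 2. New local accounts land in Users; move it to Guests, the least
REM    privileged built-in group, so it can do little else on this PC.
net localgroup Users  %ACCT% /delete
net localgroup Guests %ACCT% /add

REM 3. NTFS: REPLACE each data folder's ACL (no /E) so only Administrators,
REM    SYSTEM and this account can reach it. /T recurses; "echo y|" answers
REM    the "Are you sure" prompt; :C = Change (read/write, no ACL changes).
for %%D in ("D:\Data\Invoices" "D:\Data\Orders" "D:\Data\Reports") do (
    echo y| cacls %%D /T /G Administrators:F SYSTEM:F %ACCT%:C
)

REM 4. Program folder: EDIT the ACL (/E) and grant read/execute only, so the
REM    account can run the program but not modify or replace its binaries.
cacls "D:\App" /T /E /G %ACCT%:R

REM 5. Verify before handing the machine over: group membership, hours,
REM    and the effective ACL on one of the locked-down folders.
net user %ACCT%
cacls "D:\Data\Invoices"
```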
 
LVL 12

Expert Comment

by:trywaredk
ID: 10736197
0
 
LVL 24

Expert Comment

by:SunBow
ID: 10736254
For internal use only, you have no need for TCP/IP, and NetBios is fine. The easiest thing to do is ensure everyone has same ID and password on that system as they normally use, things work out better that way.  Have the machine boot up standalone, and don't bother to expire passwords, let users coordinate that part with their other machines.

> We need a generic login to one computer

Generic has the problem of being both too easy to guess and to leak, and leaves no trackability. You each should still like to know and be accountable for what you each do, so imo stick to unique IDs; it'll also help a debug process if only one of you has a particular problem, and in the meantime, no one should be able to trick the machine into doing something different, such as generic email, or printing 'strange' hardcopy from the generic ID. Make sure the queue list can properly help you identify your own stuff (and identify which of your peers is the real hog without having to pay a visit to the output tray and wait for them to show up).

Don't let anyone else use the computer, and I think just lifting any existing restrictions from the program should do the trick for you.  While admin may think I disagree, I probably agree more with them than you. Possibly, it will work better by placing the few of you into a select group of 'power users' and only letting members of that group access the subdirectories required. That should satisfy protecting against strangers. Do NOT succumb to the temptation of putting up shares; that is all too easy to fail to some vulnerability.
0
 
LVL 24

Accepted Solution

by:
SunBow earned 1200 total points
ID: 10736615
richrumble> Use NTFS folder permissions
yes

> then Guest or User privledges should do the trick.

probably not guest, but something close to it could work, yet my reservations precede. Why not power user among friends?

> The IP whether static or dhcp, makes no security difference

agreed, but as above, I don't think IP is needed either

>  if it is a domain

I'd leave it out of domain

> You could lock the PC down even further

probably more trouble than it is worth, aside from group restrictions

> There is nothing wrong with the way you have it now.

This part I miss. What is the current method, if any, was less clear to me
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10752096
Iptrader stated:
My solution was to assign a static IP address to that computer, limit username/password to that computer only, and restrict user access to the program and those files.

Probably done with User Manager for Domains, or AD policy. Then NTFS is how the restrictions were added.  (assumed)
Placing the account in the Guests group would work if the permissions were set correctly for the folders and programs needed to run.
Agreed, locking down the PC further would be more trouble than it's worth, hence the Guests group recommendation, as it's locked down pretty well to begin with.
-rich
0