Solved

Security question

Posted on 2004-04-01
10
321 Views
Last Modified: 2013-12-04
I have a question about a problem we are having and need rectified.  I am NOT a sysadmin, I am a programmer/DBA, so I will try to give you as much information about this as I can.  I apologize in advance if I miss something.

We need a generic login to one computer, with rights assigned to one program, one printer and 3 folders.  Our sysadmin is fighting this for some reason (I was not part of the conversation), but we are the only IT people in the building and I was asked for a solution for this.  

The OS for that particular computer is Windows 2000 Professional.  We also have XP licenses available.  We are running Windows Server 2000.  My solution was to assign a static IP address to that computer, limit username/password to that computer only, and restrict user access to the program and those files.  Does anyone here have a better solution?  Are there problems with mine?  How can this hurt us from a security standpoint? (This will ONLY be accessed internally).  Being that I am not an expert in hardware/networking, I appreciate all the help you can give me.

Thanks.  Please let me know if you have any questions.

IPT
Question by:iptrader
10 Comments
 
LVL 30

Expert Comment

by:Gareth Gudger
Well you could leave the machine off the domain completely if security was an issue......or like you said restrict the user account to only being able to log onto that machine (as well as removing it from the Domain Users group)
 
LVL 12

Expert Comment

by:trywaredk
Well it is a security risk, because even if the computer is inside the company's firewall, virus/spyware/trojans/backdoor and other malware could attack the computer through the firewall on port 80 (http-usage on internet connections).

Automatic Logon to Windows NT, 2000 and XP
http://www.winguides.com/registry/display.php/13/

Plugging Custom Security into Windows 2000
http://www.developer.com/tech/article.php/10923_629311_1

Enhancing the Security of a Windows CE Device
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnce30/html/winsecurity.asp


Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

 
LVL 12

Expert Comment

by:trywaredk
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://pestpatrol.com/Support/About/About_Ports_And_Trojans.asp#portlist

List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html

Internet Storm Center - Input portnumber and press GO
http://isc.incidents.org/port_details.html?port=

IPEye is a freeware TCP port scanner
http://www.ntsecurity.nu/toolbox/ipeye/

IIS-vulnerability MS03-007
      Here's Microsoft's warning - Impact of vulnerability: RUN CODE OF ATTACKER'S CHOICE:
      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp

      But they only talk about IIS (Internet Information Server). Here is some more stuff about this problem:
      http://www.nextgenss.com/papers/ms03-007-ntdll.pdf

      As you can see, they warn about this for every Windows 2000 workstation and server, even if they don't run IIS. The problem is that an attacker can run code through port 80, the port you use to gain access to the internet.
      If you can afford it, you can get a URL-scanning engine installed on a server, with workstation, server, email and URL-scanning engines, from http://www.trendmicro.com/en/products/global/enterprise.htm

The Distributed Reflection DoS Attack
http://grc.com/dos/drdos.htm

Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2

Port scan.. Get an instant security analysis now. You don't even need to know your own IP address!
http://www.dslreports.com/scan

How to recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

 
LVL 12

Expert Comment

by:trywaredk
Downloading and Using the Security Configuration Manager Tool:
http://support.microsoft.com/default.aspx?scid=kb;en-us;245216

Stress Tools to Test Your Web Server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;231282

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure
http://support.microsoft.com/default.aspx?scid=kb;en-us;324892

Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp

Maximum Windows 2000 Security
http://www.bookpool.com/.x/rmpdj26gor/sm/0672319659

 
LVL 38

Expert Comment

by:Rich Rumble
If this is the question...
1 user needs access to 1 program, 1 printer and a few folders. Place the account in the "Users" group or "Guests" group.
Use NTFS folder permissions to lock down the folders the account can access. If this account only needs to run certain programs, that are installed already,
then Guest or User privileges should do the trick. The IP, whether static or DHCP, makes no security difference.
The printer can also have permissions assigned to it, to only allow this one account access. This account could be a local account or domain. Local will
assure that it can't be used on another computer; if it is a domain account, then you'll have to do as you have done, restrict the PCs it can be used on, and maybe even the hours
it can be used.

There is nothing wrong with the way you have it now. There are always best practices to follow:
Patch your systems regularly, schedule AV updates daily, and scans daily. Do not run as an administrator all the time. Use RunAs to temporarily "up" your privs. RunAs
is just like sudo in Unix systems. Audit your event logs and change your passwords often.

Regardless of whether the PC is part of a domain or not, as long as it's on your LAN, it is a risk to some degree. You could lock the PC down even further with group policies or local policies, but making
that login a member of the Guests or "Users" group will limit THAT ACCOUNT's ability to do much else on that PC. Don't join it to the domain if it's truly standalone, but if the printer is shared off of the
domain controller or server, be sure to give your account the rights to access it.
GL!
-rich
 
LVL 24

Expert Comment

by:SunBow
For internal use only, you have no need for TCP/IP, and NetBios is fine. The easiest thing to do is ensure everyone has same ID and password on that system as they normally use, things work out better that way.  Have the machine boot up standalone, and don't bother to expire passwords, let users coordinate that part with their other machines.

> We need a generic login to one computer

Generic has the problem of being both too easy to guess and to leak, and leaves no trackability. You each should still like to know and be accountable for what you each do, so imo stick to unique IDs; it'll also help a debug process if only one of you has a particular problem, and in the meantime, no one should be able to trick the machine into doing something different, such as generic email, or printing 'strange' hardcopy from a generic ID. Make sure the queue list can properly help you identify your own stuff (and identify which of your peers is the real hog without having to pay a visit to the output tray and wait for them to show up).

Don't let anyone else use the computer, and I think just lifting any existing restrictions from program should do the trick for you.  While admin may think I disagree, I probably agree more with them than you. Possibly, it will work better by placing the few of you into a select group of 'power user' and only let members of that group access the subdirectories required. That should satisfy protecting of strangers. Do NOT succumb to temptation of putting up shares, that is all too easy to fail some vulnerability.
 
LVL 24

Accepted Solution

by:
SunBow earned 300 total points
richrumble> Use NTFS folder permissions
yes

> then Guest or User privledges should do the trick.

probably not guest, but something close to it could work, yet my reservations precede. Why not power user among friends

> The IP whether static or dhcp, makes no security difference

agreed, but as above, I don't think IP is needed either

>  if it is a domain

I'd leave it out of domain

> You could lock the PC down even further

probably more trouble than it is worth, aside from group restrictions

> There is nothing wrong with the way you have it now.

This part I miss. What is the current method, if any, was less clear to me
 
LVL 38

Expert Comment

by:Rich Rumble
Iptrader stated:
My solution was to assign a static IP address to that computer, limit username/password to that computer only, and restrict user access to the program and those files.

Probably done with User Manager for Domains, or AD policy. Then NTFS is how the restrictions were added.  (assumed)
Placing the account in the Guests group would work if the permissions were set correctly for the folders and programs needed to run.
Agreed, locking down the PC further would be more trouble than it's worth, hence the Guests group recommendation, as it's locked down pretty well to begin with.
-rich
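The lockdown that Rich Rumble describes (a local account in the Users or Guests group, NTFS permissions on the folders, optional logon-hour limits, RunAs instead of working as Administrator), together with SunBow's suggestion of a dedicated local group for the few people who need the program, can be done on Windows 2000 Professional with built-in tools alone. The script below is an added example, not code from the thread or from any of its posters; the account name, group name, folder paths and password are assumptions, and it assumes inheritance from the parent folder has already been turned off in each folder's Security tab (cacls cannot change inheritance). Printer permissions have no built-in command-line tool on Windows 2000 and are set in the printer's Properties > Security tab.

```batch
@echo off
rem Added example (not from the original thread): local account, group and
rem NTFS folder lockdown for a single-purpose Windows 2000 Professional PC.
rem Account, group, folder names and the password are assumptions. Run as
rem Administrator from a saved .cmd file (the %%D syntax is for batch files).
setlocal
set ACCT=kiosk
set PASS=ReplaceWithAStrongPassword
set GRP=LobAppUsers
set APPDIR=D:\Apps\LineOfBusiness
set INBOX=D:\Data\Inbox
set ARCHIVE=D:\Data\Archive

rem 1. A LOCAL account cannot be used to log on to any other machine, so the
rem    "limit the login to this computer" requirement is met without a domain
rem    workstation restriction.
net user %ACCT% %PASS% /add /passwordchg:no /expires:never /comment:"Generic lockdown login"
rem    Optional: only allow logons during business hours (weekdays 07:00-18:00).
net user %ACCT% /times:M-F,07:00-18:00
rem    (If the login must be a domain account instead, the equivalent limit is
rem     net user %ACCT% /workstations:THIS-PC /domain   -- THIS-PC is a placeholder)

rem 2. Group membership: a dedicated local group that is the only principal
rem    granted rights on the folders; the account stays in Users, nothing higher.
net localgroup %GRP% /add /comment:"Accounts allowed to run the LOB app"
net localgroup %GRP% %ACCT% /add
net localgroup Users %ACCT% /add 2>nul
net localgroup Administrators %ACCT% /delete 2>nul
net localgroup "Power Users" %ACCT% /delete 2>nul

rem 3. NTFS permissions (inheritance already disabled on each folder).
rem    /T recurse, /E edit the ACL instead of replacing it, /R revoke,
rem    /G grant (R = read), /P replace that principal's entry (C = change).
for %%D in ("%APPDIR%" "%INBOX%" "%ARCHIVE%") do (
    cacls %%D /T /E /R Users "Power Users" Everyone
    cacls %%D /T /E /G %GRP%:R
)
rem    The inbox is the one place the login may write.
cacls "%INBOX%" /T /E /P %GRP%:C

rem 4. Verify before handing the machine over: the ACLs should list only
rem    Administrators, SYSTEM and %GRP%, and the account only Users and %GRP%.
cacls "%APPDIR%"
cacls "%INBOX%"
net user %ACCT%
net localgroup %GRP%

rem Day-to-day admin work on this PC should go through RunAs rather than an
rem interactive Administrator logon, as recommended in the thread:
rem     runas /user:%COMPUTERNAME%\Administrator cmd.exe
endlocal
```

Adding members to the group rather than granting the account directly is what makes SunBow's "select group among friends" variant a one-line change: each colleague who needs the program gets a `net localgroup %GRP% name /add`, and the folder ACLs stay as they are.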