• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1088
  • Last Modified:

Leaving administrator logged in but terminal locked.....

Just a general question.

I am wondering if there are any know security issues when leaving the administrator account logged in but the the terminal locked (by using windows key + L) when using Windows Server 2003???

Thanks
0
amerretz
Asked:
amerretz
  • 3
  • 3
  • 2
  • +3
3 Solutions
 
Jay_Jay70Commented:
not that i have an issue with....i often leave my servers "locked"
0
 
redseatechnologiesCommented:
Same, infact I have servers that MUST be like this to run custom (horrible) applications

-red
0
 
inbarasanCommented:
You need to sure that you are locking the terminal. You may also set the Screen saver policy to lock the system if it is idle for about 5mins. This way you can make sure that system will locked after 5 min even if you forget to do it. This is extra caution since it is going to Administrator.

Note :
But if you are choosing screen saver choose one that doesn't consume more CPU cycles. Because we had issue in our production environment where Screen saver use to consume abt 80% cpu cycle since it was custom built one. But the one's which comes with OS by default are OK.

Reducing screen saver idle below 5 min some times will annoy the users/admins who are working on the server.because it will get locked while they are thinking to do something.

Hope this helps you
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
amerretzAuthor Commented:
THanks for all your responses guys. I too have to leave the administrator account logged in due to horrible applications (DB engine) that don't run as a service.

I only ask as I have a client which seems to think its a security risk to leave the administrator logged in to the server even though the terminal is locked.

Just confirming my thoughts before I get back to him. I don't see it as a risk!
0
 
redseatechnologiesCommented:
Locking the server is MORE secure than leaving it logged out.

Any monkey (assuming the server is misconfigured, and allows users to log on to it) can log in to the server, but only domain admins can unlock it if a domain admin is logged in :)

-red

0
 
amerretzAuthor Commented:
Is there any issue of rouge processes running easier if the administrator account is left logged in but locked?

Thank you.
0
 
NJComputerNetworksCommented:
Yes, there a many security opportunities for attacks to occur on a machine that will assume the rights of the logged in user.  Microsoft tries to combate these monthly by releasing security updates... If you read through the security updates, the vulnerability, many times, is that the attacker of the system gets the same rights as the logged in user...  

I don't agree with this statement: "Locking the server is MORE secure than leaving it logged out."  

In my opinion, there is some risk by staying logged in.  However, the risk is minimal.  I would say, log out of a machine if possible... if you must stay logged into a machine, at least make sure that it is patched to the latest level and you have turned off as many uneeded services as possible.

0
 
PowerITCommented:
An issue? If it is a rouge process that runs only from an logged on console. But that also means that it would ALSO run if just logged in to manage the server and not locked. The locking does not change that.
Security measures should be taken to prevent that from happening. If you have such an issue, then it's already far to late. Logged on or not.
Also, there are many many exploits that don't need a logged on console, which just run as service. Again, you also must prevent those.
Just eliminating a locked console is like sticking your head in the sand and hoping that nothing bad happens.
It does not add any level of security and, as -red mentioned, is more secure in some cases.
I can understand your client's concern if he as just a PC user, who has no idea of architectures. To him it would seam logical. He would think that a PC is only 'working' once logged on. But a lot of things are not what they seem to be, especially if you are not a specialist.
E.g I don't make any assumptions about cars any more. I love cars but am not a specialist. Once had a clunky noice whenever I used the brakes. Turned out that it had nothing to do with the brakes but with the engine suspension. I know, silly story, but you get the idea.

J.
0
 
redseatechnologiesCommented:
Let me qualify that,

Locking the server is MORE secure than leaving it logged out, assuming the domain is configured incorrectly (allowing any user to log on to a DC, it happens, especially with Terminal Services) AND physical access to the server is possible.

Of course, the other end of that is anyone could just RDP to the server, so I will withdraw that statement entirely.  That'll teach me for not thinking :)

-red

0
 
amerretzAuthor Commented:
Thanks for all the input from everyone. It seems as though there is no hard and fast way to truely combat all security risk, either through services holes or logged on privillage exploits. I guess I will pass on your advice and let the client decide how mission critical their data really is!

One can only try their best to combat all know sercurity exploits in a windows system, but there seems to be a never ending group of people who wish to cause havok. Sure keeps you on your toes.
0
 
NJComputerNetworksCommented:
lol Red...
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 3
  • 3
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now