Solved

Leaving administrator logged in but terminal locked.....

Posted on 2006-11-09
Last Modified: 2008-02-01
Just a general question.

I am wondering if there are any known security issues when leaving the administrator account logged in but the terminal locked (by using Windows key + L) when using Windows Server 2003?

Thanks
Question by:amerretz
11 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17912110
Not that I have an issue with... I often leave my servers "locked".
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17912310
Same, in fact I have servers that MUST be like this to run custom (horrible) applications.

-red
0
 
LVL 14

Expert Comment

by:inbarasan
ID: 17912368
You need to be sure that you are locking the terminal. You may also set the screen saver policy to lock the system if it is idle for about 5 mins. This way you can make sure that the system will be locked after 5 min even if you forget to do it. This is extra caution since it is going to Administrator.

Note:
But if you are choosing a screen saver, choose one that doesn't consume more CPU cycles. Because we had an issue in our production environment where the screen saver used to consume about 80% of CPU cycles since it was a custom built one. But the ones which come with the OS by default are OK.

Reducing the screen saver idle time below 5 min will sometimes annoy the users/admins who are working on the server, because it will get locked while they are thinking about what to do.

Hope this helps you
0
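The idle-lock setting described in the comment above can be audited from the logged-on session. This is an added example, not part of the original thread; it reads the standard screen saver registry values, and the function names and the 300-second threshold are assumptions chosen to match the 5-minute suggestion.

```powershell
# Added example: audit whether the logged-on account's session locks when idle.
# Group Policy values, when present, take precedence over the Control Panel ones.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'
$MaxIdleSeconds = 300   # assumption: the 5-minute limit suggested above

# Hypothetical helper: return the effective value of one setting and its source key.
function Get-DesktopSetting {
    param([string]$Name)
    foreach ($key in $PolicyKey, $UserKey) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item -and $null -ne $item.$Name) {
            return New-Object PSObject -Property @{ Value = $item.$Name; Source = $key }
        }
    }
    return $null
}

function Test-IdleLock {
    $active  = Get-DesktopSetting 'ScreenSaveActive'
    $secure  = Get-DesktopSetting 'ScreenSaverIsSecure'
    $timeout = Get-DesktopSetting 'ScreenSaveTimeOut'
    $exe     = Get-DesktopSetting 'SCRNSAVE.EXE'

    $findings = @()
    if (-not $active -or $active.Value -ne '1') {
        $findings += 'Screen saver is not enabled.'
    }
    if (-not $secure -or $secure.Value -ne '1') {
        $findings += 'Resuming from the screen saver does not require a password.'
    }
    if (-not $exe -or -not $exe.Value) {
        $findings += 'No screen saver program is set, so the idle timeout has no effect.'
    }
    if (-not $timeout -or [int]$timeout.Value -le 0 -or [int]$timeout.Value -gt $MaxIdleSeconds) {
        $findings += "Idle timeout is missing, zero, or longer than $MaxIdleSeconds seconds."
    }

    New-Object PSObject -Property @{
        Account     = "$env:USERDOMAIN\$env:USERNAME"
        ScreenSaver = if ($exe) { $exe.Value } else { $null }
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

Test-IdleLock | Format-List Account, ScreenSaver, Compliant, Findings
```

Run it in the session of the account that stays logged on, since these values live under that user's HKCU hive. The reported screen saver program is also the one to check for CPU use.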

Author Comment

by:amerretz
ID: 17912988
Thanks for all your responses guys. I too have to leave the administrator account logged in due to horrible applications (DB engine) that don't run as a service.

I only ask as I have a client which seems to think it's a security risk to leave the administrator logged in to the server even though the terminal is locked.

Just confirming my thoughts before I get back to him. I don't see it as a risk!
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17913109
Locking the server is MORE secure than leaving it logged out.

Any monkey (assuming the server is misconfigured, and allows users to log on to it) can log in to the server, but only domain admins can unlock it if a domain admin is logged in :)

-red

0
 

Author Comment

by:amerretz
ID: 17913294
Is there any issue of rogue processes running easier if the administrator account is left logged in but locked?

Thank you.
0
 
LVL 33

Accepted Solution

by:
NJComputerNetworks earned 200 total points
ID: 17914028
Yes, there are many security opportunities for attacks to occur on a machine that will assume the rights of the logged in user. Microsoft tries to combat these monthly by releasing security updates... If you read through the security updates, the vulnerability, many times, is that the attacker of the system gets the same rights as the logged in user...

I don't agree with this statement: "Locking the server is MORE secure than leaving it logged out."  

In my opinion, there is some risk by staying logged in. However, the risk is minimal. I would say, log out of a machine if possible... if you must stay logged into a machine, at least make sure that it is patched to the latest level and you have turned off as many unneeded services as possible.

0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 200 total points
ID: 17914076
An issue? If it is a rogue process that runs only from a logged on console. But that also means that it would ALSO run if just logged in to manage the server and not locked. The locking does not change that.
Security measures should be taken to prevent that from happening. If you have such an issue, then it's already far too late. Logged on or not.
Also, there are many many exploits that don't need a logged on console, which just run as a service. Again, you also must prevent those.
Just eliminating a locked console is like sticking your head in the sand and hoping that nothing bad happens.
It does not add any level of security and, as -red mentioned, is more secure in some cases.
I can understand your client's concern if he is just a PC user, who has no idea of architectures. To him it would seem logical. He would think that a PC is only 'working' once logged on. But a lot of things are not what they seem to be, especially if you are not a specialist.
E.g. I don't make any assumptions about cars any more. I love cars but am not a specialist. Once had a clunky noise whenever I used the brakes. Turned out that it had nothing to do with the brakes but with the engine suspension. I know, silly story, but you get the idea.

J.
0
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 100 total points
ID: 17920480
Let me qualify that,

Locking the server is MORE secure than leaving it logged out, assuming the domain is configured incorrectly (allowing any user to log on to a DC, it happens, especially with Terminal Services) AND physical access to the server is possible.

Of course, the other end of that is anyone could just RDP to the server, so I will withdraw that statement entirely. That'll teach me for not thinking :)

-red

0
 

Author Comment

by:amerretz
ID: 17921259
Thanks for all the input from everyone. It seems as though there is no hard and fast way to truly combat all security risk, either through services holes or logged on privilege exploits. I guess I will pass on your advice and let the client decide how mission critical their data really is!

One can only try their best to combat all known security exploits in a Windows system, but there seems to be a never ending group of people who wish to cause havoc. Sure keeps you on your toes.
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 17933146
lol Red...
0
