Solved

Leaving administrator logged in but terminal locked.....

Posted on 2006-11-09
11
1,075 Views
Last Modified: 2008-02-01
Just a general question.

I am wondering if there are any know security issues when leaving the administrator account logged in but the the terminal locked (by using windows key + L) when using Windows Server 2003???

Thanks
0
Comment
Question by:amerretz
  • 3
  • 3
  • 2
  • +3
11 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17912110
not that i have an issue with....i often leave my servers "locked"
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17912310
Same, infact I have servers that MUST be like this to run custom (horrible) applications

-red
0
 
LVL 14

Expert Comment

by:inbarasan
ID: 17912368
You need to sure that you are locking the terminal. You may also set the Screen saver policy to lock the system if it is idle for about 5mins. This way you can make sure that system will locked after 5 min even if you forget to do it. This is extra caution since it is going to Administrator.

Note :
But if you are choosing screen saver choose one that doesn't consume more CPU cycles. Because we had issue in our production environment where Screen saver use to consume abt 80% cpu cycle since it was custom built one. But the one's which comes with OS by default are OK.

Reducing screen saver idle below 5 min some times will annoy the users/admins who are working on the server.because it will get locked while they are thinking to do something.

Hope this helps you
0
 

Author Comment

by:amerretz
ID: 17912988
THanks for all your responses guys. I too have to leave the administrator account logged in due to horrible applications (DB engine) that don't run as a service.

I only ask as I have a client which seems to think its a security risk to leave the administrator logged in to the server even though the terminal is locked.

Just confirming my thoughts before I get back to him. I don't see it as a risk!
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17913109
Locking the server is MORE secure than leaving it logged out.

Any monkey (assuming the server is misconfigured, and allows users to log on to it) can log in to the server, but only domain admins can unlock it if a domain admin is logged in :)

-red

0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:amerretz
ID: 17913294
Is there any issue of rouge processes running easier if the administrator account is left logged in but locked?

Thank you.
0
 
LVL 33

Accepted Solution

by:
NJComputerNetworks earned 200 total points
ID: 17914028
Yes, there a many security opportunities for attacks to occur on a machine that will assume the rights of the logged in user.  Microsoft tries to combate these monthly by releasing security updates... If you read through the security updates, the vulnerability, many times, is that the attacker of the system gets the same rights as the logged in user...  

I don't agree with this statement: "Locking the server is MORE secure than leaving it logged out."  

In my opinion, there is some risk by staying logged in.  However, the risk is minimal.  I would say, log out of a machine if possible... if you must stay logged into a machine, at least make sure that it is patched to the latest level and you have turned off as many uneeded services as possible.

0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 200 total points
ID: 17914076
An issue? If it is a rouge process that runs only from an logged on console. But that also means that it would ALSO run if just logged in to manage the server and not locked. The locking does not change that.
Security measures should be taken to prevent that from happening. If you have such an issue, then it's already far to late. Logged on or not.
Also, there are many many exploits that don't need a logged on console, which just run as service. Again, you also must prevent those.
Just eliminating a locked console is like sticking your head in the sand and hoping that nothing bad happens.
It does not add any level of security and, as -red mentioned, is more secure in some cases.
I can understand your client's concern if he as just a PC user, who has no idea of architectures. To him it would seam logical. He would think that a PC is only 'working' once logged on. But a lot of things are not what they seem to be, especially if you are not a specialist.
E.g I don't make any assumptions about cars any more. I love cars but am not a specialist. Once had a clunky noice whenever I used the brakes. Turned out that it had nothing to do with the brakes but with the engine suspension. I know, silly story, but you get the idea.

J.
0
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 100 total points
ID: 17920480
Let me qualify that,

Locking the server is MORE secure than leaving it logged out, assuming the domain is configured incorrectly (allowing any user to log on to a DC, it happens, especially with Terminal Services) AND physical access to the server is possible.

Of course, the other end of that is anyone could just RDP to the server, so I will withdraw that statement entirely.  That'll teach me for not thinking :)

-red

0
 

Author Comment

by:amerretz
ID: 17921259
Thanks for all the input from everyone. It seems as though there is no hard and fast way to truely combat all security risk, either through services holes or logged on privillage exploits. I guess I will pass on your advice and let the client decide how mission critical their data really is!

One can only try their best to combat all know sercurity exploits in a windows system, but there seems to be a never ending group of people who wish to cause havok. Sure keeps you on your toes.
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 17933146
lol Red...
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
Learn about cloud computing and its benefits for small business owners.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now