Wondering person

  • Question

  • I have an individual at a workplace that continues to get into different computers and servers. How can I lock it so they can't hack in?
    Thursday, August 27, 2009 4:58 PM

Answers

  • That's a question that deserves a bigger answer than I think could be adequately communicated here in a forum answer.  It's not just a technology solution; it's also an issue of training, company policy (and enforcement).  Why is that person still employed at that workplace?  (Or are YOU that person?  :)

    For a basic starting point around what Microsoft can offer with regards to security, you can start here:  http://www.microsoft.com/security/

    For more answers to Client Security specifically, you could go to this forum: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/threads
    For Windows Server Security: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

    But I'd be interested to hear from any of the IT Managers here:  Do you have any recommendations for what to do from an HR, Security Policy perspective?

    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    • Marked as answer by Kevin Remde Sunday, May 23, 2010 1:37 PM
    Friday, August 28, 2009 1:08 PM
  • Hello,

    As Kevin stated, this belongs to your policies in the company, how to handle access. Also the users must be aware of using secure passwords and how to handle/store them.

    Without a security guard on each office door, checking the allowance for entry and accessing the machine, I think you cannot prevent this.

    For our more secure network we are switching to thin clients and use smartcards for accessing as first level with PIN and then you also have the second level with the user login.

    For the servers, how can a normal user access the server room? This is physical room security, so lock the doors and let only admins access them. To prevent remote access from a client, lock the machines down with CD/DVD/USB closing, so they cannot bring in any external tools like VNC etc. Remote desktop you can block within the OS itself via GPO file restrictions and only allow it for admins again.

    You will not find any technical solution that will do this kind of control and teaching of users for you.
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Kevin Remde Sunday, May 23, 2010 1:37 PM
    Saturday, August 29, 2009 1:02 PM
  • I agree with the things that Kevin has already pointed out and would point out 4 specific things that I find most helpful when dealing with "internal" security issues.

    1) Make sure that you are aware of, and implementing to the best of your abilities, the Principle of Least Privilege to User Accounts (LUA). This should keep users from connecting to workstations and servers that they should not be. An excellent tool to help make LUA work is Process Explorer in the Sysinternals Suite found here: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx . It is extremely useful for showing an administrator what access a user needs on their local machine without giving them local admin privileges.

    2) Use Access-based Enumeration (ABE) on any servers that have file shares. ABE can be downloaded here: http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en if you are using Windows Server 2003, and is built into the OS if you are running Windows Server 2008. This will allow users to only see those shares that they have permission to access. It is much harder to "break into" that which you cannot see.

    3) Consider enabling and configuring IPSec on as many servers as possible. Many essential backend servers, particularly Exchange and SQL, can be set to only allow connections from other servers that require connections to function, thereby securing them from users at their workstations. As a part of this, look into locking out any unnecessary ports (only allow SQL connections on a SQL Server etc.; be sure to take into account all services on a server if doing this, as things like Reporting Services can change what ports are necessary).

    4) Last, I would highly suggest redirecting your user directories to your servers. This makes it so that even if someone "hacks into" their neighbor's C$ share by use of administrator privilege, there is little to no information there of any value. If you have taken steps 1-3 above then the only people who see the user shares on the server are the actual users who own the shares.

    Steps 1, 2 and 4 are very easily done in a Microsoft client server environment and should be a part of any server infrastructure plan. IPSec is more complicated to set up at first, but will pay you back with large security increases in a short time.

    I hope that helps you get started,
    Tim
    Tim Vander Kooi
    • Marked as answer by Kevin Remde Sunday, May 23, 2010 1:37 PM
    Saturday, August 29, 2009 1:30 PM
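
Added example, not part of the original thread or of any poster's own tooling: a PowerShell sketch of points 2 and 3 from the answer above, enabling ABE on file shares and limiting the SQL port to the servers that need it, followed by a check for inbound rules still open to every address. It uses Windows Firewall address scoping rather than IPsec authentication, so it covers only the port lock-down half of point 3. It assumes Windows Server 2012 or later (SmbShare and NetSecurity modules) and an elevated session; the server addresses are constructed placeholders.

```powershell
# Added example. Run elevated on the file server / SQL server being hardened.
# Constructed values: replace with the servers that really need SQL access.
$AppServers = '10.10.20.11', '10.10.20.12'
$SqlPort    = 1433   # default SQL Server instance port (assumption)

# Point 2: turn on Access-based Enumeration for every non-administrative share,
# so users only see folders they have permission to open.
Get-SmbShare -Special $false |
    Where-Object { $_.FolderEnumerationMode -ne 'AccessBased' } |
    ForEach-Object {
        Set-SmbShare -Name $_.Name -FolderEnumerationMode AccessBased -Force
        "ABE enabled on share $($_.Name)"
    }

# Point 3 (port lock-down): block inbound by default on the domain profile,
# then allow the SQL port only from the listed servers.
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'SQL from app servers only' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $AppServers -Profile Domain -Action Allow | Out-Null

# Check: allow rules are additive, so an older rule that accepts any remote
# address still exposes its port to workstations. List those for review.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Protocol  = $port.Protocol
                LocalPort = $port.LocalPort -join ','
            }
        }
    } |
    Sort-Object Rule |
    Format-Table -AutoSize
```

Each rule the final check lists needs either a remote-address scope or removal; as the answer notes, account for every service on the server (Reporting Services, for example) before tightening ports.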

All replies

  • Wah, that's old..

    Guowen Su
    Cisco Certified Network Associate
    Cisco Certified Internetwork professional - MPLS
    Certified Information Systems Security Professional
    Microsoft Partner Network 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator:Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Certified Ethical Hacker
    Computer Hacking Forensics Investigator
    Certified Sonicwall Security Administrator
    Microsoft Geeks

    Tuesday, June 19, 2012 2:45 AM