Screen saver doesn't secure Workstation

Guest
Archived from groups: microsoft.public.windowsxp.security_admin

Network of W2KSBS and Novell. I am using the "On resume, Password Protect"
option on the screen saver tab of "Display Properties". The screen saver
invokes and requires that the user logs in, and it authenticates against NDS.
This is good for most cases, but I have to lock down the CFO's PC, and since
several members of the IT staff have access to change passwords on the Novell
and W2KSBS servers, they can change the Novell or W2KSBS password and then
log in as that user with the password that they just created. I have searched
the internet and the Win XP newsgroups for a solution and there doesn't
appear to be one.

Every time you turn around Microsoft says it is working on the security of
its products, yet it doesn't allow for a lockdown of a PC via a screen saver
password that doesn't use a network server password that could be changed by
IT staff with high enough rights. NOTE: the PC is locked by BIOS bootup and
restart passwords.

Does anyone have any suggestions?
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

HOW TO: Create a Desktop Shortcut that Locks a Windows Workstation
http://support.microsoft.com/default.aspx?scid=kb;en-us;314969

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

-------------------------------------------------------------------------------------------

"CMTITMGR" wrote:

| Network of W2KSBS and Novell. I am using the "On resume, Password Protect"
| option on the screen saver tab of "Display Properties". The screen saver
| invokes and requires that the user logs in, and it authenticates against NDS.
| This is good for most cases, but I have to lock down the CFO's PC, and since
| several members of the IT staff have access to change passwords on the Novell
| and W2KSBS servers, they can change the Novell or W2KSBS password and then
| log in as that user with the password that they just created. I have searched
| the internet and the Win XP newsgroups for a solution and there doesn't
| appear to be one.
|
| Every time you turn around Microsoft says it is working on the security of
| its products, yet it doesn't allow for a lockdown of a PC via a screen saver
| password that doesn't use a network server password that could be changed by
| IT staff with high enough rights. NOTE: the PC is locked by BIOS bootup and
| restart passwords.
|
| Does anyone have any suggestions?
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"CMTITMGR" <CMTITMGR@discussions.microsoft.com> wrote in message
news:A20BB9F8-ADEE-4C6E-968F-92FE6F1FF4B3@microsoft.com...
> Network of W2KSBS and Novell. I am using the "On resume, Password Protect"
> option on the screen saver tab of "Display Properties". The screen saver
> invokes and requires that the user logs in, and it authenticates against NDS.
> This is good for most cases, but I have to lock down the CFO's PC, and since
> several members of the IT staff have access to change passwords on the Novell
> and W2KSBS servers, they can change the Novell or W2KSBS password and then
> log in as that user with the password that they just created. I have searched
> the internet and the Win XP newsgroups for a solution and there doesn't
> appear to be one.
>
> Every time you turn around Microsoft says it is working on the security of
> its products, yet it doesn't allow for a lockdown of a PC via a screen saver
> password that doesn't use a network server password that could be changed by
> IT staff with high enough rights. NOTE: the PC is locked by BIOS bootup and
> restart passwords.
>
> Does anyone have any suggestions?

Yes -- you need to understand that if you have IT staff with high enough
rights then there is nothing you can do.
This is just basic security, in that you must trust those individuals that
you give elevated privileges to.
If you do not trust them then they should not be in a position where they
can exercise their elevated rights over sensitive areas.
Obviously you have the forensic evidence of the password change event, and if
you are monitoring your event logs properly you would be alerted to a
password change of an important account; that should hopefully be an
alarm-bells-ringing event if this has happened without proper authorization
etc.
Also there is education, in that if a user is to leave their workstation for
some time they should log off - of course this does not mitigate this attack,
as all you have is a properly privileged user changing a password and
logging on as that person's account. There is no way to stop this except
through the use of a system such as two-part authentication, where even with
a changed password the admin could not log on as you without your smart card
- of course, as an admin they can change the login policy to allow them to
log in without the card - do you see the point here?
Appropriately privileged accounts allow you to do things that are security
issues - you therefore must trust them.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

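The detection Mike describes above (alert on a password reset of an important account, and treat a logon with that account right after the reset as the scenario the original poster fears) can be expressed as a small correlation over Security log events. The following is an added example written for this page; it is not code from the thread or from Microsoft. The event records are constructed sample data with the fields that matter reduced to a dict: the IDs used are the real Windows ones (627/628 on Windows 2000/XP/2003, 4723/4724 on Vista and later for change-own-password and reset-by-someone-else; 528/540/4624 for successful logons), but the account names, host names, timestamps and the `find_alerts` function are assumptions made for the example.

```python
"""Flag admin resets of watched accounts and logons that follow them.

Added example for the thread above; constructed data, not real logs.
Assumes events have already been pulled off a collector the IT staff
cannot edit (an admin who can reset the password can also clear the
local Security log, so the log must leave the box to be useful).
"""
from datetime import datetime, timedelta

# Windows Security event IDs (2000/XP/2003 first, Vista+ second).
RESET_IDS = {628, 4724}        # password set/reset by another principal
SELF_CHANGE_IDS = {627, 4723}  # user changed their own password (benign)
LOGON_IDS = {528, 540, 4624}   # successful logon

# Constructed sample events. "subject" is the principal performing the
# action; "target" is the account acted on (for logons, the account that
# logged on); "source" is the computer the event was recorded for.
SAMPLE_EVENTS = [
    {"time": "2004-11-02 09:00:05", "id": 4723, "subject": "cfo",
     "target": "cfo", "source": "CFO-PC"},          # own change, ignore
    {"time": "2004-11-02 12:31:10", "id": 4724, "subject": "helpdesk1",
     "target": "cfo", "source": "SBS01"},           # admin reset of CFO
    {"time": "2004-11-02 12:33:42", "id": 4624, "subject": "cfo",
     "target": "cfo", "source": "CFO-PC"},          # logon 2 min later
    {"time": "2004-11-02 12:40:00", "id": 4724, "subject": "helpdesk1",
     "target": "tempuser", "source": "SBS01"},      # not a watched account
    {"time": "2004-11-03 08:05:00", "id": 4624, "subject": "cfo",
     "target": "cfo", "source": "CFO-PC"},          # next day, outside window
]


def parse_time(text):
    """Timestamps in the sample are 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_alerts(events, watched, window_minutes=60):
    """Return alerts for watched accounts, in chronological order.

    kind == "reset": someone other than the account owner reset the password.
    kind == "logon_after_reset": the account logged on within the window
    after such a reset, which is exactly the attack the thread describes.
    """
    watched = {w.lower() for w in watched}
    alerts = []
    recent_resets = {}  # account -> (reset time, who reset it)
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        when = parse_time(ev["time"])
        acct = ev["target"].lower()
        if acct not in watched:
            continue
        if ev["id"] in RESET_IDS and ev["subject"].lower() != acct:
            recent_resets[acct] = (when, ev["subject"])
            alerts.append({"kind": "reset", "account": acct,
                           "by": ev["subject"], "time": ev["time"]})
        elif ev["id"] in LOGON_IDS:
            reset = recent_resets.get(acct)
            if reset and when - reset[0] <= timedelta(minutes=window_minutes):
                alerts.append({"kind": "logon_after_reset", "account": acct,
                               "reset_by": reset[1], "from": ev["source"],
                               "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS, {"cfo"}):
        print(alert)
```

The self-change event (627/4723) is deliberately not an alert: the subject and target are the same principal, which is the normal case. The window is a tuning knob; an admin who resets the password and waits a day will only trip the first alert, which is still the one that matters.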