Screen saver doesn't secure Workstation

Archived from groups: microsoft.public.windowsxp.security_admin

Network of W2KSBS and Novell. I am using the "On resume, Password Protect"
on the screen saver tab of "Display Properties". Screen saver invokes and
requires that the user logs in and it authenticates against NDS. This is
good for most cases, but I have to lock down the CFO's PC and since several
members of the IT staff have access to change passwords on Novell and W2KSBS
servers, they can change the Novell or W2KSBS password and then login as that
user with the password that they just created. I have searched the internet
and the Win XP newsgroups for a solution and there doesn't appear to be one.

Every time you turn around Microsoft says they are working on the security of
its products, yet it doesn't allow for a lockdown of a PC via a screen saver
password that doesn't use a network server password that could be changed by
an IT staff with high enough rights. NOTE: PC is locked by a BIOS bootup and
restart passwords.

Does anyone have any suggestions?
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    HOW TO: Create a Desktop Shortcut that Locks a Windows Workstation
    http://support.microsoft.com/default.aspx?scid=kb;en-us;314969

    --
    Carey Frisch
    Microsoft MVP
    Windows XP - Shell/User
    Microsoft Newsgroups

    Get Windows XP Service Pack 2 with Advanced Security Technologies:
    http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

  2. Archived from groups: microsoft.public.windowsxp.security_admin

    Yes -- you need to understand that if you have IT staff with high enough
    rights then there is nothing you can do.
    This is just basic security; in that you must trust those individuals that
    you give elevated privileges to.
    If you do not trust them then they should not be in a position where they
    can exercise their elevated rights over sensitive areas.
    Obviously you have the forensic evidence of the password change event and if
    you are monitoring your event logs properly you would be alerted to a
    password change of an important account and that should hopefully be an
    alarm bells ringing event if this has happened without proper authorization
    etc.
    Also there is education in that if a user is to leave their workstation for
    some time they should log off - of course this does not mitigate this attack
    as all you have is a properly privileged user changing a password and
    logging on as that person's account - there is no way to stop this except
    through the use of a system such as 2 part authentication where even with a
    changed password the admin could not log on as you without your smart card -
    of course as an admin they can change the login policy to allow them to
    log in without the card - do you see the point here?
    Appropriately privileged accounts allow you to do things that are security
    issues - you therefore must trust them.


    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups
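
The reply above points to the password change event in the logs as the thing to monitor and alert on. The following is an added example, not part of the original thread: it correlates a password reset on a watched account with a logon as that same account shortly afterwards. The record layout, the account names and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Security-log event IDs: 628 / 4724 = password set by another account (reset),
# 528 / 4624 = successful logon (Windows 2000/XP and Vista-or-later numbering).
RESET_IDS = {628, 4724}
LOGON_IDS = {528, 4624}

# Constructed sample records: (time, event id, account acted on, account that acted).
# All account names are hypothetical.
SAMPLE_EVENTS = [
    ("2005-03-01 08:55:10", 528, "cfo", "cfo"),
    ("2005-03-01 19:02:41", 628, "cfo", "itadmin2"),
    ("2005-03-01 19:04:03", 528, "cfo", "cfo"),
    ("2005-03-02 10:15:00", 628, "jsmith", "itadmin1"),
    ("2005-03-02 10:40:00", 528, "jsmith", "jsmith"),
    ("2005-03-03 09:00:00", 628, "cfo", "itadmin1"),
]

def find_reset_alerts(events, watched, window=timedelta(minutes=30)):
    """Return one alert per reset of a watched account by a different account.

    Severity is 'high' when the reset is followed by a logon as the target
    within `window` (the pattern described in the thread), else 'review'.
    """
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, target.lower(), caller.lower())
        for ts, eid, target, caller in events
    )
    alerts = []
    for i, (when, eid, target, caller) in enumerate(parsed):
        if eid not in RESET_IDS or target not in watched or caller == target:
            continue
        # Records are time-sorted, so everything after index i is later.
        followed = any(
            e in LOGON_IDS and t == target and w - when <= window
            for w, e, t, _ in parsed[i + 1:]
        )
        alerts.append({
            "time": when, "account": target, "reset_by": caller,
            "severity": "high" if followed else "review",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_reset_alerts(SAMPLE_EVENTS, watched={"cfo"}):
        print(alert)
```

Such a check is only useful if the logs are collected somewhere the accounts being watched for cannot alter them.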