Securing NT workstations

dinger

Originally posted in Admin(Oops ;-)
Hi Guys
Looking for some info etc. on locking down a few NT4 workstations. (As in disabiling control panel etc.)Any sites or aps out there that are useful? Looking for something that will create a default profile and that will just involve exporting the profile to another machine instead of editing registries. The machines are networked but are not in a domain and we don't use NT Server either. Had a quick look at the Management Console plugin but not sure if this is the way to go??

flamegrill

i here www.google.com is good for most things. try it and see.

BNC

Have you not tried Policy Editor?

dinger

<font face="Verdana, Arial" size="2">Originally posted by BNC:
Have you not tried Policy Editor?</font>

I was under the impression that policy Editor was only advalible with NT Server. Exactly what I was looking for.
Thanks

BNC

Policy Editor is fairly handy, once you've used it a couple of times. Have a play with it on a test machine first so you get a feel for it and you dont make a bags of a live machine.

I know a guy who managed to completely lockdown the system and was unable to undo any of the restrctions.

---

How do I set a laser printer to stun?

dinger

Unfortunatly with some of our users the more locked down the better. Remoted into a station to-day and a guy was playing pinball. It was worth it though because when I rang him to ask him what his top score was the game was over pretty quick. Big brother and all that;-)
Thanks again BNC.

Ste.phen

*gasp* oh no.... not PINBALL!
Maybe you shouldn't have installed it? :P

---

--
.sdrawkcab dootsrednu tub sdrawrof devil si efiL

dinger

<font face="Verdana, Arial" size="2">Originally posted by Igy:
*gasp* oh no.... not PINBALL!
Maybe you shouldn't have installed it? :P


</font>

Maybe I didn't!

Hobbes

<font face="Verdana, Arial" size="2">Originally posted by dinger:
Remoted into a station to-day and a guy was playing pinball.</font>

You really want to be very careful doing stuff like that. Unless you have written permission to do that sort of thing it is a dismissable offense.

While the company has rights to know what the employees are up to, IS or Admins don't by default. All it takes is one p1ssed off user to complain to the right people and you would be out on your ear.

Also you have the danger of alienating yourself from the people who work there and effecting the mindset of how people work (Basically a person is more likely to be happy and work longer for free if they are relaxed in work rather then expected to be working every second).

yankinlk

?...back in the real world...

[qoute](Basically a person is more likely to be happy and work longer for free if they are relaxed in work rather then expected to be working every second). [/qoute]

what exactly do you mean "for free"...are they not employed ie earning a paycheck?


Nice 1 Dinger! I done the same thing in Dell all the time. We used a proggy to take control of pc's all the time to fix problems remotely for people. We would ring first and let them know we were going to do it (if they had a phone)

but the pc's on the floor/warehouse/production usually had no phone. Basically those pc's were the property of the department that bogght them, not the user. so installing pinball on them would have been the dismissable offence matey. the user is lucky mr. I.S. here has a sense of humor and didn't ring up his boss.

Hobbes you havent a clue what it's like working in IS, the most hated department, the first to get the blame, the last to get recognition.

when you get a job supporting over 1000 users (losers) breaking systems and forgeting passwords for systems you are responsible, come back to me and tell me what you think is right and wrong.

JustHalf

BOFH! Keep 'em on their toes, that's what *I* say.

BNC

We used to the the same with the remote thing. We supported about 300 users all over Europe remotely from Dublin. The machines were to be left on 24/7 and we had full access, this was to necesitate any maintenance i.e. patches etc. There was one time we were doing an update in the evening on a system in France, and the guy was looking at porn!
If the machine is the property of the business and is only meant to be used for business use then Admins IS have the right to enter that machine.

LoLth

yeah, my network would be perfect if it wasn't for those damn users

Ever think that if it weren't for users forgetting their passwords and breaking things, you wouldn't have a job? Or at least there wouldn't be as many jobs.

How about setting up in-house training in computer basics so that they don't make simple mistakes anymore or can actually fix things without panicking.

About looking at people's PCs, the computer is the property of the company, and it is usually part of the job to monitor network traffic. In my case I had to look at the Novell console every now and then and make sure no-one was doing anything dodgy. I was supposed to report them to head office without warning.

Never did, but let the user know that I was supposed to and that what they were looking at was a big no-no.

JustHalf

Your job could always be to make sure you get paid; and if you don't, do something happen that could in no way be related to you that brings the entire network down.

Ah, bliss!

Draco

<font face="Verdana, Arial" size="2">Originally posted by yankinlk:
?...back in the real world...
what exactly do you mean "for free"...are they not employed ie earning a paycheck?

Hobbes you havent a clue what it's like working in IS, the most hated department, the first to get the blame, the last to get recognition.
</font>

By free I assume hobbes mean people are more willing to stay on after offical work times rather than leave exactly at 5. Good will goes along way. I certainly don't get paid for any over time I do, but I am willing to do some for free becuase of the the good atmosphere in my place of work.
Also, while the company may own your PC, people must be informed by law that they are being monitered. Since a person could turn around and sue the company for invasion of privacy, tou have to be careful what you actually do.
As for Hobbes not having a clue, he has alot more of a clue than you think.

Draco

<font face="Verdana, Arial" size="2">Originally posted by Hobbes:
Well I'm not sure about that. It's company property and they have the full right to what they want. In fact it's amazing how far they can go.
</font>

They can. You *must* be informed if there is a possiblity that your PC or e-mail will be monitored. It has now become a standard clause in contracts.

dinger

Originally posted by Hobbes:
You really want to be very careful doing stuff like that. Unless you have written permission to do that sort of thing it is a dismissable offense.

I am well aware of the laws and always seek permission. The fact of the matter is these guys are using an important operational system which is built for a specific purpose which is not for playing games. Any extra load on the system can have huge afects on our business and there is a strict policy on what they can and can't do. Any IT section worth its salt have these policys and they are their for a reason.

yankinlk

<font face="Verdana, Arial" size="2">Originally posted by Hobbes:
>What if it wasn't pinball he was playing and instead he was typing a confidential letter that later gets leaked? Who do you think is the first they will blame? Someone spying on others peoples machines without thier knowledge or the permission of the company or someone playing pinball, who do you think they will fire first?
</font>

Take it easy Hobbes, that is clearly not the situation being discussed here, I.S. doesnt have the time or the interest to spy on people...the machine being watched aint for personla use, or even letter writing, its for an operator to push a few buttons, and definetly not play or install pinball. Don't invent situations to justify an incorrect argument.

<font face="Verdana, Arial" size="2">Originally posted by Hobbes:
>
In fact an IS guy in my place got fired for doing pretty much what you suggested.

IS is not the security department.</font>

Hmmm, details would be nice to that story. No one is claiming IS to be security, except when IS is looking after production machines. ever heard of downtime, i very much doubt you have worked in a manufacturing environment. IS rules the roost in manufacturing because there would be no jobs if the assembly process is stopped by a stupid/lazy/slacker user trying to install programs on workstations.

<font face="Verdana, Arial" size="2">Originally posted by Hobbes:
>

Well calling your customers loosers is certainly one thing you want to drop right off. </font>

They aint my customers, I would prefer if they were all replaced by machines/computers. I dont like people - I have no use for them. They only get in the way.

LoLth

wow! I bet they *love* you!

Hobbes

Take it easy Hobbes, that is clearly not the situation being discussed here,

But it is the situation. He didn't know he was playing pinball until he was spying on him. He was spying without the guys permission otherwise the person wouldn't of been playing pinball. no?

Anyway it wasn't until later he pointed out it was a console and not a users machine. Btw pinball comes installed by default in windows.

Hmmm, details would be nice to that story.

An IS person was logging into peoples machines and installing monitoring software or copying stuff off peoples machines. He was caught by a few people (myself included).

Some of the groups here have Trap machines, normally designed to catch possible virus outbreaks but occasionally it catches people who shouldn't be doing things. IS are not computer security here (even though they have the power to take your machine/network away) so IS Security (a seperate department) investigated it and fired the guy.

I believe he used the same argument as well.

i very much doubt you have worked in a manufacturing environment.

Actually I have and amazing as it sounds I do know what the word downtime means. It doesn't mean it justifies you spying on people.

They aint my customers,

Yes they are. If you work in IS then your customers are the people who work in that company and need you to ensure everything is running. Calling them loosers is probably not going to win you a lot of friends and if you IS department is any way good they will probably have feedback forms they mail to thier customers.

[added]

To get back to my original point. It wasn't that he was spying on them, it is that if you are going to spy make dam sure you have it in writing that your allowed to.


[This message has been edited by Hobbes (edited 31-07-2001).]

yankinlk

[qoute]Take it easy Hobbes, that is clearly not the situation being discussed here,
But it is the situation. He didn't know he was playing pinball until he was spying on him. He was spying without the guys permission otherwise the person wouldn't of been playing pinball. no?

Anyway it wasn't until later he pointed out it was a console and not a users machine. Btw pinball comes installed by default in windows. [/qoute]

but it ISN'T the situation here. The machine he logged into (read: not spyed into) was a console and not a personal machine that should not have been used for personal reasons. period. end of story.

remote control of a pc does not equal spying m8. you are the only one equating it with spying.

if a rogue I.S. person is installing software in order to control a pc remotely "because he can" and not in accordance with the rest of the I.S. Department then that also is in no way similar to this story.

Draco

<font face="Verdana, Arial" size="2">Originally posted by yankinlk:
remote control of a pc does not equal spying m8. you are the only one equating it with spying</font>

It does if you can see what other users are doing without their knowledge.

yankinlk

only if two conditions are met:
1) only if you are a total moron user because the program will alert the user with an audible tone and open a window, and an icon in system tray...also the movement of the mouse by IS personell would be a clear giveaway, duh.

2) an IS person is not in the business of watching other losers playing pinball - im guessing your man was logging on remotely to check something and discovered quite by accident this user playing pinball, get a grip people.

Thats like saying people in IS would remember your pitiful passwords and try and read your mail...we dont remmeber them becasue 1)your mail is probably boring anyway 2)remembering 50 passwords a day is hard

I love the users who ask, "i cant think of a password, make one up for me..."

or better

Hobbes

1) only if you are a total moron user because the program will alert the user with an audible tone

Heh, and you say I make assumptions on what setup they have? There are a large number of remote control tools out on the market. Nearly all of them have a quiet mode option (No warning your being viewed and doesn't touch keyboard/mouse).

an IS person is not in the business of watching other losers playing pinball

Quite true, however the point was the user (not loser) was being spied apon. Spying implies watching a person without thier knowledge of it happening. I'm pretty sure if they got a warning like you said they would he wouldn't of had to ring up now?

I'm really not going to continue arguing symantics with you. Quite simply if your doing that sort of thing you would just better be sure that you have some kind of authorisation in writing, saying "I'm IS" doesn't give you the right to spy on machines that people would be using without thier knowledge.

yankinlk

i dont agree. he was never being spied upon. he didnt target this user, he was just doing his job and this clod happened to be on the machine playing pinball. read it again, its fairly clear.

i will not concede that remote control = spying.

Draco

<font face="Verdana, Arial" size="2">Originally posted by LoLth:
How about setting up in-house training in computer basics so that they don't make simple mistakes anymore or can actually fix things without panicking.
</font>

HAH! Most people will forget everything within minutes of you telling them. I swear to god, I've written out step by baby step instructions for people on how to change a password and they can't follow them. I've gone over and showed them how do do it, and they still can't remeber. Also, a little knowledge is very dangerous - I've found that people end up messing things up even more when they try and use their own knowledge to fix things...

Hobbes

>what exactly do you mean "for free"...are >they not employed ie earning a paycheck?

Yes they are. When I mean for free a person who enjoys thier work will tend to work longer thus bringing your costs down then someone who is just in it for the money and will probably do a 9-5 job.

Excessive slacking is a problem but someone who meets or exceeds thier requirements I certainly wouldn't penalise if I caught them playing pinball.

Yanknik, there is a BIG difference getting a persons permission to remote control thier machine and accessing thier machine without thier knowledge. What if it wasn't pinball he was playing and instead he was typing a confidential letter that later gets leaked? Who do you think is the first they will blame?

Someone spying on others peoples machines without thier knowledge or the permission of the company or someone playing pinball, who do you think they will fire first?

In fact an IS guy in my place got fired for doing pretty much what you suggested.

IS is not the security department.

>Hobbes you havent a clue what it's like >working in IS, the most hated department, >the first to get the blame, the last to get >recognition.

Actually yes I do.

>when you get a job supporting over 1000 >users (losers) breaking systems

Well calling your customers loosers is certainly one thing you want to drop right off.

Hobbes

<font face="Verdana, Arial" size="2">Originally posted by Draco:
Also, while the company may own your PC, people must be informed by law that they are being monitered. Since a person could turn around and sue the company for invasion of privacy, tou have to be careful what you actually do.</font>

Well I'm not sure about that. It's company property and they have the full right to what they want. In fact it's amazing how far they can go.

However just because the company has the right does not mean an IS department or your boss has a right by default to spy on people.