Sharing


Steve Jones
Comments posted to this topic are about the item Sharing

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Zarko Jovanovic
My friend uses some open source tool that locks the workstation if your Bluetooth-enabled cell phone moves out of (Bluetooth) range!

I found some software that does the same thing for 15 US$.

I can see this as mandatory practice in some companies :-)

Of course, Bluetooth devices are not found in most workstation computers, but a USB Bluetooth "dongle" is about 25 US$.
Andy sql
At my last work place, the Sys Admins implemented a new policy such that any workstation left unattended for 5 minutes would automatically lock, and then show the screensaver.

That REALLY annoyed some people! For example, you could be reading a document on-screen, and if you didn't move the mouse or hit a key for 5 minutes, your workstation would lock.

It was a real pain for the reception staff, who generally had to unlock their workstation whenever a customer walked in.

However, the reasons behind the move were sound, and people fairly quickly adapted to the change.

As for shared accounts, generally a big no-no.

My view is that the sooner we start using Smart Cards (or some other 2-factor authentication) the better. Take your card with you when you leave your workstation, and it automatically locks. I like the idea of using Bluetooth on the mobile phone, that is clever.

I will admit to still running my workstation as a member of the local Administrators group though.

Andy
gwardell
Hi,

I found it just plain stupid that a company would release software that would not run as a regular user, requiring it to be an administrator account just to print. And I wouldn't have believed it if it hadn't happened to one of my clients, and it was software from a big name company to boot.

So what's a sys admin to do? Make everyone that used that software an administrator of course.

Then, later on, somehow a virus got in and spread through the network because of those demonstrator accounts.

Sheesh.
Lou Ortega
The last two software companies I've worked for have had programs that required local Administrative access.

This was obviously a problem to any client that had any form of network security policy in place. The workaround in both cases was:

1) Install the application under the Admin account
2) Give the limited user(s) permissions to specific folders and registry keys needed to run the program

Not sure if there is a better way -

Lou
gwardell
lortega (3/21/2008)


1) Install the application under the Admin account
2) Give the limited user(s) permissions to specific folders and registry keys needed to run the program


I thought about this; it wasn't folders, the problem was registry keys. In my case the software vendor refused to tell me which keys and what access was needed. All they would say was an administrative account.

Not helpful at all.
Lou Ortega
Unbelievable. Talk about being irresponsible and negligent.
Steve Jones
I wish someone would sue over this, not necessarily requiring admin rights, but not disclosing them. It would be a good way to force some disclosure.

I got told this by Dynamics (before they were MS), saying they needed "sa" rights. When I queried further, I realized the guy on the phone had no idea what was needed. He was a tech support guy, not a developer.

So I did some testing and discovered they needed SA rights (SQL 7) to add a new user to the system. We decided DBAs would add the login and the application would then see it. So they had to send an email for new accounting people. Worked great.

There are some trace tools, used to be some at sysinternals, that might help you figure out what rights are needed.

Andy sql
Absolutely, ProcessMonitor from SysInternals (now part of the Microsoft, err, family) will help you figure out what permissions are required. The vast majority of problems are permissions to one or two specific keys in the registry.
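
An added example, not part of any post in this thread: one way to turn a Process Monitor capture, saved as CSV, into the short list of registry keys and files a limited user was denied, so that access can be granted on those objects instead of making the user an administrator. The sample rows are constructed, and `LegacyPrint.exe` and every path in them are hypothetical.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export.
# LegacyPrint.exe and every path below are hypothetical.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","LegacyPrint.exe","4120","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\Print","SUCCESS","Desired Access: Read"
"10:01:02.11","LegacyPrint.exe","4120","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\Print\Settings","ACCESS DENIED","Desired Access: Read/Write"
"10:01:02.12","LegacyPrint.exe","4120","RegCreateKey","HKLM\SOFTWARE\ExampleVendor\Print\Settings","ACCESS DENIED","Desired Access: All Access"
"10:01:02.30","LegacyPrint.exe","4120","CreateFile","C:\Program Files\ExampleVendor\spool.tmp","ACCESS DENIED","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:03.00","explorer.exe","988","RegOpenKey","HKLM\SOFTWARE\Other","ACCESS DENIED","Desired Access: Read"
'''

# The access list may itself contain commas, so stop at the next "Name:" field.
ACCESS_RE = re.compile(r"Desired Access:\s*(.*?)(?:,\s*[A-Za-z ]+:|$)")


def denied_resources(csv_text, process_name):
    """Return (kind, path, operations, requested_access, hits) for every
    object the named process was denied, sorted by kind and path."""
    found = defaultdict(lambda: {"ops": set(), "access": set(), "hits": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # other processes' denials are noise for this question
        if row["Result"] != "ACCESS DENIED":
            continue
        kind = "registry" if row["Operation"].startswith("Reg") else "file"
        entry = found[(kind, row["Path"])]
        entry["ops"].add(row["Operation"])
        entry["hits"] += 1
        match = ACCESS_RE.search(row["Detail"])
        if match:
            entry["access"].add(match.group(1).strip())
    return [
        (kind, path, sorted(found[(kind, path)]["ops"]),
         sorted(found[(kind, path)]["access"]), found[(kind, path)]["hits"])
        for kind, path in sorted(found)
    ]


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" so a
    # leading byte-order mark does not end up in the first column name.
    for kind, path, ops, access, hits in denied_resources(SAMPLE_CSV, "LegacyPrint.exe"):
        print(f"{kind:8} {path}  ops={ops} requested={access} hits={hits}")
```

The requested access is what the program asked for, which is often more than it needs; granting the narrowest right that makes the denial go away and re-running the capture keeps the change small.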
Jack Corbett
I worked at a paper mill and we used shared accounts for the production floor personnel. They were using thin-clients and Citrix published apps with restricted permissions. For any other position in the company you had a personal login. As far as locking the workstation, too many places I have been have not put that in a policy and admins were leaving their PCs open.



Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming
At best you can say that one job may be more secure than another, but total job security is an illusion. -- Rod at work


