Sharing

  • I used to change the mouse at someone's workstation if they left it unlocked. I worked at one place where the accounting group left computers unlocked and we in IT would go around and lock computers and they would have to call us and get us to tell them what the password was. It always amazed me that they thought it was no big deal. Eventually our company was broken into and all of the accounting laptops were stolen and none of them had been locked.

    I usually keep the databases locked pretty tightly until I know the user's level. At one of my jobs I had a user delete data and I tightened their security. They turned around and started logging in as the web user which had a certain amount of rights to insert and delete data. I'm not sure how the developer did it, but he deleted an entire table; not just the data but the structure as well. Fortunately I had a backup and could restore, but we still lost an hour or two of data.

  • We each have our own account. When I leave my workstation even just for a few minutes to get coffee, I have to lock it. Otherwise if my boss or the security people find it unlocked, I will be in trouble.

    That actually bothers me. No one can enter my company without a security pass. If I leave my workstation unlocked, is someone going to use it to destroy the system? Unfortunately the security department makes sure I cannot do that. I can only access the development database. So what is the big deal about locking the workstation? Someone will use it to do something evil? It comes to a point that I feel even though we work in the same company, we don't even trust ourselves anymore.

  • Loner (3/21/2008)

    That actually bothers me. No one can enter my company without a security pass. If I leave my workstation unlocked, is someone going to use it to destroy the system? Unfortunately the security department makes sure I cannot do that. I can only access the development database. So what is the big deal about locking the workstation? Someone will use it to do something evil? It comes to a point that I feel even though we work in the same company, we don't even trust ourselves anymore.

    Think of it as a protection for you more than for the company. If your workstation is left unlocked, then you are responsible for anything done under your username! That means legally responsible! It is well and good to be trusting, but it does you no good after your name is dragged through the mud!

    ----------------------------------------------------------------------------
    "No question is so difficult to answer as that to which the answer is obvious." - George Bernard Shaw

  • I work for a health care organization. Unfortunately security, especially computer security, is becoming more and more important in our society. In the last 10 or so years Microsoft has gone from a model of default installations of its products being "everything enabled" to "everything disabled", which is how so many security vulnerabilities have been discovered in Microsoft products. It is a little bit more work having to enable Named Pipes and TCP/IP for Remote Connections on new SQL Server 2005 installs, but there are fewer "back doors" left unopened in SQL 2005 than in SQL 2000.

    Shared accounts are generally a bad idea from an auditing perspective.

    A couple of our vendors are logging in as one specific user, when in reality it can be anyone from their company. When issues occur from that login, *NO ONE* confesses to the mistake. I.T. is fighting with Management to force a 1-to-1 login ratio for all vendors so that we know who did what and when.

    We have had staff terminated for allowing other people to access information in computer systems under the same login. One example is that User1 and User2 sit next to each other and have access to an Application. User1 was already logged in to the Application. User2 didn't want to "bother" with logging in, and asked User1 to let User2 access some information, on an issue that User2 was working on. User1 moved aside, and let User2 access the system. Unfortunately the data that was accessed was Protected Health Information that User1 had no business viewing, but User2 did. In the eyes of an auditor, User1 illegally accessed information on that Application. The end result is that one employee was fired and the other was severely reprimanded.

    Just my observations,

    "Key"
    MCITP: DBA, MCSE, MCTS: SQL 2005, OCP

  • Damon Wilson (3/21/2008)

    Unfortunately the data that was accessed was Protected Health Information that User1 had no business viewing, but User2 did.

    Ahh, if user1 was not authorized to view, why was his account allowed access in the first place? To me that sounds more like a rights problem than a usage problem.

    Also, if user2 thought it too much "trouble" to log on himself, that points to another problem. If we really want people to use security properly, we need to make it easier to use it than to bypass it. True, in the long term it isn't, but it has to feel easier in the short term when it counts.

  • I think he got User1 and User2 mixed up somewhere in the middle...

  • I think I did get User1 and User2 jumbled up a bit. The bottom line is that the people involved knew that the system was monitored for unauthorized data access, and neither user exercised good judgement about security with regard to their login.

    "Key"
    MCITP: DBA, MCSE, MCTS: SQL 2005, OCP

  • We have a policy against account sharing, but there is nothing in place to prevent the users from doing it.

    It is a practice in some departments for a user to log into our HRMS system at several workstations to let temps do their assigned tasks because they do not want to go through the effort of having accounts created for someone that is only going to be there a couple of days.
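One way to see this pattern from the database side in a SQL Server environment (an added example, not code from any poster in this thread): a T-SQL check over the sys.dm_exec_sessions DMV (SQL Server 2005 and later) listing logins that currently hold sessions from more than one client workstation, which is what one person logging into the HRMS at several desks looks like to the server. It assumes the application connects to SQL Server with each user's own login rather than through a pooled service account; the DMV requires VIEW SERVER STATE.

```sql
-- Added example: flag SQL Server logins that currently have open sessions
-- from more than one client workstation. A shared credential typically
-- appears as one login_name spread across several host_name values.
-- Requires VIEW SERVER STATE; sys.dm_exec_sessions exists in SQL Server 2005+.
WITH active AS (
    SELECT
        login_name,
        host_name,
        program_name,
        MIN(login_time) AS first_login,
        COUNT(*)        AS sessions_from_host
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1          -- ignore system/background sessions
      AND host_name IS NOT NULL
    GROUP BY login_name, host_name, program_name
),
shared AS (
    SELECT login_name
    FROM active
    GROUP BY login_name
    HAVING COUNT(DISTINCT host_name) > 1   -- same login, different machines
)
SELECT a.login_name,
       a.host_name,
       a.program_name,
       a.first_login,
       a.sessions_from_host
FROM active a
JOIN shared s ON s.login_name = a.login_name
ORDER BY a.login_name, a.first_login;
```

Only sessions open at the moment the query runs are visible, so this is a spot check rather than an audit trail; a vendor login used by several people at once shows up the same way.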

  • Shannon Toms (3/24/2008)

    We have a policy against account sharing, but there is nothing in place to prevent the users from doing it.

    It is a practice in some departments for a user to log into our HRMS system at several workstations to let temps do their assigned tasks because they do not want to go through the effort of having accounts created for someone that is only going to be there a couple of days.

    Policies only work if they get support from the top on down. It seems that if that is a common practice to get temps to do routine functions then you could create a generic account for temps to use that had very limited functionality, i.e.: Data Entry only. Post the generic username and login on the monitor of the computer(s) that the temps use and educate everyone else on the dangers of letting temps use their logins. I realize that this idea will cause severe myocardial infarctions amongst the majority of DBAs, but if you can't get support from upper management to enforce policies, then you have to try to minimize the risk the best you can!

    ----------------------------------------------------------------------------
    "No question is so difficult to answer as that to which the answer is obvious." - George Bernard Shaw

  • gwardell (3/21/2008)

    Hi,

    I found it just plain stupid that a company would release software that would not run as a regular user, requiring it to be an administrator account just to print. And I wouldn't have believed it if it hadn't happened to one of my clients, and it was software from a big name company to boot.

    So what's a sys admin to do? Make everyone that used that software an administrator of course.

    Then, later on, somehow a virus got in and spread through the network because of those administrator accounts.

    Sheesh.

    I also encountered this problem. What I did, and I am not sure if it will work all the time, is: log in as the admin and upgrade the limited user to admin. Log out and let the user log in. Install the software and demote the user again to a limited user. It worked for me every time I tried it.

    Further, as someone else said, lock the door behind you when you leave the desk. How easy is it to just Ctrl/Alt/Delete and lock your workstation? And do not share accounts. There is always uncertainty about who did what.

    :-P
    Manie Verster
    Developer
    Johannesburg
    South Africa

    I can do all things through Christ who strengthens me. - Holy Bible
    I am a man of fixed and unbending principles, the first of which is to be flexible at all times. - Everett McKinley Dirksen (Well, I am trying. - Manie Verster)

  • It's easy to CTRL-ALT-DEL, but think about how many times you might respond to a question and the person says, "hey, come look at this" and your workstation is open. Even when most of us had the habit of doing this, we'd forget at times and people were watching for that 5 minute window before the screen saver clicked on.

    Like many things with security, it's not that hard, but you definitely have to build the habit. And that usually takes a penalty or two.

  • @Loner, the major assumption you're making is that the threat to your company's data comes from outside. It's amazing how many threats come from inside the company (disgruntled employees, people about to leave, those seeing a way of exploiting their situation etc.), with plenty of sources believing these internal threats to be in the majority.

    As a more general comment, I've just come back off holiday and read through this whole thread, and, apart from a couple of oblique references, there's been nothing about policies. By that, I don't mean GPOs, but a book of words, published by HR, that states what is and is not acceptable behaviour. The reason I mention this is that, until the company decides on its boundaries, you can't do any policing 'cos there's nothing to enforce. In other words, it should be the company enforcing the rules, using the IT department simply as a means to do it.

    Semper in excretia, suus solum profundum variat
