Re: Need advice on limiting login's by users
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 18 Mar 2009 15:53:56 -0400
Mike - some random thoughts:
That res kit tool should work, but consider this. Let's say you create one or more local (not domain) accounts for the summer workers to use for e-mail or whatever. Now someone involved in sharing mp3s or whatever logs in with that account you thought was safe and had no domain access, and ends up installing a trojan or virus on that machine through some action they consider innocent. Even though you may have taken precautions to prevent the person from accessing domain resources, I think you put your network at risk by allowing "strangers" any access whatsoever to your production domain.
I have a guest wireless network that is isolated from our production LAN. For guests who don't have laptops of their own, I have an inexpensive XP laptop that's locked down with the Shared Computer Toolkit. They connect through the guest network. So what I would propose is to take some number of those shared PCs and dedicate them solely to workers who don't require their own accounts on your domain. Lock them down and isolate them from your production network however you have to - you could even put in a separate Internet connection just for a little workgroup created for this purpose (or a standalone PC). The Shared Computer Toolkit has been upgraded since I built that laptop - you might want to look into it and see what you think.
"Mike in Nebraska" <Mike_in_Nebraska@xxxxxxxxxxxxxxxx> wrote in message news:F7FA013F-CB69-4E2A-84DA-A7D16D4CCB81@xxxxxxxxxxxxxxxx
Running SBS 2003 Premium. Workstations a mix of WinXP Pro SP3 and Vista Business SP1.
=================
I've got what I perceive as a problem; every year during Spring and Summer we get a bunch of undergrad and grad students in do do work for us, or complete their theses. We have a bunk house for them to live in with wireless access. However, some of the kids don't bring laptops so they ask their staff sponsor to let them on one of our PC's so they can check email, etc. We have 4 PC's in a work room for projects, temp staff, etc. and the staff member will take them in and login with their login info and go back to work, leaving the kid alone.
While I can't pinpoint a problem in the network due strictly to this practice, I still am very much against it. I am firm in our staff meetings about the security risks, but they just smile and ignore me.
I'd rather not wait for an "I told you so" moment as I'll be the one to clean up the mess.
I did some searching and found an old tool called LimitLogin utility http://support.microsoft.com/kb/237282 as part of the Windows 2000 Kit.
Any comments on this or other tools? My thought is to restrict the staff to one "active" login at a time to prevent the above practice. In other words, they'd have to log out of a PC before they could login to another.
TIA,
--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a conservation non-profit (501 (c)(3)) organization
Wood River, NE
.
- Follow-Ups:
- Re: Need advice on limiting login's by users
- From: Mike in Nebraska
- Re: Need advice on limiting login's by users
- References:
- Need advice on limiting login's by users
- From: Mike in Nebraska
- Need advice on limiting login's by users
- Prev by Date: Re: Need advice on limiting login's by users
- Next by Date: Re: Need advice on limiting login's by users
- Previous by thread: Re: Need advice on limiting login's by users
- Next by thread: Re: Need advice on limiting login's by users
- Index(es):
Relevant Pages
|
