Is this info right??

Hi ppl
Im new here and so forgive me if i have crossed posted.
I work for a childrens services organisation here in the uk and have become concerned over the lack of security on the workstations at work and asked our IT head if it was OK for the workstations to boot from the A: C: D: and USB:?
and wether it was a good idea for users to be able to access the setup menu on the workstations? If there had been key logging or other malware found on the PC's? And lastly why collegues were allowed to install thier own software? and shouldnt we be doing something following the theft of two of the workstations to change passwords etc.
The reply i got was that i shouldnt worry because there is a firewall.
Should i be worried or am i over reacting??

Any advice greafully recived, many thanks in advance
themode2k [at] yahoo.co.uk

 

Welcome to the forums Themode2k,

If that really was the reply, then your concern is justified because your administrator appears ignorant about current security risks and is most likely of questionable competence to be placing faith on one item ("the firewall") which only addresses a single type of threat.

Firewalls filter network traffic and can make it harder (but by no means impossible) for an outsider to access your network. They will however do nothing to stop a user compromising their PC, by visiting a malicious webpage or running a download or email attachment from questionable sources (P2P notably - many "cracks" offered there will contain malware).

Firewalls can also do nothing to prevent a malicious user from installing something like a keylogger themselves - and it sounds from your post that everyone has local Administrator access which means that none of the machines on your network can be properly trusted. Boot order is of lesser importance, but this should be tightened up also (and BIOS passwords enabled to stop it from being changed back).

In fact, if your organisation is handling sensitive data (on children...?) then USB memory sticks (and portable media players) should be considered a potential security risk (see Disable USB memory devices in Windows... for one way of dealing with this - physically sealing up USB/Firewire/memory card sockets is the most secure approach if the risk is considered high enough).

If your administrator wants to have proper security (and make their own life easier) they need to take the following steps:

• Block anyone from running as local Administrator - make their accounts limited user only if possible, power user only if necessary.
• Create, from scratch, a "standard" setup containing Windows plus updates and any programs commonly used by your organisation. Use SysPrep to make this suitable for cloning to other systems.
• Make an image of this setup (using software like Acronis TrueImage or Drive Snapshot) and restore the image to every other computer (after first identifying and backing up any critical data present) - this is crucial to ensure that any malware present on those machines is wiped out. The image can then be used in future as a quicker method of cleaning compromised systems, though it should be updated periodically.
• Review what security software is installed - as well as the existing firewall (presumably only present at your network entry point), a personal firewall and anti-virus software should be installed on each computer. More specific recommendations can be found in the related forums here but for your administrator's purposes, products offering more centralised control (updates, handling of alerts and rules, etc) may be necessary. Such software will likely cost more but if your organisation is a charity, it may be able to negotiate a discount.
• Once "basic" security concerns are addressed, more advanced ones can be considered (like gluing up those USB ports...) but they should be taken as part of an overall security policy, including physical (e.g. office access) and personnel (e.g. staff vetting) issues.

Microsoft's Deconstructing Common Security Myths article provides some useful ideas and principles (though I don't agree with all of them) and should provide a useful starting point.

 

Many thanks for the prompt reply!
I think I may have opened a can of worms here. I know very little about computers and even less about networks. But his reply to me seemed not to ring true for the reasons you give above. Is it also normal in other orgs or companies that you can log on to more than one workstation at the same time? I cant see the logic in that either and collegues have to DL and install updates by following a web address in an email? it seems that this is fraught with danger?
I have checked with collegues and it would appear that this situation exists across the whole network. As i understand it from your reply it would seem that know one knows who is logged on or what they are accessing. We do have a site blocker installed which stops ppl playing the lottery, bars adult sites and the like, but the number of blocks has risen dramatically and the number of viruses has increased. I guess that my real concern is that unaurthorised ppl are or could potenially have access to very sensitive client information?! ****...

regards

themode2k

 

This is something that can be controlled via Windows' Group Policies - it sounds like these would benefit from tightening up also.

Well, this has to be considered a possibility - malware certainly can track user activity, including passwords entered on sensitive sites (e.g. banks, online stockbrokers, etc). This is where a top-end virus scanner should come into play, but no scanner can guarantee to detect or remove established malware (due to the possibility of it using a rootkit to hide itself) hence the advice above to create a new image and wipe existing systems with it. If done properly, this should guarantee a clean start.

If your group is handling sensitive personal information in the UK, then it must by law have a Data Controller (see the Information Commissioner's For Organisations page for details). You should report your concerns to that person as well as whoever is responsible for network administration.

 

Thanks again chum,

regards

Bill