Protecting internal resources

Darren Jones

Two questions:

1. Is there a way to force dial in users to change their
passwords at next logon?

2. Are there any additional steps for protecting internal
resources from dial in users that are not employees of the
company?

I'm assuming the answer to number 2 is to follow the
normal practices for securing data. Am I correct in this
one?
 
Darren Jones said:
Two questions:

1. Is there a way to force dial in users to change their
passwords at next logon?

Change password at next login perhaps?

2. Are there any additional steps for protecting internal
resources from dial in users that are not employees of the
company?

How do non-employees dial in? Do they have an account
in your domain?

General rule: Access to domain resources requires domain
authentication (perhaps through a trusted domain authenticating.)

Remove all references to "Everyone" (substitute something more
sensible -- at worst "Authenticated Users" or better is specific
groups).

Make a group, e.g., non-Employees or Contractors etc., and use
this to give them the precise permissions necessary for their work
in support of your company.

If necessary use these groups to DENY access to sensitive resources.

I'm assuming the answer to number 2 is to follow the
normal practices for securing data. Am I correct in this
one?

Sort of - the "normal" practice is that most people set permissions
badly. Do it 'right' instead: grant precisely the permissions needed
to the exact groups who need them and NO MORE.

It is too easy to say, "Everyone" or "Authenticated Users" or "Users"
"change".

Instead use "Accountants", "Engineers", "Support", "AustinEmployees";
whatever makes sense but some specific group where the answer to
the following question will be a DEFINITE "YES":

"Is it Ok that everyone IN THAT GROUP be able to use this access?"
(no exceptions)

If you cannot get a clear "yes" to this question from both Business Users
and other Admins then you need a new group.

Most people don't build such groups, place these groups in a local
group at the resource (server or domain) and then grant access to the
resource through the local group.

Also note that as of Win2000, DialUp users can be explicitly allowed
and denied access as a class. This was added to the "Special Groups"
so it requires no action by the Admins to put people in there.

Note: "Special Groups" could better be called "Automatic Groups" as
the behavior is for the Operating System to dynamically add users to
the group based on the TYPE of access (Even "dynamic" would be a
better name.)
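
An added example, not from either poster: one way to find where the catch-all principals named in the reply ("Everyone", "Authenticated Users", "Users") still hold Allow entries, so they can be replaced with specific groups. The path `D:\Shares\Projects` and the function name `Get-BroadAce` are assumptions for illustration.

```powershell
# Added example: report Allow ACEs held by catch-all principals on a folder tree.
param(
    [string]$Root = 'D:\Shares\Projects'   # assumed path, not from the thread
)

# Well-known SIDs, so the check does not depend on localized group names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs rather than names; include explicit and inherited entries.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        # Deny entries are not reported: only grants widen access.
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set on this folder
            }
        }
    }
}

# Check the root folder and every folder below it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$folders |
    ForEach-Object { Get-BroadAce -Path $_.FullName } |
    Sort-Object Path, Principal |
    Format-Table -AutoSize
```

Rows with `Inherited` set to `False` mark the folders where the entry was actually placed, which is where the specific group should be substituted.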
 