[CentOS] How to disable screen locking system-wide?

Sat Jan 22 18:26:05 UTC 2011
Tom H <tomh0665 at gmail.com>

On Thu, Jan 20, 2011 at 11:52 AM, Rudi Ahlers <Rudi at softdux.com> wrote:
> On Thu, Jan 20, 2011 at 6:44 PM, Tom H <tomh0665 at gmail.com> wrote:
>>
>> You clearly work in an insecure environment.
>
> By whose definition? The fact that your PC is connected to the
> internet places you in the same environment :)

Yes, we've all heard the joke that the only secure computer is one
that is turned off. But my comment was not meant as a joke.

By insecure, I mean that you don't mind that an employee masquerades as
another on your company's network. You therefore have no security and
no accountability.


>> No one should have access to anyone else's login. I have no admin
>> privileges over my desktop. If I need something installed or
>> uninstalled, I have to ask the Windows desktop support team who'll
>> access my box remotely after I accept their request to access my box
>> in a popup on my screen. Of course, the Windows server support team
>> can access my roaming profile on their boxes but (I presume since this
>> is what we do and I don't know any of them to ask them) they'd have to
>> justify that access.
>
> Yes, IT staff on a Windows Domain can access everyone's accounts,
> without their passwords or consent. Does it make it more secure? Yes.
> And No. IT staff can go rogue as well, just bear that in mind. Reminds
> me of a previous company I used to work for many years ago.
>
> Some of the IT admin scanned all incoming mail, especially if they
> contained any attachments. They casually copied whatever attachments
> they wanted to their own desktops, which was more often movie clips,
> cracked games, music, pr0n, etc.
> Do you think management knew about this? Nope.
>
> Is it less safe than your environment? Really? Can you honestly tell
> me this doesn't happen in your company?

You're confusing, as you have throughout this thread, an employee
assuming someone's logon/identity on the network with an administrator
accessing data on the servers that they manage.

No one can or should be able to logon to the network with someone
else's credentials.

We have, AFAIK, two security teams that go through server logs and
support tickets to reconcile them and to check that we aren't logging
on to boxes that we aren't supposed to have logged on to, checking
whether we used su or sudo for a valid reason, and what commands
we've run while logged on. So we can't just go through data,
confidential or otherwise, out of curiosity or with some bad
intentions.

So, no, there's no such activity on our network. Eleven years ago, I
worked at a firm where the Exchange admins used to copy all the
attachments that dealers and brokers received and burn DVDs for
themselves, their friends, and for sale (!) with any porn-related
files. There's no way that this is still happening.


>> There's absolutely no reason to "access a PC of a staff member who is
>> busy", that's terrible practice; and there's absolutely no way that
>> anyone should know anyone else's password (a punishable violation of
>> IT policy in our environment).
>
> True, and that's not what I said either.
>
> Both the OP and I are trying to say that sometimes you need to get onto
> a PC when the user is not actually there.

So why would you not want them to have password-locked screensavers?

You either want to access that employee's account or you want to access
data on that computer by switching users. I've already covered the
former and the latter simply shows that you're keeping data locally
rather than on a server; not a good practice either...


> If, on the other hand, I worked at a financial institution or something
> like that then the security would have been more strict. I don't see
> the need for it in our office.

I worked a few years ago, in between finance jobs, at a publisher who
had similar rules. This is a standard for any properly-run IT
department.