Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#126320 - 15/11/2002 14:54 Security in 2000 question
lectric
pooh-bah

Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
OK... I have a need to force a log-off of a user at say, 10:00 PM, and not to allow a logon till say 7:00AM. I know this was easily done in WinNT, but I cannot find a way to do it in 2000. Also, this is in a 2000 Pro standalone machine, WITHOUT a PDC. I was just hoping it was somewhere in the profiles and I was just missing it.

Thanks for any help.

Mason

Top
#126321 - 15/11/2002 15:12 Re: Security in 2000 question [Re: lectric]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Even by running the NT4 "User Manager" tool under 2k, I can't seem to get it to display any options for limiting the login times.

I'm guessing that the time limits for logins must be something that can only be assigned in a domain situation, not in a standalone computer situation. Could be wrong about that, but it's kind of looking that way.
_________________________
Tony Fabris

Top
#126322 - 15/11/2002 15:37 Re: Security in 2000 question [Re: lectric]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
I didn't see anything in the local user or local security policy either. I did find

http://support.microsoft.com/default.aspx?scid=kb;en-us;318714

This details the 'net user' command which may or may not work w/o a domain, the documentation is not clear. Alternately you could use Windows 2000 help and search for 'net user'. The final description is listed in the Command Reference.
_________________________
WWFSMD?

Top
#126323 - 15/11/2002 15:58 Re: Security in 2000 question [Re: tfabris]
lectric
pooh-bah

Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
Hrmmm... Thanks guys... That's kinda the feeling I was getting. Just seems kinda stupid. Oh well... I guess I'll have to investigate a program to handle it, plus a lock on setting the time.

Thanks

M

Top
#126324 - 15/11/2002 17:45 Re: Security in 2000 question [Re: lectric]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
I think there's a good shot the net user command will work, try that first.

-Zeke
_________________________
WWFSMD?

Top
#126325 - 15/11/2002 21:51 Re: Security in 2000 question [Re: lectric]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
plus a lock on setting the time.

See, that's the thing. I'll bet that's why Microsoft hasn't bothered with locking the logons based on time from the local client desktop space. Very hard to (securely) lock the actual system time down on the local desktop when there is easy physical access to the machine. Too many ways to easily change the clock on a workstation PC, for someone who's serious about getting around time-based restrictions.

In a properly implemented domain environment, though, the server will be physically located behind a locked door, so it's possible to make the server's timeclock setting reasonably secure. Then you can accurately refuse server authentication based on server's time of day.

Of course, refusing server authentication doesn't completely stop someone from mucking about on a client workstation, it just prevents them from accessing server resources. Again, in such an environment, the properly place for those resources is on the server instead of on the workstaion.
_________________________
Tony Fabris

Top
#126326 - 16/11/2002 10:38 Re: Security in 2000 question [Re: tfabris]
lectric
pooh-bah

Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
Fortunately for me, it's a 16-year old girl that is logging in at night to chat with friends. She's not terribly sophisticated, so I lock the changing from desktop, set a bios passwd, and viola. She can't log in. It's for a friends of mine. His daughter is driving him nuts.

Top
#126327 - 17/11/2002 05:27 Re: Security in 2000 question [Re: lectric]
peter
carpal tunnel

Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
Fortunately for me, it's a 16-year old girl that is logging in at night to chat with friends. She's not terribly sophisticated, so I lock the changing from desktop, set a bios passwd, and viola. She can't log in. It's for a friends of mine. His daughter is driving him nuts.

Technology: In The Battle Between A Bloke And His Sixteen-Year-Old Daughter, Bet On The Daughter.

Peter

Top
#126328 - 17/11/2002 07:30 Re: Security in 2000 question [Re: tfabris]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
In a properly implemented domain environment, though, the server will be physically located behind a locked door, so it's possible to make the server's timeclock setting reasonably secure. Then you can accurately refuse server authentication based on server's time of day.

Can't you easily get round this by:

- changing the workstation time
- unplug the workstation from the network
- logon
- plug the workstation back in

That way the workstation will use the cached domain login information without any reference to the server at all. Unless there is a setting that you can set to stop cached login info from being used ?
_________________________
Remind me to change my signature to something more interesting someday

Top
#126329 - 17/11/2002 11:29 Re: Security in 2000 question [Re: andy]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
That way the workstation will use the cached domain login information without any reference to the server at all.

Right, but that's only the workstation.

My point (and I thought I'd made this clear earlier) was that in a properly secure Domain-based client/server environment, the sensitive stuff is stored on the server, and it's access to that server that you block based on TOD.
_________________________
Tony Fabris

Top
#126330 - 17/11/2002 17:34 Re: Security in 2000 question [Re: peter]
lectric
pooh-bah

Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
Technology: In The Battle Between A Bloke And His Sixteen-Year-Old Daughter, Bet On The Daughter.


Top