Security Considerations

From EJP Documentation
Jump to navigation Jump to search

Goals

Never log in as Administrator

Logging in as a privileged user is always a risk. I know you have the best intentions, and plan to use the access responsibly, but accidents will happen. It only takes one careless mouse click or keystroke to disable key services or data. When you log in as a privileged user, you will get no warnings that the action you are about to take would need extra permissions.

Windows has a facility to be able to escalate a regular user's access at run-time. Any program that attempts to modify system settings or access protected files will prompt you to enter the admin password while you are still logged in as yourself.

Never grant Administrator access to a user

You may get frustrated having to type the administrator password often to accomplish tasks. This is not a reason to grant yourself administrative permissions. This is a sign that either you shouldn't be performing this task so often, or that the permissions or or rights need to be adjusted to meet the needs of your use case.


Administrator Password

The Administrator password will be documented in the Secure Binder. The original password was chosen to be memorable, easy to communicate verbally, and also be a nice daily affirmation of our goals for the lab. If you should need to change the password, please keep those goals in mind. Standard complexity requirements such as special characters and numbers that you might be accustomed to in the outside world are not valuable in this context.

  • Never write down the password
  • Never share the password with a student

7-char Administrator password

Some tools or applications will not accept a long passphrase such as the administrator password. One notable example of this is the BIOS password. The 7-char version of the password is short enough to be accepted by this sort of tool. It is literally the first 7 characters of the admin password.

Secure foreseeable entry points

There is an entire industry dedicated to hardening computer systems. Vulnerabilities exist in all software. Since our system is isolated from the rest of the world, or even other computers on the local LAN, we are not a great risk from the kind of attacks most people have to worry about.

We can do some things:

Prevent users from Changing passwords

The prison administration has asked that they have the passwords for all accounts

Preclude opportunities to hide data

We don't want to offer any features that enable a user to hide data such an encryption, or covert messaging.