November 20, 2000 12:00 AM

Top 10 Security Tools in the Win2K Server Resource Kit

Windows IT Pro
InstantDoc ID #15969

You need to be aware of a few caveats regarding Cconnect. Because the SQL Server database deletes active logon records only when a user logs off in a usual manner, Cconnect might improperly deny logon. For example, the database doesn't delete the logon record during a power failure. If a user is limited to one concurrent logon and uses the same workstation for his or her next logon, the database deletes the orphaned logon record, and the problem disappears. However, if the user tries to log on to a different workstation, Cconnect assumes the user is exceeding the logon limit. To fix the problem, you must use Cconnect Administrator to manually delete the old logon record.

Another problem is that savvy users can defeat Cconnect. Cconnect uses SQL Server only to store current logon data. For other configuration and policy settings, the utility uses the HKEY_CURRENT_USER\Software\Microsoft\Cconnect registry subkey. Therefore, users who understand the registry can disable Cconnect simply by pointing the tool to a bogus SQL Server machine or by increasing their concurrent logon limit. To mitigate this risk, you can use Group Policy in Win2K or SPE in NT to disable registry editors. But users who know how to use scripts to access the registry can circumvent that restriction. To limit users to Read access to the Cconnect registry key, you might try implementing a script that is executed at logon.
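The exposure described above can be checked from the user's own session. The following is an added example, not part of the original article or the resource kit; it uses PowerShell, which postdates the article, and the function name is hypothetical (only the registry path comes from the article). Run as the ordinary logged-on user, it lists every allow entry that lets that user change Cconnect values or loosen the key's permissions, and flags key ownership, because an owner can always rewrite the ACL.

```powershell
# Added example: audit who can modify the Cconnect settings key.
# Only the key path is taken from the article; the rest is illustrative.
$KeyPath = 'HKCU:\Software\Microsoft\Cconnect'

# Rights that allow changing values or undoing a Read-only restriction.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-CconnectKeyWriteAccess {
    param([string]$Path = $KeyPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist for this user."
        return
    }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The user's own SID plus every group SID in the logon token.
    $mySids  = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    $acl   = Get-Acl -LiteralPath $Path
    $owner = $acl.GetOwner($sidType).Value

    # The owner can rewrite the ACL no matter what the entries say.
    if ($mySids -contains $owner) {
        [pscustomobject]@{ Sid = $owner; Finding = 'Owner'
                           Rights = 'Can rewrite the ACL'; Inherited = $false }
    }

    # Explicit and inherited entries, with identities returned as SIDs.
    # Deny entries are not evaluated; this reports allow entries only.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $granted = [int]($rule.RegistryRights -band $WriteRights)
        if ($rule.AccessControlType -eq 'Allow' -and
            $mySids -contains $rule.IdentityReference.Value -and
            $granted -ne 0) {
            [pscustomobject]@{ Sid = $rule.IdentityReference.Value; Finding = 'Allow ACE'
                               Rights = [System.Security.AccessControl.RegistryRights]$granted
                               Inherited = $rule.IsInherited }
        }
    }
}

$findings = @(Get-CconnectKeyWriteAccess)
if ($findings.Count -eq 0) {
    'No write-capable entries found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any row in the output means the user can still edit the Cconnect settings with a script, whether or not registry editors are disabled.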

Also, Cconnect Client stores SQL Server user and password data in clear text in the registry. If you follow the instructions for setting up the SQL Server user account for Cconnect, the account will have SQL Server authority similar to SQL Server's built-in administrator account (i.e., sa). The account's username and password are therefore sitting dangerously in clear text on every workstation registry. To reduce the risk of malicious users using this account to attack other databases on the same SQL Server machine, first create the Cconnect database and user account on the SQL Server machine, as cconnect.doc describes. Then, run Cconnect Client for the first time to populate the SQL Server database you just created. Now, modify the authority of the Cconnect user account to restrict it to just the Cconnect database.

Finally, you need to be aware of special requirements when you use Cconnect in a network of NT workstations. Each workstation needs Service Pack 4 (SP4) or later with Windows Script Host (WSH), Web-Based Enterprise Management (WBEM), and Microsoft Data Access Components (MDAC) 2.0 or later. All these components are available for download at http://www.microsoft.com/ntserver/all/downloads.asp. Unfortunately, you can't use Cconnect for users with Windows 9x systems.

2. Centrally Control IE with IEAK
The resource kit includes the Microsoft Internet Explorer (IE) 5.0 Administration Kit (IEAK). The IEAK lets you customize IE before you deploy it to your workstations. You can specify IE's initial security options (e.g., restrict ActiveX and Java components), then control which settings your users can change. This capability lets you ensure that IE's browser settings adhere to corporate standards.

To install the IEAK, run ieak5.exe from the resource kit CD-ROM's \apps\ieak directory. To learn more about the IEAK, go to the new Microsoft IEAK folder in your Start menu and select IEAK Help.

1. Scrutinize the Documentation
A final important security tool in the resource kit is the wealth of documentation you'll find in the resource kit's Documentation folder in your Start menu. One of the most valuable documents is Error and Event Messages. According to Microsoft, this document "contains most of the error and event messages generated by Windows 2000. With each message comes a detailed explanation and a suggested user action." The document lives up to that promise.

You'll find the Event Log section especially useful for understanding all the events in the Security log. The Group Policy document is an enlightening reference, offering detailed information about the hundreds of settings that Group Policy contains. You'll be pleased to find an updated reference to the Win2K registry, as well as seven more references and guides under Online Books. I long ago read the brief documentation in Win2K's online Help, so now I take all my questions to the resource kit's Online Books.

Essential Tools
The Win2K Server resource kit lives up to the series' reputation for delivering useful tools and desperately needed documentation. Arguably, Microsoft should include all this information with the original product, but I suppose the opportunity to charge more for additional documentation and unsupported utilities is too valuable for Microsoft to pass up.

Regardless, the resource kit is essential to systems administrators concerned about security. Don't try administering Win2K without it.

Comments
  • EJ Smith
    11 years ago
    Jan 12, 2001

    Concerning #6 in this list of security tools in the Win2K Server Resource Kit: Apparently ISS is not happy that Microsoft included their System Scanner application on the kit. I attempted to install the application on a WinNT laptop, but rec'd error msgs when I tried to run it for the first time. Here's ISS Tech Support's response -

    I'm afraid that System Scanner 1.1 is a very old, and no longer supported
    product. Microsoft put it on the Win2k Resource Kit without our knowledge,
    and most importantly, it was never tested to operate on anything other than
    NT. I would personally recommend uninstalling immediately, as there
    is no telling how it will react to the Windows 2000 OS.

    If you'd like to demo the current version of System Scanner, it can be found
    on our website: www.iss.net

    Sincerely,

    *************************************************************
    Michael T. Wells
    Technical Support Engineer
    Internet Security Systems (ISS)
    6600 Peachtree-Dunwoody Road
    Embassy Row 300, Suite 500
    Atlanta, GA 30328
    Phone: 404.236.2700 / 888.447.4861

    Internet Security Systems -- The Power to Protect
    **************************************************************

  • elias meletlidis
    11 years ago
    Jan 11, 2001

    I had a question on #6 Scan for Vulnerabilities w/ system scanner.

    Does this scan for open FTP ports on the network also??
    I'm looking for a tool/util to scan/report on open FTP ports and folks trying to connect at night into these ports to get info from our users' machines.
    Can someone recommend something and email me please?
    thanks

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.