Passwords on Unit PC's

mkpolansky
New Member
Posts: 29
Joined: Wed Jan 27, 2010 12:19 pm
Location: Barnhart, MO

Postby mkpolansky » Fri Aug 20, 2010 8:53 am

We just received a new PC for our unit; it came set up to utilize a Windows password.

My questions are multiple.

The first would be if the desire is to password protect the PC, you would think you almost would need to create separate Windows User Accounts, the rationale being if everyone knows the one account password, then why have one at all?

The second question is if anyone is using the Windows password to begin with?

I understand that MLS is password protected; in this case I am referring to Windows.

aebrown
Community Administrator
Posts: 14685
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Fri Aug 20, 2010 9:37 am

MKPolansky wrote:The first would be if the desire is to password protect the PC, you would think you almost would need to create separate Windows User Accounts, the rationale being if everyone knows the one account password, then why have one at all?


The instructions (see Dell 740 installation instructions on the wiki) are very clear: You set up one administrator-level account called "clerk". Everyone who uses MLS uses that account.

I know that seems to violate basic security principles, but the fact is that MLS does not run properly on any type of account except an administrator account. All I can say is, follow the published rules and avoid grief.

It should not be the case that "everyone knows the one account password"; all the authorized users of the ward's computer will know it, but other people walking into the clerk's office won't know it, so it provides some small measure of protection.

MKPolansky wrote:The second question is if anyone is using the Windows password to begin with?


In my stake, everyone follows the rules and all the PCs use a Windows password. They also use a screen saver that locks the computer after a period of inactivity, so that the Windows password has to be entered to unlock the system.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

crislapi
Senior Member
Posts: 1265
Joined: Mon Jul 07, 2008 3:05 pm
Location: USA

Postby crislapi » Fri Aug 20, 2010 10:11 am

I'm just going to second Alan_Brown here. Follow the setup instructions as provided. If you don't have them, you can download them from the same site you download MLS. See this post for more info if needed and this wiki page.

I can't give you an overly convincing reason except that the church is trusting of its members, and you will not always be around to maintain the computer. Follow the instructions and if anything happens, you won't be liable.

russellhltn
Community Administrator
Posts: 20729
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Fri Aug 20, 2010 10:31 am

Alan_Brown wrote:It should not be the case that "everyone knows the one account password"; all the authorized users of the ward's computer will know it, but other people walking into the clerk's office won't know it, so it provides some small measure of protection.


The first line of protection is the physical security of the office. Some wards get lax about that.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

mkpolansky
New Member
Posts: 29
Joined: Wed Jan 27, 2010 12:19 pm
Location: Barnhart, MO

Postby mkpolansky » Fri Aug 20, 2010 12:03 pm

Trust me, our plan is to keep the password on it. It's one of those follow the rules kind of things. So my follow up question would then be can MLS be modified so a "User" can use MLS not just an "Admin" level person? Not being too techie, I know you can set things up to "Run as Administrator" or something like that? That way each person could also have a separate Windows password.

Just a thought...

russellhltn
Community Administrator
Posts: 20729
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Fri Aug 20, 2010 12:34 pm

I don't think I've seen anyone play with RunAs with MLS.

However, in my playing around in other areas, I have seen issues when the process was run as a different user than the logged in user. Particularly when child processes were spawned.

I think you're just setting yourself up for a tech support headache.

If the computer doesn't have Internet access, I don't think you'll have a problem. If it does have Internet access, I think you'd be better off locking down the browser.

techgy
Community Moderators
Posts: 3174
Joined: Sun Jan 13, 2008 6:48 pm
Location: California

Postby techgy » Fri Aug 20, 2010 1:51 pm

MKPolansky wrote:Trust me, our plan is to keep the password on it. It's one of those follow the rules kind of things. So my follow up question would then be can MLS be modified so a "User" can use MLS not just an "Admin" level person? Not being too techie, I know you can set things up to "Run as Administrator" or something like that? That way each person could also have a separate Windows password.

Just a thought...


MLS was designed to operate under the Administrator login. I would strongly recommend that you stick to established procedures. It's just not worth the headaches you may get yourself into.
Have you read the Code of Conduct?

scgallafent
Church Employee
Posts: 1043
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Postby scgallafent » Fri Aug 20, 2010 2:18 pm

MKPolansky wrote:Trust me, our plan is to keep the password on it. It's one of those follow the rules kind of things. So my follow up question would then be can MLS be modified so a "User" can use MLS not just an "Admin" level person? Not being too techie, I know you can set things up to "Run as Administrator" or something like that? That way each person could also have a separate Windows password.

Perhaps I'm missing something, but I don't see the benefit of having each person have a separate Windows password. The Windows login doesn't have any effect on MLS rights, so the only reasons I could see are to (1) allow users to store documents on the computer separate from other users' documents or (2) try to restrict who can log in to Windows by creating separate accounts that can be deleted when a user who has access to the computer is released.

#1 Using user accounts to restrict access to documents can be problematic. Someone with physical access to the computer can employ other methods (portable boot CDs, etc.) to try to bypass the account restrictions and get at the documents if they really want to. I wouldn't trust the Windows logon process on a standalone XP machine with sensitive documents. This is assuming that you don't have to grant each user administrative rights, which weakens any potential security even further.

#2 Restricting Windows access through user accounts seems like more trouble than it's worth. There shouldn't be network access to the computer, so any access requires physical access to the computer. It should be secured in the clerk's office, which means that anyone with an account to access the computer would also need physical access to the clerk's office. If you're concerned about someone using the computer who shouldn't have physical access to the clerk's office, you've got bigger problems than just trying to secure Windows.

I'm just struggling to see the benefit to using something other than the recommended configuration. Alan_Brown has already documented the approved configuration and I don't see any benefit with what you're proposing and lots of headaches (account maintenance and troubleshooting/tech support issues).

Am I missing something?

jdlessley
Community Moderators
Posts: 6522
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Fri Aug 20, 2010 4:59 pm

scgallafent wrote:I wouldn't trust the Windows logon process on a standalone XP machine with sensitive documents.

Just a side note about sensitive documents. This should not be an issue if everyone is following Church procedures. And those procedures essentially say that the only place sensitive information may be stored is in MLS. Any documents created with sensitive information may not be stored on the computer hard drive. They may, however, be stored on removable media and locked away when not in use.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

CreightonNT
New Member
Posts: 3
Joined: Sat Aug 21, 2010 9:05 am
Location: Highland, UT, USA

Postby CreightonNT » Sat Aug 21, 2010 9:25 am

I set up a clerk account as suggested in the guidelines and mentioned by Alan Brown. But in addition, I create a "Stake Clerk" account, also with Windows Administrator privilege. I do this for the following reasons:

1) It gives me an account I can depend on. While most users of the computer won't change the Windows password on the clerk account, it does happen. Even though the clerk account has the ability to change the password on the Stake Clerk account, this seems less likely and has never happened.

2) I can have different folder options set for my use than what the general purpose account has. This is important because I commonly want to see all files including hidden and system, and I want to display details and file extensions. This way I don't have to remember to change it back for others' use.

3) When I do a backup (just a dump really) of the entire workstation, I can do this from the Stake Clerk account and I'm able to copy the contents of the clerk user account without having conflicts with Windows having files locked.

