Additional Computer Setup Steps

Posted: Thu Jan 23, 2014 11:18 am
by Rictersmith
One of the ward technology clerks is asking if he can modify additional security settings on the new PCs we have received, such as disabling AutoRun. I am the stake tech person, and I have not seen this question before. I had assumed all security was being centrally administrated now through Tivoli and Sophos, so I have not gone through and made any additional security changes.

Am I correct that these settings are being centrally managed?

Re: Additional Computer Setup Steps

Posted: Thu Jan 23, 2014 11:53 am
by drepouille
I don't know if those settings are remotely managed, or if local users are locked out.
I do know that disabling Auto-Run is a very good idea. I would do it if I had the privileges to do so.

Re: Additional Computer Setup Steps

Posted: Thu Jan 23, 2014 12:33 pm
by russellhltn
Rictersmith wrote:One of the ward technology clerks is asking if he can modify additional security settings on the new PCs we have received, such as disabling AutoRun.
I don't know as we've received any direction in this. However, I think it's probably safe to say that absent any conflict from the guidelines, adding security is a good thing. Removing security is a no-no.

If it's any help, I routinely disable autorun in the group policy for the machines I deploy for my stake.

However, there are a number of things in the guidelines that do offend my sense of security (last I checked: all MLS users having a single Windows login with local admin rights), but they are the guidelines, so I follow them.

Re: Additional Computer Setup Steps

Posted: Thu Jan 23, 2014 12:46 pm
by slmsz20
Pretty sure the MLS single user requirement has been gone for a while, at least since they started using the all users folder for database storage. When we get the Windows 7 update we are changing the clerk password on all the ward computers and have an auxiliary account for non-bishopric/clerks to use MLS (non admin rights). If you want to know why we are doing this, finding bit torrent installed with several illegal video files on the Stake computer could go a long ways to answering that.

Also, disabling auto-run is a really good idea. Auto-run is by far the easiest way to get a trojan going on your computer (the virus will be loaded faster than the scanner will detect it). I still have bad dreams after having to clear out a virus running through all my Wards that came from someone's usb drive.

Re: Additional Computer Setup Steps

Posted: Thu Jan 23, 2014 1:00 pm
by drepouille
The next time I receive new admin computers and/or am instructed to install Windows 7, I would very much like to get rid of the Clerk account, and create user accounts for each user. I just need to know if those users need to have Admin privileges, or if I should create a special group to which I need to assign read/write privileges for the MLS database files.

Re: Additional Computer Setup Steps

Posted: Thu Jan 23, 2014 1:26 pm
by russellhltn
slmsz20 wrote:Pretty sure the MLS single user requirement has been gone for a while, at least since they started using the all users folder for database storage.
I can't find anything either way in the current setup instructions.

slmsz20 wrote:When we get the Windows 7 update we are changing the clerk password on all the ward computers
Setup still specifies the clerk password. (Something that really, really has to change before we allow missionaries to use the computers.)

slmsz20 wrote:and have an auxiliary account for non-bishopric/clerks to use MLS (non admin rights).
I just hope that they don't do something that triggers an MLS update. It could get ugly.

slmsz20 wrote:If you want to know why we are doing this, finding bit torrent installed with several illegal video files on the Stake computer could go a long ways to answering that.
Ouch. But how do you know who did that? In my case it was finding someone was tethering their phone to the ward computer to get internet access. But the culprit in that case was the clerk.

slmsz20 wrote:Also, disabling auto-run is a really good idea. Auto-run is by far the easiest way to get a trojan going on your computer
Agreed! IIRC, that's how the first viruses started back in the 80's: the autorun feature of Macs allowed a floppy disk to infect memory, which infected other floppies. It ripped through schools in nothing flat. Cool feature, but it seems someone had to re-learn history.

Re: Additional Computer Setup Steps

Posted: Sat Apr 12, 2014 12:00 am
by jajaskolka
slmsz20 wrote:Pretty sure the MLS single user requirement has been gone for a while, at least since they started using the all users folder for database storage. When we get the Windows 7 update we are changing the clerk password on all the ward computers and have an auxiliary account for non-bishopric/clerks to use MLS (non admin rights). If you want to know why we are doing this, finding bit torrent installed with several illegal video files on the Stake computer could go a long ways to answering that.

Also, disabling auto-run is a really good idea. Auto-run is by far the easiest way to get a trojan going on your computer (the virus will be loaded faster than the scanner will detect it). I still have bad dreams after having to clear out a virus running through all my Wards that came from someone's usb drive.
We have run this type of setup in our Stake for years: Windows XP, Vista and 7 computers. Two accounts also simplifies the access and setup. We went from nearly a support call every month to maybe one per year across our stake doing this.

Also, if Windows is properly updated Auto-run is disabled. Microsoft put out a patch a couple of years ago for all OSs to get rid of Auto-run.
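
Added example, not part of any post in this thread: a read-only PowerShell check of the AutoRun policy value discussed above, so a stake tech can see what a given PC actually has set. The function names are hypothetical; the script reads `NoDriveTypeAutoRun` under the Explorer policies key, which is where the "Turn off Autoplay" group policy setting is stored (0xFF means off for every drive type).

```powershell
# Added example: read-only audit of the AutoRun policy value on a Windows PC.
# NoDriveTypeAutoRun is a bitmask; a SET bit turns AutoRun OFF for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'NoRootDir' = 0x02
    'Removable' = 0x04   # USB sticks, floppies
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CDROM'     = 0x20
    'RAMDisk'   = 0x40
    'Reserved'  = 0x80
}

# Hypothetical helper: decode a mask into one row per drive type.
function ConvertFrom-AutoRunMask {
    param([int]$Mask)
    foreach ($name in $DriveTypeBits.Keys) {
        [pscustomobject]@{
            DriveType       = $name
            AutoRunDisabled = [bool]($Mask -band $DriveTypeBits[$name])
        }
    }
}

# Hypothetical helper: report the machine-wide and per-user policy values.
function Get-AutoRunPolicy {
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$sub" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Hive = $hive; Value = 'not set'; StillEnabled = 'OS default applies' }
            continue
        }
        $raw = $item.NoDriveTypeAutoRun
        if ($raw -is [byte[]]) { $raw = $raw[0] }   # older systems may store REG_BINARY
        $mask = [int]$raw
        $open = (ConvertFrom-AutoRunMask $mask | Where-Object { -not $_.AutoRunDisabled }).DriveType
        [pscustomobject]@{
            Hive         = $hive
            Value        = '0x{0:X2}' -f $mask
            StillEnabled = if ($open) { $open -join ', ' } else { 'none (all drive types off)' }
        }
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
# Constructed sample value, decoded to show which drive types a partial mask covers.
ConvertFrom-AutoRunMask 0x91 | Format-Table -AutoSize
```

A machine-wide (HKLM) value takes precedence over the per-user one, so the HKLM row is the one to compare across ward PCs.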

Re: Additional Computer Setup Steps

Posted: Sat Apr 19, 2014 9:46 am
by craiggsmith
FWIW I also disable File and Printer Sharing.

Re: Additional Computer Setup Steps

Posted: Sat Apr 19, 2014 1:24 pm
by russellhltn
craiggsmith wrote:FWIW I also disable File and Printer Sharing.
Good idea. The computer isn't secure if it's turned on.