How would you go about preventing unwanted eyes from trolling around a workstation with critical information inside? I am going on the premise that the unwanted eyes are users already authenticated as authorized to be on the network in question.
For example, the Director of Human Resources has a file documenting the pay rates of all employees. How would you prevent users on the network from actually being able to see the file on that particular workstation?
Research shows that one should realize that the very first step one should take in protecting the workstation is that of physical security. Physically, privacy screens are essential for preventing unwanted eyes from trolling around a workstation. In addition, a company need not to allow everyone access to the workstation outside of normal working hours. Once a department is done work for the day, the door to that section should be locked.
For example, no reason to have anyone else drop into the accounting department ifthe telemarketing staff is there. You should also bear in mind the trustworthiness of the cleaning staff that comes in after hours to vacuum and clean office spaces. These people typically have unfettered access to the corporate work area with no one else around. Make sure the cleaning staff are properly vetted by the company you hired to do your cleaning.
We can see already with a couple of examples that physical access to the workstation is largely our biggest threat. Due to this you should always treat these workstations as if they have been exploited. This may sound rather paranoid, but it will help you in the possible redesign of your network architecture. Now there is a series of steps that should be taken in an attempt to harden access to the workstation. Such tried and true methods as having a BIOS password are greatly encouraged. This would by extension also make it far more difficult for someone to drop a live Linux distro into the CD tray, as they would be then prompted for the BIOS password. It is also rather important to restrict BIOS access, as you will hopefully have turned off USB support via the BIOS settings. There is little point in making changes in the BIOS if you allow someone else to simply change them after again.
The subject of USB stick based attacks has been receiving a great deal of attention as of late and deservedly so. These memory sticks can have pretty much anything you want on them, and they are of course very portable. That makes for a fairly stealthy attack as these can fit into anyone's pocket. Disabling this type of support can also be enforced via GPO. Group policy objects are one of the best tools that you can use to help enforce security, policy, and standards on your Windows 2K/XP/K3 network. There is an excellent link to various types of network scenarios at this link provided by Microsoft. Microsoft have themselves published a lot of excellent information on ways to harden your network. Unlike much of the rhetoric you may hear about Microsoft's security you would be well advised to peruse their security section. There are many, many excellent pieces of information there to be had. Why go for a third party software solution if Microsoft already has one for you.
Through the use of various GPO's you should restrict access to the places that you do not want a user to access to. Area's such as the registry, cmd.exe, control panel, can greatly help you in your task of hardening the operating system. These measures are not foolproof due to the proliferation of live Linux distributions. You should also bear in mind that administrative controls such as GPO's for one can be bypassed at times. A perfect example of this would be the system administrator blocking access to regedit via the cmd.exe but forgetting about regedt32.
This is where the link in the second above paragraph comes in handy. You will need to segment your network into various groups, and then decide with management what those groups of users should have access to. Take for instance the management group, which could be composed of the company's executives. One measure that should be implemented is the use of PKI for all emails coming from the management group. This is by definition probably some of the most sensitive data flying around on your network. You certainly don't want someone to be able to intercept and then read those emails do you, as Base64 is hardly an encryption scheme. It may appear to you as a mass of undecipherable characters, however it is easily and quickly converted."
Explains network security and controlling file access in a shared environment.