Fred L. Lilly, CISA, CPA

In a prior issue this year (volume 3), I answered a question about security over a local area network (LAN) where users do not always follow company rules requiring them to sign off of the LAN when they leave their workstations. In this case the company was relying on Windows NT Workstation screen saver passwords to protect the LAN from unauthorized access.
In reply to the question, I agreed with the company's new auditor who said the company needed stronger controls over workstations particularly at night. In addition, I indicated that leaving workstations signed-on at night and protected by screen savers can interfere with some maintenance functions commonly done automatically at night, such as updates of virus checking software and other security programs. As a solution, I recommended having audit personnel periodically perform checks on unattended workstations and using the system's capabilities to force a sign-off at all workstations late at night. I also suggested that readers with different solutions send me their comments to be published as user comments.
The following comments were received from Karibo Oruwari:
I read your solution to the problem of users not logging off the LAN and have some recommendations that might be of assistance to your readers. I believe one of the main causes of security lapses is the inability of the security administration and management to adequately inform staff of the implications of security lapses. Staff members who are in charge of the key to a vault containing money will normally take appropriate measures to ensure that the key is safeguarded and the vault is locked before leaving at the end of the workday. This is because most staff members are aware of the implications of security breaches where cash is involved.
In today's world information has become a valuable asset for many organizations and the protection of that information should be a high priority for the organization. I believe that the organization should regularly inform employees of the worst-case scenario of not logging off before going home and instill a monitoring system that notifies management of persistent lapses. This should make staff members more conscious of their actions.
Other actions that I recommend for management consideration include putting a message on the screen saver that informs staff members to log off after a certain time of inactivity. This way other staff, on seeing the information, can inform the owner of the system to log off. Another action for consideration would be setting the system to automatically shut down user workstations after a period of inactivity after closing hours, with only the administrator having permission to allow users to log on again. This way the defaulter will be known, as he or she has to contact the administrator before gaining access to his or her system.
A special thank you to Oruwari Karibo, ACA, for providing recommendations on LAN security.
The following comments were received from Chad Laber:
I agree that there are limitations with screen saver passwords, particularly with password strength. However, Microsoft Group Policy allows administrators to timeout workstations after a period of inactivity. This way, workstations are locked with their NT/2000 password, not their screen saver password. This reduces the number of passwords that a user must remember, and guarantees that the passwords will conform to password complexity standards.
To identify this option, refer to the Security Options "Amount of idle time required before disconnecting session" and "Automatically log off users when logon time expires (local)" for details.
A special thank you to Chad Laber, who is an IT Auditor at Cooper Tire & Rubber Company, for providing recommendations on LAN security.
I work for a company that is small, but has offices in several different countries. We rely extensively on e-mail for communication between our offices in different countries, our independent sales representatives and our customers. Sometimes we receive messages that we cannot identify as having been sent by an authorized person and we try to identify the source of the message. We have been relying on the address from which the messages were sent; however, we were recently told that it is possible to "spoof" an address so that it does not actually come from the source listed on the e-mail header. Is this a problem and if so what can we do to verify the actual source of the e-mail messages we receive? Also, how can we tell if any of our personnel are doing this when sending messages?
E-mail addresses that do not actually identify the source of the message (spoofed addresses) can be a problem. Many organizations that send unwanted e-mail messages (sometimes called spam) spoof their addresses to prevent recipients from recognizing the messages as spam. In addition, hackers sometimes do this, making it all the more desirable for you to be able to determine the true source of an e-mail message when necessary.
When you check to see if any of your people are spoofing their addresses to present a different address as the source of their messages, you should recognize that there can be valid reasons for sometimes spoofing return addresses. When people travel, they may originate e-mail messages from a computer that has a return address belonging to the company that owns the computer. Since some people reply to messages with the "reply to sender" function, it is reasonable for the sender of the message to have the system show their own address as the source of the message so that the reply will come to them.
In my case, I spoof my return address on e-mail I send. The address through which I receive e-mail is flilly@lillycpa.com. However, that address is at a web-hosting site and I have no way of actually sending messages from that site. When messages come to that address they are forwarded to my mailbox at the Internet Service Provider (ISP) I use. When I send messages from my ISP, I spoof the address to show that they come from flilly@lillycpa.com. This way I have the flexibility to use my own domain name and an ISP as I wish.
For the part of your question on finding out whether your people are spoofing their return addresses, there are two approaches you can take. The easy way is to have them send you an e-mail message through the Internet and compare the return address shown in the message with their actual address. If you want to tell by looking at the settings on their computers, it is a little more complicated. As an illustration, here is how you could tell on the laptop I carry out of town with me and use at different locations while spoofing the return address to my regular address at lillycpa.com. In my case I am using Microsoft Outlook Express, and my solution is based on that program. Your company may be using a different e-mail program, but the process will be similar.
Start Outlook Express and click on Tools. In the drop down menu for Tools click on Accounts. This will bring up a screen labeled Internet Accounts. On that screen select the tab labeled Mail. Then select an Account (normally the default account) and click on Properties. Within Properties select the General tab. This will display the e-mail address and reply address going out with messages. These addresses will go out with the e-mail regardless of the actual address your company is using.
Obtaining information on actual addresses used to send e-mail to your company is more complicated. The best information on this I have ever seen was written by Susan Bradley and published in the March/April 2002 edition of the AICPA InfoTech Update published by the American Institute of Certified Public Accountants (AICPA). The AICPA has given permission for this to be included in ISACA's K-NET database. For further information, I recommend that you access this article on K-NET, www.isaca.org/knet.
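The comparison described above, the return address shown in a received message against the path the message actually took, can also be done from the message headers themselves. The following Python script is an added example, not part of the original column or the referenced article: it parses the From, Return-Path and Received headers of a constructed sample message (all host names, addresses and identifiers in it are made up) and reports whether the domain shown in From agrees with the envelope sender or the originating host.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample message (not a real one): the From line shows the
# sender's own domain while Return-Path and the Received chain show the
# message actually left through an ISP's mail server.
SAMPLE = """\
Return-Path: <user123@isp.example.net>
Received: from mail.isp.example.net (mail.isp.example.net [192.0.2.10])
\tby mx.company.example.com with ESMTP id abc123; Mon, 1 Apr 2002 09:00:00 -0500
Received: from laptop (dialup-17.isp.example.net [192.0.2.77])
\tby mail.isp.example.net with SMTP id def456; Mon, 1 Apr 2002 08:59:30 -0500
From: Fred Lilly <flilly@lillycpa.com>
Reply-To: flilly@lillycpa.com
Subject: Quarterly figures

Please see the attached figures.
"""

def domain_of(header_value):
    """Lower-cased domain part of the address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value) if header_value is not None else "")
    return addr.rpartition("@")[2].lower()

def received_hosts(msg):
    """Relay-recorded host names from each Received header, newest first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        # Each relay records "from <claimed name> (<name it resolved> [ip])".
        m = re.match(r"\s*from\s+\S+\s*\(([^\s\[\])]+)", str(hdr))
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def analyze(raw_message):
    """Compare the displayed From domain with the envelope and path evidence."""
    msg = message_from_string(raw_message, policy=default)
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    hosts = received_hosts(msg)
    origin = hosts[-1] if hosts else ""  # oldest Received line is nearest the sender
    in_from_dom = bool(from_dom) and (origin == from_dom or origin.endswith("." + from_dom))
    return {"from_domain": from_dom, "envelope_domain": envelope_dom,
            "origin_host": origin,
            "from_matches_path": from_dom == envelope_dom or in_from_dom}
```

A False result means the visible From address is not backed by the sending path, which is exactly the situation described for a forwarded domain sent through an ISP; it is a reason to ask the sender, not proof of forgery.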