hot potato workers
-
@dashrender said in hot potato workers:
@gjacobse said in hot potato workers:
@dashrender said in hot potato workers:
@gjacobse said in hot potato workers:
@dashrender said in hot potato workers:
Web logons are:
athenaNetInteresting - so you are not using a RDP session to host the AthenaNet as an additional security layer?
No - are you? And assuming you are - how do you handle insurance card uploads, paperwork uploads, local device attachment, etc? i mean I know RDS can map in a USB port, perhaps that works pretty good today - not so much in the past.
We have a number of Ambir Scanners for insurance / id cards... working 'fine' in the RDP
Tell me about your RDP environment - does each person have their own full windows 10 desktop in Azure? or is it an RDS server?
I don't use ambir's software, I'll have to take a look at it.
Using a RDS Balancer, so you can use the same server for days and then get kicked to a different one,... a total of 15 RDS servers.
-
@gjacobse Are you doing full desktops or only deploying the browser for athenaNet?
-
@dashrender said in hot potato workers:
@gjacobse Are you doing full desktops or only deploying the browser for athenaNet?
Full Desktop
-
@dashrender said in hot potato workers:
This also solves the Lastpass situation, as once it's setup under the shared user, it should just remain there.
But it won't be logged in to the right user.
Browser sessions won't be the right user.
Just an all around bad idea.
-
@jaredbusch said in hot potato workers:
@dashrender said in hot potato workers:
This also solves the Lastpass situation, as once it's setup under the shared user, it should just remain there.
But it won't be logged in to the right user.
Browser sessions won't be the right user.
Just an all around bad idea.
LP will be set to log out upon the browser closing -
There's only so much I can do for the users - They have to log out of Outlook, they have to log out of athena - they need to close the browser or log out of LP... so that's really not a big concern in my mind.
IF - IF they can log out those things.. this is not an issue. tons of places use shared computers with the full expectation that once you are done YOU will log out when finished to prevent the next person getting access to your crap.
-
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@dashrender said in hot potato workers:
This also solves the Lastpass situation, as once it's setup under the shared user, it should just remain there.
But it won't be logged in to the right user.
Browser sessions won't be the right user.
Just an all around bad idea.
LP will be set to log out upon the browser closing -
There's only so much I can do for the users - They have to log out of Outlook, they have to log out of athena - they need to close the browser or log out of LP... so that's really not a big concern in my mind.
IF - IF they can log out those things.. this is not an issue. tons of places use shared computers with the full expectation that once you are done YOU will log out when finished to prevent the next person getting access to your crap.
Force Edge to always use porn mode. That should help.
-
@jaredbusch said in hot potato workers:
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@dashrender said in hot potato workers:
This also solves the Lastpass situation, as once it's setup under the shared user, it should just remain there.
But it won't be logged in to the right user.
Browser sessions won't be the right user.
Just an all around bad idea.
LP will be set to log out upon the browser closing -
There's only so much I can do for the users - They have to log out of Outlook, they have to log out of athena - they need to close the browser or log out of LP... so that's really not a big concern in my mind.
IF - IF they can log out those things.. this is not an issue. tons of places use shared computers with the full expectation that once you are done YOU will log out when finished to prevent the next person getting access to your crap.
Force Edge to always use porn mode. That should help.
that helps as long as the browser is closed when the user is finished -
-
Not done the comparison - but we use SecureDen.. The group (about seven of us) see the same thing, get MFA'd ...
-
@jaredbusch said in hot potato workers:
Force Edge to always use porn mode. That should help.
Helpful Hint: Don't google: "Edge Porn Mode"
-
@jasgot said in hot potato workers:
@jaredbusch said in hot potato workers:
Force Edge to always use porn mode. That should help.
Helpful Hint: Don't google: "Edge Porn Mode"
LOL... That so makes me want to. But No. Pass.
-
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@dashrender said in hot potato workers:
This also solves the Lastpass situation, as once it's setup under the shared user, it should just remain there.
But it won't be logged in to the right user.
Browser sessions won't be the right user.
Just an all around bad idea.
LP will be set to log out upon the browser closing -
There's only so much I can do for the users - They have to log out of Outlook, they have to log out of athena - they need to close the browser or log out of LP... so that's really not a big concern in my mind.
IF - IF they can log out those things.. this is not an issue. tons of places use shared computers with the full expectation that once you are done YOU will log out when finished to prevent the next person getting access to your crap.
Force Edge to always use porn mode. That should help.
that helps as long as the browser is closed when the user is finished -
Fixes the issues you raised, which are also user management issues.
So simply make the policy close the fucking browser.
-
@dashrender said in hot potato workers:
I have a front desk area of 10 workstations that I need to allow these 10 workers and about 20 others to randomly log into any of these 10 stations and have full function.
Each station has an insurance card scanner - software will only load for one profile at a time. I.e. if person 1 is logged in, then person 2 logs in while suspending (not logging off) person 1, the scanner won't work.
The printers are based on front desk location, so it's workstation based, regardless of who logs in.
Lastpass needs to be installed into Chrome and ready to go regardless of who logs into the PC.
As already mentioned - as backup to sick front desk staff, a group of 20 or so can be assigned to fill in as needed, and they need the ability to do all functions from these computers as well.
Because it's a medical shop - my users need the ability to lock their computers when they go to the bathroom - so I'm thinking a shared account likely isn't going to work.
TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything.
-
@obsolesce said in hot potato workers:
TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything.
Completely forgot about that.
Can a normal user force log off a logged on user if the screen is locked? -
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything.
Completely forgot about that.
Can a normal user force log off a logged on user if the screen is locked?nope.
-
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything.
Completely forgot about that.
Can a normal user force log off a logged on user if the screen is locked?nope.
You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
-
@obsolesce said in hot potato workers:
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything.
Completely forgot about that.
Can a normal user force log off a logged on user if the screen is locked?nope.
You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
Lock is a normal event though when a user walks away and is coming back. Forcing a log off would be a huge productivity sink
-
@obsolesce said in hot potato workers:
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything.
Completely forgot about that.
Can a normal user force log off a logged on user if the screen is locked?nope.
You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
Oh man - now that's an interesting idea...
-
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything.
Completely forgot about that.
Can a normal user force log off a logged on user if the screen is locked?nope.
You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
Lock is a normal event though when a user walks away and is coming back. Forcing a log off would be a huge productivity sink
Not if you look at the case above where I said that Lock is completely unusable because of the shared account.
-
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything.
Completely forgot about that.
Can a normal user force log off a logged on user if the screen is locked?nope.
You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
Lock is a normal event though when a user walks away and is coming back. Forcing a log off would be a huge productivity sink
Not if you look at the case above where I said that Lock is completely unusable because of the shared account.
Yes, but what is the user impact to a log on event multiple times per day?
Not saying it is the wrong solution, but this type of issue needs to be resolved around a solution that is the least impactful to user productivity while still meeting the security and technical requirements.
-
@jaredbusch said in hot potato workers:
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
@dashrender said in hot potato workers:
@jaredbusch said in hot potato workers:
@obsolesce said in hot potato workers:
TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything.
Completely forgot about that.
Can a normal user force log off a logged on user if the screen is locked?nope.
You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
Lock is a normal event though when a user walks away and is coming back. Forcing a log off would be a huge productivity sink
Not if you look at the case above where I said that Lock is completely unusable because of the shared account.
Yes, but what is the user impact to a log on event multiple times per day?
Not saying it is the wrong solution, but this type of issue needs to be resolved around a solution that is the least impactful to user productivity while still meeting the security and technical requirements.
Of course it does - which is why I have this topic.
I don't believe a shared account is anywhere near optimal.
Ultimately I believe I'm going to have to create some scripts that will ensure all the required settings are in place whenever any user logs in. Of course - this will make a first time user (or a user after their profile has been removed) unhappy as they wait for the scripts to run.
I already mentioned the things above I need to be there every time anyone logs into these computers...
specific printers based on location of front desk
short cuts to specific websites
Lastpass installed and enabled in Chrome at least, Edge would be useful
