How to secure your data

Posted: Tue Jul 26, 2005 5:04 am
by Alan McCay
Hi All

Below is the best method we could think of to allow the inventory tool to run with least risk to the network security.

1. Create a service account on the domain controller called InventoryAdmin
2. Install Windows 2000 Professional with SP4 / XP Professional, join it to the domain and give local admin privilege to the InventoryAdmin user
3. Install the Network Inventory software on to the PC
4. Create a share on the C drive called Alloy -> give Everyone full access for NTFS and share-level permissions
5. Create a folder called Agent in the Alloy directory
5. Create a folder called AuditData in the Agent folder ->
Security permissions -
Domain Admins - full control
Everyone - remove all permissions
Select Advanced – Select Everyone – Click Edit
Select – Read Attributes, Create files / Write data, Delete subfolders and files, Read permissions
6. Create a folder called logs in the Agent folder
Security permissions -
Same as above
7. In the Deployment path of NINA, give the respective folders
SharedAgent folder : \\systemname\Alloy\Agent
SharedInventoryrepository folder : \\systemname\Alloy\Agent\AuditData
Shared Logfile folder : \\systemname\Alloy\Agent\Log
8. Registry settings or adding a null share (this can be done in two ways)

a) Run addnullshare.exe from the bin directory of the NINA folder
>addnullshare.exe <share name>
>addnullshare.exe alloy


b) Edit the registry using regedt32.exe (not regedit.exe)

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Add the share name to the NullSessionShares value; for this example, add Alloy

9. Make sure you set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous value to 0.

10. In Tools --> Options --> On-Demand Audit, give the username InventoryAdmin and the password
11. Select Account type as Domain administrator

2000 Client Configuration

Right-click My Computer --> Manage --> Services and Applications --> select WMI Control --> right-click --> Properties -->
Go to the Security tab --> navigate to Root\CIMV2 --> select Security --> add the InventoryAdmin user and give Remote Enable permission

These settings will allow a domain user account (not domain admin) - "InventoryAdmin" - to log on to the client PC, run the scan and output the content to the Data folder. Note that the permissions deny any other domain users from accessing this folder (view / write).
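
An added example, not part of the original post or of the inventory product: a Python check that reads a `reg export` text dump and reports the two registry settings changed in steps 8 and 9, so that hosts carrying them can be listed. The sample export, its share names and the function names `parse_reg` and `audit` are constructed for illustration; a real export is UTF-16 and has to be decoded to text before it is passed in.

```python
import re

# Constructed sample in "reg export" (Regedit 5.00) text form; not taken from the post.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,41,00,6c,\
  00,6c,00,6f,00,79,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: decoded_value}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith("hex(7):"):  # REG_MULTI_SZ: UTF-16LE, NUL-separated
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            current[name] = [s for s in data.decode("utf-16-le").split("\x00") if s]
        else:
            current[name] = raw.strip('"')
    return keys

def audit(text):
    """List findings for the two settings changed in steps 8 and 9."""
    keys = parse_reg(text)
    base = r"hkey_local_machine\system\currentcontrolset"
    shares = keys.get(base + r"\services\lanmanserver\parameters", {}).get("nullsessionshares", [])
    restrict = keys.get(base + r"\control\lsa", {}).get("restrictanonymous")
    findings = [f"null session share: {s}" for s in shares]
    if restrict == 0:
        findings.append("RestrictAnonymous=0")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```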