[windows2000] Re: adding users to workstation administrator group

  • From: Frank Monroe <Frank.Monroe@xxxxxxxxxxx>
  • To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
  • Date: Mon, 11 Apr 2005 20:49:31 -0500

Actually, not only local policies.  There is no distinction of where the
policy came from when it is inserted in the registry.  So, all a user has to
do is modify the registry location that was just set by the policy engine.
It takes no time at all.

And if they can't find a registry location to repoint an executable to some
other file, all they have to do is replace one of the system executables
that run as servers with something like usrmgr.exe from old NT and,
instant admin privs.  It's even easier than that, just replace the default
screen saver with usrmgr.exe and log off and wait for it to launch.  Again,
instant admin privs.

Just send this discussion to the windows NT security group and they will go
on for days with all of the exploits possible with this approach.  I have
personally broken into systems with little effort where the security has
been changed in this manner.

By the way, this is one reason why also granting users power users is just
as good as admin.

-----Original Message-----
From: Chris Berry [mailto:chris_berry-list-windows2000@xxxxxxxxxxxxxxxxx] 
Sent: Monday, April 11, 2005 8:11 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: adding users to workstation administrator group


Only local security policies.  Even if what you say is true, and I'm not 
sure it is, they'd still have to know how to escalate, which most of 
them do not.

Chris Berry
chris_berry@xxxxxxxxxxxxxxxxx
Information Advisory Manager
JM Associates

"There is nothing so useless as doing efficiently that which should not 
be done at all." --Peter Drucker


Frank Monroe wrote:
> I don't have a specific example, but once you do this, there are ways 
> to get admin privs so you might as well give it to them.  Not only 
> that, if they have write access to that entire tree, they can override 
> any security policy.
> 
> -----Original Message-----
> From: Chris Berry 
> [mailto:chris_berry-list-windows2000@xxxxxxxxxxxxxxxxx]
> Sent: Monday, April 11, 2005 2:12 PM
> To: windows2000@xxxxxxxxxxxxx
> Subject: [windows2000] Re: adding users to workstation administrator group
> 
> 
> We set it up for Domain Users.  It seems better to us because there are
> lots of other things that you can do as an Admin.
> 
> Chris Berry
> chris_berry@xxxxxxxxxxxxxxxxx
> Information Advisory Manager
> JM Associates
> 
> "There is nothing so useless as doing efficiently that which should not
> be done at all." --Peter Drucker
> 
> 
> Sorin Srbu wrote:
> 
>>windows2000-bounce@xxxxxxxxxxxxx <> sez on Friday, April 08, 2005 10:14 PM:
>>
>>
>>
>>>Actually we'll rarely need it.  I have found previously that giving
>>>write permission to Program Files & WINNT, plus full control of 
>>>HKEY_LOCAL_MACHINE\Software solved the vast majority of the issues 
>>>with no further maintenance.  Although not as secure as determining 
>>>the exact file and registry permissions for each program, this seems 
>>>to work well enough for us considering our limited labor availability
>>>due to being a small shop.
>>
>>
>>Do you give these rights to any particular group, like Authenticated
>>Users or Everyone only?
>>
>>Also, I wonder if this isn't as "bad" as giving the user local admin
>>rights anyway? Or is this a thing that depends on how you view things?
>>;-)
>>
>>
>>
>>
>>>Frank Monroe wrote:
>>>
>>>
>>>>But I would use this as a last resort.  Usually you can work around
>>>>the permission issues without the use of epal.
>>>>
>>>>-----Original Message-----
>>>>From: Chris Berry
>>>>[mailto:chris_berry-list-windows2000@xxxxxxxxxxxxxxxxx] Sent: Friday, 
>>>>April 08, 2005 4:07 PM
>>>>To: windows2000@xxxxxxxxxxxxx
>>>>Subject: [windows2000] Re: adding users to workstation administrator group
>>>>
>>>>
>>>>Hey, that's awesome, thanks!
>>>>
>>>>Chris Berry
>>>>chris_berry@xxxxxxxxxxxxxxxxx
>>>>Information Advisory Manager
>>>>JM Associates
>>>>
>>>>"There is nothing so useless as doing efficiently that which should
>>>>not be done at all." --Peter Drucker
>>>>
>>>>
>>>>Frank Monroe wrote:
>>>>
>>>>
>>>>>http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/epal.mspx
>>>>>
>>>>>-----Original Message-----
>>>>>From: Sorin Srbu [mailto:sorin.srbu@xxxxxxxxxxxxx]
>>>>>Sent: Friday, April 08, 2005 8:45 AM
>>>>>To: windows2000@xxxxxxxxxxxxx
>>>>>Subject: [windows2000] Re: adding users to workstation administrator group
>>>>>
>>>>>
>>>>>windows2000-bounce@xxxxxxxxxxxxx <> sez on Friday, April 08, 2005
>>>>>2:40 PM:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Microsoft also has a utility to fix apps that you can fix from
>>>>>>other means. What the utility does is inflate the user's privs just 
>>>>>>inside the particular application.  To use it, you place entries in 
>>>>>>Active Directory containing the executable name and its hash value 
>>>>>>(so that the elevation only occurs for the app).  If you use this, 
>>>>>>you may be able to save granting the admin privs and also satisfy 
>>>>>>the application.
>>>>>
>>>>>
>>>>>What would that fix be called then?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: Sorin Srbu [mailto:sorin.srbu@xxxxxxxxxxxxx]
>>>>>>Sent: Friday, April 08, 2005 8:23 AM
>>>>>>To: windows2000@xxxxxxxxxxxxx
>>>>>>Subject: [windows2000] Re: adding users to workstation
>>>>>>administrator group
>>>>>>
>>>>>>
>>>>>>windows2000-bounce@xxxxxxxxxxxxx <> sez on Friday, April 08, 2005
>>>>>>2:09 PM:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>And, all it takes is one user with admin privs on a workstation to
>>>>>>>bring down your whole network, or at least make it appear that way.
>>>>>>
>>>>>>Unfortunately, yes... But if we set up the controller computers
>>>>>>we'll void any warranties. 8-/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: Sorin Srbu [mailto:sorin.srbu@xxxxxxxxxxxxx]
>>>>>>>Sent: Friday, April 08, 2005 3:30 AM
>>>>>>>To: windows2000@xxxxxxxxxxxxx
>>>>>>>Subject: [windows2000] Re: adding users to workstation
>>>>>>>administrator group
>>>>>>>
>>>>>>>
>>>>>>>Dave stevens <> sez on Thursday, April 07, 2005 5:11 PM:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>Andrew,
>>>>>>>>
>>>>>>>>I have seen quite a few applications that require local admin
>>>>>>>>rights to run. You might call it bad design, but they do exist.
>>>>>>>>
>>>>>>>>and I think the vendor recommends that as well.
>>>>>>>
>>>>>>>I second that. Most, all in fact, of our instrument control
>>>>>>>software clearly states in the manual that the software *must* run 
>>>>>>>under an account with admin privs.
>>>>>>>
>>>>>>>In most of the cases I've simply disconnected the computer(s) from
>>>>>>>the network so they can't do anything stupid. Besides tinkering
>>>>>>>with a maybe critical instrument's control computer is just plain
>>>>>>>bonkers; the users over here are mostly intelligent enough not to
>>>>>>>do that. Note "mostly". 8->
>>
>>
>>
>>
>>BW,
>>
>>Sorin
>>
>># Sorin Srbu, Systems Engineer        Web: http://pharm.orgfarm.uu.se/pc/
>># Dept of Medicinal Chemistry,        Phone: +46 (0)18-4714482 >3 signals>
> 
> GSM
> 
>># Div of Org Pharm Chem,      Mobile Phone: +46 (0)701-718023
>># Box 574, Uppsala University,        Fax: +46 (0)18-4714474
>># SE-751 23 Uppsala, Sweden   Visit: BMC, Husargatan 3, D5:512b
>>#
>># Public PGP key available on request.
>>#
>># ()  ASCII ribbon campaign - Against html E-mail
>># /\
>>#
>># Harmless tagline follows:
>>#
>># BOFH excuse follows: Temporal anomaly
>>
>>
>>********************************************************
>>This Weeks Sponsor SeamlessPlanet.com Domain Names
>>Register your .com domain name for as low as $7.85
>>One of the lowest prices on the web! Part of The Kenzig Group.
>>http://www.seamlessplanet.com
>>**********************************************************
>>To Unsubscribe, set digest or vacation
>>mode or view archives use the below link.
>>
>>http://thethin.net/win2000list.cfm
> 

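The permission change debated in this thread (write access to Program Files and WINNT plus full control of HKEY_LOCAL_MACHINE\Software for ordinary users) can be audited on a workstation. The PowerShell below is an added example, not part of the original messages; it assumes a Windows host with PowerShell 3.0 or later, and the trusted-principal list and the function name Get-WeakAce are illustrative assumptions.

```powershell
# Added example: list ACEs that let non-administrative principals modify
# the locations discussed in the thread.

# Principals expected to hold write access (assumption; adjust per site).
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Locations named in the thread; %SystemRoot% is WINNT on Windows 2000.
$targets = @($env:ProgramFiles, $env:SystemRoot, 'HKLM:\SOFTWARE')

# Rights that allow replacing a file or changing a registry value or its ACL.
$fileWrite = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$regWrite  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# GENERIC_ALL and GENERIC_WRITE bits, which inherit-only ACEs may carry unmapped.
$generic   = 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string[]]$Path, [string[]]$Trusted)
    foreach ($p in $Path) {
        foreach ($ace in (Get-Acl -Path $p).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
                $rights = $ace.RegistryRights;   $mask = [int]$regWrite
            } else {
                $rights = $ace.FileSystemRights; $mask = [int]$fileWrite
            }
            # Report the ACE if it grants any write-capable right.
            if (([int]$rights -band ($mask -bor $generic)) -ne 0) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $ace.IdentityReference.Value
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-WeakAce -Path $targets -Trusted $trusted | Format-Table -AutoSize
```

A row for Users, Domain Users, Authenticated Users or Everyone means those accounts can change files or registry entries that privileged code relies on, which is the condition the thread describes as equivalent to admin.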