Re: On the topic of Windows Hardening

From: Steve Friedl (steve_at_unixwiz.net)
Date: 11/12/05

    Date: Sat, 12 Nov 2005 08:26:07 -0800
    To: Peter Hyvonen <phyvonen@selfcharge.com>
    
    

    On Fri, Nov 11, 2005 at 03:18:28PM -0800, Peter Hyvonen wrote:
    > Is there a way to 'fake' an administrator account? I ask because our
    > MRP software requires the user have complete local privileges (power user
    > accounts do not work). I've complained but changing MRP software is not
    > an option. We have a lot of small fires because the users of the MRP
    > software have to be administrator on their own box. Thanks in advance

    Does it require Administrator access because it legitimately requires
    those functions, or was this just laziness on the part of the MRP software
    vendor where they didn't bother to write their software properly?

    When faced with software which appears to require admin, I normally run
    the software as a non-admin while running the SysInternals FileMon and
    RegMon: these point out which files or registry keys get ACCESS DENIED,
    and those keys/files/directories can have permissions changed to allow
    access by non-admin users.

    Sometimes you'll find that it's easy, and can just tweak one or two things,
    but other times (such as with Quickbooks), it requires full rights to the
    top of the HKEY_CLASSES_ROOT registry hive. These are a lot more work to
    figure out.

    There are two common tips when actually changing permissions:

    First, if you just modify the ACL to allow (say) Domain Users full access
    to the object, when looking at this later you'll never realize that the
    permissions are different or why you did it. So create a domain-wide group
    ("MRP Software ACL") which you use strictly to attach to these permission
    changes. Rather than just modify an existing ACL, add this one with
    Full Control or whatever. Then anybody later looking at this object
    will know *exactly* what you did. Just make Domain Users a member of
    this group (or whatever other proper group).

    Second, this is a great candidate for deployment via Group Policy: by
    setting this up on the domain controller, you can make it so throughout
    the entire enterprise (or a subset as needed).

    Steve

    -- 
    Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
    www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve@unixwiz.net
    ---------------------------------------------------------------------------
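
The workflow in the message above, as an added PowerShell example that is not part of the original post: it pulls the ACCESS DENIED paths for one process out of a saved FileMon/RegMon log and adds an explicit ACE for the dedicated group to each object. The tab-separated log layout, the process name `mrp.exe`, the `EXAMPLE` domain and the sample log lines are assumptions made for illustration.

```powershell
# Added example. Assumed log layout (tab-separated): seq, time, process,
# request, path, result, other. Process name, domain and paths are constructed.
$Group   = 'EXAMPLE\MRP Software ACL'   # dedicated group from the message; domain is a placeholder
$Process = 'mrp.exe'                    # hypothetical process name
$Apply   = $false                       # $false = report only, change nothing

# Constructed sample lines standing in for a saved FileMon/RegMon log.
$log = @(
    "1`t08:26:07`tmrp.exe:1234`tOPEN`tC:\Program Files\MRP\data\orders.db`tACCESS DENIED`t"
    "2`t08:26:07`tmrp.exe:1234`tOPEN`tC:\Program Files\MRP\data\orders.db`tACCESS DENIED`t"
    "3`t08:26:08`tmrp.exe:1234`tCreateKey`tHKLM\Software\ExampleVendor\MRP`tACCESS DENIED`t"
    "4`t08:26:08`tmrp.exe:1234`tSetValue`tHKCR\.mrp`tACCESS DENIED`t"
    "5`t08:26:09`tmrp.exe:1234`tREAD`tC:\Program Files\MRP\mrp.ini`tSUCCESS`t"
    "6`t08:26:09`tother.exe:888`tOPEN`tC:\Windows\secret.dat`tACCESS DENIED`t"
)

# RegMon abbreviates hive names; the Registry:: provider path needs the full name.
$hives = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCR = 'HKEY_CLASSES_ROOT'; HKCU = 'HKEY_CURRENT_USER' }

# Keep only denials caused by the application under test, one entry per object.
$denied = $log | ForEach-Object {
    $f = $_ -split "`t"
    if ($f[2] -like "$Process*" -and $f[5] -eq 'ACCESS DENIED') { $f[4] }
} | Sort-Object -Unique

foreach ($path in $denied) {
    $hive, $rest = $path -split '\\', 2
    if ($hives.ContainsKey($hive)) {
        $target = "Registry::$($hives[$hive])\$rest"
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Group, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    } else {
        $target  = $path
        $inherit = if (Test-Path -LiteralPath $path -PathType Container) {
            'ContainerInherit,ObjectInherit' } else { 'None' }
        # Modify is narrower than Full Control; widen only if the log shows it is needed.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Group, 'Modify', $inherit, 'None', 'Allow')
    }
    if (-not $Apply) { "Would add '$Group' to $target"; continue }
    # Add a new ACE for the group rather than editing existing entries,
    # so the change is self-documenting when someone reads the ACL later.
    $acl = Get-Acl -LiteralPath $target
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $target -AclObject $acl
}
```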