Re: Permissions

• Previous message: John Hendren: "RE: Adware, spyware, and trojans"
• In reply to: Chris Berry: "Re: Permissions"
• Next in thread: Chris Berry: "Re: Permissions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 06 Dec 2002 12:07:35 -0800
From: Nexus <nexus06@drxlabs.com>
To: Chris Berry <compjma@hotmail.com>

The NT and Win2k Files permission Model is different, NT is more lose
and the /WINNT directory and such give users more permissions.

 goto sysinternals.com there are lots of good tools there that when run
before you run an app will tell you what it is accessing, including reg
keys dll , etc...

The default prems in a win2k install(or evenNT4 worksation) gives the
users only what they need, the more access you give USERS the more
trouble your in for later the SYSTEM group is for the Operating system,
giving it change or full 'sometimes' will solve those oddball issues,
and sometimes not.

use the tools at sysinternals to find out what keys and dll's
directorys said app is using, test it on a test machine, then
create a domain gobal group.

apply that group to all the places with the level you tested. (test
using the SYSTEM, and NETWORK type groups first)

the from there you just add and subtract users from the gobal groups to
be able to access said apps....

The whole idea of a user having only user type perms and not being able
to install or chnage anything is to make the systems and network run
smooth...
if you give all your 'users' massive perms then you just asking for
trouble becuase of a few reasons.

it makes it easyer for an attacker to take over your network as he as
more accounts to target.
and more users with more perms means you will be alot busyer then if you
had a more well setup network.

another group you can utizile is authencated users, this group will
make sure a user is 'authencated'
this group is in leiu of the 'everyone' group.

ps: MS office needs the 'everyone group' in the profiles so becarful
there....

Hope this Helps?

let me know if you need more ?

-Nexus

Chris Berry wrote:

>> From: Nexus <nexus06@drxlabs.com>
>> That is way to much,
>> With that much access, users / attackers can have almost full control
>> over the machine.
>
>
> Only if they have an authenticated user account, at which point,
> you're pretty much hosed anyways, right?
>
>> What i would do is create a group for each type of program,
>> and place that group in the image(if you have standard images) .
>> then just setup the access that program needs, with said group. this
>> way ONLY users with a valid need get access to programs they are
>> suppose to have.
>
>
> Most programs run under the USERS permissions, how would you put a
> program in a group?
>
>> i have a few programs like that, what i did is hunt down every
>> registry key it used and apply premissions to that key in a standard
>> image on an as needed basis along with file prems. (with domian groups)
>> also sometimes giving the SYSTEM group more access or adding it fixs
>> some issues so try that also.
>
>
> I had alot of trouble finding the necessary permissions most programs,
> alot of them assume you are admin, or running on win9x Kept having
> wierd errors all the time, very frustrating.
>
>> trust me, in the long run its better to have it setup correctly then
>> >to have a hay wired setup.
>
>
> I totally agree with that, or I wouldn't have posted the question in
> the first place.
>
> Chris Berry
> compjma@hotmail.com
> Systems Administrator
> JM Associates
>
> "Live dangerously, overclock your servers."
>
> _________________________________________________________________
> Add photos to your messages with MSN 8. Get 2 months FREE*.
> http://join.msn.com/?page=features/featuredemail
>
>
>

• Next message: Stokes Andy: "Re: Adware, spyware, and trojans"
• Previous message: John Hendren: "RE: Adware, spyware, and trojans"
• In reply to: Chris Berry: "Re: Permissions"
• Next in thread: Chris Berry: "Re: Permissions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]