Users vs. Power Users

From: Yechiel Levin (ylevin@NmOaSmPaAsMh.com)
Date: 03/05/03


From: "Yechiel Levin" <ylevin@NmOaSmPaAsMh.com>
Date: Wed, 5 Mar 2003 10:09:51 +0200


The Background:

According to the White Paper "Default Access Control Settings in Windows
2000" from Microsoft's TechNet site

(TechNet Home > Prods. & Techs. > Windows 2000 Server > Maintain >
Security),

Administrative users can, among other things, "configure critical
machine-wide operating system parameters, for example, ... password policy,
access control, and audit functions."

It further states that Power Users "should be able to perform any task
EXCEPT for the administrative tasks described above." This is mitigated
somewhat by the next sentence, to the effect that Power Users' abilities may
be further limited in terms of the types of applications they can install.
In any case I should expect that a Power User cannot be allowed to change
local security policy settings.

The Problem:

I have responsibility for hardening the security of a standalone laptop
Windows 2000 Professional here in the office. As the local administrator, I
set all the settings that our hardening procedures indicate. Then I logged
on as a Power User and was able to change the Local Security Policy
settings, in all of the following categories: Password Policy, Account
Lockout Policy, Audit Policy, and Security Options.

This renders completely useless any hardening procedures I have applied.

Does anyone have any idea why this is happening or if it is supposed to be
this way? How does this square with the info in the above quoted white
paper?

Thanks in advance

Yechiel
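One way to detect the kind of change described in the post above, added here as an example and not part of the original post: export the local policy with `secedit /export /cfg` right after hardening and again later, then diff the two templates across the four categories the post lists. The template contents below are constructed sample data, and the names `parse_template` and `drift` are hypothetical.

```python
import configparser

# secedit template sections that hold the policy categories named in the post.
WATCHED = {
    "System Access": "Password Policy / Account Lockout Policy",
    "Event Audit": "Audit Policy",
    "Registry Values": "Security Options",
}

# Constructed sample of a hardened baseline export (real exports are UTF-16 files).
BASELINE = r"""[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
[Version]
Revision=1
"""
# Constructed "later" export in which three settings have been weakened.
CURRENT = (BASELINE.replace("MinimumPasswordLength = 8", "MinimumPasswordLength = 0")
           .replace("LockoutBadCount = 5", "LockoutBadCount = 0")
           .replace("AuditPolicyChange = 3", "AuditPolicyChange = 0"))

def parse_template(text):
    """Return {section: {key: value}} for the watched sections of a template."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case so registry paths are not lowercased
    cp.read_string(text)
    return {s: {k: v.strip() for k, v in cp.items(s)} for s in WATCHED if cp.has_section(s)}

def drift(baseline_text, current_text):
    """List (category, key, baseline_value, current_value) for every difference."""
    base, cur = parse_template(baseline_text), parse_template(current_text)
    findings = []
    for section, label in WATCHED.items():
        b, c = base.get(section, {}), cur.get(section, {})
        for key in sorted(set(b) | set(c)):
            if b.get(key) != c.get(key):
                findings.append((label, key, b.get(key), c.get(key)))
    return findings

if __name__ == "__main__":
    for label, key, old, new in drift(BASELINE, CURRENT):
        print(f"{label}: {key} changed from {old} to {new}")
```
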


