System permissions and printer forms - serious design flaw in Win2K security?
From: Andrew Mayo (ajmayo_at_my-deja.com)
Date: 07/03/03
- Next message: Steven L Umbach: "Re: Security on Folder and Files.. should be easy but MS Security is strange!"
- Previous message: john: "auditing 1 AD account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 3 Jul 2003 05:01:03 -0700
Only power users and system administrators can create printer forms.
This is a major problem for applications which require forms to be
created programmatically - i.e the local user wishes to load
non-standard paper and define a form for it, but we do not wish the
local user account to have either power user or administrator rights
(i.e belong to those groups) because these groups can create new local
users, which we don't wish to allow.
Does anyone know how the various permissions implicit in group
membership are managed within Windows i.e do power users just get a
bunch of hard-coded rights or are these in fact stored as some kind of
permissions list on objects and with some kind of tool these could be
managed
If the rights of a group are hard-coded this seems a very inadequate
security system since you have to grant far too many rights to perform
common tasks and there is no fine-grained granularity. This doesn't
seem entirely consistent with the quite fine-grained granularity of
object permissions - for example on a printer itself I can control who
has access and what type of access down to the individual user.
But other rights which involve 'meta objects' (for want of a better
description) e.g 'can add new users' or 'can create printer forms' do
not appear to exist as a concept within the security system and
therefore access lists cannot be created to manage them.
Possibly there is one of those ill-document resource kit tools which
can manage this - I don't know - but can anyone comment further on how
permissions are managed in such cases.
In particular I'd like to create a user group whose rights are
basically the same as a power user but they CANNOT create new local
users.
I'd make the comment that under Unix these issues would never arise
because everything is either a device or a file, and the two are
mapped such that permissions are managed consistently across the two -
so it is easy to set up users who might, for example, be able to
define and load new printer forms without giving them the right to add
new users.
- Next message: Steven L Umbach: "Re: Security on Folder and Files.. should be easy but MS Security is strange!"
- Previous message: john: "auditing 1 AD account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
