Re: Windows 2000 Security Issue

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 11/14/04


Date: Sun, 14 Nov 2004 12:35:52 -0500

Ian Henderson wrote:
> Hi folks.
>
> I work for a company that has just paid a contract programmer to do a
> bit of work, integrating our telephony system with our in-house
> VB.NET CRM product. The problem that we currently have is that the
> application that has been written throws a loosely-coupled event,
> which requires to register a transient subscription through Component
> Services on the local user's machine.
>
> The setup of the network is as follows:
>
> Servers are all running Windows 2000 Server (not sure which service
> pack). Clients are all running Windows XP Pro SP2
>
> For obvious security reasons, we haven't given the general userbase
> any administrator-level privileges. However, what we did do, purely
> as a test, was create a new user that did have administrator
> privileges. With those privileges in place, the user could reach the
> Component Services without a problem. We then gradually reduced the
> granted privileges, testing all the time, until we got to the point
> where the user could NOT reach Component Services.
>
> To cut a long story short, we currently have a bunch of users that
> have been granted administrator-level access to the network, which is
> obviously wrong on all manner of levels. However, we are unsure of
> exactly what we would need to tweak in order for the users to have
> very limited privileges, but still be able to access Component
> Services.
>
> If anyone can help me with this, I'll be extremely grateful. If you
> can help me, please, as well as replying to this post, send me an
> email to ihenderson@________
>
> TIA
>
>
>
> Ian Henderson
>

>
> Brain-Fried Systems Developer
> Glasgow, Scotland and Newcastle, England.

Frankly, if it were me, I'd insist that the developer fix his product so it
runs properly for user accounts. There's really no excuse for this. And yes,
you're absolutely right - user accounts should have no admin rights at all -
this is bad practice.

That said, you might want to check out FileMon and RegMon from
www.sysinternals.com

Sorry, no email replies. And note that you're doing yourself and everyone a
disservice by posting an "unmunged" email address in your post - it can and
likely will lead to viruses and spam. Check out
http://www.mailmsg.com/SPAM_munging.htm for help in the future....