Re: USERS group has the ability to change security permissions???

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/06/05

• Next message: Steven L Umbach: "Re: CTRL ALT DEL function disabled locally"
• Previous message: Steven L Umbach: "Re: Security Log Help"
• In reply to: Silly: "Re: USERS group has the ability to change security permissions???"
• Next in thread: Silly: "Re: USERS group has the ability to change security permissions???"
• Reply: Silly: "Re: USERS group has the ability to change security permissions???"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 6 May 2005 09:45:46 -0500

I would be interested in the results on a clean machine. I would also verify
that the user is indeed not a local administrator which can be easily done
with the " net user username " command on the local computer. Another thing
I would consider doing on a computer where a user is doing such is enabling
auditing of object access and then auditing that folders in question for
just "change permission" to see if the user name that is changing the
permission is indeed who you think they are - IE not using other credentials
by viewing object access events in the security log though that is not a
real user friendly procedure the info is usually there. Users that have
physical access to a computer can easily use utilities to make themselves
local administrators if steps are not taken to disallow them to boot from
floppy, cdrom, etc. Often when confronted about how they are able to do
tasks that only administrators can do they act stupid rather than admit they
hacked the computer. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640

"Silly" <Silly@discussions.microsoft.com> wrote in message
news:BC5E9146-841C-4325-87F3-8E50B130D446@microsoft.com...
> no, the users are not belong to any of the power users or administrators,
> AND
> the NTFS permissions are set on local disks using those of Windows XP as
> the
> followings:
>
> - Administrators: Full Control
> - Creator Owner: Full Control (Subfolders and Files)
> - System: Full Control
> - Users: Read & Execute (This Folder, Subfolders, and Files)
> - Users: Create Folders / Append Date (This Folder and Subfolders)
> - Users: Create Files / Write Data (Subfolders Only)
> - Everyone: Read & Execute
>
> I'll set up a clean machine tomorrow and test it against what I found
> today,
> and will keep you posted. Thanks for checking this.
>
> "Steven L Umbach" wrote:
>
>> Are the users local administrators?? If so you will not be able to
>> effectively stop them from changing permissions. Assuming they are not
>> you
>> can modify permissions so that the user can not change permissions. A
>> user
>> needs change permissions, full control, or be owner to change
>> permissions.
>> You should check the permissions of an XP Pro or Windows 2003 Server
>> computer to get an idea of good default ntfs permissions where by default
>> a
>> regular user can change permissions only on their profile folder. ---
>> Steve
>>
>>
>> "Silly" <Silly@discussions.microsoft.com> wrote in message
>> news:C1199C1D-15D2-4F41-9A01-818C7BDE0302@microsoft.com...
>> > hi all,
>> >
>> > i've just learned today that if a user can get access to computer
>> > management
>> > console, he/she can go to the "logical drives" and change the NTFS
>> > permissions set on local hard disks. Besides remove permissions set on
>> > the
>> > "compmgmt.msc" for users, power users, and everyone groups, is there
>> > any
>> > other way that i can set or disable so that the user won't have the
>> > ability
>> > to mess up with permissions again.
>> >
>> > i am still really confused that the user can just have the ability to
>> > change
>> > NTFS permissions like that. please help!!!
>>
>>
>>

• Next message: Steven L Umbach: "Re: CTRL ALT DEL function disabled locally"
• Previous message: Steven L Umbach: "Re: Security Log Help"
• In reply to: Silly: "Re: USERS group has the ability to change security permissions???"
• Next in thread: Silly: "Re: USERS group has the ability to change security permissions???"
• Reply: Silly: "Re: USERS group has the ability to change security permissions???"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Help-Power Policy Manager-RegHack using regini.exe ? ... The resolution to our problem was to change permissions in the registry ... Subject: Re: Power Policy Manager ... without being added to the Local Administrators group. ... (microsoft.public.win2000.security) Help-Power Policy Manager-RegHack using regini.exe ? ... The resolution to our problem was to change permissions in the registry ... Subject: Re: Power Policy Manager ... without being added to the Local Administrators group. ... (microsoft.public.win2000.security) Help-Power Policy Manager-RegHack using regini.exe ? ... The resolution to our problem was to change permissions in the registry ... Subject: Re: Power Policy Manager ... without being added to the Local Administrators group. ... (microsoft.public.win2000.security) Re: Preventing users installing programms...? ... use ntfs special permissions to deny the user execute permissions to "files only" for ... can change permissions back to allow execute. ... Restriction Policies, even local administrators.. ... > Ive a standalone win 2000pro workstation, ... (microsoft.public.win2000.security) Re: Delegating rights ... Exchange System Manager. ... filter down to the mailboxes and when you look at the Mailbox Rights ... permissions, you should see that they now have Change Permissions ACL ... (microsoft.public.exchange.admin)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint