Re: USERS group has the ability to change security permissions???
From: Silly (Silly_at_discussions.microsoft.com)
Date: 05/07/05
- Previous message: Roger Abell: "Re: USERS group has the ability to change security permissions???"
- In reply to: Steven L Umbach: "Re: USERS group has the ability to change security permissions???"
- Next in thread: Roger Abell: "Re: USERS group has the ability to change security permissions???"
- Reply: Roger Abell: "Re: USERS group has the ability to change security permissions???"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 6 May 2005 15:26:01 -0700
Okay, here are the steps:
- clean install of windows 2000 professional (standalone)
- reconfigure default everyone's permissions to those posted previously >
restart
- install all security updates through windows update
- create a user JohnDoe with password "password" and user JaneDoe without
password
- restart > login using both users
RESULTS: permissions work as they are supposed too! PHEW!!!
So, I setup another machine and load the image that is currently run on so
many computers here, just to see if it's something related to the image that
I might have missed, the RESULT: user level access can change NTFS
permissions when they right click on local hard disks > properties > security.
THIS IS HOW I CREATED THE IMAGE FOR MASS DEPLOYMENT
- Same steps as I wrote above with a user "Public" without password for
general access
- all required applications were installed and tested OK
- ran Sysprep, leaving every settings in Sysprep as default (meaning I just
clicked on Sysprep and let it go throught whatever processes that it needed
to go through, and then the computer is automatically shut down).
- booted system with Norton Ghost 2003 to create an image
- when done, rolled the image out to the other computers, went through
simple initial setup steps (i.e. Name, company, computer name, etc.)
- login with user "Public" and this user is able to change the NTFS
permissions.
I don't know where I got it wrong, if anyone has done the image with Norton
Ghost 2003 and had everything works fine, could you please show the way?
thanks!
"Steven L Umbach" wrote:
> I would be interested in the results on a clean machine. I would also verify
> that the user is indeed not a local administrator which can be easily done
> with the " net user username " command on the local computer. Another thing
> I would consider doing on a computer where a user is doing such is enabling
> auditing of object access and then auditing that folders in question for
> just "change permission" to see if the user name that is changing the
> permission is indeed who you think they are - IE not using other credentials
> by viewing object access events in the security log though that is not a
> real user friendly procedure the info is usually there. Users that have
> physical access to a computer can easily use utilities to make themselves
> local administrators if steps are not taken to disallow them to boot from
> floppy, cdrom, etc. Often when confronted about how they are able to do
> tasks that only administrators can do they act stupid rather than admit they
> hacked the computer. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
- Previous message: Roger Abell: "Re: USERS group has the ability to change security permissions???"
- In reply to: Steven L Umbach: "Re: USERS group has the ability to change security permissions???"
- Next in thread: Roger Abell: "Re: USERS group has the ability to change security permissions???"
- Reply: Roger Abell: "Re: USERS group has the ability to change security permissions???"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
