Re: Local Administrator
From: Danny Sanders (Danny.Sanders_at_NO-SPAMcpcmed.org)
Date: 06/08/05
Date: Wed, 8 Jun 2005 09:45:26 -0600
If you are using Win 2k take a look at this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;269259
hth
DDS W 2k MVP MCSE
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uVOnNw%23aFHA.2420@TK2MSFTNGP15.phx.gbl...
> You might also want to look at the free tools called filemon and regmon
> from SysInternals that can help you track down where access is denied to a
> file or registry key. You could logon to the computer as a regular user
> and use runas to bring up filemon or regmon just before you try to run the
> application and then when it fails close the log for filemon/regmon, look
> for access denied entries, make permissions adjustment and try again. Even
> doing such not all applications can be made to run for a regular user by
> modifying file folder and registry permissions.
>
> The biggest risk with a user being local administrator is to the local
> computer mostly and to the network if the computer becomes infected with
> malware like a worm that wants to spread via your network. If a computer
> becomes infected while the logged on user is a local administrator then
> the malware will have administrator access to that computer and can
> write/modify anywhere on it. Good antivirus protection and not being able
> to use the internet will greatly reduce that risk.
>
> If a user is a local administrator they have the capability to do anything
> they want on the computer including undoing any current restrictions if
> they have the knowledge how to do such and the desire. Most users do not
> even understand the concept of an administrator account and probably will
> just live with things as they are but you always will have some curious
> users. The first thing such a user could do would be to try to access the
> command prompt where a local administrator could then own the computer.
> The command prompt could be accessed in a number of ways including from
> within applications. A local administrator could also unjoin a computer
> from the domain, logon as a local account that is a local administrator
> to bypass domain Group Policy user configuration settings, rename
> executables to be what is on the white list to bypass restrictions, and
> run scripts.
>
> I am not saying that will happen in your network but it should be
> considered as a possibility if you allow a user to be local
> administrator. --- Steve
>
>
>
> <kylei@mvlhawaii.com> wrote in message
> news:1118201975.903870.289130@g47g2000cwa.googlegroups.com...
>> We have an application that is giving me tons of issues when run under
>> a user in the local Users Group. I have asked the vendor for the
>> files/folders/registry entries permissions but they have not given them
>> to me. I could turn on auditing and find all the
>> files/folders/registry entries to give the local Users Group access to
>> but that may take a long time and I don't have that kind of time at the
>> moment.
>>
>> Right now I'm using Group Policy to lockdown the PC so that the only
>> thing a user can run is the specified application. No right clicking,
>> no tray icons, no Start Menu items except that application, and no
>> internet access because we block all access to the internet with
>> Websense.
>>
>> With all this in mind, what is my security risk for the local computer
>> and for the network? Can you think of any way to cause damage?
>>
>
>
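The following is an added example, not part of the original thread: a short Python script that summarizes the access-denied entries from a saved filemon/regmon log, so the paths needing a permissions adjustment for one application can be read off in one place. The tab-separated column layout, the result strings, the `denied_targets` helper and the sample log lines are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: the log was saved as tab-separated text with these columns.
COLUMNS = ("seq", "time", "process", "request", "path", "result", "other")
# Assumption: result strings that mean the request was refused.
DENIED = {"ACCESS DENIED", "ACCDENIED"}

# Constructed sample log lines (not real tool output).
SAMPLE_LOG = "\n".join([
    "1\t09:45:01\tapp.exe:1204\tOPEN\tC:\\Program Files\\App\\app.ini\tSUCCESS\t",
    "2\t09:45:01\tapp.exe:1204\tWRITE\tC:\\Program Files\\App\\app.ini\tACCESS DENIED\t",
    "3\t09:45:02\tapp.exe:1204\tCREATE\tC:\\Program Files\\App\\cache\\tmp1.dat\tACCESS DENIED\t",
    "4\t09:45:02\texplorer.exe:880\tOPEN\tC:\\Temp\\other.log\tACCESS DENIED\t",
    "5\t09:45:03\tapp.exe:1204\tSetValue\tHKLM\\Software\\Vendor\\App\\LastRun\tACCDENIED\t",
    "6\t09:45:04\tapp.exe:1204\tOPEN\tC:\\Program Files\\App\\app.ini\tACCESS DENIED\t",
    "7\t09:45:09\tapp.exe:1204",  # truncated line, must be skipped
])


def denied_targets(log_text, process_prefix=None):
    """Return {path: sorted denied request types}, optionally for one process."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) < 6:
            continue  # blank or truncated line
        rec = dict(zip(COLUMNS, fields))
        if rec["result"].upper() not in DENIED:
            continue
        # Keep only the application under test so unrelated noise is dropped.
        if process_prefix and not rec["process"].lower().startswith(
            process_prefix.lower()
        ):
            continue
        hits[rec["path"]].add(rec["request"].upper())
    return {path: sorted(reqs) for path, reqs in sorted(hits.items())}


if __name__ == "__main__":
    # One line per file or registry key the regular user was refused on.
    for path, requests in denied_targets(SAMPLE_LOG, "app.exe").items():
        print(f"{', '.join(requests):<14} {path}")
```

Grant the Users group only the access each listed request type needs on each listed path, then rerun the application and the capture until the list is empty.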