Re: Question on XP network security

From: JP (palmeroj@nospam.hotmail.com)
Date: 03/22/03


From: JP <palmeroj@nospam.hotmail.com>
Date: Sat, 22 Mar 2003 05:44:47 GMT


John,

I agree with you that giving them this access is a recipe for trouble.
And, yes they do load a lot of crap along with what they really need,
generating a lot of service calls. On the other hand, we've been
somewhat fortunate that the number of "troublemakers" is relatively
small.

This is why I've been pulling the few hairs I have left trying to find
a balance between securing the network while giving them the access
they're used to. I just know that I'll have a mass riot if I deploy
the image with limited rights.

I like your idea of adding the individual user account to the local
admin group during the login process. This should keep things
relatively secure (at least initially). I can see that security will
erode slowly when users log on to more and more different machines.

What type of script do you use, WSH? If you have a sample snippet of
code, I'd appreciate it.

Thanks,

John.

On Fri, 21 Mar 2003 07:53:36 -0800, "John" <john@nospam.net> wrote:

>I would hate to manage that volume of users with Admin
>access. Bruce does have a point, you say they are computer
>savvy, but I bet you they have a bunch of crap loaded on
>their machine for non-business reasons. Opens a big
>security risk...Legality concerns....etc...
>
>If you were to ever get audited I bet the company would
>fold with the unlicensed software loaded.
>
>Don't get me wrong I see the need for what you want, but
>there are other ways.
>
>To keep this short.
>1. If you give everyone Admin access to the local machine
>EVERYONE will be able to access all the shares on a remote
>machine be it Admin or user defined. There is NO WAY to
>stop it, without killing the shares, but they could re-create
>them. No win situation.
>
>The only option I see to stop this without putting a
>group in the local admin group is to put an individual
>user in there. This could be scripted, I have written
>similar scripts, but for other reasons.
>
>We used Altiris to migrate from 95/NT to 2000; users had to
>have admin access to run Altiris to get all of the
>settings. (We had A LOT of custom scripts with Altiris to
>get EVERYTHING, which required users to have admin access.)
>
>Have the script get the current user name, utilize the
>RunAs function and add the username to the local admin
>group on the machine. This way they will only have admin
>access to their machine.
>
>
>
>>-----Original Message-----
>>I know you meant well with your comment, but in all seriousness; the
>>large majority of users are automotive design engineers and a little
>>more technology savvy than you might be used to. They need the XP
>>plug-n-play features to connect a wide array of peripherals and
>>software applications in order to do their job.
>>
>>For over 3 years, they've had NT 4.0 SP6a with just this level of
>>security and support hasn't been an issue. When a machine is trashed,
>>my support technicians re-image it remotely using Altiris with a
>>minimum of effort. This doesn't happen as often as you might think,
>>however.
>>
>>On the other hand, responding to the requests for Administrator
>>access, or having a technician visit the site, in order to be able to
>>install their applications will make support impossible for my team.
>>
>>Now that we're migrating to XP, I would like to close some of the
>>security flaws that the old OS had.
>>
>>I'm not sure whether you meant adding each and every user account to
>>the local administrator's group, or the "DOMAIN\Domain Users" account.
>>Since there are about 3000 users in the company, adding each and every
>>account to the image is out of the question.
>>
>>I did add the "MYDOMAIN\Domain Users" account to the local
>>administrator group and this had the desired effect, only problem is
>>that it gives every user full access to all other machines ACROSS the
>>network.
>>
>>I'm seriously trying to find a middle ground between giving my users
>>as much control over their own machines as possible without violating
>>network security. I was wondering if giving the local USERS group
>>more rights might do the trick.
>>
>>I was hoping to hear from other administrators what approach they
>>might have taken to resolve similar issues, or what security settings
>>they might have used on the local USERS group. Perhaps some registry
>>hacks to prevent unauthorized access across the network, etc.
>>
>>I am seriously looking for answers or suggestions.
>>
>>Thanks in advance.
>>
>>John
>>
>>PS. If you wish to email me, please remove the nospam substring from
>>the following email address: palmeroj@nospam.hotmail.com
>>
>>On Fri, 21 Mar 2003 07:21:10 -0700, "Bruce Chambers"
>><bchambers@nospam.cableone.net> wrote:
>>
>>>Greetings --
>>>
>>> Add each user's domain account to the local administrators group.
>>>(And then hire several more technicians to clean up behind the users
>>>as they trash their installations.)
>>>
>>>Bruce Chambers
>>>Microsoft MVP - Shell/User
>>>
>>>Help us help you:
>>>http://dts-l.org/goodpost.htm
>>>http://www.catb.org/~esr/faqs/smart-questions.html
>>>----
>>>You can have peace. Or you can have freedom. Don't ever count on
>>>having both at once. -- RAH
>>>
>>>
>>><nospam@sp.com> wrote in message
>>>news:spbl7vomg0pl1vs5u8avn66qdbag7gferf@4ax.com...
>>>> I'm configuring a standard Windows XP Professional image that will be
>>>> deployed to a large number of client workstations. The file system
>>>> will be NTFS.
>>>>
>>>> The domain is Windows NT 4.0 and 2000 Servers. No Active Directory is
>>>> enabled yet.
>>>>
>>>> My problem is that the users want to have administrative rights over
>>>> their workstation. To accomplish this I've added the DOMAIN\All Users
>>>> to the local Administrators group. However, users can also access
>>>> other workstations across the network, particularly troubling to me is
>>>> access to the hidden shares.
>>>>
>>>> My question then is; how do I give users full control over their
>>>> machines while preventing them from accessing other machines across
>>>> the network?
>>>>
>>>> I'd appreciate any suggestions.
>>>>
>>>> Thank you.
>>>>
>>>> John
>>>
>>
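
The per-user approach John describes (take the logged-on user name, run with admin rights, add that one account to the machine's local Administrators group) as a WSH script. This is an added example, not John's script and not from the thread; it uses the ADSI WinNT provider, which is what a script for an NT 4.0/2000 domain with XP clients would use. Assumptions: the domain NetBIOS name `MYDOMAIN` is a placeholder, the user name is passed as the first argument by the user's logon script (it falls back to the account running the script), and the script itself runs under an account that is already a local administrator, for example via RunAs as John suggests. It also removes domain user accounts that earlier logons left in the group, which is one way to stop the slow erosion JP expects as people log on to more and more machines.

```vbscript
Option Explicit

' Placeholder: the NetBIOS name of the NT domain the users log on to.
Const DOMAIN_NAME = "MYDOMAIN"

' Usage: cscript AddLocalAdmin.vbs <username>
' Must run under an account that is already a local administrator (for
' example launched through RunAs); a plain user logon script cannot add
' its own account to Administrators.
Dim objNet, objGroup, objMember, strComputer, strUser
Dim strMemberDomain, arrStale, strPath

Set objNet = CreateObject("WScript.Network")
strComputer = objNet.ComputerName

' Take the user from the command line (passed by the logon script); fall
' back to the account running this script when no argument is given.
If WScript.Arguments.Count > 0 Then
    strUser = WScript.Arguments(0)
Else
    strUser = objNet.UserName
End If

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' First pass: collect stale members. Only domain *user* accounts are
' candidates; groups (e.g. Domain Admins) and local accounts are left alone.
' Collecting first avoids modifying the collection while enumerating it.
arrStale = Array()
For Each objMember In objGroup.Members
    If LCase(objMember.Class) = "user" Then
        ' ADsPath looks like WinNT://MYDOMAIN/jdoe; take the part after WinNT://
        strMemberDomain = Split(Mid(objMember.ADsPath, 9), "/")(0)
        If UCase(strMemberDomain) = UCase(DOMAIN_NAME) Then
            If LCase(objMember.Name) <> LCase(strUser) Then
                ReDim Preserve arrStale(UBound(arrStale) + 1)
                arrStale(UBound(arrStale)) = objMember.ADsPath
            End If
        End If
    End If
Next

' Second pass: remove them so the group holds only this machine's user.
For Each strPath In arrStale
    objGroup.Remove strPath
    WScript.Echo "Removed " & strPath & " from Administrators"
Next

' Add the current user; 0x80070562 (ERROR_MEMBER_IN_ALIAS) means already present.
On Error Resume Next
objGroup.Add "WinNT://" & DOMAIN_NAME & "/" & strUser & ",user"
If Err.Number = 0 Then
    WScript.Echo "Added " & DOMAIN_NAME & "\" & strUser & " to Administrators on " & strComputer
ElseIf Err.Number = &H80070562 Then
    WScript.Echo DOMAIN_NAME & "\" & strUser & " is already a member"
Else
    WScript.Echo "Add failed: 0x" & Hex(Err.Number) & " " & Err.Description
End If
On Error GoTo 0
```

The sensitive part of this design is not the script but how it obtains admin rights: whatever launches it (RunAs, a scheduled task, a management agent such as Altiris) holds an administrator credential, and that credential must not sit in a file users can read, or every user is back to being an administrator of every machine.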
