Re: Security Vulnerability? or just an IT Admin oversight?

From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 01/14/05


Date: Fri, 14 Jan 2005 08:53:43 -0000


"Arcalyn121" <Arcalyn121@discussions.microsoft.com> wrote in message
news:FD762878-CF51-48CA-B26C-226BF77D578D@microsoft.com...
> A place I work has about 1,000 computers and 95% of us use the same user ID
> to log into a domain, with no password used. The login user id is extremely
> restricted (group policy?) BUT by simply using calculator and going to Help,
> then Help Topics, then Options and Selecting Home, it brings me to the
> Help & Support link which from there I can then get Full Administrative
> access to the PC.
>
> When normally logging into the domain we have a heavily modified start menu,
> with nothing but modified versions of IE, Calculator and a few office program
> viewers... excel viewer... etc.
>
> Is there a way to secure the company's PCs without disabling the Help &
> Support feature? I tried disabling the Help & Support service on the
> client (once I gained administrator access) but it still loaded it up when I
> logged out and then logged in under the domain... does it need to be
> disabled on the server for it to prevent the client from loading the
> Help & Support menu options? Is there another way to prevent users from
> gaining full control of the system through Help & Support? Perhaps setting
> our logins to limited accounts? Haven't tested that yet myself.

Once you get the Help and Support system up - you can ONLY do tasks that
your account has permissions to perform.
So if there are items on the Help and Support menu that you do not want
users to perform then you have not set the appropriate permissions/group
memberships etc for that user account.
It is not sufficient to just hide the tools from the user through
controlling the user environment via group policy. You must also set the
user account to have only the correct permissions and rights that it
requires to do its job.

So in short - no, not a security vulnerability, it IS an IT Admin
oversight/configuration issue.

-- 
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions, please use these newsgroups
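
An added example, not part of the original posts: one way to check the point made in the reply, that the logon account's real rights matter more than what the Start menu hides. It assumes Windows PowerShell 5.1 or later (the `Microsoft.PowerShell.LocalAccounts` module); `CONTOSO\kiosk` is a hypothetical name for the shared logon account.

```powershell
# Added example. Assumes Windows PowerShell 5.1+; 'CONTOSO\kiosk' is a
# hypothetical name for the shared logon account described in the thread.

function Get-RiskyLocalAdmin {
    # Lists members of the local Administrators group that would give the
    # shared account (or every interactive user) administrative rights.
    param([string[]]$SharedAccount = @('CONTOSO\kiosk'))

    # Well-known SIDs that cover any user able to log on interactively.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # S-1-5-32-544 is BUILTIN\Administrators; the SID avoids localized names.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $sid    = $m.SID.Value
        $reason = $null
        if ($SharedAccount -contains $m.Name)     { $reason = 'shared logon account is a direct member' }
        elseif ($broadSids.ContainsKey($sid))     { $reason = "broad group: $($broadSids[$sid])" }
        elseif ($sid -match '^S-1-5-21-.+-513$')  { $reason = 'Domain Users (RID 513)' }

        if ($reason) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Sid      = $sid
                Reason   = $reason
            }
        }
    }
}

function Test-CurrentTokenIsAdmin {
    # Run while logged on as the restricted account: reports whether the
    # session token carries Administrators, including via nested groups.
    # On systems with UAC a filtered (non-elevated) token reports $false.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Get-RiskyLocalAdmin
"Current token is administrator: $(Test-CurrentTokenIsAdmin)"
```

Any row returned by `Get-RiskyLocalAdmin`, or `True` from `Test-CurrentTokenIsAdmin` in the restricted session, means Group Policy is only hiding tools the account is still authorized to use.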