Security Vulnerability? or just an IT Admin oversight?

Archived from groups: microsoft.public.windowsxp.security_admin

A place I work has about 1,000 computers and 95% of us use the same user ID
to log into a domain, with no password used. The login user id is extremely
restricted (group policy?) BUT by simply using calculator and going to Help,
then Help Topics, then Options and Selecting Home, it brings me to the Help &
Support link which from there I can then get Full Administrative access to
the PC.

When normally logging into the domain we have a heavily modified start menu,
with nothing but modified versions of IE, Calculator and a few office program
viewers...excel viewer....etc.

Is there a way to secure the company's PCs without disabling the Help &
Support feature? I tried disabling the Help & Support service on the
client (once I gained administrator access) but it still loaded it up when I
logged out and then logged in under the domain... Does it need to be
disabled on the server for it to prevent the client from loading the Help &
Support menu options? Is there another way to prevent users from gaining full
control of the system through Help & Support? Perhaps setting our logins to
limited accounts? Haven't tested that yet myself.
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    "Arcalyn121" <Arcalyn121@discussions.microsoft.com> wrote in message
    news:FD762878-CF51-48CA-B26C-226BF77D578D@microsoft.com...
    > A place I work has about 1,000 computers and 95% of us use the same user ID
    > to log into a domain, with no password used. The login user id is extremely
    > restricted (group policy?) BUT by simply using calculator and going to Help,
    > then Help Topics, then Options and Selecting Home, it brings me to the Help &
    > Support link which from there I can then get Full Administrative access to
    > the PC.
    >
    > When normally logging into the domain we have a heavily modified start menu,
    > with nothing but modified versions of IE, Calculator and a few office program
    > viewers...excel viewer....etc.
    >
    > Is there a way to secure the company's PCs without disabling the Help &
    > Support feature? I tried disabling the Help & Support service on the
    > client (once I gained administrator access) but it still loaded it up when I
    > logged out and then logged in under the domain... Does it need to be
    > disabled on the server for it to prevent the client from loading the Help &
    > Support menu options? Is there another way to prevent users from gaining full
    > control of the system through Help & Support? Perhaps setting our logins to
    > limited accounts? Haven't tested that yet myself.

    What do you mean by "full admin access" ?? What can you do after going into
    Help and Support that you couldn't do before?

    PS: this does seem like an odd way of running a network... 1 user ID that
    most users use.
  2. Archived from groups: microsoft.public.windowsxp.security_admin

    > What do you mean by "full admin access" ?? What can you do after going into
    > Help and Support that you couldn't do before?
    >

    Before using help & support, I had no privileges on the PC. Everything was
    locked out and disabled from loading or displaying. I couldn't change screen
    resolutions, couldn't browse the local comp's hd nor the network, couldn't
    get msconfig to load, and my start menu had log off, modified IE, calculator,
    proprietary software and that was it. So before I got administrative access to
    the computer I couldn't do much, but simply using the Tools in the Help &
    Support center allowed me to override all policy settings for the local
    machine's access.
  3. Archived from groups: microsoft.public.windowsxp.security_admin

    "Arcalyn121" <Arcalyn121@discussions.microsoft.com> wrote in message
    news:FD762878-CF51-48CA-B26C-226BF77D578D@microsoft.com...
    > A place I work has about 1,000 computers and 95% of us use the same user ID
    > to log into a domain, with no password used. The login user id is extremely
    > restricted (group policy?) BUT by simply using calculator and going to Help,
    > then Help Topics, then Options and Selecting Home, it brings me to the Help &
    > Support link which from there I can then get Full Administrative access to
    > the PC.
    >
    > When normally logging into the domain we have a heavily modified start menu,
    > with nothing but modified versions of IE, Calculator and a few office program
    > viewers...excel viewer....etc.
    >
    > Is there a way to secure the company's PCs without disabling the Help &
    > Support feature? I tried disabling the Help & Support service on the
    > client (once I gained administrator access) but it still loaded it up when I
    > logged out and then logged in under the domain... Does it need to be
    > disabled on the server for it to prevent the client from loading the Help &
    > Support menu options? Is there another way to prevent users from gaining full
    > control of the system through Help & Support? Perhaps setting our logins to
    > limited accounts? Haven't tested that yet myself.

    Once you get the Help and Support system up - you can ONLY do tasks that
    your account has permissions to perform.
    So if there are items on the Help and Support menu that you do not want
    users to perform then you have not set the appropriate permissions/group
    memberships etc for that user account.
    It is not sufficient to just hide the tools from the user through
    controlling the user environment via group policy. You must also set the
    user account to have only the correct permissions and rights that it
    requires to do its job.

    So in short - no, not a security vulnerability, it IS an IT Admin
    oversight/configuration issue.
    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups

  4. Archived from groups: microsoft.public.windowsxp.security_admin

    > So in short - no not a security vulnerability, it IS an IT Admin
    > oversight/configuration issue.

    Woohoo! Thank you. Thank you.
  5. Archived from groups: microsoft.public.windowsxp.security_admin

    "Arcalyn121" <Arcalyn121@discussions.microsoft.com> wrote in message
    news:B6E4BA3C-570B-44EF-AF50-B984EA40DB20@microsoft.com...
    >> What do you mean by "full admin access" ?? What can you do after going into
    >> Help and Support that you couldn't do before?
    >>
    >
    > Before using help & support, I had no privileges on the PC. Everything was
    > locked out and disabled from loading or displaying. I couldn't change screen
    > resolutions, couldn't browse the local comp's hd nor the network, couldn't
    > get msconfig to load, and my start menu had log off, modified IE, calculator,
    > proprietary software and that was it. So before I got administrative access to
    > the computer I couldn't do much, but simply using the Tools in the Help &
    > Support center allowed me to override all policy settings for the local
    > machine's access.

    Yes, because they had just hidden the tools - your account still had
    permissions to do these things if you can get to the tools via another route
    (such as the tasks in the Help and Support).
    So this is not really a secured setup - your Admins need to also limit the
    rights and permissions of the accounts to prevent them doing things they
    should not. Hiding the tools is not sufficient to secure the environment.

    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups
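
The replies above come down to checking what the shared account is actually permitted to do, not what its desktop shows. As an added example (not part of the original thread), this PowerShell script reports how an account ends up in privileged local groups; the account name `CONTOSO\kiosk` is a placeholder, and the script assumes a current Windows client with Windows PowerShell 5.1 and its `Get-LocalGroupMember` cmdlet.

```powershell
# Added example: report why a shared logon account holds elevated local rights.
# 'CONTOSO\kiosk' is a placeholder, not an account named in the thread.
param([string]$Account = 'CONTOSO\kiosk')

# Built-in groups that grant more than a limited user, keyed by well-known SID
# so the check also works on localized Windows installs.
$PrivilegedGroups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-551' = 'Backup Operators'
}
# Principals that implicitly include every logged-on domain user:
# Everyone, Interactive, Authenticated Users.
$BroadSids = 'S-1-1-0', 'S-1-5-4', 'S-1-5-11'

function Get-PrivilegedMembership {
    param([string]$Account, $Groups, [string[]]$BroadSids)
    foreach ($sid in $Groups.Keys) {
        try {
            $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
        } catch {
            # Group absent on this build, or membership could not be read.
            [pscustomobject]@{ Group = $Groups[$sid]; Member = $null
                               Reason = "unreadable: $($_.Exception.Message)" }
            continue
        }
        foreach ($m in $members) {
            $memberSid = $m.SID.Value
            $reason = $null
            if ($m.Name -ieq $Account) { $reason = 'direct member' }
            elseif ($BroadSids -contains $memberSid) { $reason = 'broad principal' }
            elseif ($memberSid -match '^S-1-5-21-.*-513$') { $reason = 'Domain Users (RID 513)' }
            if ($reason) {
                [pscustomobject]@{ Group = $Groups[$sid]; Member = $m.Name; Reason = $reason }
            }
        }
    }
}

$findings = @(Get-PrivilegedMembership -Account $Account -Groups $PrivilegedGroups -BroadSids $BroadSids)
if ($findings.Count -eq 0) { "No elevated local group membership found for $Account." }
else { $findings | Format-Table -AutoSize }
```

Membership that arrives through other nested domain groups is not expanded here, and user rights assignments are a separate check; both need to be reviewed alongside this output.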
