
Security Vulnerability? or just an IT Admin oversight?

Anonymous
January 13, 2005 11:01:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin

A place I work has about 1,000 computers and 95% of us use the same user ID
to log into a domain, with no password used. The login user ID is extremely
restricted (group policy?) BUT by simply using Calculator and going to Help,
then Help Topics, then Options and selecting Home, it brings me to the Help &
Support link, from which I can then get Full Administrative access to
the PC.

When normally logging into the domain we have a heavily modified start menu,
with nothing but modified versions of IE, Calculator and a few office program
viewers... Excel viewer... etc.

Is there a way to secure the company's PCs without disabling the Help &
Support feature? I tried disabling the Help & Support service on the
client (once I gained administrator access) but it still loaded it up when I
logged out and then logged in under the domain... Does it need to be
disabled on the server for it to prevent the client from loading the Help &
Support menu options? Is there another way to prevent users from gaining full
control of the system through Help & Support? Perhaps setting our logins to
limited accounts? Haven't tested that yet myself.
Anonymous
January 14, 2005 3:26:48 AM

"Arcalyn121" <Arcalyn121@discussions.microsoft.com> wrote in message
news:FD762878-CF51-48CA-B26C-226BF77D578D@microsoft.com...
> A place I work has about 1,000 computers and 95% of us use the same user ID
> to log into a domain, with no password used. The login user id is extremely
> restricted(group policy?) BUT by simply using calculator and going to Help,
> then Help Topics, then Options and Selecting Home, it brings me to the
> Help & Support link which from there I can then get Full Administrative
> access to the PC.
>
> When normally logging into the domain we have a heavily modified start
> menu, with nothing but modified versions of IE, Calculator and a few office
> program viewers...excel viewer....etc.
>
> Is there a way to secure the company's PCs without disabling the Help &
> Support feature? I tried disabling the Help & Support service on the
> client(once I gained administrator access) but it still loaded it up when I
> logged out and then logged in under the domain.....does it need to be
> disabled on the server for it to prevent the client from loading the Help &
> Support menu options? Is there another way to prevent users from gaining
> full control of the system through Help & Support? perhaps setting our
> logins to limited accounts? Haven't tested that yet myself.

What do you mean by "full admin access" ?? What can you do after going into
Help and Support that you couldn't do before?

PS: this does seem like an odd way of running a network... 1 user ID that
most users use.
Anonymous
January 14, 2005 4:03:02 AM

> What do you mean by "full admin access" ?? What can you do after going into
> Help and Support that you couldn't do before?
>

Before using Help & Support, I had no privileges on the PC. Everything was
locked out and disabled from loading or displaying. I couldn't change screen
resolutions, couldn't browse the local comp's HD nor the network, couldn't
get msconfig to load, and my start menu had log off, modified IE, calculator,
proprietary software and that was it. So before I got administrative access to
the computer I couldn't do much, but simply using the Tools in the Help &
Support center allowed me to override all policy settings for the local
machine's access.
Anonymous
January 14, 2005 11:53:43 AM

"Arcalyn121" <Arcalyn121@discussions.microsoft.com> wrote in message
news:FD762878-CF51-48CA-B26C-226BF77D578D@microsoft.com...
> A place I work has about 1,000 computers and 95% of us use the same user ID
> to log into a domain, with no password used. The login user id is extremely
> restricted(group policy?) BUT by simply using calculator and going to Help,
> then Help Topics, then Options and Selecting Home, it brings me to the
> Help & Support link which from there I can then get Full Administrative
> access to the PC.
>
> When normally logging into the domain we have a heavily modified start
> menu, with nothing but modified versions of IE, Calculator and a few office
> program viewers...excel viewer....etc.
>
> Is there a way to secure the company's PCs without disabling the Help &
> Support feature? I tried disabling the Help & Support service on the
> client(once I gained administrator access) but it still loaded it up when I
> logged out and then logged in under the domain.....does it need to be
> disabled on the server for it to prevent the client from loading the Help &
> Support menu options? Is there another way to prevent users from gaining
> full control of the system through Help & Support? perhaps setting our
> logins to limited accounts? Haven't tested that yet myself.

Once you get the Help and Support system up - you can ONLY do tasks that
your account has permissions to perform.
So if there are items on the Help and Support menu that you do not want
users to perform then you have not set the appropriate permissions/group
memberships etc for that user account.
It is not sufficient to just hide the tools from the user through
controlling the user environment via group policy. You must also set the
user account to have only the correct permissions and rights that it
requires to do its job.

So in short - no not a security vulnerability, it IS an IT Admin
oversight/configuration issue.
--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

Anonymous
January 14, 2005 11:53:44 AM

> So in short - no not a security vulnerability, it IS an IT Admin
> oversight/configuration issue.

Woohoo! Thank you. Thank you.
Anonymous
January 14, 2005 12:28:22 PM

"Arcalyn121" <Arcalyn121@discussions.microsoft.com> wrote in message
news:B6E4BA3C-570B-44EF-AF50-B984EA40DB20@microsoft.com...
>> What do you mean by "full admin access" ?? What can you do after going
>> into Help and Support that you couldn't do before?
>>
>
> Before using help & support, I had No privileges on the PC. Everything was
> locked out and disabled from loading or displaying. I couldn't change
> screen resolutions, couldn't browse the local comp's hd nor the network,
> couldn't get msconfig to load, and my start menu had log off, modified IE,
> calculator, proprietary software and that was it. So before I got
> administrative access to the computer I couldn't do much, but simply using
> the Tools in the Help & Support center allowed me to over-ride all policy
> settings for the local machine's access.

Yes, because they had just hidden the tools - your account still had
permissions to do these things if you can get to the tools via another route
(such as the tasks in the Help and Support).
So this is not really a secured setup - your Admins need to also limit the
rights and permissions of the accounts to prevent them doing things they
should not. Hiding the tools is not sufficient to secure the environment.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

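The point made in the replies above (hidden tools are not revoked rights) can be checked directly. The following PowerShell audit is an added example, not part of the original thread: it reports whether a shared logon account, or a broad principal that includes it, sits in a privileged local group. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets (not available on the Windows XP machines discussed), and the account name `EXAMPLEDOM\shareduser` is a hypothetical placeholder.

```powershell
# Added example: audits actual rights rather than what the UI shows.
param(
    # Hypothetical placeholder; replace with the shared logon ID in use.
    [string]$SharedAccount = 'EXAMPLEDOM\shareduser'
)

# Well-known SIDs of privileged local groups (independent of OS language).
$privilegedGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}
# Broad principals: Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users.
# If any of these is a member, every logged-on user inherits the group's rights.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

$findings = foreach ($sid in $privilegedGroups.Keys) {
    try {
        $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate $($privilegedGroups[$sid]): $_"
        continue
    }
    foreach ($m in $members) {
        $memberSid = $m.SID.Value
        $reason = $null
        if ($m.Name -ieq $SharedAccount) {
            $reason = 'shared account is a direct member'
        } elseif ($broadSids -contains $memberSid) {
            $reason = 'broad built-in principal'
        } elseif ($memberSid -match '-513$') {
            $reason = 'Domain Users group (RID 513)'
        }
        if ($reason) {
            [pscustomobject]@{
                Group  = $privilegedGroups[$sid]
                Member = $m.Name
                Reason = $reason
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Output 'Shared logon holds privileged rights; hiding tools via policy does not remove them.'
} else {
    Write-Output 'No direct or broad membership found; check nested domain groups separately.'
}
```

Membership that arrives through other nested domain groups is not expanded here, so a clean result still needs a check of the account's domain group memberships.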