Archived from groups: microsoft.public.windowsxp.security_admin (More info?)
I have the "Administrator" account on a WinXP Pro computer (and do
administer the computer). I also have my private account on the
computer, that is an administrator type account. Another private
account for another user also is an aministrator type account. (I can
only see options for two kinds of accounts in WinXp (adminstrator and
limited) unlike Win2k, which I recall had more -- am I right about
WinXP having only two? I think my problem wouldn't exist under Win2k
because I could set up the private accounts as "power users") Thus, the
other private account is a member of the "Administrators" group. For
reasons I won't go into here, the other private account must have admin
rights. Simple file sharing" is turned off on the system.
I have created a private folder on the machine that has its security
settings set only to allow access to me (i.e., no sharing, and only my
private account is given any permissions.
However, the folder is not really secure, because although the other
private account holder cannot access the folder itself, they can defeat
the security settings on it. This is because they can access the
properties page for the folder, and even though they cannot initially
change the permissions for the folder, they can access the ownership
properties page for the folder, which shows that "Administrators" as
well as I can take ownership of the folder. Then, by changing ownership
of the folder from my account to "Administrators" , they can then
change the privileges to give "Administrators" full control. And,
because their account is part of the "Administrators" group, they end
up with access to the folder.
I tried to prevent this from happening by logging on as
"Administrator," goiing into Control Panel -> Administrative Tools ->
Local Security Settings -> User Rights Assignments, and I changed the
value for Take Ownership of Files or Other Objects from
"Administrators" to "Administrator". Now, (after a reboot) the other
person cannot, from their account, change the ownership of my private
folder to "Administrators" and then proceed to unlock it because
"Administrators" no longer shows up as a possible owner of the folder.
But this security provision can also be defeated, because, the other
user can go into User Rights Assignment and change the permission for
Take Ownership of Files or Other Objects back to "Administrators" from
"Administrator"! Even if I delete the "Administrators" group, (which as
I understand under XP cannot be restored once deleted), the other user
can still add their own account to the permissions for Take Ownership
of Files or Other Objects" (because, it appears, any user with
administrative privilveges can alter the security settings). So my
folder is still not secure.
Is there a way to prevent any user besides the "Administrator" from
accessing "Administrative Tools" or "Local Security Settings?" Any
other ideas? Am I missing something?
Thanks
I have the "Administrator" account on a WinXP Pro computer (and do
administer the computer). I also have my private account on the
computer, that is an administrator type account. Another private
account for another user also is an aministrator type account. (I can
only see options for two kinds of accounts in WinXp (adminstrator and
limited) unlike Win2k, which I recall had more -- am I right about
WinXP having only two? I think my problem wouldn't exist under Win2k
because I could set up the private accounts as "power users") Thus, the
other private account is a member of the "Administrators" group. For
reasons I won't go into here, the other private account must have admin
rights. Simple file sharing" is turned off on the system.
I have created a private folder on the machine that has its security
settings set only to allow access to me (i.e., no sharing, and only my
private account is given any permissions.
However, the folder is not really secure, because although the other
private account holder cannot access the folder itself, they can defeat
the security settings on it. This is because they can access the
properties page for the folder, and even though they cannot initially
change the permissions for the folder, they can access the ownership
properties page for the folder, which shows that "Administrators" as
well as I can take ownership of the folder. Then, by changing ownership
of the folder from my account to "Administrators" , they can then
change the privileges to give "Administrators" full control. And,
because their account is part of the "Administrators" group, they end
up with access to the folder.
I tried to prevent this from happening by logging on as
"Administrator," goiing into Control Panel -> Administrative Tools ->
Local Security Settings -> User Rights Assignments, and I changed the
value for Take Ownership of Files or Other Objects from
"Administrators" to "Administrator". Now, (after a reboot) the other
person cannot, from their account, change the ownership of my private
folder to "Administrators" and then proceed to unlock it because
"Administrators" no longer shows up as a possible owner of the folder.
But this security provision can also be defeated, because, the other
user can go into User Rights Assignment and change the permission for
Take Ownership of Files or Other Objects back to "Administrators" from
"Administrator"! Even if I delete the "Administrators" group, (which as
I understand under XP cannot be restored once deleted), the other user
can still add their own account to the permissions for Take Ownership
of Files or Other Objects" (because, it appears, any user with
administrative privilveges can alter the security settings). So my
folder is still not secure.
Is there a way to prevent any user besides the "Administrator" from
accessing "Administrative Tools" or "Local Security Settings?" Any
other ideas? Am I missing something?
Thanks
Facebook
Twitter
Instagram